HW 6 SSE - HackMD

# HW 6 SSE Ivan Christian # 1 ```java= package week6; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import java.util.Scanner; public class SQLInjectionNoncompliant2 { static String hashPassword(char[] password) { // create hash of password return null; } public static void main (String[] args) throws Exception { Scanner reader = new Scanner(System.in); // Reading from System.in System.out.println("Enter a name: "); String username = reader.next(); // Scans the next token of the input as an int. System.out.println("Enter a password: "); char[] password = reader.next().toCharArray(); //once finished reader.close(); doPrivilegedAction(username, password); } public static void doPrivilegedAction(String username, char[] password) throws SQLException { Connection connection = getConnection(); if (connection == null) { // handle error } try { String pwd = hashPassword(password); String sqlString = "SELECT * FROM db_user WHERE username = '" + username + "' AND password = '" + pwd + "'"; Statement stmt = connection.createStatement(); ResultSet rs = stmt.executeQuery(sqlString); if (!rs.next()) { throw new SecurityException("User name or password incorrect"); } // Authenticated; proceed } finally { try { connection.close(); } catch (SQLException x) { // forward to handler } } } private static Connection getConnection() { // this method establishes a connection to a DBMS return null; } } ``` Using line numbers: ![](https://i.imgur.com/gRuEIxa.png) # 2 ```java= package week6; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.util.HashMap; public class PrivacyExample { private final HashMap<String, String> accounts = new HashMap<String, String>(); //accounts is the secret // Untainted variable since it is declared in the class with no outside influence public void register(String username, String password) throws Exception { // tainted because it is user inputs. if (accounts.containsKey(username)) { throw new SecurityException("User name already exists"); // tainted username due to giving out information to users. } accounts.put(username, password); //tainted since both password and username are tainted. } // In the end both variables are tainted. private String hashPassword(char[] password) { // create hash of password return null; // password becomes sanitised (untainted) } // method sanitises password public void doPrivilegedAction(String username, char[] password) throws Exception { // username, password tainted String pwd = hashPassword(password); // untainted due to password processing // Ensure that the length of user name is legitimate if (username.length() > 8) { // Handle error // untainted due to processing } if (!accounts.containsKey(username)) { throw new SecurityException("User name incorrect"); // username tainted due to giving out information to users. } if (!accounts.get(username).equals(pwd)) { throw new SecurityException("password incorrect"); // password tainted due to giving out information to users } } // In the end both variables are tainted. } ``` Requirements: At the end of doprivilegedactions = username and password must be untainted. ```java if (username.length() > 8) { // let this check be α // Handle error // untainted due to processing } ``` Tainted ≤ α ≤ untainted ```java if (username.length() > 8) {// let this check be β // Handle error // untainted due to processing } ``` Tainted ≤ β ≤ untainted ```java if (!accounts.get(username).equals(pwd)) {// let this check be γ throw new SecurityException("password incorrect"); // username tainted due to giving out information to users } ``` Tainted ≤ γ ≤ untainted ```java private String hashPassword(char[] password) { // let this processing be δ // create hash of password return null; // password becomes sanitised (untainted) } // method sanitises password ``` untainted = δ ``` Void doPrivilegedAction(username = tainted), password = tainted){ pwd = untainted If (α = tainted) { error message = tainted } If (β = tainted) { error message = tainted } If (γ = tainted) { error message = tainted } } ``` It returns a tainted variable as the username is tainted. Even if the password is untainted, it becomes tainted due to username being tainted. # 3 ```cpp int k = 0, i = 0, j = 0; int[] array = new int[100]; while (k < 100) { i = 0; j = k; while (i < j) { i = i + 1; j = j – 1; } k = k + 1; } array[i] = 0; ``` ![](https://i.imgur.com/aPaPqFL.png) After Abstraction: init: ------------- i_interval_0 = [0,0] j_interval_0 = [0,0] k_interval_0 = [0,0] array_interval_1 = [100] # length set when k < 100: -------------- i_interval_2 = (i_interval_0 U i_interval_6) j_interval_2 = (j_interval_0 U j_interval_6) k_interval_2 = (k_interval_0 U k_interval_6) n ([-∞, 99]) i_interval_3 = [0,0] j_interval_3 = k_interval_3 k_interval_3 = k_interval_3 when i < j: ------------------ i_interval_7 = (i_interval_3 U i_interval_7) n ([-∞, 49*]) j_interval_7 = (j_interval_3 U j_interval_7) n ([-∞, 99]) k_interval_7 = (k_interval_3 U k_interval 7) *This is calculated by finding the max value of i when i < j for k = 99, which is i = 49 -------------------- i_interval_7 = i_interval_4 + [1,1] j_interval_7 = j_interval_4 k_interval_7 = k_interval_4 i_interval_8 = i_interval_7 j_interval_8 = j_interval 7 - [1,1] k_interval_8 = k_interval_7 when i >= j: -------------- i_interval_6 = (i_interval_4 U i_interval_8) n ([-∞, 50**]) j_interval_6 = (j_interval_4 U j_interval_8) n ([-∞, 49***]) k_interval_6 = (k_interval_2 + [1,1]) **max value of i when i > j for k = 99, which is i = 50 ***max value of i when i > j for k = 99, which is j = 49 when k >= 100: ---------- i_interval_9 = (i_interval_2 U i_interval_6) n ([50,∞]) j_interval_9 = (j_interval_2 U j_interval_6) n ([49,∞]) k_interval_9 = (k_interval_2 U k_interval_6) n ([100, ∞]) Value of i will be 50 which is within the array. Hence indexOutOfBoundException will not be thrown.