Lab 4 - Mutability

Lecturer:
Report Title:
Submit to:
Deadline for submission:

Student Name:
Student Number:
Programme of Study:
Module:

Contents

Description. 2

Aims. 2

Method. 2

Results and Testing. 2

Conclusions. 2

References. 2

Appendices. 2

 

Description

An immutable project can be defined as a program that cannot be changed once a variable has been instantiated. The program contains attributes that makes it impossible to be changed once it has been created (Kjolstad, Dig, Acevedo, & Snir, 2010). The project contains protective measures that make it impossible to add or remove objects once it has been created. Immutable program contains different objects that work together to ensure that the program is not destroyed once it has been created. The project involves testing an existing class known as Planet.java to see whether it has attributes that makes it an immutable program. The test is conducted by reading the code and establishing objects that makes it immutable and also developing a test.java class to test the planet. Java. The test class should be able to use the existing methods in the class planet and establish whether or not the class is immutable.

Aims

       I.            To determine whether the program is immutable

    II.            Develop a strategy that can be used to define immutable objects

 III.            To study and understand the Date object

 IV.            To develop a driver class for the project

Method

The methodology used to analyze the program to determine whether it is immutable is conducted using NetBeans IDE.  

Determining whether the program is immutable

The code below shows the declaration of the code as public final class Planet; this is because no children classes should be created from the immutable class Planet.

public final class Planet

{

}

The fragment of code from the program below shows string name and Date discoveryDate objects. It is an immutable program because the constructor public Planet has parameters.  The parameterized constructor makes it impossible for the project to be changed after it has been created.

public Planet (String name, Date discoveryDate)

{

     this.name = name;

this.discoveryDate = new Date (discoveryDate.getTime ());

  }

The object string name is immutable because once it is created it cannot be changed anywhere in the program.

Both the variables name and discoveryDate have get methods have seen below for each one of them.

public String getName()

  {

    return name;

  }

The public String getName() return name as it is evident in the fragment of code above.

  public Date getDiscoveryDate()

  {

    return new Date(discoveryDate.getTime());

  }

The code above public Date getDiscoveryDate() returns new Date().

The program does not have setter methods to enable change of the variables in the program once it has been created.

The tester code below proves that the class is immutable

// Driver class

import java.util.*;

class Test

{

    public static void main(String args[])

    {

        Date date = new Date();

        Planet p;

        p = new Planet("Testing the Planet Class", date);

        System.out.println(p.getName());

        System.out.println(p.getDiscoveryDate());

 

       

    }

}

The tester code shows that the variables defined in the class planet cannot be changed and it has to be re-used. As it is evident on the code above the class Planet has to be called so as to be able to access the variables name and discoveryDate using the get methods available in class Planet.

Strategy to define immutable objects

The best strategy to define immutable objects is by first opening a program using different java IDE. Once the program has been opened reading and understanding the code is important in understanding the type of program and objects. The objects is plays a critical part in determining the immutable nature of a program. The program should have a constructor that has parameters, there should be a get method for all the variables in the program and finally the program should not have a set method for any of the variables.

Understanding the date variable

The date variable when it comes to immutable objects is complex. This is because the date belongs to data type Date. It is evident in our test class above as we can see in the code below:-

Date date = new Date();

The object date had to be initiated using the function new Date (). The double initiation of date object makes it complex to use. Date object is discouraged from use because it has major flows since it was developed. Such flows includes it lacks time zone, the world contains different time zones. The lack of time zones in the java.util.Date makes it lack necessary features that is important to the users of the systems developed using the object. It also lacks time format that is necessary in ensuring that users of the system understand the time being displayed (Nikolic, 2017). The weakness makes it harder because the software engineer has to design a time format for the program which is time consuming. It also lacks a calendar system. The calendar system has to be developed hence adding work to the individual or team using java util Date for the function of software development. This is not flexible because it rates years based on the year 1900 and it results in problems when using years prior to 1900 (Nikolic, 2017).

Results and Testing

The planet class displayed in Figure 1 is the programmed being tested if it is immutable. Based on the tests above and using the test class in Figure 2 it was confirmed that the planet class is immutable. The test class produced the output below:-

It displayed the string “Testing the Planet Class”, the string was defined with the string posted in the test class. The date displayed was the current time defined on the test class but it was displayed using the function getDiscoveryDate from the Planet class. The same applies to the string name that was from class Planet.

Conclusions

In conclusion, the aims of the study has been met, this because the program has been confirmed to be immutable, the object date has been studying and understood perfectly,  the test class for the main program was developed and finally the strategy to define an object based on immutable program developed. The project is immutable based on (Haack, Poll, Schafer, & Schubert, 2017) definition of an immutable program. The program does not have setter methods that can be used to change the program after it has been instantiated. The program only contains constructors and getter methods that cannot be used to change the program variables once they have been instantiated.

References

 

Haack, C., Poll, E., Schafer, J., & Schubert, A. (2017). Immutable Objects for a Java-like

Language. German research foundation, Retrieved from https://www.cs.ru.nl/E.Poll/papers/esop07.pdf .

Kjolstad, F. B., Dig, D., Acevedo, G., & Snir, M. (2010). Refactoring for Immutability.

Making Classes Immutable, Retrieved from https://core.ac.uk/download/pdf/4824892.pdf .

Nikolic, D. (2017). Still using java.util.Date? Don’t! Programming Hints, Retrieved from

 https://programminghints.com/2017/05/still-using-java-util-date-dont/ .

Appendices

Figure 1: Class Planet

Figure 2:Class Test

Lab 4 - Mutability

“Immutable objects are simple. They can only be in one state, which is carefully controlled by the constructor. One of the most difficult elements of program design is reasoning about the possible states of complex objects. Reasoning about the state of immutable objects, on the other hand, is trivial.

Immutable objects are also safer. Passing a mutable object to untrusted code, or otherwise publishing it where untrusted code could find it, is dangerous — the untrusted code might modify its state, or, worse, retain a reference to it and modify its state later from another thread. On the other hand, immutable objects cannot be subverted in this manner by malicious or buggy code, so they are safe to share and publish freely without the need to make defensive copies.” 

—Brian Goetz, Java Concurrency in Practice

Introduction

An immutable object is one whose externally visible state cannot change after it is instantiated. The String, Integer, and BigDecimal classes in the Java class library are examples of immutable objects -- they represent a single value that cannot change over the lifetime of the object.

Lab Instructions:

Consider the following code:

import java.util.Date;

public final class Planet {

  String name;

  privatefinalDate discoveryDate;

  public Planet (String name, Date discoveryDate) {

     this.name = name;

this.discoveryDate = new Date(discoveryDate.getTime());

  }

  public String getName() {

    return name;

  }

  public Date getDiscoveryDate() {

    return new Date(discoveryDate.getTime());

  }

}

1.      Is this program immutable? If you think it is not, what changes would need to be implemented and why? If you think it is, explain why? To explain you need to create a tester class to run the code and see if you can change any values.

2.      Did you notice anything about the Date object? The Date object is no longer used in the latest versions of Java. Research why this is so and how it relates to Mutable Code.

3.      Using what you have learned about Mutability. Detail a strategy that could be used for defining immutable objects.

Remember to write your conclusions on your work.

Submission and Grading Details

This lab will form part of your complete Lab book, which must be submitted at the end of the module. You must reference your work.  You should follow the layout of a typical lab book, and add extra headings as necessary. Sample layout below:

·         Lab3 Mutability

o   Description

o   Aims

o   Method  

o   Results

§  Section 1 What is Mutability and Immutability

§  Section 2 Immutable Code or Mutable Code?

§  Section 3 Deprecated Object ‘Date’

§  Section 4 A strategy for defining immutable objects

o   Conclusions

o   Appendix

o   References 

	Marks Available
Description	5
Aims	5
Method	5
Results/Testing/Evaluation	10
Is code Mutability or Not, explain	15
Deprecated Object ‘Date’	10
Outline a Strategy that could be used	10
Conclusion	40
TOTAL	100

Cyber Operations and Risk Management Briefing

As a synthesis of all prior steps in this project, you will now develop and submit the first component of your deliverable to your CISO: the Cyber Operations and Risk Management Briefing. The briefing will consist of a written evaluation and video presentation. Each team member should develop his or her own briefing, and submit independently. Research and evaluate the maintenance requirements for each option identified in the software development matrix you submitted in the previous step. What resources and processes are required for each option? You should also address the schedule to implement the recommended software and identify any potential impacts to the mission, any vulnerabilities or risks, and the likelihood of success.

OO Final Project

Requirements
For the final project, you are to design and develop a Java application that you choose. The goal of the final project is for you to combine the things that you've learned this semester into a working and useful application. The best project idea is something that interests you! This is also an opportunity to develop something that you can put in your portfolio to show a prospective employer.
The scope of the application you develop is something you can design and develop in the time remaining in the semester. The application should not be trivial, but it should also not be so big and complex that you are unable to finish and test it.
Due date: 11:59pm, Friday, Reading Day
Program name: You may choose any name that is appropriate for your application’s main class. But, as has been the case with other programming challenges the name is to begin with your pawprint with the first letter capitalized and the other letters in lower case. The remainder of the name is to be camel-cased. For example, if the application is to be named DocumentEditor and the pawprint is abcxyz9 then the main class name is to be named Abcxyz9DocumentEditor.
Language: Java 8 SE
Tools: NetBeans IDE and JavaFX Scene Builder UI
Development: The application’s user interface is to be created using JavaFX. Scene Builder should be used to develop the interface based on FXML. If you choose to develop the interface using code to create the JavaFX objects rather than using FXML created by Scene Builder then you need to present a good reason for doing so in the final project documentation.
Architecture: The application is to be built on the Model View Controller (MVC) architecture as shown in class.
 Required Elements: The following are elements that are required to be included in the application:
 1. Object oriented elements that you write the code for:
 a. Classes.
 b. Subclasses.
 c. At least one abstract class
d. At least one Interface
 2. Code elements that you utilize:
 a. One or more collection classes.
 b. Exception Handling.
3. The application must have a clearly defined model (as in the M in MVC). OO Final Project
4. The UI must utilize multiple scenes and at least one of the scenes will have the contents of the scene graph changed based on the application state.
 5. There must be a way to access “About” information that includes information about you and the application.
 6. The application must save data and load data. The target for saving/loading data can be files, a network service, and/or a database.
 Expectations:
1. The application is functional for a defined activity, task, and purpose. The goal is to develop a complete application not just a pile of code that doesn’t serve a purpose.
 2. The user interface is useable, organized, and understandable.
 3. The code is well-structured and logically organized.
 4. The application you build is not to be trivial in simply meeting the requirements set forth in this document. Yes, you are to meet the requirements but you are also to build an application that has a purpose and delivers functionality or capability. The requirements are parameters to be used in design and implementation of the application. They are not intended to be the end product.
 5. You should design and build an application that you would be happy to show a prospective employer or client. Documentation: A document is to be written titled “ProjectDocumentation” that is a plain text file (.txt) or a PDF (.pdf) and included in the zip file for the project that describes how you met the requirements provided in this document. You should be able to point to instances in your application where the requirements have been met. This means, you should name which requirement you are meeting, label which file it is in, and which lines of code the requirement is accomplished on. This document is for your protection!! If the grader/instructor must search your application’s code to find the places where you met the requirements then they may miss where you met them. This document should be like you are looking over the shoulder of the grader and saying, "Yeah, right there is where I have the code that allows you to save data to a file." By explicitly identifying how you met the criteria the grader/instructor can be sure they are not missing something. It will also save time for the grader that is in short supply during finals week. Easy to find things --> makes grader happy --> good grade. UML: A UML diagram of the application is to also be included in the zip file for the project. The UML diagram can be a PDF, PNG, JPG, or GIF file with a base name of PawprintUML. So, for example if the file is a PDF and your pawprint is Abcxyz9, it is to be called Abcxyz9UML.pdf. NOTE: If you have any questions about the requirements, what you can do, or if you are unsure about a project idea, then feel free to run it by the TAs to double check. It will be wise to check your project by the TAs during office hours to determine if you have met the requirements before submission. If you have any other questions, then ask the TAs or come by office hours. TAs will not check whether you have satisfied the requirements via email. However, you can ask general questions via email. 

Ex-filtration cyber attack

Introduction

There was an incident where an attacker successfully transferred files from the web server. The attack is known as ex-filtration and it was detected by the hosting nation intrusion detection system. The type of attack might result in web servers being vulnerable to other attacks such as denial of services. The attack is from within the member nations attending the conference and it should be stopped before it spreads further. Ex-filtration is a dangerous type of attack because it enables an attack to access resources they are not authorized. The kind of attack might result in major problems since nations keep highly classified information that should never be accessible to other nations at any given period of time. The source of data leak and the tools used to perform the attack should be identified and necessary steps put in place to stop such an attack from happening in the coming future. The resources being targeted should be made unavailable until the web server targeted and the whole network has be secured. The protocols for accessing the resources should be changed so as to give the team an ample time to solve the problem.

Analysis

Wireshark is a dynamic tool capable of sniffing and capturing network activities. Using the tool it is established that a total of 1,907,899 packets were sent over the period of the attack. The participants were computer A and B, computer A sent a total of 1,864,853 and computer B sent a total of 43,046 packets. A total of 170 mega bytes were sent over the total conversation, computer A sent a total of 143 mega bytes and computer B sent a total of 26 mega bytes.  The conversation took a total of 358.3253 seconds; this is the total time the ex-filtration took place.

After the wireshark capture is parsed the process of identifying the time the attack begin starts and it is indicated as 21:59:17.432035000. That is the period the attackers were able to actively copy files from the web server. The protocol the attackers utilized is the UDP and the destination port affected was port 55. Port 55 makes it possible for messages to be transferred from one computer to another and it is utilized in the internet network layer, transport layer and session layer.  The IP address of the web server affected is 192.168.19.111 and the IP addresses for the system the attackers used is 192.168.10.101. The total size of the packet transferred successfully by the attackers to their system is 74 bytes. The system administrator was alerted by the host monitoring system using the user datagram protocol.

Using UDP flood unicorn to perform the denial of service attack is relatively easy. It is done by entering the target IP address and for our case the target is 192.168.19.111 and the target port is 55. The packet size for the attack can be any amount but for testing case 1 KB is enough. Performing a denial of service attack is simple because there are different types of tools available to aid in the process. There is a increase in HTTP request sent to the internal web server and it might be linked to the attack. The resources that is receiving more requests is the /worldpress/randomfile1 HTTP/1.1\r\n. That is the targeted resource in the internal web server and the attackers might be aiming at copying the file or making it inaccessible through the denial of service attack.

The servers’ HTTP response code is 500 and it means the internal server encountered a problem and could not fulfill the required request. The error means that the resource cannot be accessed by legitimate users of the resource due to a problem the server is encountering and it might be linked to the increase in requests to the server. The IP of the computer requesting the resource resulting in the error is 192.168.10.101 and it is the attacking computer. The attacker user-agent for the request is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n.

The type of web server that is occurring is distributed denial of service attack this is because the resource targeted cannot be accessed by legitimate users. The attackers are also performing a SQL injection to the web server. The abnormal requests send by attackers is 404 not fount (text/html). This is because the request send by attackers are not available hence the error code is displayed. The URL being used by the attackers to perform on distributed denial of service is /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_.

More attacks are being performed to the web server by sending of abnormal GET requests. The nature of the attack is brute force hacking. This is evident due to the HTTP response code returned for the abnormal requests. The HTTP/1.1 Bad Request (text/html) signifies that the server is receiver bad requests from the attackers. The user-agent for the request received from the attackers is Mozilla/5.00.

There is a repetition of username and password being used by the attacker during the brute force attack. The password and usernames being repeated are located in the root/password folder it is evident by the traffic captured using wireshark tool. The user-agents contained in the attack requests is Mozilla/5.00. The HTTP response code returned for the attack requests sent is HTTP/1.1 404 Not Found (text/html).

The interesting repetition string value is responsible for the denial of service experienced. The user-agent for the interesting string is Mozilla/5.00 and the HTTP response code for the request is HTTP/1.1 Not Found (text/html). The user-agent Mozilla/5.00 points at Nikto web server testing tool. The tool is the one responsible for the attacks the web server is under-going at the moment.

Findings

·         The system is under the following types of attack.

1.      Distributed denial of service

2.      SQL injection

3.      Brute force attack

·         Nikto tool is being used by the attackers to hack the web server

·         The IP address for the victim web server is 192.168.19.111

·         The IP address of the computer being used by attackers is 192.168.10.101

·         The port number affected by the attack is 55

Recommendations

I would recommend that the system administrator blocks traffic from IP address 192.168.10.101 for accessing the network. It can be done by adding the policy on the firewall or configuring the intrusion detection system to drop traffic from the IP address. The port 55 should be blocked using the firewall to reduce its vulnerability of leaking data through ex-filtration. The system administrator should also configure their firewall and intrusion detection and penetration systems to drop traffic to /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_ and /worldpress/randomfile1 HTTP/1.1\r\n. This should be done until the problem is resolved so as to reduce more attacks to the network resulting in major damages.

Works Cited

Jaiswal, A., Raj, G., & Singh, D. (2014). Security Testing of Web Applications: Issues and

Challenges. International Journal of Computer Applications , 26-30.

Ullah, F., Edwards, M. a., Ramdhany, R., Chitchyan, R., Babar, M. A., & Awais, R. (2018). Data

Exfiltration:A Review of External Attack Vectors and Countermeasures. Journal of Network and Computer Applications , 18-54.

Ullah, F., Edwards, M., Ramdhany, R., & Chitchyan, R. (2017). Data Exfiltration: A Review of

External Attack Vectors and Countermeasures. Journal of Network and Computer Applications , 2-13.