Topic Proposal: 3rd February 2025 23:55

Description report: 24th February 2025 23:55

Demo report: 24th March 2025 23:55

Assessment Information

You must submit your assessment components online using the submission on LMS.

You can do this assessment as a group or as an individual, but it is highly recommended that you do it as a group. If done as a group, a group consists of 2 students and larger groups will not be allowed under any circumstances.

Late submissions for reports will be penalised at the rate of 10% of the total mark per day late or part thereof.

You should submit each report as ONE word-processed document containing all the required question answers. The documents, except the initial proposal, must have a title page indicating the assignment, student name and number and the submission date. The documents must be submitted in PDF format.

You must keep a copy of the final version of your report as submitted (PDF and source document) and be prepared to provide it on request.

The University treats plagiarism, collusion, theft of other students' work and other forms of academic misconduct in assessment seriously. Any instances of academic misconduct in this assessment will be reported to the University's academic misconduct investigators. For guidelines on academic misconduct in assessment, including avoiding plagiarism, see: http://our.murdoch.edu.au/Student-life/Study-successfully/Study-Skills/Referencing/

VULNERABILITY DETECTION AND MITIGATION PROJECT

You have been recruited as a full-time security administrator/engineer. You are responsible for monitoring newly discovered vulnerabilities, and if they affect the organisation's IT systems it is also your responsibility to design and implement security measures to deal with the vulnerability if the vulnerable system/software cannot be upgraded or patched. For this project we assume a new vulnerability has been recently discovered for a system/software that is critical for the organisation and cannot be taken offline, upgraded or replaced in the short-term, and no upgrade or patch will be available in the short-term.

The aim of this project is to put your skills to practical use. In this project you will identify and research a security vulnerability and then design and implement strategies for detecting the exploitation of the vulnerability and mitigating the vulnerability. You will document these in a report and implement them in a (virtual) test environment. You will demonstrate the effectiveness of your approach to other students in class. Your reports will contain details on the vulnerability, the setup and demonstration of the test environment as well as a description of the design and implementation of the detection and mitigation techniques developed.

It is anticipated that students will attempt a very diverse range of projects; specific details of the project may be discussed with your teacher in class to give you more guidance.

The project has three phases: (1) topic proposal, (2) vulnerability description and proposed exploitation detection and mitigation techniques report and (3) vulnerability detection and mitigation demonstration and final report.

Topic Proposal

You must pick a vulnerability you want to tackle and propose exploitation detection and mitigation approaches for it. It is not your teacher’s responsibility to suggest vulnerabilities to you. Each proposal must be approved by your teacher, so make sure you get the approval prior to the topic proposal submission.

You must submit a one-page document containing the list of group members (student names and numbers), the vulnerability (CVE number and name), a 2-3 paragraph description of the vulnerability and a 3-4 paragraph description on how you plan to detect and mitigate it. The descriptions must be written by you and not be copied from other sources.

Vulnerabilities without CVE identifier may be accepted at the discretion of the unit coordinator but only if you can make a good case at least 1 week prior to the proposal deadline.

The following requirements apply. Any choices that do not fulfil the requirements are automatically rejected (or if submitted will result in 0 marks) unless an exception has been granted by the unit coordinator in writing.

In each lab/workshop one vulnerability can only be picked once. This is so the final demonstrations are not just a repetition of the same topic, but everybody will learn about protections against several vulnerabilities. Check with your teacher which vulnerabilities are still available before topic submission and submit the topic proposal early to get the vulnerability of your choice.

  1. The vulnerability must have a significant impact (5.0 or higher as per the CVSS rating) and must have the potential to be reasonably widespread as in it should be a vulnerability that affect(ed) reasonably popular OS/application/devices.
  1. The vulnerability must be from the year 2023 or newer (as per CVE).
  1. You cannot choose vulnerabilities that are trivial, and you must choose vulnerabilities which can be reproduced by some means (e.g. Metasploit or other proof of concept code) and for which detection and mitigation mechanisms can be implemented and demonstrated.

Vulnerability Detection and Mitigation Design

The activities that you will undertake are as follows:

  1. Describe and explain the vulnerability with a reasonably high level of technical detail in your own words. A copy of a CVE report is not acceptable, and a superficial description will attract low marks. The description must include outcomes of the vulnerability, i.e. what it can be used for, what level of access it provides, and which systems are affected by the vulnerability.

  1. Under the assumption that there is no short-term fix for the vulnerability, describe a method for detecting the actual exploitation of this This part should start with a more general explanation of the approach but must also provide a detailed technical design for it and explain how it can be implemented.

  1. Under the assumption that there is no short-term fix for the vulnerability, describe a method for mitigating exploitation based on this This part should start with a more general explanation of the approach but must also provide a detailed technical design for it and explain how it can be implemented.

Your proposed approaches should be original solutions and not a copy of existing approaches/solutions, and originality will be used as one marking criterion. If your solution is based on any previous work, this previous work must be referenced. Non-original solutions without references are academic misconduct and will result in 0 marks.

Vulnerability Detection and Mitigation Implementation

The main activities that you will undertake are as follows:

  1. Build a virtual test environment and implement and test your proposed With this environment you should then be able to demonstrate the detection of an exploitation of the vulnerability and the mitigation of the vulnerability. The test environment should be saved as one or more Virtual Box VM image(s) that are self-contained and need to be submitted.

The login credentials used for all the test environment machines must be documented in the report.

If you submit a VM that we cannot access, due to wrong credentials or any other reasons, then you will get a penalty of 20% of the total marks for this report.

To execute the vulnerability, you can use any existing code including Metasploit.

However, the solutions for detection and mitigation must be your own.

In general, your setup must include a vulnerable system that can be exploited. In some cases where this is not practical as a vulnerable system cannot be obtained (e.g. the vulnerable software is no longer available) and only with permission of the unit coordinator, this requirement can be waived.

  1. Document the setup of the test This does not need to include trivial steps, like the basic install of Windows/Linux, but any configuration/installation beyond that must be documented in detail.

  1. Explain step-by-step the The level of detail must be such that the teacher can use your VM(s) and repeat the demonstration.

  1. Prepare and give a live demonstration and prepare to be asked questions after the demonstration. Demonstrations must be presented live either face-to-face (on-campus students) or via video conferencing tool (off-campus students). Screen capture videos of parts of the demo are permissible only in extenuating circumstances, e.g. if the vulnerability needs a long time to pull it off, and only if approved by the unit

  1. Your final report will document the design and implementation of the proposed techniques (refined version of the initial design) and explain the test environment and step-by-step demonstration.

Assessment Items

The following items need to be submitted for assessment:

1. Topic proposal (before you submit, discuss it with your teacher first!). This is a mandatory component of the assignment.

  1. Vulnerability detection and mitigation written report:
    1. Explanation of the vulnerability and how it is
    1. Explanation and design of approach to detect exploitation of the
    1. Explanation and design of approach to mitigate exploitation of the

Each part should explain all the technical details but without being excessively long.

This is a mandatory component of the assignment.

  1. Vulnerability detection and mitigation implementation written report:

    1. Refined explanation of your designed and implemented detection and mitigation approaches.
    1. Documentation for setting up the test Screenshots are very useful here.
    1. Demonstration of your implemented You must use screenshots to illustrate the different steps and outcomes.
    1. Discussion on the limitations of your

This is a mandatory component of the assignment.

Demonstration of the vulnerability detection and mitigation to your fellow students in class. This is meant to be a practical demonstration rather than a slide presentation.

However, you should think about how to demonstrate it best, so that other people can understand what you are talking about. Your demonstration should have a clear structure, such as introduction, vulnerability explanation, detection, mitigation and limitations. It is not mandatory to create any slides, but a few slides may be very helpful, especially for the theoretical parts. The demonstration will conclude with a short question and answer section. This is a mandatory component of the assignment and will be done in the last lab/workshop time slot (internal students) or in an online session of which the details will be announced mid semester (external students).

  1. Test environment (VMs). Due to the size of the test environment, it can usually not be submitted via LMS and you need to submit it directly to your teacher, for example via USB stick (after the demonstration) or via a link to cloud storage (MS OneDrive only, as a Murdoch University student you automatically get free space on OneDrive). This is a mandatory component of the assignment.

Note that NOT submitting one of the mandatory components will result in a fail in this assessment, i.e. your mark for this assessment will be capped at a maximum of 49.

Assessment

The overall mark allocation out of 40 marks is as follows:


Topic Proposal

The mark will be determined based on how well you describe the vulnerability and your plan to detect and mitigate it. The proposal should demonstrate that you understand the basics of the vulnerability and the fundamental mechanisms of how to detect and mitigate it.

No individual extensions will be given for the topic proposal. Any late submissions will receive 0 marks for the topic proposal component.

Documents longer than 1 page will also receive 0 marks.

Marks: 2 (5%)

Vulnerability Detection and Mitigation Design Report

The vulnerability description (4 marks) will be marked based on the level of detail provided and the clarity of the description. The detection and mitigation design descriptions (6 marks) will be marked based on the applicability of the approach to the vulnerability, practicality, originality, feasibility (working design), level of detail provided and the clarity of the description.

The maximum length for this report is 6 pages (excluding title page, ToC, references, and appendices with supplementary material). Documents longer than the allowed limit may receive a penalty of 10% for each page over the limit.

Marks: 10 (25%)

Vulnerability Detection and Mitigation Implementation Report

Detection (5 marks) and mitigation (5 marks) implementations will be marked on the level of detail provided, practicality, originality and effectiveness, working implementations and the clarity of the descriptions. We will also consider how well limitations of the implementations are explained.

Description of the test environment setup and demo steps (6 marks) will be marked on completeness, details, structure, how well one could reproduce the setup and how well the steps can be understood without a live demo.

The maximum length for this report is 12 pages (excluding title page, ToC, references, and appendices with supplementary material).

Documents longer than the allowed limit may receive a penalty of 10% for each page over the limit.

Marks: 16 (40%)

Demonstration of design and implementation and Q&A will be marked on successful demonstration, structure, details, clarity and ability to answer questions.

The demonstration must not take longer than 10 minutes. More details will be provided later in the semester.

Marks: 12 (30%)

For both major reports we also expect short introductions (1-2 paragraphs) that provide an overview of the structure of the report, reference sections and citations in text

Group Work Requirements

If you choose to do the project as group work, please note the following requirements.

Groups must be formed prior to the submission of the topic proposal. Groups cannot be changed after the topic proposal has been submitted, with the exception that differential marking may be invoked in cases of demonstrated non-performance of a group member.

A no more than one-page work contribution summary must be submitted with both the Vulnerability Detection and Mitigation Design Report and the Vulnerability Detection and Mitigation Implementation Report. This contribution summary must detail for each student what work they have contributed and what the estimated percentage of this work out of the total work is. It must show that the contribution is roughly equal. This contribution summary must include work on the actual report (e.g. sections), research carried out, and any practical tasks such as setting up VMs and tools. The page must be dated and signed by both students. Reports without this contribution summary will not be marked. Differential marking may be invoked if the contribution summary does not show equal contributions.
