2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1) Exam: High Integrity Systems Engineering
(SWEN90010_2021_SM1)
Started: Jun 8 at 15:00
Quiz Instructions Academic Integrity Declaration
Copyright By Assignmentchef assignmentchef
By commencing and/or submitting this assessment I agree that I have read and understood the
Universitys policy on academic integrity. (https://academicintegrity.unimelb.edu.au/#online-exams)
I also agree that:
1. Unless paragraph 2 applies, the work I submit will be original and solely my own work (cheating);
2. I will not seek or receive any assistance from any other person (collusion) except where the work is for a designated collaborative task, in which case the individual contributions will be indicated; and,
3. I will not use any sources without proper acknowledgment or referencing (plagiarism).
4. Where the work I submit is a computer program or code, I will ensure that:
a. any code I have copied is clearly noted by identifying the source of that code at the start of the program or in a header file or, that comments inline identify the start and end of the copied code; and
b. any modifications to code sourced from elsewhere will be commented upon to show the nature of the modification.
The final exam is an open book assessment.
While you are undertaking the final exam you are permitted to:
make use of the course notes and lecture slides (including soft-copy versions)
make use of the example programs that have been part of this subject, including any code that you have written, provided that you include suitable attribution
make use of the sample solutions to the assignments, provided you include suitable attribution make use of tools such as Alloy, GNAT GPS, gnatmake, gnatprove, for checking, compiling, or executing Alloy models Ada programs respectively.
While you are undertaking the final exam you must not:
make use of any messaging or communications technology
make use of any world-wide web or internet-based resources such as wikipedia, stackoverflow, or google and other search services
act in any manner that could be regarded as providing assistance to another student who is undertaking the final exam, or will in the future be undertaking the final exam.
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 1/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
The work you submit must be based on your own knowledge and skills, without assistance from any other person.
Question 1 2 pts
Consider a fault-tolerant system that uses two servers A and B, where each server is a redundant back-up of the other. If you were drawing a fault tree for this system, and that fault tree had two nodes: Server A Fails and Server B Fails, that each represented failure of one of the two servers, which type of gate would the two nodes
[ Select ]
Consider a different system. This system contains a web server and a database server. The web server handles requests from clients and, in order for it to handle those requests, it communicates with the database server. Consider a fault tree for this system that contains two nodes Web Server Fails and Database Server Fails. Which type of gate would they be connected by?
[ Select ]
be connected by?
Question 2 6 pts
For each of the following threats, which STRIDE category does it best correspond to?
The attacker modifies the contents of a public website.
[ Choose ]
[ Choose ]
The attacker crashes the system, preventing other users from accessing it.
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 2/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
The attacker steals sensitive data pertaining to other customers.
The attacker pretends to be a legitimate user of the system.
The attacker is able to have their user account added to the System Administrators group, i.e. they are able to obtain Administrator access to the system.
The attacker deletes the access logs for the system.
[ Choose ]
[ Choose ]
[ Choose ]
[ Choose ]
Question 3 1 pts
Consider a simple Alloy model of the access control system for a learning management system (LMS). The job of the access control system is to manage which users have access to which subjects. It does so by storing for each user and each subject the roles that the user has within that subject. Roles include being an Administrator (who is allowed to change which users have access to which subjects in which roles), an Instructor, a Tutor, and a Student.
We can model the various roles using the following Alloy signature declarations:
We can model the access control state of this system using the following Alloy signatures. Here ACL stands for access control list and represents the access control state of the system.
Complete the implementation of the following predicate which given a user u and role r, and ACL a, says whether u has role r in any subject, according to the ACL a.
abstract sig Role {}
one sig Student, Tutor, Instructor, Administrator extends Role {}
sig Subject {}
sig User {}
roles : User -> Subject -> Role
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 3/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
pred user_has_role[u : User, r : Role, a : ACL] {
// FILL IN HERE
Edit View Insert Format Tools Table 12pt Paragraph
0 words
Question 4 3 pts
(continuing the LMS example from the previous question)
Only Administrators are allowed to enrol students into subjects. A user is an Administrator if they have the Administrator role in any subject. We say that a user is enrolled in a subject when that user has the Student role in that subject.
Write an Alloy predicate enrol_student that takes as its arguments a User
u, Subject s, User t, initial ACL a, and final ACL a. Your predicate models the action when the user u enrols the user t into the subject s. It should hold if and only if the enrolment is successful. Note: your predicate should succeed if the user t is already enrolled as a student in the subject s, in which case it should leave the ACL unchanged.
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 4/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
Edit View Insert Format Tools Table 12pt Paragraph
0 words
Question 5 5 pts
(continuing the LMS example from the previous question)
Administrators can also add users as staff members to subjects. A user is a staff member for a subject if that user has either the Tutor or Instructor role for that subject. A user who is an Instructor for a particular subject s can also add staff members for subject s.
Write an alloy predicate add_staff that takes as its arguments a User u, Subject
s, User t, Role r, initial ACL a, and final ACL a, and models the action of user u adding user t as a staff member with role r to the subject s. As before, your predicate should hold if and only if adding the staff member was successful, and should succeed if user t already has staff role r for subject s (in which case it should leave the ACL unchanged).
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 5/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
Edit View Insert Format Tools Table 12pt Paragraph
0 words
Question 6 5 pts
(continuing the LMS example from the previous question)
Your colleague has written the following Alloy function that, given a Subject s and ACL a, is supposed to return the users that are enrolled as students in that subject.
Is this definition correct? Using the concept of relational joins, explain your answer.
Note: a.roles.Student.s is equivalent to ((a.roles).Student).s
Edit View Insert Format Tools Table 12pt Paragraph
fun get_enrolments[s : Subject, a : ACL] : User {
a.roles.Student.s
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 6/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
https://canvas.lm
p 0 words
Question 7 7 pts
(continuing the LMS example from the previous question)
Write an Alloy assertion that states that for all subjects s, whenever a student is enrolled in s or a new staff member is added to s, then the roles for all other subjects are left unchanged.
Edit View Insert Format Tools Table 12pt Paragraph
s.unimelb.edu.au/courses/106714/quizzes/113648/take
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 8/18
Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
p 0 words
Question 8 7 pts
Consider the following snippet of Ada code that defines the specification for a package WaterTemperatureUnsafe. This hypothetical package specification was written by translating some declarations from another (unsafe) programming language, like C. Therefore it is not very safe.
this package provides utility functions for handling and converting
between water temperature values in both Celsius and Fahrenheit
package WaterTemperatureUnsafe is
takes a Celsius water temperature (an Integer in the range 0..100)
and converts it to Fahrenheit (an Integer in the range 32..212)
function Celsius_to_Fahrenheit(C : in Integer) return Integer;
takes a Fahrenheit water temperature (an Integer in the range 32..212)
and converts it to Celsius (an Integer in the range 0..100)
function Fahrenheit_to_Celsius(F : in Integer) return Integer;
end WaterTemperatureUnsafe;
Your task is to show how to rewrite this package specification to take advantage of Adas safe programming features. That is you should write a package specification for a package WaterTemperature that provides two
functions Celsius_to_Fahrenheit and Fahrenheit_to_Celsius for converting water temperatures between Celsius and Fahrenheit. Your package specification is free to declare new types, if you wish. So you are free to change the types for the arguments and return values of these two functions if you wish.
Note: you do not need to implement these functions.
You should not use any SPARK annotations in your package specification (e.g. you
should not use any pre and postcondition annotations).
You should add comments to your code explaining the following, for each function:
What extra guarantees does your package specification provide to client
code that wishes to make use of its functions (i.e. to code that calls functions from your package)?
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
What extra guarantees does your package specification provide to
the implementation code that implements these functions (i.e. to the code that would implement the body of your package)?
Edit View Insert Format Tools Table 12pt Paragraph
0 words
Question 9 3 pts
Consider the program below. Here the constants M and N and the variables k and result are all mathematical integers. This program computes M mod N in the result variable. M mod N is defined when M 0 and N > 0 and is the unique integer r, where 0 r and r < N, such that there exists some integer k for which (N k) + r = M (where is multiplication on mathematical integers).https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 9/18 2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1) Suppose we wish to prove the following Hoare logic statement about this program, where S is the program above:Write down a suitable loop invariant I for the while-loop of the program, that is suitable for establishing this specification.Note: you do not need to use Canvas formatted mathematical notation if you do not wish to for this question. For instance instead of writing you can write >= instead. Likewise for multiplication you can just use * if you wish.
However if you do wish to use mathematical formatting, you can do that by clicking the button above the text box with three vertical dots and then selecting the square root symbol.
Edit View Insert Format Tools Table 12pt Paragraph
0 words
Question 10 8 pts
(Continuing with the M mod N example from the previous question.)
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 10/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
Use the rules of Hoare logic to prove that this program satisfies the Hoare logic statement from the previous question.
You are free to use the following theorem in your proof:
Theorem 1: Let M, N, k and r be integers. Suppose that (Nk) + r=M, 0r and r < N.Then it is the case that: r = M mod NNote: as with the previous question, you do not need to use Canvas formattedmathematical notation if you do not wish to for this question.However if you do wish to use mathematical formatting, you can do that by clicking the button above the text box with three vertical dots and then selecting the square root symbol.You can also upload image(s) of handwriting by using the insert picture button also available after clicking on the three vertical dots button above.Edit View Insert Format Tools Table 12pt Paragraph0 words
Question 11 2 pts
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 11/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
(Continuing with the M mod N example from the previous question.)
The Hoare logic statement you proved about the program guarantees that, when executed from an initial state satisfying the precondition, if the program successfully terminates then its postcondition holds.
What happens when the program is executed when N is negative but M is non- negative, assuming that all variables in the program are mathematical integers (i.e. they never overflow)? Do you think, therefore, that you could prove a version of the Hoare logic statement above for this program that has a weaker precondition? If so, give an example.
Edit View Insert Format Tools Table 12pt Paragraph
0 words
Question 12 2 pts
Consider the following piece of C code. It uses two pointers p and q, which each point to separate ints.
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 12/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
We carefully describe what it does, but this description can be skipped if you prefer to read the code. It reads the int that p points to and stores it in the local variable v. It also creates a pointer t and makes t point to the same int that p does, initially. It then reads the value that q points to and stores this value into the location that p points to. It then stores the value v into the location that q points to. Finally it makes p point to the location that q originally pointed to, and makes q point to the location
that p originally pointed to (by making q point to the same location that t does).
Suppose the program is run from a state satisfying the following separation logic precondition:
Which of the following separation logic conditions describes the state of the program after it has executed the first four statements but before it has executed the final two statements. Note: these are written using |-> and * instead of the mathematical notation used above.
{p |-> 5 * q |-> 10 * v = 5 * t = p} {p |-> 10 * q |-> 5 * v = 5 * t = p} {p |-> 5 * q |-> 10 * v = 10 * t = p} {p |-> 10 * q |-> 5 * v = 10 * t = p}
int v = *p;
int *t = p;
p = q; q = t;
Question 13 2 pts
(Continuing with the C pointer program from the previous question.)
Which of the following separation logic conditions describes the state of the program after it has finished, assuming it starts from an initial state satisfying the following precondition:
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 13/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
https://canvas.lm
{p |-> 20 * q |-> 10} {p |-> 20 * q |-> v} {p |-> 10 * q |-> 20} {p |-> 10 * q |-> v}
Question 14 4 pts
(Continuing with the C pointer program from the previous question.)
Suppose we translate this program directly into Ada with no optimisations. If the type IntPtr is declared as type IntPtr is access Integer (i.e. represents pointers to Integers) then we can write this program in Ada as follows.
V : Integer := P.all;
T : IntPtr := P;
P.all := Q.all;
Q.all := V;
Does this program satisfy SPARKs aliasing restrictions? If so, explain why. If not, explain how it should be modified to satisfy them without changing how it behaves.
Edit View Insert Format Tools Table 12pt Paragraph
s.unimelb.edu.au/courses/106714/quizzes/113648/take
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 15/18
Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
p 0 words
Question 15 5 pts
Recall that the SPARK Prover essentially applies the rules of Hoare logic to prove properties about SPARK programs, including proving that they are free of runtime errors like array index out of bounds errors.
Consider the following snippet of SPARK code:
type Int_Array is array(Integer range 1..10) of Integer;
procedure Init_A(A : in out Int_Array)
with Post => (for all I in ARange => A(I) = I)
I : Integer := AFirst;
while I <= A’Last looppragma Loop_Invariant (for all J in A’First..I-1 => A(J) = J);
A(I) := I;
I := I + 1;
end Init_A;
When run through the SPARK Prover, the SPARK Prover complains that the statement A(I) := I in the loop might result in the array being accessed out of bounds. Specifically it gives the following message:
array index check might fail (e.g. when I = 0)
Explain why the loop invariant is not strong enough to prove that the statement A(I) := I will not result in the array being accessed out of bounds, and how the invariant needs to be strengthened so that the SPARK Prover can prove that this code is free of runtime errors.
Ideally, your answer should be no more than 3 to 5 sentences long.
Edit View Insert Format Tools Table 12pt Paragraph
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
p 0 words
Question 16 3 pts
Consider a single server running a single piece of software. Suppose we wish to make the system more fault tolerant. Consider the following three (3) designs. Each design guards against a kind of failure that the preceding designs do not. For instance, design A guards against certain failures that the original system (consisting of a single server running a single piece of software) does not. Likewise, design B guards against certain failures that design A does not, and so on.
Identify one kind of failure that each design guards against that the preceding designs do not. That is, compare design A to the single server running the single piece of software; compare design B to design A; compare design C to design B. For each, identify a failure that the new design guards against. You only need to write 1 to 2 sentences for each.
Design A: multiple identical servers each running identical software
Design B: multiple identical servers each running an independently developed
instance of the software
Design C: multiple servers each of whose hardware was independently developed, each running an independently developed instance of the software
Edit View Insert Format Tools Table
https://canvas.lms.unimelb.edu.au/courses/106714/quizzes/113648/take 16/18
2021/6/8 Quiz: Exam: High Integrity Systems Engineering (SWEN90010_2021_SM1)
0 words
12pt Paragraph
Question 17 5 pts
Suppose you are leading the teams that are developing the software that controls a safety-critical system. Specifically you are given informal requirements derived from a HAZOPS study or similar that describe how the software needs to behave.
Your manager suggests that you should en
CS: assignmentchef QQ: 1823890830 Email: [email protected]
Reviews
There are no reviews yet.