CSE 5379/7379 Software Security Final Exam
- Question 1
- 5379/7379 ( 50 / 35 ) According to Oaks
("Java Security" pg 112) "if you want to establish a different security
policy in your application, it is easier to do it by writing a custom
class loader and establishing the permissions of classes within that
class loader than by writing a new implementation of the Policy class."
Do you agree or disagree? Why or why not?
- Question 2
- 5379/7379 ( 50 / 35 ) Discuss the Java
security model in light of the principles of software security described
in the first part of the class. Is the Java security model "necessary and
sufficient" -- i.e. is all of its overhead really needed and is it enough
for the problem it is trying to solve?
- Question 3
- 7379 only ( -- / 30 ) Assume that
you are going to be the technical lead on an important application development
project. You (of course) believe that Java should be used for its security
features. Write a persuasive argument for your management explaining the
trade-offs between using C and using Java for the application. Just to make
it interesting, assume that most of the programming staff already knows C and
only a few members of the staff know Java.