Vulnerability Detection and Mitigation project
You have been recruited as a full-time security administrator/engineer. You are responsible
for monitoring newly discovered vulnerabilities, and if they affect the organisation’s IT
systems it is also your responsibility to design and implement security measures to deal with
the vulnerability if the vulnerable system/software cannot be upgraded or patched. For this
project we assume a “new” vulnerability has been recently discovered for a system/software
that is critical for the organisation and cannot be taken offline, upgraded, or replaced in the
short-term, and no upgrade or patch will be available in the short-term.
The aim of this project is to put your skills to practical use. In this project you will identify
and research a security vulnerability and then design and implement strategies for detecting
the exploitation of the vulnerability and mitigating the vulnerability (while continuing to
provide the affected service). You will document these in a report and implement them in a
(virtual) test environment. You will demonstrate the effectiveness of your approach to other
students in class. Your reports will contain details on the vulnerability, the setup and
demonstration of the test environment as well as descriptions of the design and
implementation of the detection and mitigation techniques developed.
It is anticipated that students will attempt a very diverse range of projects; specific details of
the project may be discussed with your teacher in class to give you more guidance.
The project has three phases: (1) topic proposal, (2) vulnerability description and proposed
exploitation detection and mitigation techniques report and (3) vulnerability detection and
mitigation demonstration and final report.
Topic Proposal
You must pick a vulnerability you want to tackle and propose exploitation detection and
mitigation approaches for it. It is not your teacher’s responsibility to suggest vulnerabilities to
you. Each proposal must be approved by your teacher, so make sure you get the
approval prior to the topic proposal submission.
You must submit a one-page document containing the list of group members (student names
and numbers), the vulnerability (CVE number and name), a 2-3 paragraph description of the
vulnerability and a 3-4 paragraph description on how you plan to detect and mitigate it. The
descriptions must be written by you and not be copied from other sources.
Vulnerabilities without a CVE identifier may be accepted at the discretion of the unit
coordinator, but only if you can make a good case at least 1 week prior to the proposal
deadline.
The following requirements apply. Any choices that do not fulfil the requirements are
automatically rejected (or if submitted will result in 0 marks) unless an exception has been
granted by the unit coordinator in writing.
1. In each lab/workshop one vulnerability can only be picked once. This is so the final
demonstrations are not just a repetition of the same topic, but everybody will learn about
protections against several vulnerabilities. Check with your teacher which
vulnerabilities are still available before topic submission and submit the topic
proposal early to get the vulnerability of your choice.
ICT379 Security Architectures and Systems Administration Project – V3 Last Updated 05/12/2022
2. The vulnerability must have a significant impact (a CVSS score of 5.0 or higher)
and must have the potential to be reasonably widespread, i.e. it should be a vulnerability
that affect(ed) a reasonably popular OS, application or device.
3. The vulnerability must be from the year 2020 or newer (as per CVE).
4. You cannot choose vulnerabilities that are trivial, and you must choose vulnerabilities
which can be reproduced by some means (e.g. Metasploit or other proof of concept code)
and for which detection and mitigations mechanisms as outlined above can be
implemented and demonstrated.
Vulnerability Detection and Mitigation Design
The activities that you will undertake are as follows:
1. Describe and explain the vulnerability with a reasonable high level of technical detail
in your own words. A copy of a CVE report is not acceptable, and a superficial
description will attract low marks. The description must include outcomes of the
vulnerability, i.e. what it can be used for, what level of access it provides, and which
systems are affected by the vulnerability.
2. Under the assumption that there is no short-term fix for the vulnerability, describe a
method for detecting the actual exploitation of this vulnerability. This part should start
with a more general explanation of the approach but must also provide a detailed
technical design for it and explain how it can be implemented. Significant limitations
must be discussed.
3. Under the assumption that there is no short-term fix for the vulnerability, describe a
method for mitigating exploitation based on this vulnerability. This part should start with
a more general explanation of the approach but must also provide a detailed technical
design for it and explain how it can be implemented. Significant limitations must be
discussed.
Your proposed approaches should be original solutions and not a copy of existing
approaches/solutions, and originality will be used as one marking criterion. If your solution
is based on any previous work, this previous work must be referenced. Non-original solutions
without references are academic misconduct and will result in 0 marks.
Vulnerability Detection and Mitigation Implementation
The main activities that you will undertake are as follows:
1. Build a virtual test environment and implement and test your proposed techniques. With
this environment you should then be able to demonstrate the detection of an exploitation
of the vulnerability and the mitigation of the vulnerability. The test environment
should be saved as one or more VirtualBox VM image(s) that are self-contained and
need to be submitted.
The login credentials used for all the test environment machines must be
documented in the report.
If you submit a VM that we cannot access, due to wrong credentials or any other reasons
then you will get a penalty of 20% of the total marks for this report.
To execute the vulnerability, you can use any existing code including Metasploit.
However, the solutions for detection and mitigation must be your own.
In general, your setup must include a vulnerable system that can be exploited. In some
cases where this is not practical as a vulnerable system cannot be obtained (e.g. the
vulnerable software is no longer available) and only with permission of the unit
coordinator, this requirement can be waived.
2. Document the setup of the test environment. This does not need to include trivial steps,
like the basic install of Windows/Linux, but any configuration/installation beyond that
must be documented in detail.
3. Explain step-by-step the demonstration of detection and mitigation measures. The level of
detail must be such that the teacher could use your VM(s) and repeat the demonstration.
4. Prepare and give a live demonstration and prepare to be asked questions after the
demonstration. Using screen capture video for parts of the demonstration is permissible in
exceptional circumstances, e.g. if an exploit takes very long, but this must be approved by
your teacher. If video is used, the student ID of one student must be included in shell
commands or by other means.
5. Your final report will document the design and implementation of the proposed
techniques (refined version of the initial design), discuss limitations (if any), explain the
test environment, and provide a step-by-step demonstration.
Assessment Items
The following items need to be submitted for assessment:
1. Topic proposal (before you submit, discuss it with your teacher first!).
This is a mandatory component of the assignment.
2. Vulnerability detection and mitigation written report:
a. Explanation of the vulnerability and how it is exploited.
b. Explanation and design of approach to detect exploitation of the vulnerability.
c. Explanation and design of approach to mitigate exploitation of the
vulnerability.
Each part should explain all the technical details without being excessively long.
Limitations (if any) should also be briefly discussed.
This is a mandatory component of the assignment.
3. Vulnerability detection and mitigation implementation written report:
a. Refined explanation of your designed and implemented detection and
mitigation approaches.
b. Documentation for setting up the test environment. Screenshots are very
useful here.
c. Demonstration of your implemented approaches. You must use screenshots to
illustrate the different steps and outcomes.
d. Discussion on the limitations of your approaches.
This is a mandatory component of the assignment.
4. Demonstration of the vulnerability detection and mitigation to your fellow students in
class. This is meant to be a practical demonstration rather than a slide presentation.
However, you should think about how to demonstrate it best, so that other people can
understand what you are talking about. Your demonstration should have a clear structure,
such as introduction, vulnerability explanation, detection, mitigation, and limitations. It is
not mandatory to create any slides, but a few slides may be helpful, especially for the
theoretic parts. The demonstration will conclude with a short question and answer section.
This is a mandatory component of the assignment and will be done in the last
lab/workshop time slot or in the case of external students enrolled in Perth in a
special session to be announced.
5. Test environment (VMs). Due to the size of the test environment, it cannot be submitted
via LMS, and you need to submit it directly to your teacher, for example via USB stick
after the demo or a link to cloud storage. If using cloud storage, a link to the VMs must be
included in the final report and MS OneDrive should be used (every Murdoch University
student is provided with sufficient free space on OneDrive thanks to the MS education
program). This is a mandatory component of the assignment.
Note that NOT submitting one of the mandatory components will result in a fail in this
assessment, i.e. your mark for this assessment will be capped at a maximum of 49.
Assessment
The overall mark allocation out of 40 marks is as follows:

Topic Proposal: 2 marks (5%)
The mark will be determined based on how well you describe the vulnerability and
your plan to detect and mitigate it. The proposal should demonstrate that you
understand the basics of the vulnerability and the fundamental mechanisms of how
to detect and mitigate it.
No individual extensions will be given for the topic proposal. Any late
submissions will receive 0 marks for the topic proposal component.
Documents longer than 1 page will also receive 0 marks.

Vulnerability Detection and Mitigation Design Report: 10 marks (25%)
The vulnerability description (4 marks) will be marked based on the level of detail
provided and the clarity of the description. The detection and mitigation design
descriptions (6 marks) will be marked based on the applicability of the approach to
the vulnerability, practicality, originality, feasibility (working design), level of
detail provided, limitations discussed and the clarity of the description.
The maximum length for this report is 7 pages (excluding title page, ToC,
references, and appendices with supplementary material). Documents longer
than the allowed limit may receive a penalty of 10% for each page over the
limit.

Vulnerability Detection and Mitigation Implementation Report: 16 marks (40%)
Detection (5 marks) and mitigation (5 marks) implementations will be marked on
the level of detail provided, practicality, originality, effectiveness, working
implementations, and the clarity of the descriptions. We will also consider how
well limitations of the implementations are explained. Description of the test
environment setup and demo steps (6 marks) will be marked based on
completeness, necessary details, structure, how well one could reproduce the setup
and how well the steps can be understood without a live demo.
The maximum length for this report is 15 pages (excluding title page, ToC,
references, and appendices with supplementary material). Documents longer
than the allowed limit may receive a penalty of 10% for each page over the
limit.

Demonstration and Q&A: 12 marks (30%)
Demonstration of design and implementation and Q&A will be marked on success,
coverage of all aspects, structure, details, clarity, and ability to answer questions.
The demonstration must not take longer than 10 minutes. More details will be
provided later in the semester. If the project was done as a team, then each student
must do approximately half of the demonstration. Marks for this component will be
allocated individually and not presenting will result in a 0 mark for this
component automatically.
For both major reports we also expect short introductions (1-2 paragraphs) that provide an
overview of the structure of the report and of course a reference section.