Software q1: /10

Here is my initial list of things to look for. My suggestion is to give them marks according to the exploit/information they gather. This is an indication of the discovery of vulnerabilities. You may want to add more if students gathered additional information. Also, students should get substantially more points if they demonstrated understanding of how the exploits work, as opposed to copying the output of some tool. See the Q&A section on the assignment website. Methods other than brute-force are generally better. In the end, we can rank them based on how thorough they were.

DB:
  DB Type
  DB Version
  Application queries
  Application users
  Database tables (via PostgreSQL metadata is better)
  Modifying Database Content

PHP/XSS:
  Successful cross site scripting
  Silent cross site scripting (user does not know they have been exploited)

Crypto q1: /5

  5/5 The code is fully functional and produces the expected results. It is clean, well-documented and easy to understand.
  4/5 The code is fully functional and produces the expected results. However, the code is either messy or not well-documented.
  3/5 The code is partially functional (works for small, but not for large numbers). Little or no documentation is given.
  2/5 Some code is provided in the assignment, but it does not produce the expected results. Evidence of understanding of the problem is present.
  1/5 Some code is provided in the assignment, but it does not produce the expected results. Very little evidence of understanding of the problem is present.

Crypto q2a: /2

  2/2 for correct answer + command (threeLaws2.txt). No marks for the answer only.

Crypto q2b: /6

  2/2 points for each correct and well-explained answer.
  1/2 point for each correct answer with no explanation OR some evidence of understanding.

Crypto q3part1: /5

Answer: for any message d multiple of block length.

  5/5 for the answer, clear explanation and understanding of the issue.
  3/5 for the answer and vague explanation of the issue.
  1/5 for the answer only.

Crypto q3part2: /5

Answer: An attacker can forge the MAC for the message "b || (CBC_MAC(b) xor CBC_MAC(a) xor b)". The forged tag is equal to M(a||b).

  5/5 for the answer, clear explanation and understanding of the issue.
  3/5 for the answer and vague explanation of the issue.
  1/5 for the answer only.

Crypto q4a: /5

Answer: the attacker can forge m3 = m1*m2 (mod n), with corresponding signature s3 = s1*s2 (mod n).

  5/5 for the answer, clear explanation and understanding of the issue.
  3/5 for the answer and vague explanation of the issue.
  1/5 for the answer only.
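
For graders checking a "clear explanation" of q4a, the following added example (not part of the original rubric or the assignment code) shows the multiplicative property of unpadded RSA signatures and how hashing the message before signing removes it. The key size, the messages and all function names are constructed assumptions for illustration.

```python
import hashlib

# Constructed toy key from two Mersenne primes (far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def sign_textbook(m):
    """Unpadded RSA signature: s = m^d mod n."""
    return pow(m, D, N)

def verify_textbook(m, s):
    return pow(s, E, N) == m % N

def digest_mod_n(m):
    """Toy hash-to-integer step (assumption; real schemes use RSA-PSS)."""
    raw = m.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def sign_hashed(m):
    """Hash-then-sign: s = H(m)^d mod n."""
    return pow(digest_mod_n(m), D, N)

def verify_hashed(m, s):
    return pow(s, E, N) == digest_mod_n(m)

def combine(m1, s1, m2, s2):
    """q4a answer: m3 = m1*m2 mod n, s3 = s1*s2 mod n (public values only)."""
    return (m1 * m2) % N, (s1 * s2) % N

def demo():
    m1, m2 = 1234567, 7654321  # constructed sample messages
    # Textbook RSA: (m1^d)(m2^d) = (m1*m2)^d mod n, so the product verifies.
    m3, s3 = combine(m1, sign_textbook(m1), m2, sign_textbook(m2))
    textbook_accepts = verify_textbook(m3, s3)
    # Hash-then-sign: H(m1)*H(m2) is unrelated to H(m1*m2), so it is rejected.
    m3, t3 = combine(m1, sign_hashed(m1), m2, sign_hashed(m2))
    hashed_accepts = verify_hashed(m3, t3)
    return textbook_accepts, hashed_accepts

if __name__ == "__main__":
    print("textbook accepts product: %s, hashed accepts product: %s" % demo())
```
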