CS5430 System Security - Articulating Security Goals (Fall 2020)
To assert that a system S is trustworthy, we first must understand
(i) what S is expected to do, and
(ii) what S is expected not to do.
One way to reach that level of understanding is to write a description of
the system in terms of the following elements (and in this order)
-
Types of users.
Each different user type is allowed to engage in different activities.
Enumerate the list of user types.
For each user type, describe what those allowed activities are
(including interfaces that would be accessed).
-
Assets and threat.
What are the threats?
What are the capabilities of each threat?
What system assets is each threat motivated to compromise?
Here, assets are system state and/or system operations (such as input/output).
-
Security policies.
What security policies prevent threats from achieving their goals?
List the security policies that you believe are critical.
For each security policy, identify whether it is confidentiality,
integrity, or availability.
Example: Grade Management System
Using the above structure,
a simple grade management system might be described as follows.
-
Types of users:
All access to the system is through a web interface.
Nobody has physical access to the server itself.
- student.
Submits assignments, if the due date has not passed.
Learns grade for an assignment he/she submitted that has been graded.
Learns summary statistics for any graded assignment.
- teaching assistant.
Assigns grades to assignments, adding comments to explain flaws;
can create new assignments;
can alter submission deadline and other assignment characteristics.
- course administrator.
Adds/removes students from class;
adds/removes teaching assistants.
- professor.
Can do anything a teaching assistant or course administrator can do.
-
Assets and threat:
Assets include:
system state recording the deadline and other characteristics of an assignment,
assignment submission made by any student,
grade assigned to any student for an assignment.
The threat is
students who will attempt to access the server through its web site and read/change
the assets.
The capabilities of this threat are the ability to write programs and
send messages to the hosting system (either directly or by using a web browser).
-
Security policies:
The list given below is abbreviated and intended just to illustrate
the level of detail we are suggesting---you might well include
additional policies
(up to a total of 7).
[Integrity]:
No student may change the grade on any assignment.
[Confidentiality]:
No student may learn the grade assigned to another student's assignment.
[Availability]:
If the due date has not passed then a student may submit an assignment.
....
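The description above is prose, but each element of it (user types and their allowed activities, the assets, the threat's access path, and the three policies) can be made precise by writing it down as code and then checking the policies against the access decisions. The following Python sketch is an added illustration, not course code: the role table, the data model, the function names (authorized, check_policies), the sample users and the fixed deadline are all constructed here. It renders the grade-management example as a small reference monitor for the web interface and then evaluates the integrity, confidentiality and availability policies over every student, which is the kind of check one would want before claiming the policies hold.

```python
"""Executable sketch of the grade-management example from this page.

The page gives user types, assets, the threat and three policies in prose;
everything here (role table, data model, function names, sample users,
the fixed deadline) is constructed for illustration and is not course code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# User types and the activities each may engage in (the page's list).
ACTIVITIES = {
    "student": {"submit", "read_own_grade", "read_stats"},
    "teaching_assistant": {"assign_grade", "create_assignment", "alter_deadline"},
    "course_administrator": {"add_student", "remove_student",
                             "add_teaching_assistant", "remove_teaching_assistant"},
}
# A professor can do anything a teaching assistant or course administrator can do.
ACTIVITIES["professor"] = (ACTIVITIES["teaching_assistant"]
                           | ACTIVITIES["course_administrator"])


@dataclass
class Assignment:
    """Assets: the assignment's deadline and the grade recorded per student."""
    name: str
    due: datetime
    grades: dict = field(default_factory=dict)   # student name -> grade


@dataclass
class User:
    name: str
    role: str


def authorized(user, activity, asg, now, target=None):
    """Reference monitor for the web interface: may `user` perform `activity`
    on assignment `asg` at time `now`?  `target` names the student whose grade
    is being read (read_own_grade) or written (assign_grade)."""
    if activity not in ACTIVITIES.get(user.role, set()):
        return False
    if activity == "submit":
        # Submission is accepted only while the due date has not passed.
        return now <= asg.due
    if activity == "read_own_grade":
        # A student learns a grade only for a submission of theirs that is graded.
        return target == user.name and user.name in asg.grades
    return True


def check_policies(users, asg, now):
    """Evaluate the page's three policies against the monitor's decisions.
    Returns {policy label: True if the policy holds for every user in `users`}."""
    students = [u for u in users if u.role == "student"]
    # [Integrity]: no student may change the grade on any assignment.
    integrity = all(
        not authorized(s, "assign_grade", asg, now, target=t.name)
        for s in students for t in students)
    # [Confidentiality]: no student may learn another student's grade.
    confidentiality = all(
        not authorized(s, "read_own_grade", asg, now, target=t.name)
        for s in students for t in students if s is not t)
    # [Availability]: before the due date, every student may submit.
    availability = all(
        authorized(s, "submit", asg, now)
        for s in students if now <= asg.due)
    return {"[Integrity]": integrity,
            "[Confidentiality]": confidentiality,
            "[Availability]": availability}


# Constructed sample state: one assignment with a fixed deadline, one grade.
DUE = datetime(2020, 10, 1, 23, 59)
BEFORE_DUE = DUE - timedelta(days=1)
AFTER_DUE = DUE + timedelta(seconds=1)
HW1 = Assignment("hw1", DUE, grades={"alice": 90})
USERS = [User("alice", "student"), User("bob", "student"),
         User("carol", "teaching_assistant"),
         User("dan", "course_administrator"), User("eve", "professor")]

if __name__ == "__main__":
    for label, holds in check_policies(USERS, HW1, BEFORE_DUE).items():
        print(label, "holds" if holds else "VIOLATED")
```

Writing the monitor and the policies separately is the point: the monitor encodes what each user type is allowed to do, while check_policies states what the threat (a student using the web interface) must not be able to do, so a mistake in the role table (say, adding "assign_grade" to the student set) shows up as a violated policy rather than going unnoticed.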
Exercise: Secure 1-way anonymous communication
An app runs on a computer and enables communication of text messages with
another user who is running a copy of the app.
The app communicates with a cloud-based service, which reformats and relays messages.
The recipient of a message does not learn the sender's identity but can issue a reply that
will be delivered to the original sender.