Homework 2: Security Policies

Hard deadline: Wednesday, March 4, 11:59 pm.
Soft deadline: Monday, March 2, 11:59 pm

Problem 1

Gates Hall is a fancy new building that incorporates many security features. Among them are the following:

  1. All Cornell affiliates are issued RFID-enabled ID cards.
  2. Building entrances, staircases, elevators, and some rooms have RFID locks.
  3. Building entrances, staircases, and elevators are locked after hours. If a student is expected to work in the building (e.g., in a lab or student office), their ID card can unlock the external doors. If a student is expected to work upstairs, their ID card can unlock the staircases and elevators.
  4. There are security cameras in the front entrances on the first and ground floors.
  5. Student workspaces are locked at all times. If a student is expected to work in the building, their ID card can unlock the room where they are expected to work.
  6. Faculty ID cards can unlock all student offices, lab spaces, and common rooms.
  7. Any Cornell affiliate can have their ID card enabled to unlock additional RFID locks by requesting (and being approved for) access by the IT department.
  8. Campus Police have master keys that unlock all locks.

What security goals are these security features designed to accomplish? For each goal, identify it as being related to a confidentiality, integrity, or availability harm, explain the connection each security feature has to this goal, and identify any assumptions that are necessary for these security features to achieve this goal.

You should endeavor to construct a complete list of security goals. At a minimum, make sure you have at least one security goal related to each of confidentiality, integrity, and availability.

Problem 2

based on [Schneider, chapter 1, problem 1.17]

Several of the Gates Hall security features are intended to prevent access by unauthorized persons.

  1. To what extent do these security features satisfy the independence requirement of Defense in Depth? How might you improve Gates Hall's security features to increase independence?
  2. To what extent do these security features satisfy the overlapping requirement of Defense in Depth? How might you improve Gates Hall's security features to increase overlap?
  3. To what extent do these security features enforce Complete Mediation? How might you improve Gates Hall's security features to achieve Complete Mediation?

You may refer to the security features given in Problem 1, or you may discuss other features you have observed. Be sure to identify any assumptions that affect your answers.

Problem 3

based on [Bishop, chapter 12, problem 12.10]

The su command enables a UNIX user to access another user's account. Unless the first user is the superuser ("root"), su requires that the password of the second user be given. Checking whether that password is correct requires su to open the password file, /etc/passwd. On a correctly configured UNIX system, that particular open operation will always succeed.

A CS 5430 student decides to build a version of su that works as follows. If the password file cannot be opened, then the system is badly misconfigured, so the superuser must be allowed to log in to fix it. The student's su implementation therefore immediately grants superuser access to the user.
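To make the decision concrete, here is a small C model of the two behaviours. It is an added example, not part of the assignment and not the code of any real su: it keeps only the decision su makes around opening the password file. The plain-text user:password file format, the paths, and the function names are assumptions made for this illustration (real systems store password hashes, usually in /etc/shadow, and consult PAM rather than parsing the file directly).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the assignment or of any real su.
 * Models only the decision su makes around opening the password file.
 * The "password file" is a constructed plain-text user:password list
 * (real systems store hashes, typically in /etc/shadow); its format and
 * the helper names below are assumptions made for this illustration. */

enum su_result { SU_DENY = 0, SU_GRANT_TARGET = 1, SU_GRANT_ROOT = 2 };

/* Return 1 if user/password match a "user:password" line in the file at
 * path, 0 if the file was readable but nothing matched, -1 if it could not
 * be opened at all. Callers must treat -1 differently from 0. */
int check_password(const char *path, const char *user, const char *password)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;                       /* the case the problem is about */

    char line[256];
    int matched = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        char *sep = strchr(line, ':');
        if (sep == NULL)
            continue;                    /* skip malformed lines */
        *sep = '\0';
        if (strcmp(line, user) == 0 && strcmp(sep + 1, password) == 0) {
            matched = 1;
            break;
        }
    }
    fclose(f);
    return matched;
}

/* The student's su from the problem: if the password file cannot be
 * opened, grant superuser access immediately (it "fails open"). */
enum su_result su_student(const char *path, bool caller_is_root,
                          const char *target, const char *password)
{
    if (caller_is_root)
        return SU_GRANT_TARGET;          /* root is not asked for a password */
    int rc = check_password(path, target, password);
    if (rc == -1)
        return SU_GRANT_ROOT;            /* "misconfigured, so let them fix it" */
    return rc == 1 ? SU_GRANT_TARGET : SU_DENY;
}

/* A variant that refuses whenever the check cannot be performed (it "fails
 * closed"); recovery is left to a separate channel such as single-user
 * mode or a console root login. */
enum su_result su_fail_closed(const char *path, bool caller_is_root,
                              const char *target, const char *password)
{
    if (caller_is_root)
        return SU_GRANT_TARGET;
    int rc = check_password(path, target, password);
    if (rc == -1) {
        fprintf(stderr, "su: cannot open %s; refusing\n", path);
        return SU_DENY;
    }
    return rc == 1 ? SU_GRANT_TARGET : SU_DENY;
}

/* Write a constructed password file for the demonstration (assumed path). */
bool write_constructed_pwfile(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return false;
    fputs("alice:correct-horse\nbob:battery-staple\n", f);
    return fclose(f) == 0;
}

int main(void)
{
    const char *good = "/tmp/hw2_constructed_passwd.txt";
    const char *missing = "/nonexistent/dir/passwd";   /* simulates the misconfiguration */
    if (!write_constructed_pwfile(good))
        return 1;
    printf("student su, file present, right password: %d\n",
           su_student(good, false, "alice", "correct-horse"));
    printf("student su, file present, wrong password:  %d\n",
           su_student(good, false, "alice", "nope"));
    printf("student su, file missing:                  %d\n",
           su_student(missing, false, "alice", "nope"));
    printf("fail-closed su, file missing:              %d\n",
           su_fail_closed(missing, false, "alice", "nope"));
    return 0;
}
```

Note that in the student's version the caller never needs to know a valid password, or even a valid user name, to reach the SU_GRANT_ROOT branch: the only precondition is that the open fails, and whether an unprivileged user can cause that (disk full, a mount point moved, a resource limit on open files) is exactly the assumption the problem asks you to examine.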

Discuss which of the security principles this approach meets, and which principles it violates.

Problem 4

Cornell's Policy Regarding Abuse of Computers and Network Systems is, in part, a security policy that stipulates appropriate usage of computer systems at Cornell.

As a student studying computer security, you obviously need to know your responsibilities with respect to that policy. (As a security expert, you might some day be asked to write such a security policy or to evaluate somebody's actions relative to a policy.) So study the policy, as well as the Interpretation to which it links. Then consider the following problem.

Suppose that a CS 5430 student discovers a vulnerability that can be exploited to log in to Cornell systems under any Cornell NetID, thus impersonating any person at Cornell. This attack would yield access to all Cornell email, student grades, and student financial statements.

Discuss whether each of the following behaviors is permitted by Cornell's policies:

  1. The student programs a tool that accomplishes the attack. The student uses the tool, but only to read files they are allowed to access with their NetID.
  2. The student programs a tool that accomplishes the attack. The student doesn't actually use the tool but posts it to a well-known website, along with instructions for use of the tool.
  3. The student does not program an attack tool but does post a discussion of how the attack would work to a well-known website.

Explain your reasoning, and point to specific excerpts from the policy that support your answer. Identify any conditions or assumptions that affect your answer.

Submission

Format your solutions as a single PDF. Include your name and NetID as a header on every page. Use 10 point or larger type. Start your solution to each problem on a separate page. Restrict your solution to at most one page for every problem. (Your PDF should therefore contain exactly 4 pages.) Submit a file named hw2.pdf on CMS.

Evaluation

You will be evaluated on the quality of your solutions and on your adherence to the submission stipulations above. We'll use the following criteria in evaluating quality: