# A1

**Deadline:** Monday, 02/08/16, 11:59 pm

*This assignment is to be done as individuals, not with partners nor with teams. Although you may discuss the assignment with others, your solution and the ideas contained therein are expected to be your own. Any ideas you borrow from others should be attributed to them. Please review the [course policies on academic integrity][ai]. Also review the [course policies on assignments][assignments].*

[ai]: http://www.cs.cornell.edu/courses/cs5430/2016sp/syllabus.php#ai
[assignments]: http://www.cs.cornell.edu/courses/cs5430/2016sp/syllabus.php#assignments

### Problem 1

Cornell's [Policy Regarding Abuse of Computers and Network Systems][policy] is, in part, a security policy that stipulates appropriate usage of computer systems at Cornell. As a student studying computer security, you obviously need to know your responsibilities with respect to that policy. And as a security expert, you might some day be asked to write such a security policy or to evaluate somebody's actions relative to a policy. So study the policy, as well as the [Interpretation][interp] to which it links. Then consider the following problem.

[policy]: http://www.it.cornell.edu/policies/university/privacy/abuse/index.cfm
[interp]: http://www.it.cornell.edu/policies/university/privacy/abuse/interpret.cfm

Suppose that a CS 5430 student discovers a vulnerability that can be exploited to bypass the usual NetID authentication used to log in to Cornell systems. Such exploitation would enable an attacker to log in under any NetID of their choice, thus impersonating any person at Cornell. The attack would yield access to all Cornell email, student grades, and student financial statements.

Discuss whether each of the following behaviors is permitted by the Cornell Policy linked above:

1. The student programs a tool that accomplishes the attack. The student uses the tool, but only to read files they are already allowed to access with their NetID.

2. The student programs a tool that accomplishes the attack. The student doesn't actually use the tool but posts it to a well-known website, along with instructions for use of the tool.

3. The student does not program an attack tool but does post a discussion of how the attack would work to a well-known website. The discussion contains sufficient technical details to enable a CS major to program an attack tool.

Explain your reasoning, and point to specific excerpts from the policy that support your answer. Identify any conditions or assumptions that affect your answer.

### Problem 2

*[based on Schneider, exercise 1.4]*

Consider the following protocol for conducting an election:

1. A set of identical paper ballots is printed. Each ballot contains the same list of candidates.

2. A pair of clerks prepares a ballot collection box by emptying it and locking it.

3. When potential voters arrive, they present photo ID to the pair of clerks, who verify that the voter's name is on a predetermined list of qualified voters.

4. Each qualified voter is given a single unmarked ballot.

5. In a secluded voting booth, the voter uses a pen to circle one candidate on the ballot.

6. The voter folds the ballot in half, hiding from view the list of candidates and the one that was circled. The voter emerges from the booth and deposits the marked ballot in the collection box.

7. After all votes have been cast, the pair of clerks unlocks the collection box.

8. The ballots are unfolded and counted by the clerks, who announce the winner.

**Part A.** Construct a numbered list of security properties that should be satisfied by any reasonable protocol for conducting an election&mdash;not just by the protocol above. Identify each property as being about confidentiality, integrity, or availability. Choose exactly one of those three aspects for each property; if there is ambiguity about which applies, revise your statement of the property to eliminate the ambiguity.

**Part B.** Establish the necessity of each of the eight protocol steps above by explaining how each contributes to one or more of the numbered security properties you listed.

### Problem 3

*[inspired by Pfleeger and Pfleeger, *Security in Computing*, 2007, exercise 1.20]*

Consider a computer system that enables a surgeon in one city to perform an operation on a patient who is physically located in another city. The system involves a program running on the surgeon's local computer, a robot that is co-located with the patient, and an Internet connection between the computer and robot.

Discuss how each of the following three approaches could be employed in securing this system:

* Prevention
* Risk Management
* Deterrence through Accountability

Give examples of challenges that would arise in applying each approach. The best examples will involve the specifics of this system, rather than being general examples that would hold of most systems.

### Problem 4

Cybersecurity is often in the news. Find a news article about an incident that occurred within the last year. Analyze the incident as follows:

* Summarize the attack. Provide a URL for the article.
* Identify the harm(s) involved. What was the asset? What loss or damage occurred?
* What was the threat? How would that threat be categorized in Schneider's Taxonomy of Cybersecurity Threats [[S1 p. 3][fbs]]?
* What vulnerability was exploited in the attack?
* What countermeasure(s) could have been deployed?

[fbs]: http://www.cs.cornell.edu/fbs/publications/chptr.Intro.pdf

### Problem 5

*based on [Bishop, chapter 12, problem 12.10]*

The `su` command enables a UNIX user to access another user's account. Unless the first user is the superuser ("root"), `su` requires that the password of the second user be given. Checking whether that password is correct requires `su` to open the password file, `/etc/passwd`. On a correctly configured UNIX system, that particular open operation will always succeed.

A CS 5430 student decides to build a version of `su` that works as follows. If the password file cannot be opened, then the system is badly misconfigured, therefore the superuser must be allowed to log in to fix it. So the student's `su` implementation immediately grants superuser access to the user.

Discuss which of the following security principles this approach upholds, which principles it violates, and which are simply irrelevant:

<span style="color:#00FF00;">[UPDATED 02/02/16: reordered, renamed "Open Design", added "Psychological Acceptability"]</span>

* Accountability
* Complete Mediation
* Least Privilege
* Failsafe Defaults
* Separation of Privilege
* Defense in Depth
* Economy of Mechanism
* Open Design
* Psychological Acceptability

### Submission

Submit a file named `a1.pdf` on [CMS][cms]. Use 10 point or larger type. Be succinct; it's unlikely you will need to write more than one page per problem.

[cms]: https://cms.csuglab.cornell.edu/

### Evaluation

You will be evaluated on the quality of your solutions and on your adherence to the submission stipulations above. We'll use the following criteria in evaluating quality:

- *Validity:* do you present a logical, lucid, coherent, clearly focused, well structured, and appropriately detailed argument?
- *Consistency:* do you employ concepts, principles, and terminology as they are used in this course?
- *Evidence:* do you adequately support your conclusions?
- *Writing:* do you use proper mechanics, grammar, and style?
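
The decision logic that Problem 5 describes, as an added C sketch that is not part of the original assignment: `su_student` grants superuser access when the password file cannot be opened, and `su_deny_on_error` is a contrasting variant that treats the same failure as a failed authentication. The `name:secret` file format, the file paths and all function names are assumptions made for illustration; a real `su` verifies a password hash rather than comparing plaintext.

```c
#include <stdio.h>
#include <string.h>
enum su_result { SU_DENY, SU_GRANT_TARGET, SU_GRANT_ROOT };

/* Checks user/pw against a constructed "name:secret" file (not the real
 * /etc/passwd layout). Returns 1 on match, 0 on mismatch, -1 if open fails. */
static int check_password(const char *path, const char *user, const char *pw)
{
    char line[256];
    int ok = 0;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (!ok && fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        char *sep = strchr(line, ':');
        if (!sep) continue;              /* skip malformed lines */
        *sep = '\0';
        ok = strcmp(line, user) == 0 && strcmp(sep + 1, pw) == 0;
    }
    fclose(f);
    return ok;
}

/* The design from Problem 5: an unreadable password file yields root access. */
enum su_result su_student(const char *path, const char *user, const char *pw)
{
    int r = check_password(path, user, pw);
    if (r < 0) return SU_GRANT_ROOT;
    return r ? SU_GRANT_TARGET : SU_DENY;
}

/* Contrasting variant: failure to open counts as failed authentication. */
enum su_result su_deny_on_error(const char *path, const char *user, const char *pw)
{
    return check_password(path, user, pw) == 1 ? SU_GRANT_TARGET : SU_DENY;
}

/* Writes the constructed sample file; returns 0 on success. */
int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("alice:constructed-secret\n", f);
    return fclose(f);
}

int main(void)
{
    const char *missing = "/nonexistent/a1_passwd"; /* constructed path */
    printf("%d %d\n", su_student(missing, "alice", "x"), su_deny_on_error(missing, "alice", "x"));
    return 0;
}
```

With a readable file the two variants return the same result for every input; they differ only on the path where the open fails.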