# A1
**Deadline:** Monday, 02/08/16, 11:59 pm
*This assignment is to be done as individuals, not with partners or in teams.
Although you may discuss the assignment with others, your solution and the ideas
contained therein are expected to be your own. Any ideas you borrow from others
should be attributed to them. Please review the [course policies on academic
integrity][ai]. Also review the [course policies on assignments][assignments].*
[ai]: http://www.cs.cornell.edu/courses/cs5430/2016sp/syllabus.php#ai
[assignments]: http://www.cs.cornell.edu/courses/cs5430/2016sp/syllabus.php#assignments
### Problem 1
Cornell's [Policy Regarding Abuse of Computers and Network
Systems][policy] is, in part, a security policy that stipulates
appropriate usage of computer systems at Cornell.
As a student studying computer security, you obviously need to know your
responsibilities with respect to that policy. And as a security expert, you
might some day be asked to write such a security policy or to evaluate
somebody's actions relative to a policy. So study the policy, as well
as the [Interpretation][interp] to which it links. Then consider the following
problem.
[policy]: http://www.it.cornell.edu/policies/university/privacy/abuse/index.cfm
[interp]: http://www.it.cornell.edu/policies/university/privacy/abuse/interpret.cfm
Suppose that a CS 5430 student discovers a vulnerability that can be
exploited to bypass the usual NetID authentication used to log in to Cornell
systems. Such exploitation would enable an attacker to log in under any
NetID of their choice, thus impersonating any person at Cornell. The attack
would yield access to all Cornell email, student grades, and student financial
statements.
Discuss whether each of the following behaviors is permitted by
the Cornell Policy linked above:
1. The student programs a tool that accomplishes the attack. The
student uses the tool, but only to read files they are already
allowed to access with their NetID.
2. The student programs a tool that accomplishes the attack. The
student doesn't actually use the tool but posts it to a well-known
website, along with instructions for use of the tool.
3. The student does not program an attack tool but does post a discussion
of how the attack would work to a well-known website. The discussion
contains sufficient technical details to enable a CS major to program
an attack tool.
Explain your reasoning, and point to specific excerpts from the policy
that support your answer. Identify any conditions or assumptions that
affect your answer.
### Problem 2
*[based on Schneider, exercise 1.4]*
Consider the following protocol for conducting an election:
1. A set of identical paper ballots is printed. Each ballot contains
the same list of candidates.
2. A pair of clerks prepares a ballot collection box by emptying it and locking it.
3. When potential voters arrive, they present photo ID to the pair of clerks, who
verify that the voter's name is on a predetermined list of qualified voters.
4. Each qualified voter is given a single unmarked ballot.
5. In a secluded voting booth, the voter uses a pen to circle one
candidate on the ballot.
6. The voter folds the ballot in half, hiding from view the list of candidates
and the one that was circled. The voter emerges from the booth and deposits the
marked ballot in the collection box.
7. After all votes have been cast, the pair of clerks unlocks the collection box.
8. The ballots are unfolded and counted by the clerks, who announce the winner.
**Part A.**
Construct a numbered list of security properties that should be
satisfied by any reasonable protocol for conducting an
election—not just by the protocol above. Identify each property as
being about confidentiality, integrity, or availability. Choose exactly
one of those three aspects for each property; if there is ambiguity
about which applies, revise your statement of the property to eliminate
the ambiguity.
**Part B.**
Establish the necessity of each of the eight protocol steps above by explaining how each
contributes to one or more of the numbered security properties you listed.
### Problem 3
*[inspired by Pfleeger and Pfleeger, *Security in Computing*, 2007, exercise 1.20]*
Consider a computer system that enables a surgeon in one city to perform an operation
on a patient who is physically located in another city. The system involves
a program running on the surgeon's local computer, a robot that is co-located with
the patient, and an Internet connection between the computer and robot.
Discuss how each of the following three approaches could be employed in securing this
system:
* Prevention
* Risk Management
* Deterrence through Accountability
Give examples of challenges that would arise in applying each approach.
The best examples will involve the specifics of this system, rather than
being general examples that would hold of most systems.
### Problem 4
Cybersecurity is often in the news. Find a news article about an incident that occurred
within the last year. Analyze the incident as follows:
* Summarize the attack. Provide a URL for the article.
* Identify the harm(s) involved. What was the asset? What loss or damage occurred?
* What was the threat? How would that threat be categorized in Schneider's
Taxonomy of Cybersecurity Threats [[S1 p. 3][fbs]]?
* What vulnerability was exploited in the attack?
* What countermeasure(s) could have been deployed?
[fbs]: http://www.cs.cornell.edu/fbs/publications/chptr.Intro.pdf
### Problem 5
*[based on Bishop, chapter 12, problem 12.10]*
The `su` command enables a UNIX user to access another user's account.
Unless the first user is the superuser ("root"), `su` requires that the
password of the second user be given. Checking whether that password is
correct requires `su` to open the password file, `/etc/passwd`. On a
correctly configured UNIX system, that particular open operation will
always succeed.
A CS 5430 student decides to build a version of `su` that works as
follows. If the password file cannot be opened, then the system is badly
misconfigured, so the superuser must be allowed to log in to fix
it. So the student's `su` implementation immediately grants superuser
access to the user.
Discuss which of the following security principles this approach upholds, which
principles it violates, and which are simply irrelevant:
[UPDATED 02/02/16:
reordered, renamed "Open Design", added "Psychological Acceptability"]
* Accountability
* Complete Mediation
* Least Privilege
* Failsafe Defaults
* Separation of Privilege
* Defense in Depth
* Economy of Mechanism
* Open Design
* Psychological Acceptability
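
The `su` decision logic described in Problem 5, modelled as an added example that is not part of the assignment or of Bishop's text. `su_decide`, `write_sample`, the `name:secret` file format and the sample entries are all constructed for illustration; the `on_open_failure` parameter lets the student's choice be run beside a variant that denies access when the file cannot be opened.

```c
#include <stdio.h>
#include <string.h>

enum su_result { SU_DENY, SU_GRANT_TARGET, SU_GRANT_ROOT };

/* Constructed, simplified format: one "name:secret" per line. A real su
 * compares password hashes; the direct compare keeps the example short. */
static int entry_matches(FILE *f, const char *user, const char *secret)
{
    char line[256];
    size_t ulen = strlen(user);
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        if (strncmp(line, user, ulen) == 0 && line[ulen] == ':')
            return strcmp(line + ulen + 1, secret) == 0;
    }
    return 0; /* user not listed */
}

/* on_open_failure is the outcome when the password file cannot be opened. */
enum su_result su_decide(const char *path, const char *user,
                         const char *secret, enum su_result on_open_failure)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return on_open_failure; /* no credential was checked */
    int ok = entry_matches(f, user, secret);
    fclose(f);
    return ok ? SU_GRANT_TARGET : SU_DENY;
}

/* Writes constructed sample entries; returns 0 on success. */
int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("alice:constructed-secret-1\nbob:constructed-secret-2\n", f);
    return fclose(f);
}

int main(void)
{
    const char *good = "su_demo_passwd.txt", *bad = "no_such_dir/passwd";
    if (write_sample(good) != 0) return 1;
    /* SU_GRANT_ROOT on open failure is the student's design. */
    printf("student, wrong secret: %d\n", su_decide(good, "bob", "x", SU_GRANT_ROOT));
    printf("student, open fails:   %d\n", su_decide(bad, "bob", "x", SU_GRANT_ROOT));
    printf("variant, open fails:   %d\n", su_decide(bad, "bob", "x", SU_DENY));
    remove(good);
    return 0;
}
```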
### Submission
Submit a file named `a1.pdf` on [CMS][cms].
Use 10 point or larger type.
Be succinct; it's unlikely you will need to write more than one page per problem.
[cms]: https://cms.csuglab.cornell.edu/
### Evaluation
You will be evaluated on the quality of your solutions and on your
adherence to the submission stipulations above. We'll use the following
criteria in evaluating quality:
- *Validity:* do you present a logical, lucid, coherent, clearly
focused, well structured, and appropriately detailed argument?
- *Consistency:* do you employ concepts, principles, and terminology
as they are used in this course?
- *Evidence:* do you adequately support your conclusions?
- *Writing:* do you use proper mechanics, grammar, and style?