**Deadline:** Wednesday, 02/15/17, 11:59 pm
*This assignment is to be done as individuals, not with partners nor with teams.
Although you may discuss the assignment with others, your solution and the ideas
contained therein are expected to be your own. Any ideas you borrow from others
should be attributed to them. Please review the [course policies on academic
integrity][ai]. Also review the [course policies on assignments][assignments].*
### Problem 1 (6 pts)
Cornell's [Policy Regarding Abuse of Computers and Network
Systems][policy] is, in part, a security policy that stipulates
appropriate usage of computer systems at Cornell.
As a student studying computer security, you obviously need to know your
responsibilities with respect to that policy. And as a security expert, you
might some day be asked to write such a security policy or to evaluate
somebody's actions relative to a policy. So study the policy, then consider the following scenario:
Suppose that a CS 5430 student discovers a vulnerability that can be
exploited to bypass the usual NetID authentication used to login to Cornell
systems. Such exploitation would enable an attacker to login under any
NetID of their choice, thus impersonating any Cornellian. The attack
would yield access to all Cornell email, student grades, and student financial
Discuss whether each of the following behaviors is permitted by
the Cornell Policy linked above:
1. The student programs a tool that accomplishes the attack. The
student uses the tool, but only to read files they are already
allowed to access with their NetID.
2. The student programs a tool that accomplishes the attack. The
student doesn't actually use the tool but posts it to a well-known
website, along with instructions for use of the tool.
3. The student does not program an attack tool but does post a discussion
of how the attack would work to the "Overheard at Cornell" Facebook page
(i.e., a well-known public website). The discussion contains sufficient
technical details to enable a CS major to program an attack tool.
Explain your reasoning. You will be evaluated in part on how well-supported
your arguments are. It is to your advantage to quote specific excerpts from the policy
that support your arguments.
### Problem 2 (24 pts)
*[based on Schneider, exercise 1.4]*
Consider the following protocol for conducting an election:
1. A set of identical paper ballots is printed. Each ballot contains
the same list of candidates.
2. A pair of clerks prepares a ballot collection box by emptying it and locking it.
3. When potential voters arrive, they present photo ID to the pair of clerks, who
verify that the voter's name is on a predetermined list of qualified voters.
4. Each qualified voter is given a single unmarked ballot.
5. In a secluded voting booth, the voter uses a pen to mark one
candidate on the ballot.
6. The voter folds the ballot in half, hiding from view the list of candidates
and the one that was marked. The voter emerges from the booth and deposits the
marked ballot in the collection box.
7. After all votes have been cast, the pair of clerks unlocks the collection box.
8. The ballots are unfolded and counted by the clerks, who announce the winner.
For each of the eight steps of this protocol, reverse-engineer a
security policy that the step is intended to enforce. You should thus
invent eight distinct policies. You will be evaluated in part on how
closely related each policy is to its corresponding step. For example,
"the election is secure" is a policy that is too vague to be closely
related to any of the steps. Do your best to invent policies that
capture the essence of why each step is necessary in the protocol.
For each of your eight policies, label it as being about exactly one of
confidentiality, integrity, or availability, and justify your label. If
there is ambiguity about which aspect applies, revise your statement of
the policy to eliminate the ambiguity. You will be evaluated in part on
how clear it is that the label you have chosen is unambiguously the
Across your set of eight policies, there must be at least one policy about
confidentiality, one about integrity, and one about availability.
### Problem 3 (9 pts)
*[inspired by Pfleeger and Pfleeger, *Security in Computing*, 2007, exercise 1.20]*
Consider a computer system that enables a surgeon in one city to perform an operation
on a patient who is physically located in another city. The system involves
a program running on the surgeon's local computer, a robot that is co-located with
the patient, and an Internet connection between the computer and robot.
Discuss how each of the following three approaches could be employed in securing this
* Risk Management
* Deterrence through Accountability
Give examples of challenges that would arise in applying each approach.
The best examples will involve the specifics of this system, rather than
being general examples that would hold of most systems.
You will be evaluated in part on the extent to which you demonstrate understanding
of the three approaches, as well as how compelling and specific your examples are.
You might find it helpful to review the account of each approach in
[[Mulligan and Schneider 2011][ms11]].
### Problem 4 (8 pts)
Cybersecurity is often in the news. Find a news article about an incident that occurred
within the last year. Analyze the incident as follows:
* Summarize the attack. Provide a URL for the article.
* Identify the harm(s) involved. What was the asset? What loss or damage occurred?
* What was the threat? How would that threat be categorized in Schneider's
Taxonomy of Cybersecurity Threats [[S1 p. 3][fbs]]?
* What vulnerability was exploited in the attack?
* What countermeasure(s) could have been deployed?
You might find it helpful to review [[PP, chapter 1][pp]] for discussion of this
terminology. The book is available online through the Cornell library.
### Problem 5 (18 pts)
*[based on Bishop, chapter 12, problem 12.10]*
The `su` command enables a UNIX user `u1` to access the account of
another user `u2`. Unless `u1` is the superuser ("root"), `su` prompts
`u1` to enter the password of `u2`. Checking whether that password is
correct requires `su` to open the password file, `/etc/passwd`. On a
correctly configured UNIX system, that particular open operation will
always succeed. Then `su` can proceed with checking whether the
password is correct.
A CS 5430 student becomes concerned with what might happen if the UNIX
system is not configured correctly—in particular, what if a
misconfiguration caused the open operation to fail, and what if that led
to the system becoming unusable?
So the student decides to build a new version of `su` that works as follows.
If the open operation succeeds, then the password is checked. If it is
indeed the correct password for `u2`, then `u1` is granted access to the
account of `u2`. But if the open operation fails, then `u1` immediately
is granted access to the account of the superuser ("root"). The
student's intention is that `u1` would then be able to fix the
Discuss which of the following security principles the student's new
version of `su` upholds, which principles it violates, and which are simply irrelevant:
* Complete Mediation
* Least Privilege
* Failsafe Defaults
* Separation of Privilege
* Defense in Depth
* Economy of Mechanism
* Open Design
* Psychological Acceptability
You will be evaluated in part on how well you demonstrate understanding of each
of the principles. You might find it helpful to review the discussions of them
in [[Schneider, chapter 1][s1]] and [[Saltzer and Schroeder 1975][ss75]].
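The two behaviours of `su` described in Problem 5, side by side, as an added example in C; it is not part of the assignment and not the code of any real `su` implementation. The password-file contents, the user names `u1`/`u2`, and the plaintext password fields are constructed for illustration (a real system stores hashes, usually in `/etc/shadow`, and compares them with `crypt(3)`); a failed open of the password file is modelled by passing `NULL` instead of the file contents.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the contents of /etc/passwd. The second field is
 * a plaintext password here purely to keep the example self-contained;
 * a real system stores a hash, normally in /etc/shadow. */
const char *const SAMPLE_PASSWD =
    "root:rootpw:0:0:root:/root:/bin/sh\n"
    "u1:secret1:1001:1001:User One:/home/u1:/bin/sh\n"
    "u2:secret2:1002:1002:User Two:/home/u2:/bin/sh\n";

/* Find `user` in passwd-style text and compare `password` with the second
 * field of that line. Returns 1 on a match, 0 on a mismatch or unknown user. */
static int password_matches(const char *passwd_text, const char *user,
                            const char *password) {
    const char *line = passwd_text;
    size_t ulen = strlen(user);
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* field 1 is the user name, terminated by ':' */
        if (len > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *pw = line + ulen + 1;
            const char *pw_end = memchr(pw, ':', len - ulen - 1);
            size_t pwlen = pw_end ? (size_t)(pw_end - pw) : len - ulen - 1;
            return strlen(password) == pwlen && memcmp(pw, password, pwlen) == 0;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* The student's su: it fails OPEN. If the password file could not be opened
 * (passwd_text == NULL), the caller is granted root no matter who they are
 * or what they typed. Returns the account granted, or NULL for "denied". */
const char *student_su(const char *passwd_text, const char *caller,
                       const char *target, const char *password) {
    if (strcmp(caller, "root") == 0)
        return target;                 /* root is never asked for a password */
    if (passwd_text == NULL)
        return "root";                 /* misconfiguration -> superuser */
    return password_matches(passwd_text, target, password) ? target : NULL;
}

/* Fail-CLOSED su (Failsafe Defaults): if the password cannot be verified,
 * access is denied. The system may stay unusable until an administrator
 * repairs it out of band, but an error path can never raise privilege. */
const char *failsafe_su(const char *passwd_text, const char *caller,
                        const char *target, const char *password) {
    if (strcmp(caller, "root") == 0)
        return target;
    if (passwd_text == NULL)
        return NULL;                   /* cannot verify -> deny */
    return password_matches(passwd_text, target, password) ? target : NULL;
}

int main(void) {
    /* Same misconfigured state (open failed), same ordinary caller u1. */
    const char *s = student_su(NULL, "u1", "u2", "wrong-guess");
    const char *f = failsafe_su(NULL, "u1", "u2", "wrong-guess");
    printf("student su, open failed:  %s\n", s ? s : "denied");
    printf("failsafe su, open failed: %s\n", f ? f : "denied");
    printf("failsafe su, file readable, correct password: %s\n",
           failsafe_su(SAMPLE_PASSWD, "u1", "u2", "secret2"));
    return 0;
}
```

With the file readable, both variants behave identically; the difference shows only on the error path, which is exactly where the Failsafe Defaults principle applies.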
Submit a file named `a1.pdf` on [CMS][cms].
Use 10 point or larger type.
Be succinct; it's unlikely you will need to write more than one page per problem.
You will be evaluated on the quality of your solutions and on your
adherence to the submission stipulations above. We'll use the following
criteria in evaluating quality:
- *Validity:* do you present a logical, lucid, coherent, clearly
focused, well structured, and appropriately detailed argument?
- *Consistency:* do you employ concepts, principles, and terminology
as they are used in this course?
- *Evidence:* do you adequately support your conclusions?
- *Writing:* do you use proper mechanics, grammar, and style?