# A1 **Deadline:** Wednesday, 02/15/17, 11:59 pm *This assignment is to be done as individuals, not with partners nor with teams. Although you may discuss the assignment with others, your solution and the ideas contained therein are expected to be your own. Any ideas you borrow from others should be attributed to them. Please review the [course policies on academic integrity][ai]. Also review the [course policies on assignments][assignments].* [ai]: http://www.cs.cornell.edu/courses/cs5430/2017sp/syllabus.php#ai [assignments]: http://www.cs.cornell.edu/courses/cs5430/2017sp/syllabus.php#assignments ### Problem 1 (6 pts) Cornell's [Policy Regarding Abuse of Computers and Network Systems][policy] is, in part, a security policy that stipulates appropriate usage of computer systems at Cornell. As a student studying computer security, you obviously need to know your responsibilities with respect to that policy. And as a security expert, you might some day be asked to write such a security policy or to evaluate somebody's actions relative to a policy. So study the policy, then consider the following problem. [policy]: https://it.cornell.edu/policy/policy-50-abuse-computers-and-network-systems Suppose that a CS 5430 student discovers a vulnerability that can be exploited to bypass the usual NetID authentication used to login to Cornell systems. Such exploitation would enable an attacker to login under any NetID of their choice, thus impersonating any Cornellian. The attack would yield access to all Cornell email, student grades, and student financial statements. Discuss whether each of the following behaviors is permitted by the Cornell Policy linked above: 1. The student programs a tool that accomplishes the attack. The student uses the tool, but only to read files they are already allowed to access with their NetID. 2. The student programs a tool that accomplishes the attack. The student doesn't actually use the tool but posts it to a well-known website, along with instructions for use of the tool. 3. The student does not program an attack tool but does post a discussion of how the attack would work to the "Overheard at Cornell" Facebook page (i.e., a well-known public website). The discussion contains sufficient technical details to enable a CS major to program an attack tool. Explain your reasoning. You will be evaluated in part on how well-supported your arguments are. It is to your advantage to quote specific excerpts from the policy that support your arguments. ### Problem 2 (24 pts) *[based on Schneider, exercise 1.4]* Consider the following protocol for conducting an election: 1. A set of identical paper ballots is printed. Each ballot contains the same list of candidates. 2. A pair of clerks prepares a ballot collection box by emptying it and locking it. 3. When potential voters arrive, they present photo ID to the pair of clerks, who verify that the voter's name is on a predetermined list of qualified voters. 4. Each qualified voter is given a single unmarked ballot. 5. In a secluded voting booth, the voter uses a pen to mark one candidate on the ballot. 6. The voter folds the ballot in half, hiding from view the list of candidates and the one that was marked. The voter emerges from the booth and deposits the marked ballot in the collection box. 7. After all votes have been cast, the pair of clerks unlocks the collection box. 8. The ballots are unfolded and counted by the clerks, who announce the winner. For each of the eight steps of this protocol, reverse-engineer a security policy that the step is intended to enforce. You should thus invent eight distinct policies. You will be evaluated in part on how closely related each policy is to its corresponding step. For example, "the election is secure" is a policy that is too vague to be closely related to any of the steps. Do your best to invent policies that capture the essence of why each step is necessary in the protocol. For each of your eight policies, label it as being about exactly one of confidentiality, integrity, or availability, and justify your label. If there is ambiguity about which aspect applies, revise your statement of the policy to eliminate the ambiguity. You will be evaluated in part on how clear it is that the label you have chosen is unambiguously the correct label. Across your set of eight policies, there must be at least one policy about confidentiality, one about integrity, and one about availability. ### Problem 3 (9 pts) *[inspired by Pfleeger and Pfleeger, *Security in Computing*, 2007, exercise 1.20]* Consider a computer system that enables a surgeon in one city to perform an operation on a patient who is physically located in another city. The system involves a program running on the surgeon's local computer, a robot that is co-located with the patient, and an Internet connection between the computer and robot. Discuss how each of the following three approaches could be employed in securing this system: * Prevention * Risk Management * Deterrence through Accountability Give examples of challenges that would arise in applying each approach. The best examples will involve the specifics of this system, rather than being general examples that would hold of most systems. You will be evaluated in part on the extent to which you demonstrate understanding of the three approaches, as well as how compelling and specific your examples are. You might find it helpful to review the account of each approach in [[Mulligan and Schneider 2011][ms11]]. [ms11]: http://www.cs.cornell.edu/fbs/publications/publicCybersecDaed.pdf ### Problem 4 (8 pts) Cybersecurity is often in the news. Find a news article about an incident that occurred within the last year. Analyze the incident as follows: * Summarize the attack. Provide a URL for the article. * Identify the harm(s) involved. What was the asset? What loss or damage occurred? * What was the threat? How would that threat be categorized in Schneider's Taxonomy of Cybersecurity Threats [[S1 p. 3][fbs]]? * What vulnerability was exploited in the attack? * What countermeasure(s) could have been deployed? [fbs]: http://www.cs.cornell.edu/fbs/publications/chptr.Intro.pdf You might find it helpful to review [[PP, chapter 1][pp]] for discussion of this terminology. The book is available online through the Cornell library. [pp]: https://newcatalog.library.cornell.edu/catalog/9473792 ### Problem 5 (18 pts) *based on [Bishop, chapter 12, problem 12.10]* The `su` command enables a UNIX user `u1` to access the account of another user `u2`. Unless `u1` is the superuser ("root"), `su` prompts `u1` to enter the password of `u2`. Checking whether that password is correct requires `su` to open the password file, `/etc/passwd`. On a correctly configured UNIX system, that particular open operation will always succeed. Then `su` can proceed with checking whether the password is correct. A CS 5430 student becomes concerned with what might happen if the UNIX system is not configured correctly—in particular, what if a misconfiguration caused the open operation to fail, and what if that led to the system becoming unusable? So the student decides to build a new version of `su` that works as follows. If the open operation succeeds, then the password is checked. If it is indeed the correct password for `u2`, then `u1` is granted access to the account of `u2`. But if the open operation fails, then `u1` immediately is granted access to the account of the superuser ("root"). The student's intention is that `u1` would then be able to fix the misconfiguration. Discuss which of the following security principles the student's new version of `su` upholds, which principles it violates, and which are simply irrelevant: * Accountability * Complete Mediation * Least Privilege * Failsafe Defaults * Separation of Privilege * Defense in Depth * Economy of Mechanism * Open Design * Psychological Acceptability You will be evaluated in part on how well you demonstrate understanding of each of the principles. You might find it helpful to review the discussions of them in [[Schneider, chapter 1][s1]] and [[Saltzer and Schroeder 1975][ss75]]. [s1]: http://www.cs.cornell.edu/fbs/publications/chptr.Intro.pdf [ss75]: http://web.mit.edu/Saltzer/www/publications/protection/ ### Submission Submit a file named `a1.pdf` on [CMS][cms]. Use 10 point or larger type. Be succinct; it's unlikely you will need to write more than one page per problem. [cms]: https://cms.csuglab.cornell.edu/ ### Evaluation You will be evaluated on the quality of your solutions and on your adherence to the submission stipulations above. We'll use the following criteria in evaluating quality: - *Validity:* do you present a logical, lucid, coherent, clearly focused, well structured, and appropriately detailed argument? - *Consistency:* do you employ concepts, principles, and terminology as they are used in this course? - *Evidence:* do you adequately support your conclusions? - *Writing:* do you use proper mechanics, grammar, and style?