# A2 **Deadline:** Wednesday, 03/01/17, 11:59 pm *This assignment may be done as individuals or with one partner. Teams of size three or greater are not permitted. If you do use a partner, you might try the following strategy: one of you drafts answers to problems 1 and 2, the other drafts answers to problem 1 and 3, then you meet to critique and improve each other's answers, and to do problem 4 together.* ### Problem 1 (16 pts) **Part A** A house is equipped with an alarm system that communicates with a *monitoring service*. This alarm system consists of a *control panel*, which is installed on the ground floor; *proximity sensors*, which are attached to each portal (door or window) on the ground floor and notify the control panel when a portal is open; and *motion sensors*, which are attached near each door on the ground floor and notify the control panel when they detect motion. Both kinds of sensors are connected to the control panel by wires that run through the house walls. The control panel is wired to house power. It also is wired to the house landline that connects to a telephone provider; that connection is used by the control panel to contact the monitoring service. The house, in addition to a ground floor, has a basement. The basement has no exterior doors, but it does have small (1x2') windows mounted at the tops of the walls to provide some natural light. There is a single interior door on the first floor that opens to a stairwell leading down to the basement. There are no motion or proximity sensors in the basement. The house also has a second floor reachable by a stairwell from the ground floor. Neither end of that stairwell has a door. The control panel is mounted in the middle of the stairwell. The second floor does have windows, but there are no motion or proximity sensors on the second floor. The alarm system operates in either *armed* or *disarmed* mode. The mode can be changed by pushing buttons on the control panel. In disarmed mode, the alarm system is idle. In armed mode, the control panel processes signals received from sensors and take proper actions, such as emitting noise or notifying the monitoring service, as described below. Immediately after the system is armed, there is a one minute delay during which the system remains idle; when that minute expires, the system becomes active. The control panel is capable of emitting a soft beep, which can be heard from within about 15', as well as a loud alarm, which can be heard throughout the house. Whenever the loud alarm is triggered, the control panel notifies the monitoring service. The monitoring service first attempts to contact the resident of the house using a phone number established in advance. If the resident cannot be reached within one minute, the monitoring company notifies the local police precinct. Let's engage in some *adversarial thinking*: we want you to think about how to attack this alarm system. Below, we list some of the countermeasures the alarm system employs. For each countermeasure, reverse engineer a vulnerability it controls, and identify what capabilities a threat would need to exploit that vulnerability. If your answer depends on unspecified details of the house or alarm system, make a reasonable choice and document that as part of your answer. 1. When the system is armed and a proximity sensor detects that a portal is open, the panel sounds a soft beep for one minute, followed by a loud alarm. If the system is disarmed during the soft beep phase, the loud alarm does not occur. 2. When the system is armed and a motion sensor detects sustained movement for more than five seconds, the panel sounds a soft beep for one minute, followed by a loud alarm. If the system is disarmed during the soft beep phase, the loud alarm does not occur. 3. When the system is armed and the proximity sensor detects that the interior basement door is open, the panel immediately sounds a loud alarm. (This behavior overrides the behavior in bullet point 1.) 4. When the monitoring services reaches the resident at the phone number, the resident is required to state a password. If the resident does not, or states the wrong password, the monitoring service notifies the local police precinct. 5. When arming or disarming the alarm system, the user must enter a 4-digit PIN code on the control panel. 6. The control panel has a 9-volt battery as an alternative power source. The battery recharges itself from house power whenever that is available. **Part B** System security often comes at a tradeoff. Discuss any tradeoffs you see in the design of this alarm system. Here are some ideas to get you started: * Security vs. convenience * Security vs. privacy ### Problem 2 (21 pts) First, **perform a threat analysis and harm analysis** on the following system. In doing so, you should answer these questions: 1. What are the assets of the system? Identify at least three core assets that are essential to stakeholders in the system, rather than ancillary assets that merely enable access to those core assets. You may exclude the hardware and software implementing clients and servers from your analysis, as well as the network itself. 2. What are the threats of concern? What are their motivations and capabilities? Are there any threats that are excluded? Make your threat analysis specific to the system under consideration, rather than being generic. 3. For each asset, what are the possible harms that could occur? For each harm, characterize whether it affects the confidentiality, integrity, or availability of the corresponding asset. If you can't come up with one of those three kinds of harms for a particular asset, write a sentence or two explaining why you believe that asset can't be harmed in that way. Second, **write security goals** for the system based on your analysis. If any goals are infeasible, identify ways to relax the goals. **Email System.** Users access the email system through a web browser and a well-known URL. The following user stories summarize the functional requirements for the email system: 1. Users can enter a user name and password to authenticate. 2. Authenticated users can see a list of email messages in their inbox. 3. Authenticated users can view, reply to, and delete messages. 4. Authenticated users can compose a new message, aided by an address book of known contacts. 5. Authenticated users can logout. Note that the user stories sketched above leave many details of the system unspecified. Where necessary, feel free to resolve those details in your answer, but also clearly state any additional assumptions you make. ### Problem 3 (21 pts) Repeat what you did in Problem 2, but for the following system: **Smart Meter System.** Users have an electricity meter installed outside their house; you may assume that the meter resists physical attacks. The meter is connected to a WiFi home area network (HAN), as are major appliances inside the house; assume that the HAN is not bridged to the public Internet. The meter is also connected to a cellular (e.g., GSM) wide area network (WAN), which enables communication with the electrical utility service. Here are some user stories: 1. The meter can report to the utility service the amount of electricity used each hour. 2. During periods of peak power usage, the utility service can send hints to the meter to conserve energy, which the meter relays to appliances on the HAN. 3. Upon receiving conservation hints, an appliance can choose to enter a lower-power mode. ### Problem 4 (10 pts) Follow these instructions to familiarize yourself with FindBugs: * Ensure Java is already installed in your machine. * Download and unzip [Findbugs 3.0.1](http://findbugs.sourceforge.net/downloads.html). Also download `gradesystem.zip` from CMS. This is part of the source code of a course project from a previous semester. Please do not redistribute this code. * Follow instructions in [Quick Start](http://findbugs.sourceforge.net/manual/running.html) to launch the FindBugs GUI. * In the FindBugs GUI, choose File->New Project. Give the project a name of your choice. Add to the "Classpath for Analysis" the gradesystem.zip file you downloaded in the previous part of the lab. Add to "Source Directories" the same gradesystem.zip file. Run the analysis. * Use the View menu to view only Scary bugs. Then only the Scariest bugs. Then All Bug Ranks. * Experiment with viewing bugs in different ways using the "Group Bugs By" interface. Drag-and-drop the different bug attributes ("Bug Kind", "Category", etc.) to see how bugs can be sorted in various ways. Attributes before symbol "<->" are considered for the "Group Bugs By" operation, while attributes after "<->" are ignored. Then write answers to the following questions: 1. How many bugs of Troubling or worse rank exist in the Security category? 2. Examine the rank 12, Correctness bug, where field logDisplay in method Client_Second.connectClient is deemed to be unwritten. Did the analysis miss an initialization of this field? Or did the programmer fail to initialize it? What is the potential problem that results from this bug? How should this bug be fixed? 3. Examine any of the security bugs identified by the analysis in ConnectionClass.java. What is a potential harm that results from this bug and how can this harm be caused? *Hint: read about [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).* ### Submission If you work with a partner, first form a group on CMS; submit as that group, rather than submitting the same solution independently. Submit a single PDF to [CMS][cms]. Use 10 point or larger type. Be succinct; it's unlikely you will need to write more than a page or two per problem. [cms]: https://cms.csuglab.cornell.edu/ ### Evaluation You will be evaluated on the quality of your solutions and on your adherence to the submission stipulations above. We'll use the following criteria in evaluating quality: - *Validity:* do you present a logical, lucid, coherent, clearly focused, well structured, and appropriately detailed argument? - *Consistency:* do you employ concepts, principles, and terminology as they are used in this course? - *Evidence:* do you adequately support your conclusions? - *Writing:* do you use proper mechanics, grammar, and style?