**Deadline:** Wednesday, 03/01/17, 11:59 pm
*This assignment may be done as individuals or with one partner.
Teams of size three or greater are not permitted. If you do use
a partner, you might try the following strategy: one of you drafts
answers to problems 1 and 2, the other drafts answers to problem 1 and 3,
then you meet to critique and improve each other's answers, and to do
problem 4 together.*
### Problem 1 (16 pts)
A house is equipped with an alarm system that communicates with a
*monitoring service*. This alarm system consists of a *control panel*,
which is installed on the ground floor; *proximity sensors*, which are
attached to each portal (door or window) on the ground floor and notify
the control panel when a portal is open; and *motion sensors*, which are
attached near each door on the ground floor and notify the control panel
when they detect motion. Both kinds of sensors are connected to the
control panel by wires that run through the house walls. The control
panel is wired to house power. It also is wired to the house landline
that connects to a telephone provider; that connection is used by the
control panel to contact the monitoring service.
The house, in addition to a ground floor, has a basement. The basement
has no exterior doors, but it does have small (1x2') windows mounted at
the tops of the walls to provide some natural light. There is a single
interior door on the first floor that opens to a stairwell leading down
to the basement. There are no motion or proximity sensors in the
The house also has a second floor reachable by a stairwell from the
ground floor. Neither end of that stairwell has a door. The control
panel is mounted in the middle of the stairwell. The second floor does
have windows, but there are no motion or proximity sensors on the second
The alarm system operates in either *armed* or *disarmed* mode. The mode
can be changed by pushing buttons on the control panel. In disarmed
mode, the alarm system is idle. In armed mode, the control panel
processes signals received from sensors and takes appropriate actions, such as
emitting noise or notifying the monitoring service, as described below.
Immediately after the system is armed, there is a one minute delay during
which the system remains idle; when that minute expires, the system
The control panel is capable of emitting a soft beep, which can be heard
from within about 15', as well as a loud alarm, which can be heard
throughout the house. Whenever the loud alarm is triggered, the control
panel notifies the monitoring service. The monitoring service first
attempts to contact the resident of the house using a phone number established
in advance. If the resident cannot be reached within one minute, the monitoring
company notifies the local police precinct.
Let's engage in some *adversarial thinking*: we want you to think about
how to attack this alarm system. Below, we list some of the
countermeasures the alarm system employs. For each
countermeasure, reverse engineer a vulnerability it controls, and
identify what capabilities a threat would need to exploit that
vulnerability. If your answer depends on unspecified details of
the house or alarm system, make a reasonable choice and document
that as part of your answer.
1. When the system is armed and a proximity sensor detects that a portal is open, the
panel sounds a soft beep for one minute, followed by a loud alarm. If the system
is disarmed during the soft beep phase, the loud alarm does not occur.
2. When the system is armed and a motion sensor detects sustained movement for more
than five seconds, the panel sounds a soft beep for one minute, followed by a loud
alarm. If the system is disarmed during the soft beep phase, the loud alarm does
3. When the system is armed and the proximity sensor detects that the interior basement
door is open, the panel immediately sounds a loud alarm. (This behavior
overrides the behavior in bullet point 1.)
4. When the monitoring service reaches the resident at the phone number, the
resident is required to state a password. If the resident does not, or
states the wrong password, the monitoring service notifies the local police
5. When arming or disarming the alarm system, the user must enter a 4-digit
PIN code on the control panel.
6. The control panel has a 9-volt battery as an alternative power source. The battery
recharges itself from house power whenever that is available.
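The panel behaviour specified above, as an added example that is not part of the assignment: a one-second discrete-time model of the control panel built from countermeasures 1, 2, 3 and 5, so the stated timing windows can be checked (for instance, that a disarm during the soft beep suppresses the loud alarm, and that the basement door skips the beep phase). The monitoring-service side (phone call, password, police) is not modelled, and the PIN values used with it are constructed.

```python
from dataclasses import dataclass

ARM_DELAY = 60     # idle minute after arming (seconds), from the spec
BEEP_WINDOW = 60   # soft beep before the loud alarm (seconds), from the spec
MOTION_HOLD = 5    # movement must be sustained for more than this many seconds

@dataclass
class AlarmPanel:
    pin: str                   # 4-digit PIN (countermeasure 5); test values are constructed
    armed: bool = False
    arm_countdown: int = 0     # seconds left in the post-arming idle period
    beep_remaining: int = 0    # seconds left in the soft beep phase (0 = not beeping)
    motion_seconds: int = 0    # consecutive seconds of detected motion
    loud_alarm: bool = False   # latched: once set, the monitoring service was notified

    def set_armed(self, pin, armed):
        """Arm or disarm the panel; countermeasure 5 requires the PIN either way."""
        if pin != self.pin:
            return False
        self.armed = armed
        self.arm_countdown = ARM_DELAY if armed else 0
        self.beep_remaining = self.motion_seconds = 0  # disarming cancels a beep phase (1, 2)
        return True

    def _start_beep(self):
        if self.beep_remaining == 0 and not self.loud_alarm:
            self.beep_remaining = BEEP_WINDOW

    def portal_open(self, basement_door=False):
        if not self.armed or self.arm_countdown:       # idle: disarmed or in arming delay
            return
        if basement_door:      # countermeasure 3: immediate loud alarm, no beep phase
            self.loud_alarm = True
        else:                  # countermeasure 1: one minute of soft beep first
            self._start_beep()

    def tick(self, motion=False):   # advance one second; motion=True if a motion sensor fires
        if not self.armed:
            return
        if self.arm_countdown:            # still in the idle minute after arming
            self.arm_countdown -= 1
            return
        if self.beep_remaining:
            self.beep_remaining -= 1
            if self.beep_remaining == 0:
                self.loud_alarm = True    # beep minute expired without a disarm
        self.motion_seconds = self.motion_seconds + 1 if motion else 0
        if self.motion_seconds > MOTION_HOLD:   # countermeasure 2: sustained motion
            self._start_beep()
```

Driving the model with a sequence of `tick()` and `portal_open()` calls makes each countermeasure's timing window explicit, which is a useful starting point for the vulnerability and tradeoff discussion the problem asks for.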
System security often involves tradeoffs. Discuss any tradeoffs you see in
the design of this alarm system. Here are some ideas to get you started:
* Security vs. convenience
* Security vs. privacy
### Problem 2 (21 pts)
First, **perform a threat analysis and harm analysis** on the following system.
In doing so, you should answer these questions:
1. What are the assets of the system? Identify at least three core assets
that are essential to stakeholders in the system, rather than ancillary
assets that merely enable access to those core assets. You may exclude
the hardware and software implementing clients and servers from your
analysis, as well as the network itself.
2. What are the threats of concern? What are their motivations and capabilities?
Are there any threats that are excluded? Make your threat analysis specific
to the system under consideration, rather than being generic.
3. For each asset, what are the possible harms that could occur? For each harm,
characterize whether it affects the confidentiality, integrity, or
availability of the corresponding asset. If you can't come up with
one of those three kinds of harms for a particular asset, write a
sentence or two explaining why you believe that asset can't be harmed in
Second, **write security goals** for the system based on your analysis.
If any goals are infeasible, identify ways to relax the goals.
**Email System.** Users access the email system through a web browser
and a well-known URL. The following user stories summarize the functional
requirements for the email system:
1. Users can enter a user name and password to authenticate.
2. Authenticated users can see a list of email messages in their inbox.
3. Authenticated users can view, reply to, and delete messages.
4. Authenticated users can compose a new message, aided by an address book
of known contacts.
5. Authenticated users can logout.
Note that the user stories sketched above leave many details of the system
unspecified. Where necessary, feel free to resolve those details in your
answer, but also clearly state any additional assumptions you make.
### Problem 3 (21 pts)
Repeat what you did in Problem 2, but for the following system:
**Smart Meter System.** Users have an electricity meter installed
outside their house; you may assume that the meter resists physical
attacks. The meter is connected to a WiFi home area network
(HAN), as are major appliances inside the house; assume that the HAN is
not bridged to the public Internet. The meter is also connected to a
cellular (e.g., GSM) wide area network (WAN), which enables
communication with the electrical utility service. Here are
some user stories:
1. The meter can report to the utility service the amount of
electricity used each hour.
2. During periods of peak power usage, the utility service can send hints to
the meter to conserve energy, which the meter relays to appliances on the HAN.
3. Upon receiving conservation hints, an appliance can choose to enter
a lower-power mode.
### Problem 4 (10 pts)
Follow these instructions to familiarize yourself with FindBugs:
* Ensure Java is already installed on your machine.
* Download and unzip [Findbugs 3.0.1](http://findbugs.sourceforge.net/downloads.html).
Also download `gradesystem.zip` from CMS. This is part of the source code of a
course project from a previous semester. Please do not redistribute this code.
* Follow instructions in [Quick Start](http://findbugs.sourceforge.net/manual/running.html)
to launch the FindBugs GUI.
* In the FindBugs GUI, choose File->New Project. Give the project a name of your choice.
Add to the "Classpath for Analysis" the gradesystem.zip file you downloaded in the
previous part of the lab. Add to "Source Directories" the same gradesystem.zip file.
Run the analysis.
* Use the View menu to view only Scary bugs. Then only the Scariest bugs. Then All
* Experiment with viewing bugs in different ways using the "Group Bugs By" interface.
Drag-and-drop the different bug attributes ("Bug Kind", "Category", etc.) to see how
bugs can be sorted in various ways.
Attributes before symbol "<->" are considered for the "Group Bugs By" operation,
while attributes after "<->" are ignored.
Then write answers to the following questions:
1. How many bugs of Troubling or worse rank exist in the Security category?
2. Examine the rank 12, Correctness bug, where field logDisplay in
method Client_Second.connectClient is deemed to be unwritten.
Did the analysis miss an initialization of this field?
Or did the programmer fail to initialize it? What is the potential problem that results from this bug?
How should this bug be fixed?
3. Examine any of the security bugs identified by the analysis in ConnectionClass.java.
What is a potential harm that results from this bug and how can this harm be caused? *Hint: read about
If you work with a partner, first form a group on CMS; submit as that group,
rather than submitting the same solution independently.
Submit a single PDF to [CMS][cms].
Use 10 point or larger type.
Be succinct; it's unlikely you will need to write more than a page or two per problem.
You will be evaluated on the quality of your solutions and on your
adherence to the submission stipulations above. We'll use the following
criteria in evaluating quality:
- *Validity:* do you present a logical, lucid, coherent, clearly
focused, well structured, and appropriately detailed argument?
- *Consistency:* do you employ concepts, principles, and terminology
as they are used in this course?
- *Evidence:* do you adequately support your conclusions?
- *Writing:* do you use proper mechanics, grammar, and style?