CS5430 Homework 2: Articulating Security Goals
You are expected to work alone on this assignment.
Due: Feb 10, 11:59pm.
No late assignments will be accepted.
Submit your solution using CMS.
Prepare your solution as .pdf, as follows:
Use 10 point or larger font.
Put each problem into a separate file and submit it to the correct CMS
submission box for that problem.
Use at most 1 page per problem.
To assert that a system S is trustworthy, we first must understand
(i) what S is expected to do, and
(ii) what S is expected not to do.
One way to reach that level of understanding is to write a description of
the system in terms of the following elements (and in this order):
Types of users.
Each different user type is allowed to engage in different activities.
Enumerate the list of user types.
For each user type, describe what those allowed activities are
(including interfaces that would be accessed).
Assets and threat.
What are the threats?
What are the capabilities of each threat?
What system assets is each threat motivated to compromise?
Here, assets are system state and/or system operations (such as input/output).
Security policies.
What security policies prevent threats from achieving their goals?
List at most 7 of the security policies that you believe are the most critical.
For each security policy, identify whether it is confidentiality,
integrity, or availability.
Using this structure,
a simple grade management system might be described as follows.
Types of users:
All access to the system is through a web interface.
Nobody has physical access to the server itself.
- student.
Submits assignments, if the due date has not passed.
Learns grade for an assignment he/she submitted that has been graded.
Learns summary statistics for any graded assignment.
- teaching assistant.
Assigns grades to assignments, adding comments to explain flaws;
can create new assignments;
can alter submission deadline and other assignment characteristics.
- course administrator.
Adds/removes students from class;
adds/removes teaching assistants.
- instructor.
Can do anything a teaching assistant or course administrator can do.
Assets and threat:
The assets are
system state recording the deadline and other characteristics of an assignment,
assignment submission made by any student,
grade assigned to any student for an assignment.
The threat is
students who will attempt to access the server through its web site and read/change
The capabilities of this threat are the ability to write programs and
send messages to the hosting system (either directly or by using a web browser).
Security policies:
The list given below is abbreviated and intended just to illustrate
the level of detail we are suggesting; you might well include
additional policies (up to a total of 7).
No student may change the grade on any assignment. (integrity)
No student may learn the grade assigned to another student's assignment. (confidentiality)
If the due date has not passed then a student may submit an assignment. (availability)
Write a description in the above style for each of the following systems.
Each of your descriptions should therefore be structured as three separate parts
(types of users, assets and threat, security policies), where each part has
roughly the same level of detail as given above.
Secure 1-way anonymous communication.
An app runs on a computer and enables communication of text messages with
another user who is running a copy of the app.
The app communicates with a cloud-based service, which reformats and relays messages.
The recipient of a message does not learn the sender's identity but can issue a reply that
will be delivered to the original sender.
Reporter's secure notepad.
An app that allows a reporter in hostile territory to take notes on a laptop
that may not be connected to the Internet.
Once entered, content cannot be reconstructed by the reporter or anyone else,
except back in the newspaper office,
where there is a USB plug-in device storing a "private key".
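The "cannot be reconstructed ... except back in the newspaper office" property is exactly what public-key encryption buys: the laptop holds only the office's public key, so it can seal a note but never open one, and the private key on the USB device is the only thing that can. The sketch below is an added example written for this page, not part of the assignment or of any solution to it. It uses X25519 and AES-GCM from the Go standard library; the record layout (ephemeral public key, nonce, ciphertext), the use of SHA-256 in place of a proper KDF, and the function names are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed layout of one sealed note: ephemeral X25519 public key | GCM nonce | ciphertext+tag.
const (
	pubLen   = 32
	nonceLen = 12
)

// officeKeyPair is generated once in the office; only the public half goes to the laptop.
func officeKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey turns the X25519 shared secret into an AES-256 key. Hashing the
// secret with both public keys stands in for HKDF here (an assumption for brevity).
func deriveKey(shared, ephPub, officePub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(officePub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealNote runs on the laptop with only the office public key. Once it returns,
// the ephemeral private key is gone and the plaintext buffer has been zeroed,
// so nothing on the laptop can recover the note.
func SealNote(officePub *ecdh.PublicKey, note []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(officePub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := newGCM(deriveKey(shared, ephPub, officePub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := make([]byte, 0, pubLen+nonceLen+len(note)+aead.Overhead())
	record = append(append(record, ephPub...), nonce...)
	record = aead.Seal(record, nonce, note, ephPub) // ephPub is bound as AAD
	for i := range note {
		note[i] = 0 // the app keeps no plaintext copy
	}
	return record, nil
}

// OpenNote runs only in the office, where the USB device supplies the private key.
func OpenNote(officePriv *ecdh.PrivateKey, record []byte) ([]byte, error) {
	if len(record) < pubLen+nonceLen {
		return nil, errors.New("record too short")
	}
	ephPub, nonce, ct := record[:pubLen], record[pubLen:pubLen+nonceLen], record[pubLen+nonceLen:]
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := officePriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(deriveKey(shared, ephPub, officePriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, ephPub) // wrong key or any tampering fails here
}

func main() {
	priv, err := officeKeyPair() // private half stays on the office USB device
	if err != nil {
		panic(err)
	}
	// Constructed sample note; the laptop side sees only priv.PublicKey().
	rec, _ := SealNote(priv.PublicKey(), []byte("source met at 14:00"))
	pt, err := OpenNote(priv, rec) // possible only back in the office
	fmt.Printf("%d-byte record -> %q, %v\n", len(rec), pt, err)
}
```

The example makes two of the threats in the system description concrete: someone who seizes the laptop (reporter included) holds only sealed records and a public key, and someone who alters a record is caught by the GCM tag, since the ephemeral public key is authenticated as associated data. What it does not defend against is a compromised laptop recording keystrokes before SealNote runs, or the office private key leaking; both belong in the assets-and-threat part of the write-up.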
Electronic banking system.
A web-based app that allows users to view bank balances and request funds
transfers to other bank accounts.