CS5430 System Security (Fall 2021)

CS5430 Homework 1: Articulating Security Goals

General Instructions. You are expected to work alone on this assignment.

Due: Sept 12, 11:59pm. No late assignments will be accepted.

Submit your solution using CMS. Prepare your solution as .pdf, as follows:

Use 10 point or larger font.
Put each problem into a separate file and submit it to the correct CMS submission box for that problem.
Use at most 1 page per problem.

To assert that a system S is trustworthy, we first must understand (i) what S is expected to do, and (ii) what S is expected not to do. One step toward reaching that level of understanding is to write a description of the system in terms of the following elements (in this order)

Types of users. Each different user type is allowed to engage in potentially different activities. Enumerate the list of user types. For each user type, describe what those allowed activities are (including interfaces that would be accessed).
Assets and threat. What are the threats? What are the capabilities of each threat? What system assets is each threat motivated to compromise? Here, assets are system state and/or system operations (such as input/output).
Security policies. What security policies should be enforced to prevent threats from achieving their goals. List at most 6 of the security policies that you believe are the most critical. For each security policy, identify whether it is confidentiality, integrity, or availability.

Example. Using this structure, a simple grade management system like CMS might be described as follows.

Types of users: All access to the system is through a web interface. Nobody has physical access to the server itself.
- student. Submits assignments provided the due date has not passed. Learns grade (perhaps with a grader's comments) for an assignment he/she submitted that has been graded. Learns summary statistics for any graded assignment.
- teaching assistant. Assigns grades to assignments, adding comments to explain flaws; can create new assignments; can alter submission deadline and other assignment characteristics.
- course administrator. Adds/removes students from class; adds/removes teaching assistants.
- professor. Can do anything a teaching assistant or course administrator can do.
Assets and threat: Assets include: system state that is recording the deadline and other characteristics of an assignmernt, assignment submission made by any student, grade assigned to any student for an assignment.
The threat is students who will attempt to access the server through its web site and read/change the values of any asset. The capabilities of this threat are the ability to write programs and the ability to send messages to the hosting system either directly or by using a web browser.
Security policies: The list given below is abbreviated and only intended to illustrate the appropriate level of detail---you might well include additional policies (up to a total of 6).

Write a description in the above style for each of the following systems. The description for each system should be structured as three separate parts (types of users, assets and threat, security policies), where each part has roughly the same level of detail as given above.

Problem 1. Somewhat anonymous cloud-based secret email. The service runs in a cloud that is hosted by some third-party cloud-provider. A web front-end provides to ordinary users and law enforcement users (but no others) access to the service. Using this web front-end:

An ordinary user U may (i) format a message for delivery to another ordinary user U' or (ii) read messages that were sent by another ordinary user U' for delivery to U. The recipient of a message does not learn the sender's identity but can issue a reply that will be delivered back to that sender.
A law enforcement user may request that the system generate and provide a communications graph for a given set S of ordinary users and a given past interval of time Int. The nodes of this graph correspond to ordinary users in S; an edge from U to U' in this graph signifies that ordinary users U and U' are members of S and that, during the past interval Int, ordinary user U communicated with ordinary user U' by using a message or reply.

Problem 2. Crypto-currency exchanage. A web-based app that allows users to view their holdings in some selected set of crypto-currencies. The app also allows users to request the conversion of a holding in one crypto-currency to another crypto-currency. Per-user holdings are stored and managed by a server running in a third-party cloud.