CS5430 Homework 1: Articulating Security Goals
You are expected to work alone on this assignment.
Due: Sept 12, 11:59pm.
No late assignments will be accepted.
Submit your solution using CMS.
Prepare your solution as .pdf, as follows:
Use 10 point or larger font.
Put each problem into a separate file and submit it to the correct CMS
submission box for that problem.
Use at most 1 page per problem.
To assert that a system S is trustworthy, we first must understand
(i) what S is expected to do, and
(ii) what S is expected not to do.
One step toward reaching that level of understanding is to write a description of
the system in terms of the following elements (in this order)
Types of users.
Each different user type is allowed to engage in potentially different activities.
Enumerate the list of user types.
For each user type, describe what those allowed activities are
(including interfaces that would be accessed).
Assets and threat.
What are the threats?
What are the capabilities of each threat?
What system assets is each threat motivated to compromise?
Here, assets are system state and/or system operations (such as input/output).
What security policies should be enforced to
prevent threats from achieving their goals.
List at most 6 of the security policies that you believe are the most critical.
For each security policy, identify whether it is confidentiality,
integrity, or availability.
Using this structure,
a simple grade management system like CMS might be described as follows.
Types of users:
All access to the system is through a web interface.
Nobody has physical access to the server itself.
Submits assignments provided the due date has not passed.
Learns grade (perhaps with a grader's comments)
for an assignment he/she submitted that has been graded.
Learns summary statistics for any graded assignment.
- teaching assistant.
Assigns grades to assignments, adding comments to explain flaws;
can create new assignments;
can alter submission deadline and other assignment characteristics.
- course administrator.
Adds/removes students from class;
adds/removes teaching assistants.
Can do anything a teaching assistant or course administrator can do.
Assets and threat:
system state that is recording the deadline and other
characteristics of an assignmernt,
assignment submission made by any student,
grade assigned to any student for an assignment.
The threat is
students who will attempt to access the server through its web site
and read/change the values of any asset.
The capabilities of this threat are the ability to write programs
and the ability to
send messages to the hosting system
either directly or by using a web browser.
The list given below is abbreviated and only intended to illustrate
the appropriate level of detail---you might well include
(up to a total of 6).
No student may change the grade on any assignment.
No student may learn the grade assigned to another student's assignment.
If the due date has not passed then a student may submit an assignment.
Write a description in the above style for each of the following systems.
The description for each system should be structured
as three separate parts (types of users, assets
and threat, security policies), where each part has
roughly the same level of detail as given above.
Somewhat anonymous cloud-based secret email.
The service runs in a cloud that is hosted by some third-party cloud-provider.
A web front-end provides to ordinary users and law enforcement users
(but no others) access to the service.
Using this web front-end:
- An ordinary user U may
(i) format a message for delivery to another ordinary user U' or
(ii) read messages that were sent by another ordinary user U' for
delivery to U.
The recipient of a message does not learn the sender's identity
but can issue a reply that
will be delivered back to that sender.
- A law enforcement user may request that the system generate and
provide a communications graph for a
given set S of ordinary users and a given past interval of time Int.
The nodes of this graph correspond to ordinary users in S;
an edge from U to U' in this graph signifies that ordinary
users U and U' are members of S and that, during the past interval Int,
ordinary user U communicated with ordinary user U' by using a message
A web-based app that allows users to view their holdings in some selected set of
The app also allows users to request the conversion of a holding in one crypto-currency
to another crypto-currency.
Per-user holdings are stored and managed by a server running in a third-party cloud.