CS5430 System Security

CS5430 Project: Spring 2013

CS5430 students are expected to participate in a group project to build a system that has non-trivial security functionality. Here is the schedule.

Phase I: Form a group of 2 - 4 students, and decide on what system you will build.

Deliverable (due 1/29 at 11:59pm): Written description submitted to CMS.

Phase II: Describe the security properties your system will satisfy.
Deliverable (due 2/5 at 11:59pm): Written description submitted to CMS.

Phase III: Design, implement, and test interfaces so your system can access cryptographic routines provided by a standard run-time library in conjunction, if needed, with routines to send/receive message and/or to read/write files. Also construct the modest infrastructure needed for demonstrating to a grader that these routines operate as you desire.
Deliverable (due 2/24 at 11:59pm): Code and summary documentation submitted to CMS. Group meetings with graders to demo operation as well as to review design and code.
Weight: 4

Phase IV: Design, implement, and test interfaces so your system can authenticate its human user.
Deliverable (due 3/31 at 11:59pm): Code and summary documentation submitted to CMS. Group meetings with graders to demo operation as well as to review design and code.
Weight: 4

Phase V: Complete implementation of system functionality.
Deliverable (due 4/28 at 11:59pm): Code and summary documentation for entire system submitted to CMS. Also submit PPT slides for a 10 minute overview presentation about system operation and the testing regime. Group meetings with graders to hear presentation, demo system operation, and to review design and code.
Weight: 12

Forming a Group

Groups of 2 - 4 students are allowed, but groups of size 3 seem to work best. Smaller groups almost always produce lower-quality projects and, consequently, get lower grades; groups larger than 3 have difficulty coordinating---for example, finding times that all members can meet.

Beyond these pragmatics, working in groups offers other benefits:

Discussing ideas with others is a powerful tool that far offsets the additional time required for coordination within a small group.
Working in a group affords the opportunity for parallel development activities (although all members of your group are ultimately responsible for understanding all aspects of the system you build).
Working in a group helps hone skills needed to be effective in the workplace (where groups are the norm) and impresses potential employers.

MEng Project Option

MEng students may use their CS5430 project as the basis for the required MEng project. If this is your intention, then your group members must all be MEng students who are all electing to use the project in this manner. Your group will then not only be expected to satisfy the project requirements outlined below but will also be expected to:

Implement some additional functionality, as agreed upon between your group and the course staff.
Provide a written "project report" for the entire project. This report should document the problem solved, design alternatives, a rationale for design selected, the implementation, the testing strategy employed, and give instructions for both installation and use.

You may start working on these additional MEng-project tasks at any point during the semester. They need not be completed before the end of the semester, but the project without that additional functionality must be completed and submitted according to the above schedule for phases I through V.

Project Choices

You have considerable flexibility in choosing a system to build. The course project is intended to provide an opportunity for you to use the material we cover in lectures, however, so projects much involve the following elements.

Use of Cryptography. The system must implement functionality for which some use of cryptography is essential. Typical uses of cryptography include: authentication of computers, enforcing confidentiality for data in transit (i.e., messages) or data at rest (i.e., files), and enforcing integrity for data in transit (i.e., messages) or data at rest (i.e., files).

Human users who must be authenticated. The system must serve human users whose identity must be authenticated because different functionality (operations or data) is available to different human users.

Any interesting system will also involve other security functionality, too. Most systems, for example, will need to provide infrastructure for audit or other means of establishing accountability for actions. Many systems will need to implement authorization. The list above defines only a subset of the security functionality your project must implement. What is the rest of that functionality? Answering that question is one of the tasks in Phases 1 and 2.

Here are sketches for a few example systems. Each sketch has important elements missing from its description, as befits a sketch. So you'll need to identify and describe those elements if you elect to build a system that is inspired the sketch. But feel free to invent your own project idea if none of the sketches is appealing.

Grade Management System. This system allows student grades to be stored by graders and retrieved by students. Only certain users are allowed to display or alter certain information. For example, a student may not see the grades of other students and may not alter any grades; a TA may view all grades but alter the grades only of those assignments the TA has graded; the professor can view or alter any grade. Grade information is stored in a back-end file system.

Networked Banking System. This system manages the bank accounts of customers for a multi-branch bank. Each branch has a separate computing system. This computing system is connected to the Internet so communication with other branches is possible. The bank allows a customer to deposit funds in any account, to withdraw funds from an account for which the customer has privileges (provided sufficient funds are available), and to transfer funds from one account for which the customer has privileges to another (possibly at a different branch).

Multi-player Game Service. This system might implement a game (e.g., cards or battleship) where clients are players that have secret state; or it might implement a virtual world, where clients control avatars or other elements. There might be a back-end server or the game might be implemented as a peer-to-peer system that runs on each player's computer.

Social Networking System. This system supports a social network, where users upload content to and/or read from posting boards. There might be a single back-end server for the entire social network or there might be a separate back-end server for each sub-community of the social network (e.g., the original per-university implementation of Facebook).

Remote Payment System. This system facilitates mag-strip ID cards being accepted by participating merchants as the basis for payments. Acquire an inexpensive magnetic card reader (with its driver software) and integrate it with a PC or other mobile device to create a prototype of the terminal that merchants run. And build a back-end server to accumulate information about purchases and send monthly bills to each client who has an outstanding debt. Clients who don't pay their debts monthly should not be permitted to make subsequent purchases.

E-book Distribution Server. This system allows people who run specific e-book software to purchase from the service and then view electronic content on their PC or other mobile devices. The challenge is to prevent illicit transfers and other forms of piracy under a realistic set of assumptions. You might, for example, limit client systems to those that incorporate a TPM or other hardware root of trust. (Some laptops do incorporate the specialized hardware but few OS's export relevant interfaces, so this is an ambitious project).

An Electronic Marketplace. This system provides operations that clients can trust to facilitate buying and selling objects according to various auction schemes. The challenge is to prevent price manipulations, but the system might also allow users to upload "programmed trading" bots that participate in auctions without human intervention.

Choice of Tools

Select a programming environment, programming language, and target platforms that make sense for your project. Our evaluation of what you build will be based, in part, on your choice of tools (and our ability to understand your source code, so don't pick anything too obscure). Java and C# are safe choices.

If you elect to program in C or C++ then we will be interested in how you ensure that buffer overflows and other vulnerabilities that frequent C programs have been eliminated. There are tools for analyzing C and C++ source code for vulnerabilities, but running these tools (if you can get access to them) is a non-trivial undertaking.

When building a system in industry, it is generally a good idea to extend existing components rather than build your own. For example, there are many 3rd-party systems and tools available for building web services (including web servers) and for implementing databases. But using these tools in CS5430 would preclude parts of the learning-experience the project is supposed to promote. This is because, when you use a 3rd-party tool, you must: (i) accept somebody else's choices about what is useful security functionality and (ii) accept somebody else's assurance argument. We therefore impose the following ground rules about using code or systems written by others:

Standard libraries (i.e., those part of the distribution) for Java and C# may be used. This includes various cryptographic routines, which you shouldn't be writing yourself anyway. It also includes GUI-builders that are distributed by Microsoft and Java.
Operating systems installed on the CS department public machines may be used. This includes the networking infrastructures and file systems native to those operating systems.
You may not use existing web servers, database systems, or any other web services infrastructure.