CS5430 Homework 1: Articulating Security Goals (Fall 2022)
General Instructions.
You are expected to work alone on this assignment.
Due: Sept 11, 11:59pm.
No late assignments will be accepted.
Submit your solution using CMS.
Prepare your solution as .pdf, as follows:
- Use 10 point or larger font.
- Put each problem into a separate file and submit it to the correct CMS
submission box for that problem.
- Use at most 1 page per problem.
This assignment has 3 separate problems.
PROBLEM 1:
To assert that a system S is trustworthy, we first must understand
what S is expected to do, and
what S is expected not to do.
One step toward reaching that level of understanding is to write a description of
the system in terms of the following elements (in this order):
- Types of users.
Each different user type is allowed to engage in potentially different activities.
Enumerate the list of user types.
For each user type, describe what those allowed activities are
(including interfaces that would be accessed).
- Assets and threat.
What are the threats?
What are the capabilities of each threat?
What system assets is each threat motivated to compromise?
Here, assets are system state and/or system operations (such as input/output).
- Security policies.
What security policies should be enforced to
prevent threats from achieving their goals?
List at most 6 of the security policies that you believe are the most critical.
For each security policy, identify whether it is confidentiality,
integrity, or availability.
Example.
Using this structure,
a simple grade management system like CMS might be described as follows.
- Types of users:
All access to the system is through a web interface.
Nobody has physical access to the server itself.
- student.
Submits assignments provided the due date has not passed.
Learns grade (perhaps with a grader's comments)
for an assignment he/she submitted that has been graded.
Learns summary statistics for any graded assignment.
- teaching assistant.
Assigns grades to assignments, adding comments to explain flaws;
can create new assignments;
can alter submission deadline and other assignment characteristics.
- course administrator.
Adds/removes students from class;
adds/removes teaching assistants.
- professor.
Can do anything a teaching assistant or course administrator can do.
- Assets and threat:
Assets include:
system state that is recording the deadline and other
characteristics of an assignment,
assignment submission made by any student,
grade assigned to any student for an assignment.
The threat is
students who will attempt to access the server through its web site
and read/change the values of any asset.
The capabilities of this threat are the ability to write programs
and the ability to
send messages to the hosting system
either directly or by using a web browser.
- Security policies:
The list given below is abbreviated and only intended to illustrate
the appropriate level of detail---you might well include
additional policies
(up to a total of 6).
[Integrity]:
No student may change the grade on any assignment.
[Confidentiality]:
No student may learn the grade assigned to another student's assignment.
[Availability]:
If the due date has not passed then a student may submit an assignment.
....
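The CMS description above, encoded as a small reference monitor so that the three illustrative policies become checks that can be exercised (an added example, not part of the assignment; the user-type labels, operation names and integer timestamps are constructed assumptions):

```python
# Added example: the CMS system description as a reference monitor.
# User-type labels, operation names and integer timestamps are constructed.
from dataclasses import dataclass, field

USER_TYPES = {"student", "ta", "admin", "professor"}
STAFF = {"ta", "professor"}  # the professor can do anything a TA can do


@dataclass
class Assignment:
    deadline: int                               # deadline as an integer timestamp
    grades: dict = field(default_factory=dict)  # student -> grade (an asset)


def authorize(user, user_type, op, asg, now, target=None):
    """Decide whether `user` (of `user_type`) may perform `op` on `asg`.

    [Integrity]       no student may change the grade on any assignment
    [Confidentiality] no student may learn another student's grade
    [Availability]    if the due date has not passed, a student may submit
    """
    if user_type not in USER_TYPES:
        return False
    if op == "submit":
        # Availability policy: a submission is accepted up to the deadline.
        return user_type == "student" and now <= asg.deadline
    if op == "read_grade":
        # Confidentiality policy: a student sees only his/her own grade.
        if user_type == "student":
            return target == user and user in asg.grades
        return user_type in STAFF
    if op == "read_stats":
        # Summary statistics are visible to anyone once the assignment is graded.
        return len(asg.grades) > 0
    if op in ("set_grade", "set_deadline", "create_assignment"):
        # Integrity policy: only graders (TA or professor) change these assets.
        return user_type in STAFF
    if op in ("add_student", "add_ta"):
        # Course administration; the professor inherits these rights too.
        return user_type in {"admin", "professor"}
    return False  # default deny: any operation not listed is refused


def set_grade(user, user_type, asg, student, grade, now):
    """Mutate the grade asset only when the monitor approves the request."""
    if not authorize(user, user_type, "set_grade", asg, now, target=student):
        return False
    asg.grades[student] = grade
    return True
```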
Write a description using the above style for the following system.
The description should be structured
as three separate parts (types of users, assets
and threat, security policies), where each part has
roughly the same level of detail as given above.
Contact-tracing app for monkeypox.
Contact tracing for controlling the spread of a disease
like monkeypox might be implemented by having
a cellphone app --- we will call it APP --- and a set of
protocols, whereby each person is informed after
they have come into contact with a contagious person but never
learns the identity of that contagious person.
We assume:
- A contagious person who has a cellphone will run APP and will
(eventually) register the
earliest time he/she might have been contagious.
- If two cell phones that are each running APP are ever in close enough
proximity to use NFC (near-field communication), then each cell phone
communicates with the other, and both cell phones report to CDC that
the owner of each phone would have been close enough to spread the disease
to the owner of the other phone.
Many contact tracing protocols in this class employ a third party,
which we call CDC, that maintains a database but might not be trusted.
PROBLEM 2:
Cornell faculty members are permitted to make casual use of Cornell-owned
computing systems to support outside activities, such as
advising governments and advising companies.
That means Cornell-owned computing systems,
which are controlled by Cornell's CIT staff, are storing
information about non-Cornell activities.
A new policy statement is being written to define the reasonable
expectations by faculty engaged in this use of Cornell-owned
computing systems.
Cornell's legal team has asked your help in choosing between two
wordings for a statement about expectations faculty can have
about information Cornell is storing:
- "Cornell will keep private any information it is storing"
- "Cornell will keep confidential any information it is storing"
What do you recommend? Why?
PROBLEM 3:
A new company --- Web Auth services --- has made considerable
investments to test and verify a new authorization module AS
that they will sell.
In light of those investments,
Web Auth services claims that AS is trustworthy, and there is
reason to believe that claim is valid.
Module AS assumes that any request R it receives already
has been authenticated.
Upon receipt of a request, AS outputs "Approved" or "Denied"
depending on whether the principal named in
R should be allowed to access the file named in R.
You are going to build a service that depends on a distributed system D
that uses AS to implement authorization.
Given that AS is trustworthy,
should your system trust authorization decisions that D makes?
Explain why or why not.