The University of Melbourne SWEN90010: High Integrity Systems Engineering
Assignment 1
Due Date: 11:59pm (Melbourne time), Monday 28 March, 2022
This assignment is worth 10% of your total mark.
You will work in pairs for the assignment. Each pair will submit only one solution, produced jointly by both partners. Working in pairs is important since a significant part of the assignment is brainstorming security threats to a system, using the STRIDE methodology discussed in lectures. As with other brainstorming activities, security threat enumeration is an inherently creative process that will benefit from being performed by a pair, rather than by a single individual.
Your assignment solution will consist of a written report that answers the questions, and carries out the tasks, listed below.
1 Background
A fictitious government wants to deploy an online census system, called CensusWhale. The system comprises a public-facing web application (web site) through which citizens can complete the census. Completing the census is compulsory: each household must complete the census. The government has sent (via postal mail) to each household a unique ID string. When completing the census a user has to enter that ID string into the website.
The census collects a range of information about the people who are residing at each household. Some of this information could be considered highly personal, and together the information collected should be assumed to be sufficient to allow individuals to be identified. That is, by looking at the information submitted by a household, you should assume that an attacker might be able to deduce who lives in that household, and also learn sensitive information about those people (e.g. their religious affiliation, income status, etc.).
The information collected in the census is also likely to be valuable to attackers (e.g. to carry out identity theft, or targeted attacks on individuals). Therefore the data collected in the census must be kept secure.
At the same time, census data is collected to allow the government (e.g. the Australian Bureau of Statistics, ABS) to learn about demographic and population trends. Specifically, certain government agency employees are authorised to run queries over the census data. For instance, an ABS employee might query the census data to produce a histogram of the average salary for people in different age groups. There are of course many other queries that such personnel might run; depending on the query, some queries might reveal sensitive information about individuals.
Finally, data obtained from some of those queries is made available to the public for research purposes (e.g. economics researchers carrying out studies on income, etc.).
2 System overview
The system contains a number of distinct components.
User Browsers and devices, Census Web Application, and ID Strings Ordinary citizens complete the census via the Census Web Application, a web site that they access using a web browser. When completing the census, a citizen must first enter the ID String that was mailed to their household: this ensures that the census is only completed once for each household, and also allows the government to work out which households haven't completed the census. Having entered their household ID string, the citizen completes a series of questions that ask for a range of information about the people staying in that household at that time. As explained above, you should assume this information is sensitive and would allow the individuals in the household to be identified, even if their names are not provided.
Those questions can take a long time to complete. Therefore, the Census Web Application allows users to save a draft of their answers. They can then log back in later on, using their ID String, to finish their answers or amend existing ones.
The ID Strings are printed by the government agency running the census (e.g. the ABS), and delivered to households by standard postal service (e.g. Australia Post).
You should assume that citizens' web browsers are under their own control. Those web browsers of course run on ordinary computers, mobile phones, etc., which might have vulnerabilities.
The Census Web Application is administered and run by an external company, under contract with the government.
Central Database Information entered into the Census Web Application is stored in a Central Database, which the Census Web Application communicates with.
That database is stored on a separate set of servers, which are under the control of the government agency administering the census.
Query Portal and Public Reports Government agency employees may query the central database via a separate web interface called the Query Portal. That portal allows authorised government employees to make certain queries over the census data.
The data from those queries may then be included in public reports that are published by the government agency. Those reports include both written documents as well as public data sets that the government agency might publish, for researchers.
Government Employee Devices Government agency employees access the Query Portal via computers and devices supplied to them by the government. You should assume that such devices are administered and under the control of the government.
Government agency employees are not allowed to access the Query Portal from their personal devices (e.g. personal mobile phone or laptop computer), since such devices cannot be assumed to be trustworthy (e.g. they might be compromised by malware).
3 Your Tasks
1. (1 mark) Draw a block diagram of the architecture of the system, including its main components and the legitimate channels of communication between them.
For each component, describe in no more than a few sentences:
(a) Who has control over that component?
(b) What is its role in the system and how is it intended to interact with the other components?
On your diagram, indicate the trust boundaries that exist within the system. For each trust boundary, describe who controls the components within that boundary.
Trust boundaries can only exist between components (not within them, i.e. a single component can live inside only one trust boundary). If you think you need to draw a trust boundary that passes through a component, this indicates that that component should be split into multiple ones, each of which then resides in a separate trust boundary. Toby showed an example of this in the Live Lecture 4.
2. (4 marks) Use the STRIDE methodology to enumerate potential security threats to the system. For each threat that you identify you should document:
(a) Who is the potential attacker that might try to exploit this threat?
(b) What is the security goal that the attack or threat would violate if it were successful?
(c) How might the attacker exploit this threat?
Importantly, your report should document and justify any assumptions you make while carrying out your analysis. The system description provided above is intentionally ambiguous. You might therefore need to make certain assumptions when carrying out your analysis. You should make sure that your assumptions are reasonable, by including with each a brief justification.
When documenting how an attacker might exploit a particular threat, try to be as specific as you can and to draw on past incidents to justify your choice.
For example, the threat that an attacker might try to impersonate an authorised government agency employee is a bit vague. How might they try to impersonate the employee and for what purpose? Have such attacks been carried out in the past and if so, how?
For this question we are expecting you to find a range of potential threats, from relatively simple threats to sophisticated ones. There is no fixed number of threats you are aiming to find. Instead, we want to see that you have been methodical and creative: if you are methodical in how you apply STRIDE, you should be unlikely to miss simple threats. If you are creative and do your research (see next paragraph) you will find some interesting potential threats in this system. As a rough guide: around five is far too few threats. 40 is likely to be excessive (by that point you may be splitting hairs).
To get full marks for this part of the assignment you should expect to have to do some research on past vulnerabilities and attacks on similar systems. Remember from the lectures on safety engineering the importance of learning from past incidents.
If you believe a certain threat might be realistic but cannot find evidence of it being exploited in the past, justify why you think it is realistic and any assumptions you are making when drawing that conclusion. This can include citing research papers in which certain threats have been theorised about.
3. (2 marks) For each of the threats that you identified, which are the most serious? To work this out, for each threat you should think about what are its potential consequences. For each you should briefly describe the potential impacts that could arise if this threat were exploited. When thinking about impacts you should consider impacts on individuals, government, and society (if applicable), with appropriate justification for your reasoning.
4. (3 marks) Based on the assessment of the severity of each threat, derive a corresponding set of security requirements for the system that would address or mitigate that threat, if that threat can be mitigated. For any threats that you think cannot be reasonably mitigated, you should explain why. That might include why certain mitigation methods are not applicable under the assumptions you are making (which you should document).
List for each threat the requirements that are needed to mitigate it. As before, try to be specific. If you think authentication needs to be employed in a certain part of the system, what kind of authentication?
Number each of the security requirements that you derive. That way, if one security requirement helps to address multiple threats, you don't need to repeat it.
As an example, if you decided that one threat was that an attacker might try to impersonate an authorised government agency employee to the Query Portal, then a corresponding security requirement for the system would be that the Portal needs to properly authenticate authorised government agency employees, e.g. via a username and password.
Of course, you might then worry that the password could be stolen by the attacker while in transit on the network from the government employee's device to the Query Portal. So you might decide that the network connection between the employee's device and the portal needs to be encrypted.
Note: this is not a subject about encryption. You don't need to specify the precise encryption scheme or protocol to be used. However it may help to have a high-level understanding of basic cryptographic techniques like public key encryption, digital signatures, symmetric key encryption, message authentication codes, as covered in a subject like COMP90043 Cryptography and Security or basic overview references like http://ccss.usc.edu/499/lecture2.html.
Note also that to get full marks in this part of the assignment you should expect to have to do some research on appropriate security mitigations to defend against certain threats.
As graduate students, you are expected to show real creativity and a desire to push the boundaries of your knowledge. This assignment is designed to be an ideal opportunity to educate yourself on common security threats and defences, as relevant to this kind of system.
4 Marking Criteria
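The four tasks above form one procedure: model the components and trust boundaries, apply STRIDE to the model, weigh the threats, and derive numbered requirements. The script below is an added example (not part of the assignment, and not a model solution) showing the methodical half of that procedure: it encodes a data-flow model of CensusWhale built from Sections 1 and 2 and applies the STRIDE-per-element chart from Shostack's Threat Modeling: Designing for Security to every element and flow, flagging flows that cross a trust boundary. The element kinds, flow names and boundary labels (citizen, contractor, government, public) are assumptions made for this example; the creative half, turning each candidate into a specific, evidenced threat, is still yours to do.

```python
"""Added example: a STRIDE-per-element pass over a constructed data-flow model of
CensusWhale. Element, flow and boundary names are assumptions for this example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# STRIDE-per-element chart (Shostack, 2014): which categories apply to each DFD
# element type. External entities: Spoofing, Repudiation; processes: all six;
# data stores: Tampering, Repudiation (for logs), Information disclosure, DoS;
# data flows: Tampering, Information disclosure, DoS.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}
STRIDE_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    boundary: str   # the single trust boundary (controlling party) it lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    category: str
    target: str
    crosses_boundary: bool


# Constructed model of the system in Sections 1 and 2 (an assumption, not the
# only valid decomposition; e.g. the postal ID-string channel is left out here).
ELEMENTS: List[Element] = [
    Element("Citizen", "external", "citizen"),
    Element("Citizen Browser", "process", "citizen"),
    Element("Census Web Application", "process", "contractor"),
    Element("Central Database", "store", "government"),
    Element("Query Portal", "process", "government"),
    Element("Government Employee Device", "process", "government"),
    Element("Government Employee", "external", "government"),
    Element("Public Reports", "store", "public"),
]
FLOWS: List[Flow] = [
    Flow("census answers + ID string", "Citizen Browser", "Census Web Application"),
    Flow("citizen input", "Citizen", "Citizen Browser"),
    Flow("stored answers", "Census Web Application", "Central Database"),
    Flow("query", "Query Portal", "Central Database"),
    Flow("portal session", "Government Employee Device", "Query Portal"),
    Flow("employee input", "Government Employee", "Government Employee Device"),
    Flow("published data set", "Query Portal", "Public Reports"),
]


def validate_model(elements: List[Element], flows: List[Flow]) -> List[str]:
    """Return a list of model problems (empty when the model is consistent)."""
    problems: List[str] = []
    known = {e.name for e in elements}
    for e in elements:
        if e.kind not in ("external", "process", "store"):
            problems.append(f"{e.name}: unknown element kind {e.kind!r}")
    for f in flows:
        for end in (f.src, f.dst):
            if end not in known:
                problems.append(f"flow {f.name!r} references unknown element {end!r}")
    return problems


def boundary_crossings(elements: List[Element], flows: List[Flow]) -> List[Flow]:
    """Flows whose endpoints sit in different trust boundaries: the channels that
    most need authentication, integrity and confidentiality requirements."""
    boundary = {e.name: e.boundary for e in elements}
    return [f for f in flows if boundary[f.src] != boundary[f.dst]]


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the STRIDE-per-element chart to every element and flow in the model."""
    boundary = {e.name: e.boundary for e in elements}
    threats: List[Threat] = []
    for e in elements:
        for code in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(STRIDE_NAMES[code], e.name, False))
    for f in flows:
        target = f"{f.name} ({f.src} -> {f.dst})"
        crosses = boundary[f.src] != boundary[f.dst]
        for code in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(STRIDE_NAMES[code], target, crosses))
    return threats


def threats_by_category(threats: List[Threat]) -> Dict[str, int]:
    """Count candidate threats per STRIDE category (a quick completeness check)."""
    return dict(Counter(t.category for t in threats))


if __name__ == "__main__":
    assert not validate_model(ELEMENTS, FLOWS), validate_model(ELEMENTS, FLOWS)
    found = enumerate_threats(ELEMENTS, FLOWS)
    print(f"{len(found)} candidate threats; per category: {threats_by_category(found)}")
    for t in found:
        flag = " [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"- {t.category}: {t.target}{flag}")
```

Each line of the output is a candidate, not a finished threat: for every one you keep, the report still has to name the attacker, the violated security goal and a specific, evidenced way it could be exploited, and many candidates will be discarded or merged. The boundary-crossing flag is where the numbered requirements usually start, since those are the channels on which the example requirements in Task 4 (authentication of employees, encryption of the device-to-portal connection) sit.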
There is not a set of right or wrong answers for this assignment. Instead, it is testing your ability to understand and apply the concepts presented in lectures about security and safety engineering.
If you think that some of the requirements are ambiguous, then you should decide on an appropriate interpretation and, very importantly, you should document what your interpretation was. That way, you cannot be penalised for making an assumption that is different to what I or the markers had in mind.
You are also free to discuss the requirements on the LMS, especially where you think they are ambiguous, to help clarify them.
If you are not sure about whether a particular threat is realistic, or how an attacker might exploit a particular threat, or you are not sure what kind of security mitigation to require to defend against it, you are free to email Toby to discuss, or to ask during a live consultation session.
Please try to avoid giving away information about your potential threats and security requirements while discussing with other students, especially on the LMS. Ask Toby in the first instance.
5 Submission
One of your pair should create a pdf file called your username.pdf, containing your joint answers to the questions. Submit it via the LMS.
6 Communication Rules
You may discuss the questions freely within your pair, and write up your joint answers together. You may also consult any other materials you find on the Internet (or in the library), as long as you give proper references in your report. You may not discuss this with anyone other than your project partner, except to clarify the requirements of the assignment. In particular, cross-pair collaboration is not allowed. However, you may ask or answer any question you like on the LMS discussion board; this is up to you. You may share answers or raise interesting questions if you like, for the benefit of all. This allows ideas to be shared but mitigates the (unfair) advantage of having clever friends.
7 Late submissions
Please submit on time. It's much better to submit a not-quite-finished version on time than a perfect version late. 1 mark will be deducted each day (or part thereof) after the submission deadline. If you have a real reason for needing an extension, please ask permission in advance. I will usually ask to see some form of evidence, e.g. a medical certificate.
8 Academic Misconduct
The University misconduct policy applies to this assignment.
The subject staff take plagiarism very seriously. In the past, we have successfully prosecuted several students that have breached the university policy. Often this results in receiving 0 marks for the assessment, and in some cases, has resulted in failure of the subject.