Information Assurance - F17

CSE 465

Assignment 1

Assignment 1 is due 9/21/17 on or before 11:59:59pm MST.

Part 1 (5 points)

Sign up for the course mailing list. Please provide your ASURITE ID number when you register so that we can give you credit for signing up.

Part 2 — You’re the (security) boss (30 points)

You are the CISO of a new startup. The startup’s main product is a website and corresponding app. This startup has 10 employees, in the areas of engineering, marketing, and human resources.

You are in charge of securing this new organization. Write a description of your plan to secure this organization, including the threats the company will face, your analysis of the threats, a security policy for the company, and the mechanisms that you will deploy to enforce the policy.

The astute reader (which is all of you, right?) will notice that the company is not fully realized. In your description create additional details as need (what the company sells or does to attract users). These new details must be consistent with the original company description.

Your description must argue for the effectiveness of your policy from both a business and security perspective.

Submission Instructions

You will need to submit your description as a text file. This means no pictures or diagrams, only writing. Also no PDF, DOCX, or other file types, just an ASCII file.

Submit a file called description.txt. This file should contain your name and ASU ID at the top of the page.

Part 3 — Critique ASU’s Computer Use Policy (30 points)

Read ASU’s ACD 125: Computer, Internet, and Electronic Communications Information Management Policy. Write an analysis of the policy: specify the threats that it counters, the threats that it does not counter (along with your analysis of the probability of those threats), and your overall opinion of the policy. Include at least one change that you would make to the policy, and include thorough arguments and business justifications for making the change.

Submission Instructions

You will need to submit your description as a text file. This means no pictures or diagrams, only writing. Also no PDF, DOCX, or other file types, just an ASCII file.

Submit a file called policy_critique.txt. This file should contain your name and ASU ID at the top of the page.

Part 4 — Secure this house (35 points)

Your goal is to write, in any language, a program which implements the given security policy. The security policy will be based on our in-class discussion of the security policy for a house.

The name of your house simulator will be called secure_house.

Policy

Only users with an authorized key can enter the house. To enter the house, the user must first put their key in the lock then enter the house, only if the key is valid. A house can be rekeyed with new keys only by the owner, and only if the owner is in the house.

Firefighters can enter with the secret key FIREFIGHTER_SECRET_KEY.

Police can enter as long as their user_name starts with officer_with_warrant and their key is POLICE_SECRET_KEY.

Interface

You must implement the following command-line interface for your server:

./secure_house <owner_name> <key_1> <key_2> ... <key_n>

All inputs to the program (keys and user_names) will be [a-zA-Z0-9_\-] (alphanumeric, underscore, and dash). All matching is case-sensitive.

The input to your program (on standard input) will be a series of events separated by a newline. Your program must track these events and respond appropriately, while enforcing the security policy.

Every input will end in a newline and every response must end in a newline.

INSERT KEY <user_name> <key>

<user_name> inserts key key into the door. Response should be: KEY <key> INSERTED BY <user_name>

ENTER HOUSE <user_name>

<user_name> enters the house. Possible responses are: ACCESS DENIED or ACCESS ALLOWED.

WHO'S INSIDE?

Who is currently inside the house? Response should be a comma-separated list of user names, ordered by access time (earlier access first): <user_name_1>, <user_name_2>, <user_name_3>... or NOBODY HOME if there are no users in the house.

CHANGE LOCKS <user_name> <key_1> <key_2> ... <key_n>

<user_name> wishes to rekey the house with new given keys <key_1>, <key_2>, ..., <key_n>. Possible responses are: ACCESS DENIED or OK

LEAVE HOUSE <user_name>

<user_name> leaves the house. Possible responses are: OK or <user_name> NOT HERE

If any events are received that are not according to this specification, the response must be: ERROR.

Example

Running the program as follows:

./secure_house selina foobar

Given the input:

INSERT KEY adam key
ENTER HOUSE adam
INSERT KEY pat foobar
ENTER HOUSE pat
WHO'S INSIDE?

The program will produce the following output:

KEY key INSERTED BY adam
ACCESS DENIED
KEY foobar INSERTED BY pat
ACCESS ALLOWED
pat

Implementation

Your program must work on Ubuntu 16.04 64-bit with the default packages installed. You’ll probably need to set up a virtual machine to do your development.

If you wish to use packages that are not installed on Ubuntu 16.04 64-bit by default, please submit a file with your code entitled packages, with a list of the Ubuntu 16.04 64-bit packages that you would like installed before calling make. Each line of packages must be a valid package name, one package per line. The submission system will automatically install all the dependencies that the package lists.

For example, if you were going to write your assignment in Haskell, you could install the GHC compiler with the following packages file:

ghc
ghc-dynamic

Submission Instructions

You will need to submit your source code, along with a Makefile and README. The Makefile must create your executable, called secure_house, when the command make is ran. Your README file should contain your name, ASU ID, and a description of how your program works.

A prior TA compiled some resources on how to write a Makefile which might be helpful:

Submission Site

Create an account to submit your assignment for all parts on the course submisison site.

Please don’t forget your password.