Assignment 1 – Due Wednesday, September 9

This assignment has two parts, which are submitted separately in Canvas: Written questions (questions 1-5), which must be submitted as a PDF file, and a Labtainer exercise (question 6), which must be submitted as a Zip file (created by the Labtainer system). Note that Canvas will only accept a PDF file for the written portion, and will only accept a Zip file for the Labtainer portion. Written solutions can be either electronically prepared or neatly handwritten and scanned. If you must use a phone camera rather than a scanner, you should use a “scan to PDF” app to produce a proper and readable PDF document.

If you want to use a tool to electronically create your diagrams, you should use an appropriate tool to draw neat diagrams (e.g., LucidChart or Visio). It is almost impossible to make a neat, professional-looking diagram in Word or some other tool that is not designed for this, so do not try.

On this and all other assignments, remember to fully explain your answers, and cite all sources of information!

  1. Find a news story of a recent security incident that involved a malicious attacker (that shouldn’t be hard!), and describe what happened. Your description should include a statement about each of the “big three” security goals, indicating whether it was violated (and if it was, how it was violated). Also speculate on what type of attacker was involved and what the attacker’s motive may have been.

  2. In this question, you are to get a feel for how vulnerable modern systems are by exploring the “National Vulnerability Database” that NIST maintains, which is at https://nvd.nist.gov/.

    1. Locate the full list of vulnerabilities, and pick a random month from last year (e.g., maybe your birthday month) and see how many vulnerabilities were reported that month. Report how many there were for the month, and calculate the average number of vulnerabilities reported per day. If you were a security professional, and spent on average 5 minutes looking at each CVE to see if it applied to systems you manage, how much time per week would you spend reviewing CVEs?

    2. Look into some of these vulnerabilities (you can just click randomly on the CVEs in your chosen month) to see how they are reported. Can you find any that give vulnerabilities associated with software or systems that you use? Report on your findings, and describe how you can determine the risk to the “big three” security goals based on the information reported in the CVE entry. Looking into the information reported in a CVE, how could you filter reports (e.g., with an automated tool) to reduce the amount of time you would need to spend reviewing CVEs that are relevant to your systems?

  3. Consider a chat system, where users connect to a chat server and can send private messages back and forth with other users. Draw out a model of such a system, identify locations for data at rest, data in motion, and data in use, and define confidentiality, integrity, and availability concerns for data and systems in your model (like we did for the payment system in class). Ideally, only the two participants in a chat should be able to understand the messages – in particular, the chat server should not be able know what the users are saying to each other.

  4. Consider the following set of subjects and objects in the Bell-LaPadula model, with clearances and classifications as shown (C, S, and TS stand for “Classified”, “Secret” and “Top Secret”, which is in increasing level of classification):

    Subject clearances:
    • C3PO: (C, {DEATHSTAR})
    • Luke: (S, {DEATHSTAR,SHIPS,FORCE})
    • Han: (S, {SHIPS})
    • Leia: (TS, {SHIPS})

    Object classifications:
    • Locations: (C, {DEATHSTAR})
    • ShipSpecs: (S, {SHIPS})
    • AttackPlans: (TS, {SHIPS,DEATHSTAR})


    Write out the access control matrix that shows both read and write permissions for all four subjects and three objects (use “R” to denote read permission, and “W” to denote write permission).

  5. In the Bell-LaPadula model, there is typically a classification label of ("Unclassified", {}). What users will be able to read a file with this label? Justify your answer by working through the definition of the “simple security property” and the definition of the BLP partial ordering (given on page 453 of the textbook).

  6. Labtainer setup and exercise. For this question, you are to set up your computer to run “Labtainer” exercises, and then perform a straightforward lab on basic Unix/Linux commands. This is being assigned so that you go ahead and get the Labtainer virtual machine environment set up and working on your computer, which poses a few challenges: First, the image you need to download is large (4.5 GB), which can take a long time if your Internet connection is slow. If you have a particularly slow or unreliable connection, I would recommend coming to campus or finding some other place with a fast connection in order to do the download. Second, for good VirtualBox performance, you’ll need a decent amount of RAM (at least 8GB, but more is better) and your computer BIOS settings need to have hardware virtualization support enabled. Modern systems, purchased within the last 4 years, should probably support this without any problems. If you have significant problems, you should talk to me to either get things set up properly on your computer or to arrange an alternative.

    Here’s what you need to do: First, install VirtualBox if you do not currently have it installed. If you use Linux, then you can probably use your regular software installation program to install a recent version. If you are using Windows or OSX, see https://www.virtualbox.org/ to download and install this free software.

    Next, go to the Labtainer web page ( https://nps.edu/web/c3o/labtainers ), click on “Virtual Machine Images” and download the “VirtualBox VM Appliance” from that page. The one-line “Directions” right below the link to the image is all you need to do in order to get this installed and usable with VirtualBox.

    Finally, start the virtual machine image from VirtualBox. After it boots up and stabilizes, you will see a Linux desktop with a terminal window and command prompt. This is the normal “starting point” for Labtainer exercises. You should download the “Student Guide” from the Labtainer web page, and read through Section 2 to understand how the Labtainer system works in general. It’s also worth your time to poke around a little on the Labtainer web site to see what is there – for example, the “Labtainer Lab Summary” and “Lab Manuals” are good things to be familiar with.

    Finally, you should complete the nix-commands lab. To do this, you type “labtainer nix-commands” at the command prompt of your Labtainer virtual machine. The first time you run this it will ask for your email address, which is needed to identify your work after you submit it – use your UNCG email address! After the first time, the Labtainer system will remember your email address and present it to you as the default. After getting the lab started, the system will print out some links to the information needed for the lab; alternatively, you can directly access the instructions from the Labtainer web site. When you are finished, type “stoplab nix-commands” in your original terminal window.

    After you have completed everything, including typing the “stoplab” command, there will be a Zip file created in directory /home/student/labtainer_xfer/nix-commands — you should use the Web browser from insider the Labtainer VM to submit this Zip file in Canvas. From this Zip file, I will be able to see all of the commands you executed, and whether you followed the directions in the lab will be the basis of your grade, so make sure you do everything stated in the lab instructions!