Cybersecurity Education Project
Western Illinois University

CS395 Computer Privacy and Security

Secure System Design Project

The purpose of this project is to train you to analyze the security requirements of a system, design a secure system based on those requirements, and produce the documentation that users, administrators, and developers need to maintain the overall security of your system. Analyze the system from three perspectives: defense, offense, and use. From the defense perspective, you will think about how to protect your system from threats. From the offense perspective, you will analyze how a potential adversary might attack the system. From the use perspective, you will consider the human factors that influence security.

Select a security-relevant application. Discuss the application with the instructor in advance and come up with a project description. Your proposed system should have (or need) the following security properties:

  1. Confidentiality: Information should not be disclosed to an unauthorized entity.
  2. Integrity: Information should not be modified by an unauthorized entity.
  3. Non-repudiation: Ability to prove committed actions.
  4. Availability: The system should be available for use when users need to use it.
  5. Cybersecurity: the system design should ensure that:
    1. users are made aware of the security tasks they need to perform
    2. users have a comfortable interface for performing security functions
    3. users can figure out how to complete these functions
    4. the software does not allow users to make dangerous errors
    5. the software informs users when their task finishes
    6. the software keeps users informed about the current state of the system.


Milestone 1: Requirement Analysis

Please prepare documents addressing the following:
  1. How is the system going to be used?
  2. What are the features users would like to have in the system?
  3. Security:
    1. What are the confidentiality requirements?
    2. What are the integrity requirements?
    3. What are the non-repudiation requirements?
    4. What are the availability requirements?
    5. What are the authenticity requirements?
    6. What are the usable security requirements? (Conduct a user survey to find out how users currently approach the problem; if you are redesigning an existing system, perform a usability test; if there are similar systems, study them.)
  4. Draft User Manual: instructions for users on how to (securely) use the system.

Milestone 2: Preliminary Design

  1. What kind of architecture do you plan to use?
  2. What operations will users perform?
  3. How will you define the user interface? (Parallel design: develop interface designs for the key security functions (e.g., the user login page), one from each member, developed independently. Perform a cognitive walkthrough, make low-fidelity prototypes, and conduct user testing. Iterate these steps as needed.)
  4. How is the information going to be stored? (database, file storage, cloud storage etc.)
  5. How are you planning to achieve each of the security requirements determined in the analysis phase?
    1. What operating systems security mechanisms will be used?
    2. What network security mechanisms will be used?
    3. What application security mechanisms will be used? (Both those provided by other applications and those in your own application.)

Milestone 3: Detailed Design

  1. System Modules: list all modules the system will have. For each module:
    1. Describe what each module does
    2. Specify relationships between modules
    3. Specify inputs and outputs of modules
    4. Testing Plan: describe how you are going to test each module
  2. Develop a threat model (see Assignment 3 and the Threat Modeling References below). In addition, look for threats arising from usability and human factors. Sample threats:
    1. Shoulder surfing
    2. Keyboard loggers and spyware
    3. Users' bad memory
    4. Users' selecting predictable or easy to break passwords
    5. Phishing attacks
    6. Hackers obtaining passwords by misusing the password recovery mechanism, etc.
  3. Develop safeguards; repeat the process until all threats are mitigated.
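As an illustration of the "develop safeguards" step, the following is a safeguard for sample threat 4 above (users selecting predictable or easy-to-break passwords). It is an added example for this page, not part of the course materials or of any project's code; the minimum length, the rule set, and the short common-password list are constructed assumptions that a real design would replace with its own policy and a full breach-derived word list.

```python
"""Password-policy check: a safeguard against the threat of users choosing
predictable or easy-to-break passwords.  Added example; the policy values and
the common-password list below are constructed, not taken from any real policy."""

import re

# Constructed sample of a common/breached password list.  A real deployment
# would load a large list from a breach corpus instead of hard-coding one.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "abc123",
}

MIN_LENGTH = 12  # assumed policy value

# Map common leetspeak substitutions back to letters so that 'P@ssw0rd'
# is still recognised as 'password'.
_LEET = str.maketrans("@$01435!", "asoiaesi")


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that each step up or
    down by exactly one code point (e.g. 'abcd', '4321'): a predictable pattern."""
    p = pw.lower()
    for i in range(len(p) - run + 1):
        window = p[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, username: str = "") -> list[str]:
    """Return every reason the password is rejected; an empty list means accepted.

    Reporting all failing rules at once, rather than only the first, is a
    usable-security choice: the user learns everything to fix in one round
    ("users can figure out how to complete these functions").
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    normalised = pw.lower().translate(_LEET)
    if pw.lower() in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if re.search(r"(.)\1{2,}", pw):
        reasons.append("contains three or more repeated characters in a row")
    if _has_sequential_run(pw):
        reasons.append("contains an ascending or descending run like 'abcd' or '4321'")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "abcd1234XYZ!", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

In the threat-model table, this safeguard would be recorded against the "predictable passwords" threat together with the remaining residual risk (a policy check cannot stop password reuse across sites), which is what drives the "repeat the process until all threats are mitigated" loop.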

Milestone 4: Final Presentation and Demo

  1. Develop slides (e.g., PowerPoint).
  2. Present the project.
  3. Demo and User Testing results (if applicable)

Milestone 5: Project and Documentation Submission

  1. All Design Documentation
  2. Users' Manual
  3. Source code (if applicable)

References

  1. Microsoft Threat Modeling Documentation
  2. SANS Institute Threat Modeling Paper
Cybersecurity Education
Stipes 447I
Computer Science Department
Western Illinois University
1 University Circle
Macomb IL-61455
This material is based upon work supported by the National Science Foundation under Grant No. 0736643. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.