Assignment-03-Solutions

SYSC 4810: Introduction to Network and Software Security Module 3 Assignment Fall 2021 Dr. J. Jaskolka Carleton University Department of Systems and Computer Engineering Posted: October 7, 2021 Due: November 1, 2021 Due on Monday, November 1, 2021 by 11:59PM This assignment contains 15 pages (including this cover page) and 5 problems. You are responsible for ensuring that your copy of the assignment is complete. Bring any discrepancy to the attention of your instructor. Special Instructions: 1. Do as many problems as you can. 2. Start early as this assignment is much more time consuming than you might initially think! 3. The burden of communication is upon you. Solutions not properly explained will not be considered correct. Part of proper communication is the appearance and layout. If we cannot “decode” what you wrote, we cannot grade it as a correct solution. 4. You may consult outside sources, such as textbooks, but any use of any source must be documented in the assignment solutions. 5. You are permitted to discuss general aspects of the problem sets with other students in the class, but you must hand in your own copy of the solutions. 6. Your assignment solutions are due by 11:59PM on the due date and must be submitted on Brightspace . • Late assignments will be graded with a late penalty of 20% of the full grade per day up to 48 hours past the deadline . 7. You are responsible for ensuring that your assignment is submitted correctly and without corruption. Problem 1 2 3 4 5 Total Points: 25 25 25 25 10 110 Page 1 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 In this assignment, you will participate in activities related to the operation and use of user authentication and access control mechanisms. This assignment aims to assess your understanding of security policies, as well as protocols to implement such policies. It also aims to assess your ability to develop basic security enhancements in stand-alone applications by implementing and using basic security tools to enhance and enforce user authentication and access control policies. Background Research A significant portion of this assignment is to do the required background research on working with basic cryptographic libraries and tools to support user authentication and access control such as Python Cryptographic Services and/or the C OpenSSL library. Keep in mind that a substantial component of any software or computer systems project is to solve and/or eliminate the underlying technical difficulties. This often means exploring user manuals and documentation. Submission Requirements Please read the following instructions very carefully and follow them precisely when submitting your assignment! The following items are required for a complete assignment submission: 1. PDF Assignment Report : Submit a detailed report that carefully and concisely describes what you have done and what you have observed. Include appropriate code snippets and listings, as well as screenshots of program outputs and results. You also need to provide an adequate explanation of the observations that are interesting or surprising. You are encouraged to pursue further investigation beyond what is required by the assignment description. 2. ZIP Archive of Source Code : In addition to embedding source code listings in your assignment report, create and submit a ZIP archive of all programs that you write for this assignment. Please name each of your source code files appropriately to indicate the purspose of each file and. A simple naming scheme may be to name files according to the problem number to which they correspond (e.g., for Problem 7(a), the source code file should be named Problem7a.c ). Your source code must compile and run in the VM environment, producing the desired output. Also, please remember to provide sufficient comments in your code to describe what it does and why. 3. ZIP Archive of Screenshot Image Files : In addition to embedding screenshots of program outputs and results in your assignment report, create and submit a ZIP archive of all of the raw screenshot images that you capture for this assignment. Grading Notes An important part of this assignment is following instructions. As such, the following grade penalties will be applied for failure to comply with the submission requirements outlined above: • Failure to submit an Assignment Report will result in a grade of 0 for the assignment. • Failure to submit the Source Code files will result in deduction of 10% of the full grade of the assignment. • Failure to submit the Screenshot Image files will result in deduction of 10% of the full grade of the assignment. • Failure of Source Code to compile/run will result in a grade of 0 for the corresponding problem(s). – You are required to ensure that your code will compile and run in the VM! • Failure to submit any deliverable in the required format (PDF or ZIP) will result in deduction of 5% of the full grade of the assignment. Page 2 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 In addition to the access control policy, the prototype must implement a proactive password checker that ensures all passwords adhere to the following password policy: • Passwords must be least 8-12 characters in length • Password must include at least: – one upper-case letter; – one lower-case letter; – one numerical digit, and – one special character from the set: { ! , @ , # , $ , % , ? , ∗} • Passwords found on a list of common weak passwords (e.g., Password1 , Qwerty123 , or Qaz123wsx ) must be prohibited – Special Note : The list should be flexible to allow for the addition of new exclusions over time. • Passwords matching the format of calendar dates, license plate numbers, telephone numbers, or other common numbers must be prohibited • Passwords matching the user ID must be prohibited In addition to the access control and password policies described above, MedView Imaging has expressed the following requirements and constraints of their system, which must be considered in the eventual design and implementation of the prototype. 1. A balance between performance and security is required. 2. Selected algorithms should not have any well-known weaknesses or vulnerabilities. MedView Imaging has provided a sketch of what is expected from the prototype system (see Figure 1 ). Once a user logs in, the prototype shall display a list of the operations that the user is able to perform in the system (these do not need to be implemented). MedView Imaging has expressed that the prototype does not require any “fancy” user interface as they have already contracted another firm for that purpose. Instead, they are interested specifically in the design and implementation of the security mechanisms and a prototype that is able to demonstrate that the system will meet their needs. Figure 1: Sample prototype interface for the MedView Imaging medical information management system Page 4 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 To assist with testing and validation of the system, MedView Imaging has provided the following sample list of employees and clients: Name Role Name Role Howard Linkler Radiologist Rahul Garza Patient Veronica Perez Radiologist Arjun Singh Patient Winston Callahan Physician Heather Anderson Administrator Leslie Stewart Physician Keikilana Kapahu Administrator Kelsey Chang Nurse Harold Zakara Technical Support James Preston Nurse Malina Romanova Technical Support 3 Obligations At the end of this assignment, you will be required to deliver the following information and outcomes to MedView Imaging : 1. Provide a detailed report documenting the design choices and details of the prototype implementation. This is necessary to enable MedView Imaging to make important decisions about whether to proceed with the implementation of the prototype. 2. Provide a functioning prototype system. You must demonstrate and provide a convincing argument that the system satisfies all of the requirements outlined by MedView Imaging . Page 5 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 Part III Designing and Implementing a User Authentication and Access Control Prototype 1 Introduction The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner. We can view user authentication and access control as two of the most central elements of computer security. In most computer security contexts, user authentication is the basis for most types of access control and for user accountability. User authentication encompasses two functions. First, the user identifies themself to the system by presenting a credential, such as user ID. Second, the system verifies the user by the exchange of authentication information. Once authenticated, authorization decisions can be made for the user. This involves enforcing an access control policy that determines the set of rights or permissions of the user to access a system resource or perform a specific system function. In this part of the assignment, you will perform a variety of tasks that are designed to guide you in the design and implementation of a software prototype of a user authentication and access control system to satisfy the needs of MedView Imaging as outlined in Part I . 2 Background 2.1 Maintaining a Password File A widely used password security technique is the use of hashed passwords and a salt value stored in a password file. The following procedure is employed (see Figure 2 ). Slow Hash Function Salt Password Password File User ID Plaintext Salt Hash Code of Password Load … Slow Hash Function Password Password File Select User ID Salt Compare Hashed Password Loading a new Password Verifying a Password User ID Plaintext Salt Hash Code of Password Figure 2: Loading and Verifying an Password in a Password File Page 7 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 2.1.1 User Enrolment: Loading a Password To load a new password into the system, the user selects a password. This password is combined with a fixed-length salt value. In older implementations, this value is related to the time at which the password is assigned to the user. Newer implementations typically use a pseudorandom or random number. The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. The hash algorithm is designed to be slow to execute in order to thwart attacks. There are a number of hash functions that can be used for this purpose. Popular choices often include MD5 (even though it has been found to suffer from extensive vulnerabilities), variants of SHA, and Bcrypt. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. 2.1.2 User Verification: Verifying a Password When a user attempts to log on to the system, the user provides an ID and a password. The system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password. The salt and user-supplied password are used as input to the encryption routine. If the result matches the stored value, the password is accepted. 2.1.3 Password Files In many UNIX-based systems, the /etc/passwd file is a text-based database of information about users that may log into the system. The /etc/passwd file typically has file system permissions that allow it to be readable by all users of the system, although it may only be modified by the superuser or by using a few special purpose privileged commands. The /etc/passwd file is a text file with one record per line, each describing a user account. Each record consists of seven fields separated by colons. The ordering of the records within the file is generally unimportant. An example record may be: jsmith:saltedhash:1001:1000:Joe Smith,Room 1007,(234)555-8910,email:/home/jsmith:/bin/sh The fields, in order from left to right, are: • jsmith : User name: the string a user would type in when logging into the system; it must be unique across users listed in the file. • saltedhash : Information used to validate a user’s password; this field would typically contain a cryptographic hash of the user’s password (in combination with a salt). • 1001 : User identifier number, used by the system for internal purposes; it need not be unique. • 1000 : Group identifier number, which identifies the primary group of the user. • Room 1007... : Commentary that describes the user; typically, this is a set of comma-separated values including the user’s full name and contact details. • /home/jsmith : Path to the user’s home directory. • /bin/sh : Program that is started every time the user logs into the system. For an interactive user, this is usually one of the system’s command line interpreters (shells). Note that for this assignment, you may not require all of the above-listed fields in your password file. Page 8 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 3 Problems and Tasks *Important Notes* 1. This is largely a design-focussed assignment, which means that there may be many suitable (alternative) solutions to the problems. You should focus your attention on providing adequate justification of the design decisions that you make. 2. You may need to work on more than one problem at a time, as the following tasks cannot necessarily be clearly delineated and carried out independently. You are encouraged to consider how your solutions to one problem may affect how to approach another problem. For this reason, it is highly recommended that you carefully read and understand what is required for each of the following problems and tasks before you begin. 3. When developing your solutions for each of the following problems and tasks, you are encouraged to consider and incorporate the fundamental security design principles into your solutions to the best of your ability. *Common Pitfalls to Avoid* • Make sure that you provide full and detailed explanations of what your code is doing. DO NOT respond to problems that ask you to “implement X ” with “I implemented X , here is a screenshot of the whole code for X .” Provide smaller code fragments and point to specific line numbers in your screenshots to explain your solutions. • Make sure you provide a convincing argument that you have tested your code. DO NOT respond to problems asking how you tested your code with “I tested X with many values.” Provide a description of what those values are, and how and why you chose them. • Make sure you read the problems and tasks carefully and fully understand what is expected. DO NOT over-complicate the problem. Stay focussed on the tasks and what they are asking you to do. It is very easy to make this assignment much more difficult than it intends to be. • Make sure you give yourself plenty of time to complete this assignment. DO NOT try to complete this assignment in its entirety close to the deadline. Open-ended design problems with implementations are time-consuming and require some thinking and planning. Page 10 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 Problem 1 [25 points] Design the Access Control Mechanism: Consider the problem context outlined in Part I , and in particular, the access control policy provided by MedView Imaging . In this problem, you are required to design and implement an access control mechanism that is suitable for control access the various functions/objects in the system. At this stage, assume that you are able to authenticate users. To complete this problem, do the following: (a) [2 points] Select the access control model : Choose an appropriate access control model (e.g., DAC, MAC, RBAC, ABAC, some combination) to be used in the development of your proptype. Justify your selection. Solution: Award 1 point for a suitable selection of access control model. Award 1 point for a reasonable justification. The most suitable choices given the problem context are RBAC or ABAC. Points should be awarded for a reasonable decision and justification. (b) [3 points] Select the access control representation : Choose an appropriate representation for your access control policy control model (e.g., access control matrix, access control list, policy store, etc.) to be used in the development of your proptype. Justify your selection. Solution: Award 1 point for a suitable selection of access control representation. Award 2 points for a reasonable justification. The choice should correspond to the decision made in Task (a). For example, access control matrices or access control lists are appropriate for RBAC. Policy stores are appropriate for ABAC. (c) [5 points] Sketch a design of the access control mechanism : Provide a sketch of the access control mechanism using your chosen access control model from Task (a), and your chosen representation from Task (b). For example, if you choose to design a DAC model using an access control matrix, sketch what the access control matrix will look like for the access control policy provided by MedView Imaging . If you choose to design an ABAC model, specify the policy rules for the access control policy provided by MedView Imaging . If you choose to design an ABAC model, describe the security labels including levels and compartments for the access control policy provided by MedView Imaging . Solution: Award 1 point for a design that corresponds to the choice in Tasks (a) and (b). Award up to 4 points for a design that matches the policy specified in Part I . The solution depends on the choices made in Tasks (a) and (b). (d) [10 points] Implement the access control mechanism : Provide an implementation of the access control mechanism that you designed in Task (c). Be sure to include code fragments in your report and to clearly describe how you implemented your design. Solution: Award 5 points for an implementation matching the design from Task (c) with code fragments documented in the report. Award 5 points for a clear description and explanation of the implementation. Implementation details will vary. Points should be awarded for describing how the implementation satisfies the design and matches the given access control policy. Page 11 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 (d) [5 points] Test the password file mechanism : Provide a description of how you tested the password file mechanism. Solution: Award 2 points for basic testing of the implementation. Award 2 points for including additional test cases covering exceptional cases. Award 1 point for a clear description of the testing procedure. Specific test cases will vary. Points should be awarded for describing the testing procedure and being thorough in the test case selection. Problem 3 [25 points] Enrol Users: In this problem, you are required to design and implement a mechanism to enrol users in the system. To complete this problem, do the following: (a) [5 points] Design a simple user interface : Provide the design of a simple user interface that enables a user to enter their user ID and chosen password, as well as any other information that may be required. For this problem, you should ensure that you only ask for information that is necessary to operate the system, or that is required for user authentication and access control. Solution: Award 2 points for a suitable interface design. Award 3 points for describing required information to be entered by the user. There are many suitable alternatives. An interface similar to that shown in Figure 1 is what is expected. (b) [5 points] Design the proactive password checker : Provide the design of a proactive password checker to enforce the password policy outlined in Part I . For this problem, you may wish to use pseudocode or another appropriate tool to sketch the design of the password checker. Be sure to justify your design decisions. Solution: Award 3 points for a design that matches the password policy specified in Part I . Award 2 points for clear explanation and justification of the design decisions. There are many suitable alternatives. An important aspect of this problem is implementing a blocklist in such a way that it can be updated without having to modify source code. (c) [10 points] Implement the enrolment mechanism and the proactive password checker : Provide an implementation of the enrolment interface and the proactive password checker that you designed in Tasks (a) and (b). Be sure to include code fragments in your report and to clearly describe how you implemented your designs. Solution: Award 5 points for an implementation matching the design from Tasks (a) and (b) with code fragments documented in the report. Award 5 points for a clear description and explanation of the implementation. Implementation details will vary. Points should be awarded for describing how the implementation satisfies the design. (d) [5 points] Test the enrolment mechanism and the proactive password checker : Provide a description of how you tested the enrolment mechanism and the proactive password checker. Solution: Award 2 points for basic testing of the implementation. Award 2 points for including additional test cases covering exceptional cases. Award 1 point for a clear description of the testing procedure. Page 13 of 15

SYSC 4810 — Module 3 Assignment Due Date: November 1, 2021 Specific test cases will vary. Points should be awarded for describing the testing procedure and being thorough in the test case selection. Problem 4 [25 points] Login Users: In this problem, you are required to design and implement a mechanism to enable users to login to the system. To complete this problem, do the following: (a) [2 points] Design a simple user interface : Provide the design of a simple login user interface that enables a user to enter their user ID and password. Solution: Award 1 point for a suitable interface design. Award 1 point for describing required information to be entered by the user. There are many suitable alternatives. An interface similar to that shown in Figure 1 is what is expected. (b) [10 points] Implement the password verification mechanism : Provide an implementation of the password verification mechanism that corresponds to the password file mechanism you designed in Problem 2. Be sure to include code fragments in your report and to clearly describe how you implemented your designs. Solution: Award 5 points for an implementation matching the design from Tasks (a) and (b) with code fragments documented in the report. Award 5 points for a clear description and explanation of the implementation. Implementation details will vary. Points should be awarded for describing how the implementation satisfies the design. (c) [8 points] Enforce the access control mechanism : Upon successful user authentication, provide an implementation to enforce the access control mechanism developed in Problem 1. Once logged in, the following information must be displayed for the authenticated user: user ID, role/attributes/labels associated with that user and that have been used for access control purposes, and a list of the access rights or permissions according to the access control policy provided by MedView Imaging . Solution: Award 4 points for an implementation matching the design from Tasks (a) and (b) with code fragments documented in the report. Award 4 points for a clear description and explanation of the implementation. Implementation details will vary. Points should be awarded for describing how the implementation satisfies the design. (d) [5 points] Test the user login and access control enforcement mechanism : Provide a description of how you tested the user login and access control enforcement mechanism. Solution: Award 2 points for basic testing of the implementation. Award 2 points for including additional test cases covering exceptional cases. Award 1 point for a clear description of the testing procedure. Specific test cases will vary. Points should be awarded for describing the testing procedure and being thorough in the test case selection. Page 14 of 15