CS 181S includes a semester-long group project designed to offer students practical experience with the design and construction of secure computing systems.
CS 181S students are expected to participate in a group project to build a software system that has non-trivial security functionality. A high-level introduction to the project is given in the project overview. More details will be supplied throughout the semester as part of each project milestone.
Milestone | Description | Due Date |
---|---|---|
M0 | Charter | Wed September 26 at 11:59pm |
M1 | Requirements | Wed October 3 at 11:59pm |
M2 | Prototype | Wed October 24 at 11:59pm |
M3 | Alpha Release | Wed November 14 at 11:59pm |
M4 | Beta Release | Wed December 5 at 11:59pm |
M5 | Final Project Deadline | Wed December 19 at 11:59pm |
Final Presentations | Thu December 20 at 2:00pm |
Your charter defines the members of your team and proposes the software system you intend to build. Your charter should include the following information:
Prepare a Requirements Document that contains the six sections detailed below. This will be a living document: you will continue to update it in the remaining milestones of the project. It is also a critical document, because your final system will be evaluated, in part, against your requirements. You should think of the Requirements Document as a contract between your team and me. You are responsible for fulfilling that contract.
1. Personnel. Identify your team members, including names and emails.
2. System Purpose. In a couple of paragraphs, explain the purpose of your system. The basis for this explanation should be the one-page system summary you wrote for Milestone 0. Update that summaryas necessary, based on the functional requirements and security goals you develop in the current milestone, as well as any comments I gave you on your Milestone 0 submission.
3. Functional Requirements. Invent a list of functional requirements for the system you are building. For the purposes of this project, a functional requirement comprises the following data:
You might find it helpful to organize your requirements in a spreadsheet, so that you can sort them in various ways.
Here is an (incomplete!) example of four functional requirements, based on a grade management system for academic courses:
User type | Assets | Importance | User story |
---|---|---|---|
professor | assignment | M | As a professor, I can create a new assignment by specifying its name, number of possible points, and due date. |
student | submission | S | As a student, I can submit a file as a solution to an assignment. |
grader | grade | M | As a grader, I can assign a number of points as a grade to a student for an assignment. |
student | grade | S | As a student, I can view my grades for all assignments. |
Good user stories satisfy the following "INVEST" criteria:
The above user story examples satisfy the INVEST criteria reasonably well. But here's an example that doesn't satisfy the criteria:
U. type | Assets | Import. | User story |
---|---|---|---|
professor | survey | C | As a professor, I can conduct online surveys of students, so that I don't have to print and collect paper surveys. |
This user story doesn't specify what a survey is, how students will take it, how results will be tabulated and presented, etc. It should be broken down into smaller stories. And this is likely how you will proceed with inventing user stories: write stories that are too "big" at first, then refine them.
How many requirements should we invent? It's impossible to give a general answer to this question: teams write at different levels of detail, have differently scoped projects, and build systems with different tradeoffs between feature set size and implementation difficulty. After I see your set of requirements, I'll give you individualized feedback.
4. Threat Model. Identify threats of concern to your system. What kinds of attackers will your system defend against? What are their motivations, resources, and capabilities? Don't just list vague, generic threats. Make them specific to your system and its functionality. If there are any non-threats, you should identify them, too. For example, you may wish to assume that some system components execute on hardware that is located in a physically secured machine room reachable only by trustworthy system operators.
5. Security Goals. Identify the assets and stakeholders involved with your system. This step should be easy, because you already identified assets and users for each functional requirement. For each asset, identify what its value is to stakeholders.
Perform a harm analysis on assets. Use the template "performing action on/to/with asset could cause harm." (Although you are encouraged to rewrite statements made with that template into more natural English.) Be as thorough and creative here as possible; this is the step at which you're most likely to overlook something that's important and relevant to security.
Transform the harms you've identified into security goals, using the template "the system shall prevent action on/to/with asset." Label each goal as being exactly one of confidentiality, integrity, or availability. Examine the feasibility of each goal in light of your threat analysis. If necessary, relax goals so that it is feasible to achieve them.
You must document all of these steps, showing me your asset analysis, harm analysis, feasibility analysis, and security goals.
6. Essential Security Elements Document why each of the essential security elements (authentication, authorization, audit, confidentiality, and integrity) is indeed essential to your system. If you can't construct a persuasive argument for an element E, you need to revisit your system purpose and invent new features that will cause E to be essential.
Submission: As a group, submit a single PDF to the Milestone 1 (M1) assignment on Sakai.
Due: October 3, 2018 at 11:55pm.
Evaluation: I will evaluate your Requirements Document against the following criteria:
All the remaining milestones for the project involve the same essential work. You will engage in a sprint, which is a fixed length of time during which you build a "shippable" increment of your system. Your sprints will last two weeks. At the end of each sprint, you will ship the latest increment of your system to the course staff and demo it for us. You have four sprint cycles—named prototype, alpha, beta, and final—to implement your project. Read the project sprint overview to find out more.
When to implement what. You are empowered to decide what features you will deliver as part of each sprint. However, your prototype for Milestone 2 should include some fully-functional, core functionality. Your design and implementation should be compatible your threat model and security goals, but complete implementation of "gold standard" security functionality will not be required until future milestones: Alpha (authentication), Beta (authorization), and Final (audit).
Source Control. You are strongly encouraged to keep your project in a source control system. There are many free possibilities [GitHub, Bitbucket, SourceForge, etc.] that provide code hosting, bug tracking, and wikis. Under no circumstances should you resort to emailing your entire source code between team members.
Submission. (Due: October 24, 2018)
Demo. As a group, arrange a 15 minute time slot to demo your project to me October 25-26. You should bring laptops (or use lab machines) that have your system installed and running. Attendance of all team members is required at your team's demo. Demos typically involve some or all of the following events, though there is necessarily some flexibility involved:
Evaluation. The design and implementation of your system, including your code, will be evaluated on how well it exemplifies the various principles of security. Readability, simplicity, documentation, and assurance matter. We'll also, of course, be looking for vulnerabilities.
Your demo will be evaluated on how well it demonstrates the functionality you are delivering for this milestone (i.e., the system backlog items that you have marked as completed), particularly security functionality. You should demo only completed (that is, working and tested) functionality. We will be especially unimpressed by any bugs we see during your demo, if those bugs relate to functionality that you claim to have completed.
Complete another sprint and ship the latest increment of your system. Your alpha release should exhibit new features and new security functionality, including complete authentication features. Remember that you might need to authenticate humans, machines, and/or programs.
Submission. (Due: November 14, 2018)
Submission requirements are essentially the same as for Milestone 2. Submit your revised requirements, design, and assurance documents, along with another sprint report. You will also submit the source code for your alpha release; remember to include a plain text file named "README" in the root of your source detailing specifically how to install, compile, and run your system. In addition, you should submit any results from automated bug-finding tools you used.
Demo. As a group arrange a time to demo your project November 15-16, 2018.
Evaluation. This will be the same as for Milestone 2.
Complete another sprint and ship the latest increment of your system. Your beta release should exhibit new features and new security functionality, including complete authentication and authorization features.
Submission. (Due: December 5, 2018)
Submission requirements are the same as for Milestone 2.
Demo. As a group, arrange a time to demo your project December 6-7, 2018.
Evaluation. This will be the same as for Milestone 2.
Complete your last sprint and ship the final version of your system. Your final release should include full functionality and security features. This is your opportunity to impress us with the system you built!
Submission. (Due: December 19, 2018)
Final Presentation. You will present and demo your final release on December 20, 2018 at 2-4pm. Your presentation should be about 20 minutes and should describe the functionality of your system and the design and implementation of your security mechanisms (including threat model, security goals, etc.). You are also encouraged to demo your project. This will be your chance to show the rest of the class what you've built!
Evaluation. The design and implementation of your system, including your code, will be evalutated on how well it exemplifies the principles of security. Readability, simplicity, documentation, and testing matter. I will also, of course, be looking for bugs and vulnerabilties. Extra points will be awarded for systems that successfully implement more ambitious goals.
Your final presentation will be evaluated on how well you explain the purpose, features, security goals, and security design of your project. You will also be evaluated on how well you demonstrate the functionality and security features of your system. When preparing your presentation and demo, you should assume that your audience has no prior knowledge of your system.