Partner or alone, as you wish.
Hand in by creating a folder named "stride" at the top level of your CS231 repository, and putting a stride.pdf or stride.txt file with your answers in that folder.
In this assignment, you will perform a STRIDE-based analysis of a security scenario.
In a security certification course or something similar, there would doubtless be a strict set of rules for structuring and formatting your threat analysis. My pedagogical goals for this assignment, however, are not to turn you into certified threat modelers, but rather to get you into the habit of thinking in a structured way about threats. Though STRIDE does get you into some "thinking like an attacker," it is more focused on security at the system design stage rather than on reactive defense in the face of attacks. By analyzing your system's structure, you can try to build security into the system from the start.
The scenario
Santiago Urquijo/Getty
The phone rings. It's David.
"Jeff! The lemurs—lemurs!"
I check my hearing aids.
"Hi David. What about the...um...lemurs?"
"They're rampaging—rampaging!"
"Well, I guess rampaging lemurs could be a problem. How can I help? Do you need me to maybe construct a spanning tree or something?"
He makes a little scoffing sound.
"Oh, that's so sweet of you to think I would want a Minnesotan to do something algorithmic. No no, it's best if you leave that sort of thing to the experts from...well, from a bit further east, where we really know how to deploy mathematical thinking."
There's a long pause.
"Now why did I call again? Oh yes! I need to tell you about DLN!"
"Uh...."
"David's Lemur Network! I've put together a website to help the citizens of Northfield share sightings of rampaging lemurs. They can make accounts, login, search for lemur types, post photos, determine how many degrees of separation between them and a given RL..."
Checking my hearing aids again.
"RL?"
"Rampaging lemur. Try to keep up, Jeff."
RL. Of course. David continues:
Anyway, I've coded it up. I mean, I haven't actually coded it up, but I know what the code would be like in theory, which is pretty much the same thing. But I'm a little worried about security. Can you help?"
Now we're getting somewhere. Maybe I can actually help David with his little problem. I assure him I'll think about his project's security architecture and get back to him. He says something about needing to buy nuts, fruit, netting, and antibiotics and signs off.
Your job
This is where you come in. You're going to do a STRIDE analysis of David's Lemur Network. David's users will require privacy and confidentiality, data integrity, service availability, etc., so threats to any of those attributes of the system need to be identified and (if possible) mitigated.
The service will consist of:
- A database server. The database will contain user account information (including names, addresses, credit cards, lemur descriptions and locations, photos, videos, etc.).
- A web server that serves data upon request, enabling user login, browsing of lemurs, chat between users to discuss lemur management techniques, etc.
- A web client (i.e. web pages served from the web server, supporting all the features of the service, optimized for phone, tablet, and desktop).
- Client apps for iOS and Android that access an HTTP-based API on the web server to support the apps' features.
What to hand in
- A data flow diagram for the system.
- A list of threats and their corresponding mitigations, labeled by which element of STRIDE the threat corresponds to. For example, one threat might be "eavesdropper on user's network reads user's interaction with the DLN web server" and its corresponding mitigation might be "all interactions with the DLN server occur over HTTPS." The STRIDE label for this threat would be I (information disclosure). You can submit your list in tabular form, or as a bulleted or numbered list, or something similar. Make sure it's easy to read.
Include in your list as many realistic threats as you can think of, with at least one or two in each STRIDE category.
Have fun!