Assignment 1 – Due Monday, February 3

This assignment has two parts, which are submitted separately in Canvas: Written questions (questions 1-4), which must be submitted as a PDF file, and a Labtainer exercise (question 5), which must be submitted as a “lab” file (created by the Labtainer system). Note that Canvas will only accept a PDF file for the written portion, and will only accept a lab file for the Labtainer portion. Written solutions can be either electronically prepared or neatly handwritten and scanned. If you must use a phone camera rather than a scanner, you should use a “scan to PDF” app to produce a proper and readable PDF document. Check the file that Canvas received as your submission. I will grade only what is there, using the timestamp in Canvas. I will not accept a file after the fact because your upload failed or because the file was corrupt or you submitted the wrong file…

If you want to use a tool to electronically create your diagrams, you should use an appropriate tool to draw neat diagrams (e.g., LucidChart or Visio). It is almost impossible to make a neat, professional-looking diagram in Word or some other tool that is not designed for this, so do not try.

On this and all other assignments, remember to fully explain your answers, and cite all sources of information!

  1. Find a news story of a security incident from this past year that involved a malicious attacker (that shouldn’t be hard!), and describe in at least some detail what happened. Your description should include a statement about each of the “big three” security goals, indicating whether it was violated (and if it was, how it was violated). Also speculate on what type of attacker was involved and what the attacker’s motive may have been. Make sure that the incident occurred in 2024, and cite your source(s) of information.

  2. In this question, you are to get a feel for how vulnerable modern systems are by exploring the “National Vulnerability Database” that NIST maintains, which is at https://nvd.nist.gov/. Take a look around that website and familiarize yourself with what the NVD provides, and then look for specific items as described below.

    1. Find the vulnerability search page, and look under “Advanced” search to find how to search by date of publication for vulnerabilities. Pick a random month from last year (e.g., maybe your birthday month) and see how many vulnerabilities were reported that month. Report how many there were for the month, and calculate the average number of vulnerabilities reported per day. If you were a security professional, and spent on average 5 minutes looking at each CVE to see if it applied to systems you manage, how much time per week would you spend reviewing CVEs?

    2. Look into some of these vulnerabilities (you can just click randomly on the CVEs in your search result, but avoid those that say “AWAITING ANALYSIS” at the top) to see how they are reported. Can you find any that give vulnerabilities associated with software or systems that you use? Examine the various information reported for a CVE, looking in particular for anything that identifies risks to the “big three” security goals that we talked about in class, and report on what you find.

    3. Imagine that you are managing a collection of systems, and want to stay up-to-date on vulnerabilities. In the first part of this question you should have seen that trying to follow every vulnerability is not practical. How can you improve the efficiency of this? In particular, what is a “CPE” and how can you use that to identify CVEs that are relevant to your systems?

  3. Consider the following set of subjects and objects in the Bell-LaPadula model, with clearances and classifications as shown (C, S, and TS stand for “Classified”, “Secret” and “Top Secret”, listed in increasing order of classification):

    Subject Clearances:

    • Andy: (C, {TOYS})
    • Woody: (S, {SNAKES,TOYS})
    • Buzz: (TS, {SPACE,TOYS})


    Objects and Object Classifications:

    • ToyInventory: (C, {TOYS})
    • SnakeTypes: (S, {SNAKES})
    • SpaceMissions: (TS, {SPACE,SNAKES,TOYS})


    1. Write out the access control matrix that shows both read and write permissions for all three subjects and three objects (use “R” to denote read permission, and “W” to denote write permission).

    2. Which objects can Woody read?

    3. Is there a file classification and label that would allow Buzz to write to such a file, and Woody to read from it? Why? Is there a way around this?

  4. These questions relate to the “Secure Design Principles” from Section 1.1.4 in the textbook (and that we discussed in class).

    1. Using compartments and need-to-know labels in the Bell-LaPadula model is similar to one of the secure design principles. State which one, and describe how these two concepts are related.

    2. Back in the 1800s, Auguste Kerckhoffs stated that the security of a cryptographic system should not require the secrecy of the algorithm (only the key used) – this is now known as “Kerckhoffs’s Principle.” This is similar to one of the secure design principles. State which one, and describe how these two concepts are related.

  5. Labtainer setup and exercise. For this question, you are to set up your computer to run “Labtainer” exercises, and then perform a straightforward lab on basic Unix/Linux commands. This is being assigned so that you go ahead and get the Labtainer virtual machine environment set up and working on your computer, which poses a few challenges: First, the image you need to download is large (6.3 GB), which can take a long time if your Internet connection is slow. Second, if you have a recent Apple Mac, using an Apple Silicon (M1 or M2) CPU, you cannot do this without emulation and a fairly serious performance hit. While I have gotten this to work, the instructions as given on the Labtainer website didn’t work as written. I have written up alternative instructions here. Alternatively, we have remote desktop solutions that Mac users can use, but if you need this then you must let me know ASAP so I can set it up for you.

    If you have a particularly slow or unreliable connection, I would recommend coming to campus or finding some other place with a fast connection in order to do the download. Also, for good VirtualBox performance, you’ll need a decent amount of RAM (at least 8GB, but more is better) and your computer BIOS settings need to have hardware virtualization support enabled. Modern Intel-based systems (meaning anything except the recent Apple Silicon-based Macs), purchased within the last 4 years, should probably support this without any problems. If you have significant problems, you should talk to me to either get things set up properly on your computer or to arrange an alternative.

    Here’s what you need to do: First, if you don’t already have it installed, install VirtualBox – see https://www.virtualbox.org/ to download and install this free software.

    Next, go to the Labtainer web page ( https://nps.edu/web/c3o/labtainers ), click on “Virtual Machine Images” and download the “VirtualBox VM Appliance” from that page. The one-line “Directions” right below the link to the image is all you need to do in order to get this installed and usable with VirtualBox.

    For some reason, the latest version of the Labtainer VM image is set up by default using display scaling, which makes it look horrible on my system. Look at the VM settings, and if it has a “Scale-factor” other than 1 listed, consider changing it to 1 (or 100%). You can adjust this to your preference later. If you have any issues with the virtual system crashing/logging you out, try powering the virtual system off and changing the “Graphics Controller” in the Display settings from VMSVGA to VBoxVGA — I had to do that on one system for some reason, but that corrected the problem.

    Then start the virtual machine image from VirtualBox. After it boots up and stabilizes, you will see a Linux desktop with a terminal window and command prompt. You can adjust the size of the desktop and the terminal window to your liking. This is the normal “starting point” for Labtainer exercises. You should open the “Student Guide” from the Labtainer web page, and read Section 3 (“Performing a Lab”) to understand how the Labtainer system works in general. Note that the more involved parts of Sections 1 and 2 are not necessary and are simply confusing if you’re using the VirtualBox image - just skip those. It’s worth your time to poke around a little on the Labtainer web site to see what is there – for example, the “Labtainer Lab Summary” and “Lab Manuals” are good things to be familiar with.

    Finally, you should complete the nix-commands lab. To do this, you type “labtainer nix-commands” at the command prompt of your Labtainer virtual machine. The first time you run this it will ask for your email address, which is needed to identify your work after you submit it – use your UNCG email address! After the first time, the Labtainer system will remember your email address and present it to you as the default. After getting the lab started, the system will print out some links to the information needed for the lab; alternatively, you can directly access the instructions from the Labtainer web site. Note that the lab starts up a new terminal window with a shell running inside the lab container and this is very different from the shell you just used to start the lab, which is running in the VM system. Keep these separate in your mind because they are two separate and different environments. While the two windows look almost the same, you can tell the difference in the window’s title bar – the labtainer window(s) will have a title that looks like “student@nix-commands” (or whatever other lab you’re running later), while the VM window will have a title that looks like “student@LabtainersVM”. Yes, it can get confusing…. When you are finished, type “stoplab nix-commands” in your original terminal window (the VM window).

    After you have completed everything, including typing the “stoplab” command, there will be a file with a .lab extension created in the directory /home/student/labtainer_xfer/nix-commands — you should use the Web browser from inside the Labtainer VM to submit this file in Canvas. From this file, I will be able to see all of the commands you executed, and whether you followed the directions in the lab will be the basis of your grade, so make sure you do everything stated in the lab instructions!
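
Relating to question 3: the Bell-LaPadula checks can be run mechanically. The following is an added example, not part of the original assignment. It applies the standard rules (a subject may read an object whose label it dominates, and may write an object whose label dominates its own) to constructed subjects, objects and compartments (NET, HR) that deliberately differ from those in the question; all function names are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations

LEVELS = {"C": 0, "S": 1, "TS": 2}  # increasing order, as in question 3

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def dominates(self, other):
        # Higher-or-equal level AND a superset of the other's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def label(level, *compartments):
    return Label(level, frozenset(compartments))

def can_read(subject, obj):
    return subject.dominates(obj)   # simple security property: no read up

def can_write(subject, obj):
    return obj.dominates(subject)   # *-property: no write down

def access_matrix(subjects, objects):
    return {(s, o): ("R" if can_read(sl, ol) else "") + ("W" if can_write(sl, ol) else "")
            for s, sl in subjects.items() for o, ol in objects.items()}

def flow_labels(writer, reader, universe):
    """Every label a file could carry so that writer may write it and reader may read it."""
    found = []
    for level in LEVELS:
        for size in range(len(universe) + 1):
            for combo in combinations(sorted(universe), size):
                candidate = label(level, *combo)
                if can_write(writer, candidate) and can_read(reader, candidate):
                    found.append(candidate)
    return found

# Constructed sample data (not the assignment's subjects or objects).
SUBJECTS = {"intern": label("C"), "analyst": label("S", "NET"),
            "auditor": label("TS", "NET", "HR")}
OBJECTS = {"handbook": label("C"), "firewall_rules": label("S", "NET"),
           "payroll": label("S", "HR")}

if __name__ == "__main__":
    for (s, o), perms in access_matrix(SUBJECTS, OBJECTS).items():
        print(f"{s:8} {o:15} {perms or '-'}")
    up = flow_labels(SUBJECTS["analyst"], SUBJECTS["auditor"], {"NET", "HR"})
    down = flow_labels(SUBJECTS["auditor"], SUBJECTS["analyst"], {"NET", "HR"})
    print(len(up), "labels carry analyst -> auditor;", len(down), "carry auditor -> analyst")
```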