Internet and computer security
Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: THEend8_
COMP4108 A – Fall
Project 2.
Project worth: 25%
Due: Dec 17th, 2021 at midnight ET.
Submission: Upload a single PDF file to the module on Brightspace called “Project 2 Dropbox”.
Objective
The objective of this project is to understand and learn to apply the 20 Security Design Principles we
discussed in Chapter 1 of our textbook (Computer Security and the Internet: Tools and Jewels),
Section~1.7 (Page 20).
Requirement
Write a report, no more than 5 pages of content (11-point font) with regular margins and line spacing,
discussing examples from the textbook, Chapters 8-12, where any of the design principles is either
followed or violated. Be specific, and avoid vague and/or generic statements.
Report Structure
No introduction is required at all; no need for an introductory section, paragraph, or even a sentence.
Arrange your report by chapter. Have a clearly-marked heading for each of the five chapters (8-12), and
then two paragraphs underneath each heading—one for each example. For each paragraph:
• Identify the location from the textbook where the application/violation of a principle can be
found (section and page numbers, paragraph).
• Mention which principle it illustrates. Please state the principle’s number (e.g., P9) AND name
(e.g., TIME-TESTED-TOOLS), not just the number.
• Explain how that part in the textbook illustrates the principle: whether it follows or violates the
principle, how, why, and, if the principle is violated, what can be done to follow it. Be thorough
in your explanation, defining any notation/terminology that you use.
Your report should contain at least ten examples of illustrated principles, and at least two from each of
the five chapters (8-12). If you cannot find two from a chapter, come up with a hypothetical scenario
related to a specific text in the chapter where a principle would be followed or violated. The more
examples you find, the merrier.
Grading
• Be specific: avoid mentioning multiple principles for one piece of text in the textbook. For
example, submitting that a piece in the textbook violates principles P3, P4, P13, P18, and P19,
and follows principles P1, P2, P9, and P10 is NOT being specific. Doing so will lead to loss of
marks, even if some of the mentioned principles is truly relevant (followed/violated).
• You are required to find and discuss at least two examples from each chapter. However, you are
welcome (and encouraged) to add more.
• Sometimes examples of principles being followed/violated are explicitly mentioned in the
textbook. For example, on the first page of Chapter 2, Page 30, footnote 1 mentions that the
advice to avoid designing your own cryptographic protocols is an example of Principle P9,
TIME-TESTED-TOOLS). You can use these in your report, but they will be worth fewer
marks.
• In contrast to the above point, you are free to use explicitly mentioned principles in Exercises.
For example, on Page 206 (Chapter 7), the Exercise labelled “Design principles” asks you to
explain how principle P1 (among others) is related to malware. Using this will not be subject to
the deductions of the above point.
Notes for a stronger report
Your grade will be commensurate with the quality of the examples you find, writing quality
(formatting, grammar/spelling), comprehensiveness and professionalism of writing, novelty (if
applicable), proper explanation and clarity, and your own insights.
Note that a good technical writing should typically have enough details to explain technical material in
depth, yet should be to the point. Having a lot of fluffy text about irrelevant or tangential material,
and/or being vague about how a principle is violated or followed, can lead to loss of marks.
The textbook is dedicated to Internet and computer security, so naturally teaches about various security
defences, one at a time. As you read about every defence independently from each chapter, one can
almost always argue that it violates P13 (DEFENCE-IN-DEPTH) or P18 (INDEPENDENT-
CONFIRMATION), because it is not coupled with other defences. This is the case in virtually every
part of the textbook (passwords, crypto protocols, anti-virus software, firewalls). Simply claiming that
a piece from the textbook is an example of violating P13 or P18, when it is not necessarily the case in
practice, will lead to loss of marks. You are encouraged to avoid reporting on violations of P13 and
P18.
Avoid using a principle repeatedly for the same cause. For example, if you report that network protocol
X follows P3 (OPEN-DESIGN), avoid simply reporting on another network protocol, Y, that also
follows P3. It would be more acceptable if you report on something else other than a network protocol
following/violating P3. This also applies to P9 (TIME-TESTED-TOOLS).
Finally, and perhaps most obviously, avoid claiming that a principle is followed/violated in a situation
where the principle is hardly related. For example, storing salted hashes of passwords is not related to
P6 (LEAST-PRIVILEGE). Note however that you can almost always create a long chain of reasoning
to explain how any two things are related. (A salted hash exhausts rainbow table attacks, which require
large memory allocation, which is often done only by privileged programs; so storing salted hashes
follows P6! That’s too long, thus unacceptable) Tip: if you find yourself having to stretch the
explanation too much to make it fit the situation from the textbook, then the principle is probably not
related.
Plagiarism
All forms of plagiarism are prohibited, including plagiarizing from external sources or from colleagues
in class. This is an individual report – NO GROUP EFFORT. Violations will be subject to total loss of
mark, and/or other penalties under the Plagiarism section of the course outline.