Informatics 523 - Assignment #1 -- Fall 2019
Due: Friday 20 September 2019, before class
Analyze threats to a simple on-line payment system
- A (simple) on-line payment system runs on a web server
- Users connect using a web browser via HTTPS
- Users authenticate using passwords
- The server runs the payment application
- The application consults a back-end authorization database
- The application connects to a back-end DB server to record payments
- The DB server stores credit card information
- An attacker wants to steal credit card information
- Submit your assignment by email as a PDF file to email@example.com.
- Remember, you can help each other understand the assignment, the concepts, and the tools, but the work you turn in must be your own
- Create a plain attack tree.
  - Use difficult and trivial as node values.
  - What is the easiest route?
- Create a corresponding A-D tree
  - Use ADTool (requires Java 6 or later) - http://satoss.uni.lu/members/piotr/adtool/
  - Include defensive measures and attacks on defensive measures
  - Give the propositional interpretation of the tree
  - Write-up R/P capabilities and a concept for an attack on this system via the web connection
- Create a STRIDE threat model
  - Show all processes, interactors, stores, flows, and boundaries
  - Use Threat Modeling Tool if you have a Windows machine
  - Identify threats and some countermeasures
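As an added example (not part of the handout, and not a substitute for the trees you draw in ADTool), a small Python evaluator for an attack tree of the kind asked for above: it rates the root goal from the difficult/trivial leaf values, finds the easiest route, prints the propositional interpretation, and shows how an A-D tree countermeasure placed on a leaf changes the result. The tree shape, node labels and ratings below are constructed assumptions for the payment system described in the handout.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Node values from the assignment. A route is as hard as its hardest
# mandatory step: AND takes the max, OR takes the min.
RANK = {"trivial": 0, "difficult": 1}

@dataclass
class Node:
    label: str
    op: Optional[str] = None            # None for a leaf, else "AND" / "OR"
    value: str = "difficult"            # leaf difficulty
    children: List["Node"] = field(default_factory=list)

def difficulty(n: Node, defended: FrozenSet[str] = frozenset()) -> str:
    """Difficulty of a (sub)goal. A leaf covered by a countermeasure
    (A-D tree style; attacks on defenses are not modelled here) counts as difficult."""
    if n.op is None:
        return "difficult" if n.label in defended else n.value
    ranks = [RANK[difficulty(c, defended)] for c in n.children]
    r = max(ranks) if n.op == "AND" else min(ranks)
    return "difficult" if r else "trivial"

def easiest_route(n: Node, defended: FrozenSet[str] = frozenset()) -> List[str]:
    """Leaves on the least-difficult path to the root (every child of an AND)."""
    if n.op is None:
        return [n.label]
    if n.op == "AND":
        return [leaf for c in n.children for leaf in easiest_route(c, defended)]
    best = min(n.children, key=lambda c: RANK[difficulty(c, defended)])
    return easiest_route(best, defended)

def propositional(n: Node) -> str:
    """Propositional interpretation: leaves are atoms, AND/OR the connectives."""
    if n.op is None:
        return n.label
    joiner = " AND " if n.op == "AND" else " OR "
    return "(" + joiner.join(propositional(c) for c in n.children) + ")"

# Constructed tree for the handout's system; labels and ratings are assumptions.
TREE = Node("steal_card_data", "OR", children=[
    Node("through_user_account", "AND", children=[
        Node("obtain_user_password", value="trivial"),
        Node("view_cards_via_account", value="trivial"),
    ]),
    Node("through_web_application", "AND", children=[
        Node("compromise_payment_app", value="difficult"),
        Node("read_db_from_app_host", value="trivial"),
    ]),
    Node("reach_db_server_directly", value="difficult"),
])

if __name__ == "__main__":
    print(propositional(TREE))
    print(difficulty(TREE), easiest_route(TREE))
    # A countermeasure on the easiest leaf makes the whole goal difficult.
    print(difficulty(TREE, frozenset({"obtain_user_password"})))
```

The easiest route tells you where a countermeasure pays off first; re-running with that leaf in `defended` shows the root rating change, which is the question the A-D tree part of the assignment asks you to reason about.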