Informatics 523 - Assignment #1 -- Fall 2019

Due: Friday 20 September 2019, before class

Analyze threats to a simple on-line payment system

• A (simple) on-line payment system runs on a web server
• Users connect using a web browser via HTTPS
• Users authenticate using passwords
• The server runs the payment application
• The application consults a back-end authorization database
• The application connects to a back-end DB server to record payments
• The DB server stores credit card information
• An attacker wants to steal credit card information

Your assigmment

• Submit your assignment by email as a PDF file to inf523@csclass.info.
• Remember, you can help each other understand the assignment, the concepts, and the tools, but the work you turn in must be your own

1. Create a plain attack tree.
   • Use difficult and trivial as node values.
   • What is the easiest route?
2. Create a corresponding A-D tree
   • Use ADTool (requires Java 6 or later) - http://satoss.uni.lu/members/piotr/adtool/
   • Include defensive measures and attacks on defensive measures
   • Give the propositional interpretation of the tree
3. Write-up R/P capabilities and a concept for an attack on this system via the web connection
4. Create a STRIDE threat model
   • Show all processes, interactors, stores, flows, and boundaries
   • Use Threat Modeling Tool if you have a Windows machine
   • Identify threats and some countermeasures