Reference no: EM132882506
Scenario - Security Analysis and Solutions to Conference Management Systems
A conference manage system is a web-based management system which allows researchers submit research papers, the program committee (PC) members (reviewers) to browse papers and contribute reviews, scores and discussion, and release decisions (such as rejection or accept) via the Web. In one arrangement, the conference chair downloads and hosts the appropriate server software.
The system allows users to submit papers, enter reviews & scores and access reviews & scores associated with events (conferences or workshops) regarding to the role of the uses. A user is granted access to the system by providing a role (chair, reviewer, or author) along with a user-id and associated password. Permissible roles for each user are specified at the time a new event is added to the management system. Reviews & scores on papers are initially assigned by chairs (chairs assign papers to reviewers for reviewing, one reviewers can be assigned multiple papers, one paper can be allocated to multiple reviewers). Reviewing are done by reviewers. And a chair can perform any and/or all of these actions, but a chair's updates can only be changed by the chair. An author, in addition to learning about his or her reviews & grades on individual papers, is entitled to learn the acceptance statistics (but not other papers' reviews), and the conference program.
Threat model: The adversary is a user who desires to learn the reviews & scores, changes reviews & scores, or prevent others from learning or changing reviews & scores. The adversary has access to the management system and also can read, delete, and/or update network messages in transit. The adversary cannot physically access or run programs on a user's machine that is running a browser to access the management system. And the adversary cannot physically access or run programs on the server hosting the management system.
Your tasks: You are asked to produce a report (1500-2000words) to provide contemplate descriptions of the above Web-based Conference Management System and identify the following:
A. Assets and security properties: what objects should be protected, what security properties might we expect the system to enforce? For each such security property, label it with one of: confidentiality, integrity, or availability?
B. Vulnerability: explain the vulnerability in the system and use an attack tree/model to describe how an attack could be mounted. Restrict your consideration to the threat model provided.
C. Protection: explain what cost-effective protections are available against the threats that you identify. Remember the focus is on software vulnerabilities.
Hint: Assuming that the manager is not a technical person, craft your explanation in a way that can be explained to a layman and include figures where necessary.