CS 443 Semester project
Fall, 2008

Important dates:
Part I due: September 22
Part II due: October 6
Part III due: October 27
Part IV due: November 10
Part V due: December 1

This project is to be done in groups of 3-4 students. The goal of this project is to design a social networking system for highly secretive people. The primary focus of the system should be security and privacy preservation for members. You will set the security policies, create a design, and implement and demonstrate a prototype of the system. You will also perform a design review of another group's project as well as a security review of the other group's project.

Part I

Identify the functional requirements of your system. This includes the features that you will support. Examples of features that can be supported are the ability to invite others to your social network, the ability to limit what others can see, the ability of others to comment on your content, the ability to control who sees these comments, etc. Another one to consider is the ability to include third party applications. However, remember that security is paramount. You must support at least a core set of features that one would expect to find in a useful social networking site. Your grade will be affected by the quality of the features you support, while keeping security and privacy in mind. You should incorporate at least 2 features that are novel and not found in popular social networking sites such as Facebook or MySpace.

Be sure to pick enough features so that you will have a challenging project. You will be given a "degree of difficulty" score (in the spirit of the Olympic Games last summer), so if you do not pick enough features, you will be hurt on that score.

What to turn in: Turn in a 2-3 page write-up describing your social networking system and the features it will support.

Due date: Sept. 22

Part I Grade Sheet:
Quality of functional requirements: (10) ________
Quality of security requirements: (10) ________
Quality of the novel features: (10) ________
Quality of the write-up (presentation): (7) ________
Degree of difficulty score: (20) ________
Total score for part I: (57) ________

Part II

Identify the security and privacy requirements of your system. The security and privacy requirements state things like how you will require users to log in, how you will keep them logged in, how you will perform authentication of the identity of new users, what information can be seen by which users. Next, once you've identified the requirements, establish security and privacy policies for your social networking system. Policies should state clearly what users can and cannot do.

At this point, you should start implementation. Begin building the parts of the system that are not security critical and that you don't expect to change. Start planning things like your interface and your design. You will not be graded on the quality of your user interface or human factors, so do not put too much effort into those aspects of the system.

What to turn in: Turn in a write-up (maximum 6 pages) describing your security and privacy requirements as well as your policies.

Due date: Oct 6.

Part II Grade Sheet:
Quality of the requirements: (30) ________
Quality of the write-up: (10) ________
Total score for part II: (40) ________

Part III

Design your system. Identify the mechanisms you will use to enforce your social networking system. Consider different design possibilities and pick the one that you think will provide the most security and be easiest to evaluate. The design should include all the information needed to implement the system.
Identify software components that you will write, hardware and software platforms, programming languages for each component, and any third party software that you will utilize. In your design, assign tasks to your group members so it is clear who will be responsible for implementing which component. Identify the task assignments in your report. Next, design a testing and evaluation plan to test the security and privacy of your social networking system.

At this point, you should be making progress on your implementation. You should identify libraries you will use and develop familiarity with them.

What to turn in: You will turn in three documents for this part of the project. The first is a full design document for your system. Include in the design documentation the justification for various components and design decisions. For example, if you use virtualization to protect something, explain how it helps and what it buys you. The same applies if you use any cryptography. The second document to turn in is the testing and evaluation plan document. The third document is a one page status report on the implementation.

Due date: October 27

In-class presentations: On 10/27 and 10/29 each group will have a chance to present their system to the rest of the class. The groups should present their requirements, their supported features, their design, and their testing and evaluation plan.

Part III grade sheet:
Quality of the design: (40) ________
Quality of the design writeup: (10) ________
Quality of the task breakdown for team members: (10) ________
Quality of testing and evaluation plan: (15) ________
Status report on the implementation: (10) ________
Quality of the class presentation: (15) ________
Total score for part III: (85) ________

Part IV

You will be given another group's documents - everything they have turned in to date (and another group will be given yours).
Each group will perform a design review of the other group's design. Identify areas of weakness in security, and attempt to improve the security of their design. Be sure to describe your evaluation methodology.

In the meantime, you should be making significant progress on your own implementation. Try to save items that you expect the other group to criticize for last, but you should expect that you might have to go back and change things.

What to turn in: You will turn in a security evaluation document. It should contain all of the security and privacy weaknesses found in the other project, as well as recommendations for fixing them.

Due date: November 10

Part IV grade sheet:
Quality of the evaluation: (15) ________
Quality of the problems identified: (10) ________
Quality of the recommendations to fix problems: (10) ________
Quality of the methodology used: (10) ________
Quality of the write-up: (10) ________
Total score for part IV: (55) ________

Part V

Review the report from the group that evaluated your project, and make any improvements to your design document. If you decide not to follow the advice and recommendations of the other group (a decision you should not make lightly), then instead, explain why their evaluation was lacking, and justify your decision not to make their changes. Your grade for this section will be based on how good a job you do convincing us that you are right and that the evaluation was lacking.

Implement a prototype of your social networking system. Don't pay too much attention to interface and GUI issues, just get the basic functionality working. Most importantly, focus on the security components. You may use any third party software, but be careful to document what software you have written, and what software is from third parties. You should produce a working system that can be demoed and that can show how your system is used.
You are free to use any development platform and programming languages that you like. But remember that certain programming languages are more secure than others in certain situations.

What to turn in: Turn in a CD which contains all of your code listings and installation and usage instructions. Also, turn in an implementation report that documents your implementation and describes all the components, how they fit together, and anything that the graders will need to help understand your system. Also, identify which issues you addressed from the other group and how you handled their feedback.

Due date: December 1

On 12/1 and 12/3 each group will demo their system to the class and describe the security and privacy features.

Part V grade sheet:
Quality of response to other group's suggestions: (15) ________
Overall quality of the implementation: (35) ________
Ease of installation and configuration: (5) ________
Quality of code and system documentation: (20) ________
Quality of presentation: (15) ________
Overall score for part V: (90) ________

Overall score for the project: (327) ________