computer and network security - home | eecs · eecs 588 introduction january 12, 2016 alex...
TRANSCRIPT
![Page 1: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/1.jpg)
EECS 588
Introduction
January 12, 2016Alex Halderman
Computer and
Network Security
![Page 2: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/2.jpg)
Today’s Class
Welcome! Goals for the course Topics, what interests you? Introduction to security research Components of your grade Legal and ethical concerns
![Page 3: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/3.jpg)
Who am I?
J. Alex Halderman
CSE Prof.
Web: https://jhalderm.com
Email: jhalderm@eecs
Office: 4717 Beyster
Hours: TuTh 3:30-4:30or by appointment
Mobile: 609-558-2312
![Page 4: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/4.jpg)
How I spent my winter vacation
![Page 5: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/5.jpg)
![Page 6: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/6.jpg)
How I spent my winter vacation
![Page 7: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/7.jpg)
How I spent my winter vacation
![Page 8: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/8.jpg)
![Page 9: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/9.jpg)
![Page 10: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/10.jpg)
![Page 11: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/11.jpg)
![Page 12: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/12.jpg)
![Page 13: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/13.jpg)
![Page 14: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/14.jpg)
![Page 15: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/15.jpg)
![Page 16: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/16.jpg)
![Page 17: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/17.jpg)
![Page 18: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/18.jpg)
![Page 19: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/19.jpg)
![Page 20: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/20.jpg)
![Page 21: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/21.jpg)
Goals for this Course
Gain hands-on experienceBuilding secure systems
Evaluating system security
Prepare for researchComputer security subfield
Security-related issues in other areas
Generally, improve research, writing, and presentation skills
Learn to be a 1337 hax0r, but an ethical one!
![Page 22: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/22.jpg)
Getting In, Getting an A
Waitlist?
Prereqs: EECS482 or EECS489 or grad standing
We’ll grant everybody overrides, but can’tguarantee hard work will bring success, unless you have the prerequisites.
![Page 23: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/23.jpg)
![Page 24: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/24.jpg)
Building BlocksThe security mindset, thinking like an attacker, reasoning about risk, research ethicsSymmetric ciphers, hash functions, message authentication codes, pseudorandom generatorsKey exchange, public-key cryptography, key management, the SSL protocol
Software SecurityExploitable bugs: buffer overflows and other common vulnerabilities – attacks and defensesMalware: viruses, spyware, rootkits – operation and detectionAutomated security testing and tools for writing secure codeVirtualization, sandboxing, and OS-level defenses
Web SecurityThe browser security modelWeb site attacks and defenses: cross-site scripting, SQL injection, cross-site reference forgeryInternet crime: spam, phishing, botnets – technical and nontechnical responses
Network SecurityNetwork protocols security: TCP and DNS – attacks and defensesPolicing packets: Firewalls, VPNs, intrusion detectionDenial of service attacks and defensesData privacy, anonymity, censorship, surveillance
Advanced TopicsHardware security – attacks and defensesTrusted computing and digital rights managementElectronic voting – vulnerabilities, cryptographic voting protocols
Not a crypto course
![Page 25: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/25.jpg)
Getting to Know You
Who are you?
What topics interest you?
What would you like to learn in this course?
![Page 26: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/26.jpg)
What is Computer Security?
Philosophy?
Engineering?
Natural Sciences?
Math?
![Page 27: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/27.jpg)
Meet the Adversary
“Computer security studies how systems behave in the presence of an adversary.”
* An intelligence that actively tries to cause the system to misbehave.
![Page 28: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/28.jpg)
What’s the Difference?
![Page 29: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/29.jpg)
Why is Security its own Area of CS?
![Page 30: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/30.jpg)
Who does Security Research?
Academia Industry Military Hobbyists
Bad guys…
![Page 31: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/31.jpg)
“Insecurity”?
HierarchyLevel-2 Problem: “Weakness”
Factors that predispose systems to vulnerability
Level-1 Problem: “Vulnerability”Specific errors that could be exploited in an assault.
Level-0 Problem: “Assault”Actual malicious attempt to cause harm.
“Attack”Assault recipe,vulnerabilities are ingredients
![Page 32: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/32.jpg)
High-Level Approaches
Attacks Defenses
![Page 33: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/33.jpg)
Why Study Attacks?
Identify vulnerabilities so they can be fixed.Create incentives for vendors to be careful.Learn about new classes of threats.
Determine what we need to defend against.
Help designers build stronger systems.
Help users more accurately evaluate risk.
![Page 34: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/34.jpg)
Thinking Like an Attacker
Look for weakest links – easiest to attack.
Identify assumptions that security depends on.Are they false?
Think outside the box:Not constrained by system designer’s worldview.
Practice thinking like an attacker:
For every system you interact with, thinkabout what it means for it to be secure, and
image how it could be exploited by an attacker.
![Page 35: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/35.jpg)
![Page 36: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/36.jpg)
Exercises
Breaking into the CSE building?
![Page 37: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/37.jpg)
Exercises
Stealing my password
![Page 38: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/38.jpg)
Exercises
What are some security systems thatyou interact with in everyday life?
![Page 39: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/39.jpg)
Thinking as a Defender
Security policy What are we trying to protect? What properties are we trying to enforce?
Threat model Who are the attackers? Capabilities? Motivations? What kind of attack are we trying to prevent?
Risk assessment What are the weaknesses of the system? What will successful attacks cost us? How likely?
Countermeasures Costs vs. benefits? Technical vs. nontechnical?
Challenge is to think rationally and rigorously about risk.
Rational paranoia.
![Page 40: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/40.jpg)
Exercises
Should you lock your door?
Assets?
Adversaries?
Risk assessment?
Countermeasures?
Costs/benefits?
![Page 41: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/41.jpg)
Exercises
Using a credit card safely?
![Page 42: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/42.jpg)
Secure Design
Common mistake: Trying to convince yourself that the system is secure
Better approach:Identify the weaknesses of your design and focus on correcting them
Secure design is a processMust be practiced continuously; can’t be retrofitted
![Page 43: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/43.jpg)
Where to Focus Defenses
Trusted componentsParts that must function correctly for the system to be secure.
Attack surfaceParts of the system exposed to the attacker
Complexity vs. security?
![Page 44: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/44.jpg)
Selfie Time!
3 minutes. Go!
> What name should we call you?
> What’s your year and major?
> What would you like to learn in 588?
Subject: <your_uniqname>
![Page 45: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/45.jpg)
Recall Goals for this Course
Gain hands-on experienceBuilding secure systems
Evaluating system security
Prepare for researchComputer security subfield
Security-related issues in other areas
Generally, improve research and communication skills
Learn to be a 1337 hax0r, but an ethical one!
![Page 46: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/46.jpg)
Grading
Class Participation (5%)
Paper Responses (15%)
Attack Presentation (30%)
Research Project (50%)
No exams, no problem sets!
![Page 47: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/47.jpg)
Class Participation (5%)
~2 required papers for discussion in each session(other readings optional but recommended)
Come prepared to contribute! Full points for speaking up and contributing substantial ideas Lose points for being silent, missing class, Facebook, etc.
![Page 48: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/48.jpg)
Paper Responses (15%)
Brief written response to each paper (~400 words)
In the first paragraph:State the problem that the paper tries to solve; and
Summarize the main contributions.
In one or more additional paragraphs:Evaluate the paper's strengths and weaknesses;
Discuss something you would have done differently if you had written the paper; and
Suggest interesting open problems on related topics.
![Page 49: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/49.jpg)
Attack Presentation (30%)
With a partner, choose a specific attack from recent research and implement a demonstration
Give a 15 minute presentation:
(1) describe the attack
(2) talk about how you implemented it, give a demo
(3) discuss possible defenses
Course schedule will list topics later today
Each group send me ratings for each choice by 5pm Friday
![Page 50: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/50.jpg)
Research Project (50%)
In groups, investigate new attack/defense/toolAim for a publishable workshop paper.
Components (more detail on website): Preproposal presentation Project proposal Project checkpoint Workshop-style presentation in class Final workshop-style report
![Page 51: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/51.jpg)
Communication
Course Web Sitehttps://eecs588.orgschedule, reading list, reading response submission
Email [email protected], suggestions, questions, concerns
Piazzaannouncements, discussion, find a partner or group
![Page 52: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/52.jpg)
Law and Ethics
Don’t be evil! Ethics requires you to refrain from doing harm
Always respect privacy and property rights
Otherwise you will fail the course
Federal/state laws criminalize computer intrusion, wiretapping e.g. Computer Fraud and Abuse Act (CFAA)
You can be sued or go to jail
University policies prohibit tampering with campus systems You can be disciplined, even expelled
![Page 53: Computer and Network Security - Home | EECS · EECS 588 Introduction January 12, 2016 Alex Halderman Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022022007/5acfe0047f8b9a71028d3758/html5/thumbnails/53.jpg)
Your Assignments…
First paper discussion Thursday (2 MD5 papers)See course site for required reading (under construction)submit written responses via eecs588.org by start of class!
Find a partner and rate the topics for attack presentation;updated topic list available tomorrow;email topic ratings by 5pm on Friday
Start thinking about your course project;Form a group, present topic idea February 18 in class