Security & Privacy Research at Illinois (SPRAI)
Professor Adam Bates
Fall 2016
CS 598 - Computer Security in the Physical World:
Introduction
Adam Bates Research Interests:
➢ Trustworthy Provenance-Aware Systems (CCS’16, SecDev’16, Security’15, TAPP’15, SENT’14, CODASPY'13)
➢ Communications Security (NDSS’12, Security’15, JCS’14)
➢ Embedded Device Security (ACSAC’15, NDSS’14)
➢ Mobile Phone Security & Privacy (Security’15)
➢ SSL/HTTPS Trust Enhancements (CCS’14, IMC’14)
➢ Cloud Computing Security (IJIS’14, CCSW’13)
Career Highlights:
1. Research covered by Wall Street Journal, PCWorld, Mobile World Live.
2. 17 Peer-Reviewed publications (8 Conference Majors)
3. Organizing Committee, IEEE SP ’16, ‘17; Program Committee, ACSAC (2015); Session Chair, ACM CCS (2015); Program Committee, MCS (2015)
[Figures: Provenance Plane and Information Flow Plane (labels: sshd_t, shadow_t, etc_t, syslog_t, sysadm_t); Policy USB Mediator with Device Claims (MNF, Product, Interfaces) and User Expectations (MNF, Product, Features)]
Course Goals
• Exposure to how computer security concepts interact with and inform the ‘real’ world
• Look at impactful applications of security in the literature
• Explore interesting topics related to systems security through
Class Logistics
• Tuesday & Thursday 3:30 - 4:45
• 1302 Siebel Center
• Website: http://adambates.org/courses/cs598-fa16/
• 14 weeks, each exploring a different topic
• Most sessions will be student-driven, I’m merely here to facilitate
• Emails go to [email protected]
• Start email subject with [CS598] please!
Grading
• Paper Summaries (20%)
• Paper Presentations (30%)
• Class Participation (10%)
• Project (40%)
Paper Reviews
• Each student must email brief reviews for assigned papers.
• One paragraph summary of paper content, followed by 2-3 criticisms, praises, or confusing points. What makes this approach different/novel?
• Expect approx. 0.5 pages, limit to 1 page.
• Structure similar to the first half of a peer review
• Due by 11:59 PM the night before class
• Do this for the 2 papers next lecture.
Paper Presentations
• Two discussion leaders/presenters per session
• Responsibilities of the Presenter:
‣ Create a 15-20 minute presentation on the topic to be discussed
‣ Discuss the paper assigned as a jumping off point for the general (20-25 minutes)
‣ Share slides with me at least one day before class (email OK, or stop by office hours).
• Each student will be a presenter for 2-3 papers
How to fail at class
• Do a crummy job with your presentation, or skip it altogether
• Do a crummy job with reviews, or skip them altogether
• Show total lack of comprehension indicative of not having read the papers before class
• Have three or more unexplained absences (Reasonable absences: attending conference, job interview, etc.).
Course Projects
• The course project requires that students execute some original research in security
• Demonstrate applied knowledge
• Don’t try to learn some new non-security field
• Be realistic about what is possible in one quarter.
• However, the work should reflect real thought and effort.
• The grade will be based on: novelty, depth, correctness, clarity of presentation, and effort.
• 1-3 students per group; single person suggested if you want to work in security.
Deliverables
• The chief product of the project will be a 10-15 page conference style paper. There will be several milestones:
• Project Choice (9/06/16)
• Abstract, Background and Related Work (10/04/16)
• Experiment Proposal (10/18/16)
• Project Status Slides (11/08/16)
• Project Presentation (12/08/16)
• Final Project Write-up (TBD during finals week)
• This is a very important factor in your grade!
Project Choice
• Due on September 6, 5:00 PM
• Ordered list of projects
• Choose 3 projects in order of interest
• Choose up to 2 collaborators (optional)
• Bigger expectations for bigger groups
• I will (hopefully) resolve all constraints and approve/choose your project and group
Picking a topic
• Skim course schedule for ideas
• I will work with you to acquire research equipment
• Be realistic — I’m not buying a car.
• I *can* potentially connect you to IoT, CPS, Medical, and Mobile devices.
• Realistically, we can make any topic from OS security or NetSec (feat. Layer 2 or below) fit.
• Picking a topic is very important, and should almost certainly involve an area you already know well.
Tentative Topic List
• Locks, Keys
• Financial Security
• USB Security
• Mobile Security
• Data Provenance
• Smart Grid
• Cyber Physical
• Internet of Things
• Medical Devices
• Voting Systems
• Telephony
• Network Infrastructure
• Wiretapping
• Automotive
Ethics Statement
This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measurements for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class.
When in doubt, please contact the instructor for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from Professor Bates.
Next Class
• USB Security — 2 conference papers
• Reviews due by the end of the day tomorrow
• Assignments and paper links available at
http://adambates.org/courses/cs598-fa16
(Note: This is easily reachable from adambates.org)
Reading Papers
• Why do we read papers?
• How do you read papers?
• What should you get out of a paper?
• Did you read the paper for today?
Understanding Papers
• What is the central idea expressed in this paper?
• Where do you find this information?
• What is the context of this paper?
• Related work, details pertinent details and justifies paper
• What is the methodology?
• Proofs, experiments, simulation, rhetoric
• What are the claimed results?
• New scientific discovery, if it is not novel it is not research
• What do you need to remember about this work?
Thompson Paper
• What is the contribution?
• Related Work?
• Methodology?
• Results?
• Takeaway?
Sample Summary
• Contribution: Ken Thompson shows how hard it is to trust the security of software in this paper. He describes an approach whereby he can embed a Trojan horse in a compiler that can insert malicious code on a trigger (e.g., recognizing a login program).
• Related Work: This approach is an example of a Trojan horse program. A Trojan horse is a program that serves a legitimate purpose on the surface, but includes malicious code that will be executed with it (e.g., Sony/BMG rootkit).
• Methodology: The approach works by generating a malicious binary that is used to compile compilers. Since the compiler code looks OK and the malice is in the binary compiler compiler, it is difficult to detect.
• Results: The resulting system identifies construction of login programs and miscompiles the command to accept a particular password known to the attacker.
• Take Away: Thompson states the “obvious” moral that “you cannot trust code that you did not totally create yourself.” We all depend on code, but constructing a basis for trusting it is very hard, even today.
How to Read a Paper
• Prepare your environment
• Decide what to read
• Read in generalities (10-20 minutes)
• Skim intro, headings, figures, definitions, conclusions, related work, references.
• Read in depth (1-4+ hours)
• Consider methodology, challenge arguments, examine assumptions/methods, become invested in the work!
• Make notes, mark up a copy, summarize paper
Systems Security Papers
• What is the security model?
‣ threat model, trust model, participants/adversaries
• What is the environment and the resulting constraints?
‣ e.g., resource-constrained devices, patrolling security guards
• What is the solution?
‣ how are the threats addressed? how is the solution evaluated?
• What is the key idea that drives the design?
‣ should be a concept, not an engineering detail
• Takeaway: Why should someone care about this work?
Presenting a Paper
• Requires the technical preparation necessary for writing a summary, but also much more!
• Audience engagement is vital
• Construct a narrative
• Engage the audience
• Identify an insight
• Argue a point
• Extend an argument
• Relate what you’ve learned, and what strikes you about the work: be engaged with the content
Presentation Advice
• Keep your points simple and repeat key insights
• Know the jargon that you will be using
• Present a narrative - tell a story
• Pace the talk so that you’re not rushing or dragging
• Think about the goals of your presentation
• Leave audience with the high points in their head
• Practice and prepare!
• Read http://pages.cs.wisc.edu/~markhill/conference-talk.html
Professor Adam Bates
Fall 2016
CS 598 - Computer Security in the Physical World:
Locks & Keys
Security Traditions*
cypherpunks
phone freaks
* Note: Extremely reductive taxonomy presented on this slide
Lock Picking in Com Sci?
• Mechanical locks influenced the foundation of computer security (e.g., crypto secrets are “keys”)
• People who break open digital systems also like breaking open analog systems (e.g., locks, telephony)
• Physical locks remain a useful metaphor for thinking about computer security, and vice versa
Pin Tumbler Locks
• Common to cylinder locks
• n pins inserted in plug
• pins cut in two at various heights
• without correct key, plug cannot rotate (i.e., locked)
• when correct key is inserted, gaps in pins line up with shear point, allowing plug to rotate
[Figure labels: Key Pins, Driver Pins, Plug, Shear Point, Keyway. Animations via http://toool.us]
Pin Tumbler Locks
[Figure: view from side. Animations via http://toool.us]
Enter Lock Picking
Animations via http://toool.us
In an ideal world, pins would fit into the plug like this: [figure, wrong key inserted]
In the real world, pins fit into the plug like this: [figure, wrong key inserted]
[Figure: Expectation and Reality panels; labels: Real Plug, Real Pins]
Mechanical imperfections make lock picking possible:
• Tension wrench applies (gentle) torque to the cylinder
• This causes one pin to stop the cylinder from turning.
• Pushing that one pin up causes the cylinder to turn slightly, “setting” that pin.
• Repeat until all pins are set.
Cryptanalysis of Locks
• Shared Secret / Password: keying of lock (or the key)
• Brute Force Attack: try all possible keys (or kick door down?)
• Oracle Attack: mechanical imperfection reduces search space (i.e., lock picking)
Info. Theoretic Security
• What are the security parameters?
‣ Number of Pins (Pin Stacks), P
‣ Number of key bitting depths, D
• Consider an ideal world (i.e., unpickable) 5 pin lock with 4 bitting depths. How large is the key space?
‣ D^P = 4^5 = 1024
• Consider a real world (i.e., pickable) 5 pin lock with 4 bitting depths. How large is the search space?
‣ If you’re good, approximately linear with D?
Real World Security
• Caveats
• Lock picking is conspicuous, intruder is unlikely to have authorized access to area
• Lock picking takes time, at least on the order of seconds
• Security Theater: Locks deter, create the perception of security
• There are many other lock picking techniques not covered here (e.g., shims, bump keys, rakes) which vary in use-case and covertness.
Master-Keyed Locks
• Easiest way to make a master key?
Photo via http://united-locksmith.net
Info. Theoretic Security
• Master keys necessarily reduce security. Why?
• Introduce single point of failure
• Cross Keying / Key Interchange attack
• Consider a real world (i.e., pickable) master-keyed 5 pin lock with 4 bitting depths. How large is the key space?
• D^P - 2^P = 4^5 - 2^5 = 992
• Security reduced, but not too bad… right?
Adaptive Oracle Attack
• Change Key is 11111, Master Key is 44444
• 2^5 keys open the lock: 14111, 11411, etc.
• For each pin position, prepare D-1 test keys (all bitting except for known bitting of the change key).
• Try all test keys for p=1. The bitting of the test key that opens the door corresponds to the master key bitting.
• Repeat for all pin positions.
• Note: Number of required test keys can be reduced from P(D-1) to P by filing keys down in real time.
Countermeasures?
• Master Ring Locks
• Drawbacks: Uncommon, more vuln. to lock picking
• Control distribution of blank keys
• Drawbacks: Impractical, many 3rd party vendors
• Obfuscate TMK with more cuts
• Add one cut, 2^P different possible TMK’s per lock
• Drawback: Reduces key space s.t. key interchange attacks are easier, creates sub-masters, impractical for small locks.
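
The key-count and probe-count arithmetic from the Adaptive Oracle Attack and Countermeasures slides, checked on an abstract lock model. This is an added example, not part of the original slides; `PinTumblerLock`, `master_keyed`, `probe_positions` and the decoy bitting are assumptions made for illustration.

```python
from math import prod

class PinTumblerLock:
    """Idealised lock: one set of shear depths (cuts) per pin stack."""
    def __init__(self, cuts):
        self.cuts = [set(c) for c in cuts]
        self.probes = 0              # how many keys have been tried

    def opens(self, key):
        self.probes += 1
        return all(d in c for d, c in zip(key, self.cuts))

def master_keyed(change_key, master_key, decoy=None):
    """Each stack is cut for the change key and the master key.
    decoy (hypothetical extra bitting) models 'obfuscate TMK with more cuts'."""
    stacks = [{c, m} for c, m in zip(change_key, master_key)]
    if decoy:
        stacks = [s | {x} for s, x in zip(stacks, decoy)]
    return PinTumblerLock(stacks)

def accepted_key_count(lock):
    """Number of distinct bittings that open the lock."""
    return prod(len(c) for c in lock.cuts)

def probe_positions(lock, change_key, depths):
    """Vary one position at a time from the change key, as on the slide.
    Returns (depths that opened per position, number of test keys used)."""
    lock.probes = 0
    found = []
    for p in range(len(change_key)):
        hits = set()
        for d in range(1, depths + 1):
            if d == change_key[p]:
                continue             # known bitting of the change key
            test = [d if i == p else c for i, c in enumerate(change_key)]
            if lock.opens(test):
                hits.add(d)
        found.append(hits or {change_key[p]})  # no hit: master shares this cut
    return found, lock.probes

if __name__ == "__main__":
    P, D = 5, 4
    change, master = (1,) * P, (4,) * P          # bittings from the slide
    plain = master_keyed(change, master)
    found, n = probe_positions(plain, change, D)
    print(D ** P, accepted_key_count(plain), n, found)   # key space, 2^P, P(D-1)
    decoyed = master_keyed(change, master, decoy=(2, 3, 2, 3, 2))  # constructed
    found, n = probe_positions(decoyed, change, D)
    print(accepted_key_count(decoyed), prod(len(h) for h in found), n)
```

With the decoy cut, the same 15 test keys leave 2^P = 32 candidate master bittings instead of one, while the number of keys that open the lock rises from 32 to 243, which is the key-interchange drawback the slide notes.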
Why did we read this?
• Cautionary Tale: Computer Security and the physical world interact in complex and unexpected ways.
• Here, cryptanalytic techniques trivially expose a systemic vuln. in the world’s #1 security mechanism.
• Problems only become more complex as we enter the cyber physical domain.