Introduction to computer and network security

Let's play

➢ Can we redraw this graph so that the edges don’t intersect?

Still want to play?

➢ What about this one?

Computer Security, it's all about curiosity and imagination

Let me hack the discussion ...

Computer security is all about hacking. So learning about computer security, it's learning how to do attacks!

Yes, we are going to study some attacksBut NO, security is not about hacking ....

... it's more than that!

Yes but ....

But, I really really want to be a hacker,tell me what should I learn?

To be a hacker, you should learn what is in15-21315-21215-25115-34915-44115-45115-447and so on ...

and spend your free time at the library!

Lucky you of being Carnegie Mellon Students!!

So what is hacking?

Doing an attack that you learned IS NOT hacking ...... it's knowing how to use Google!

Hacking is

- knowing and understanding all the details about a system, its about been curious

- using the system in a way that nobody have thought,it's about been imaginative

Learning computer and network security

➢ What we learn in 15-349Introduction to computer and network security

• We show you that some people think outside of the box: hackers and security experts

• We show you where is the risk and how to be “security aware”

• We show you attacks and explain how and why they works• We show you how to protect your system and lower the risk

of attacks➢ ... and we have fun during recitations

• Movies, games and real hacking :)

Check out the webpage: www.qatar.cmu.edu/cs/15349/

What is security?

Computer Security

Cryptography

Law

Operatingsystems

Mathematics

Networking

Programminglanguages

Economics

Psychology

Humancomputer

interaction

➢ Lowering the risk or preventing that something bad can happen

Why do we care about security?

➢ What are the bad things that can happen?

What is a good security?

➢ Is there a silver bullet?

Let's play a game

➢ Threat• “Someone can break into my apartment and

steal or destroy my stuff”

➢ Attacks and Counter-measures• I have a basic protection, but worse things can

happen, help me to fnd what and how to mitigate them

My apartment and its basic protection

Classic Wooden door with a 3 points lock

On the balcony (2nd floor), PVC windows with a single

point lock

But ... what do I have in my apartment?

999 QR999 QR299 QR

What do we learn from the game

➢ You never prevent a threat• .... you lower the risk!

➢ Performing an attack is more or less diffcult• It's a balance between

• the assets that you want to protect• the efforts an attacker will make

➢ Deploying a counter-measures has a cost• It's a balance between

• the cost of recovering from the attack • the cost of a deploying a protection mechanism

Do your own risk analysis

➢ How important are the data in your laptop?• What if someone accesses, copies, distributes

modifes, deletes my data?• What if the system is down or not working well?

➢ But your information is larger than just your laptop, what about ...• the other machines you are using? Your (i)phone

and other digital devices? • your CMU account, your Gmail address, your MSN,

your Facebook?

Now, let's talk about us

Iliano Cervesato

Thierry Sans

● Verifcation of security protocols● Foundations of Programming Languages

● Access Control and Information Flow● Managing Digital Rights

● Web Application Security

Web applications are booming

Security issues on the Web

source “Web Application Security Statistics 2008”from The Web Application Security Consortium

Cross-Site Scripting Attacks (XSS)

“Twitter has put a stop to a worm that posted obscene messages to victims' Twitter feeds. It's the second worm attack the site has suffered in a week.”

“Twitter has been hit with an attack as the result of a flaw in the site's coding. Last week it closed a cross-site scripting (XSS) flaw that could allow an attacker to steal data.”

source PC World - September 27 2010

Information Leakage

“AT&T Inc. apologized to Apple Inc. iPad 3G tablet computer users whose e-mail addresses were exposed during a security breach disclosed last week.”

“There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”

source Business Week - June 14 2010

source Praetorian Prefect - June 9 2010

Design Secure Programming Languages

Qwesst – A programming language to develop secure web applications• Strongly typed and homogene between the client

and server

✔Protects against XSS Attacks• Language primitives to control data dessimination

and information fow

✔Protects against information leakage

22

Computer Security is a Big Field!

➢ We are going to look at a tiny speck

➢ Security Protocols

Computersecurity

SecurityProtocols

23

Protocols

Expected behaviors when engaging in communication

• When 2 people want to talk• Buying something at the souq• Driving conventions• Calling up your friend, …

• When interacting with an organization• Bureaucracy• Offcial visits by head of states, …

• …• When computers want to talk

24

Computer Protocols

➢ What sets them apart?• No human involved!

• Automated• Infexible• No common-sense

➢ What protocols are there in a computer?• Hundreds!• Communication protocols

• Email, http, Ethernet, …• Security protocols

25

Security Protocols

➢ Communication protocols ensure that communication actually happens

➢ Security protocols ensure that communication is not abused• Protect contents• Protect communicating parties• Protect intent of communication• Protect possibility of communication

26

Common Security Goals

➢ Confdentiality• Message cannot be observed in transit

• Achieved using some form of encryption

Secret Channel

27

Authentication

➢ Ensure that we are talking with who we think• Much more subtle

than secrecy• How to establish a secret

channel in the frst place• Negotiate parameters of channel• Ensure channel remains trusted

➢ Authentication protocols

28

Example: Kerberos

➢ Log in to your computer➢ Access other computers without

logging in again• Email, “i-drive”, printers, directory, …

… for 1 day

➢ Goals• Repeatedly authenticate a client to multiple servers• Transparent to user

➢ Ubiquitous

29

How Kerberos works

UserU Kerberos

ServiceS

ClientC

KAS TGS Server

Authenticate C for U

Credentials (TGT)

Want to use S; here’s the TGT

Credentials to use S (ST)

Want to use S; here’s the ST

Ok

Application messages

Acc

ess

requ

est

1st time

othertimes

Log on

ClientC

KAS TGS Server

Authenticate C for U

Credentials (TGT)

Want to use S; here’s the TGT

Credentials to use S (ST)

Want to use S; here’s the ST

Ok

Application messages

Acc

ess

requ

est

1st time

othertimes

Log on

30

Other Popular Protocols

➢ SSL / TLS protocol• Authenticates client to server• Encrypts communication

• HTTPS (secures web page)• Secure email download (POP3S, IMAPS)

➢ SSH protocol• PuTTY (Log to remote computer, copy fles, …)

➢ PGP• Send encrypted/authenticated email

• Enigmail

31

The Problem

➢ Security protocols are extremely hard to get right• Minuscule programs• Extremely complex interactions

• Bugs can take years to discover

• Generally it’s not the crypto• It’s the piping

32

Correctness vs. Security

➢ Correctness: satisfy specifcations• For reasonable inputs,

get reasonable output

➢ Security: resist attacks• For unreasonable inputs,

output not completely disastrous

Difference:• Random events vs. active attacker

33

Attacks

➢Got the piping wrong

✗ Attacker can breakauthentication

✗ Attacker can breaksecrecy of thechannel

34

Example: Kerberos

➢ Discovered 10 years after exchange was designed ➢ Immediately fxed in all implementations

C KASAuthenticate C for U

Credentials (TGT)

C IAuthenticate C for U

Credentials for C

KAS

Authenticate I for U

Credentials for I

✗ C believes he is talking to KAS✗ KAS believes he is talking to I✗ I knows the key that C obtained

from KAS