CO 447 Course Introduction: Security Properties, Secure Design - PowerPoint PPT Presentation

SLIDE 1

CO 447 Course Introduction: Security Properties, Secure Design

  • Dr. Ben Livshits
SLIDE 2

High-Level Course Logistics

https://co447.doc.ic.ac.uk/

SLIDE 3

Course Logistics

  • Monday, Wednesday: 2-hour time slot for the class
  • Instructors: Dr Ben Livshits, Dr Soteris Dimitriou
  • Course TAs: Ms. Dominika Woszczyk, Mr. Daniel Perez
  • Email: doc-staff-447@imperial.ac.uk
  • Piazza: https://piazza.com/class/k0r3cj25uu0137

SLIDE 4

What Helps You to Be Prepared for the Class

Practical knowledge

  • You should ideally have maturity in both the mathematics of computer science and in the engineering of computer systems
  • This means that you should: have a good understanding of data structures and algorithms; be comfortable writing programs from scratch in C, Java, and a scripting language like Python or JavaScript; be comfortable writing and debugging assembly code; and be reasonably comfortable in a command-line Unix development environment (gdb, gcc, etc).
  • You should also have a good understanding of computer architecture, operating systems, and computer networks. It would also help to know a bit about programming languages and compilers. It would also be helpful to be comfortable with web technologies such as HTML and JavaScript

Classes

  • Recommended (not required) prerequisites are CO331 (Web and network security)
  • CO211 Operating systems
  • CO212 Networks and Communications
  • Related courses:
      • CO408H Privacy Enhancing Techniques
      • CO409 Cryptography
      • CO440 Software Reliability
      • CO470 Program Analysis.

SLIDE 5

First-Day Survey

https://docs.google.com/forms/d/1nL2hquKDC4-eUG67X9yIBeD-xhust97pLkuyN5SnafE

SLIDE 6

Do NOT Be Scared

  • Likely, nobody here has satisfied every single prerequisite. This is not the point.
  • Most important thing of all: Eagerness to learn!
      • This is a 400-level course.
      • We expect you to push yourself to learn as much as possible
      • We expect you to be a strong, independent learner capable of learning new concepts from the lectures, the readings, and on your own.

SLIDE 7

Participation Matters!

  • This is an optional course
  • I assume you are here because you want to be here
  • I also assume that you intend to use what you learn later in life
  • We only have a few chances to interact during the term
  • You don’t get as much from this course if you don’t participate

SLIDE 8

Course Reading: Textbook

  • The book is easy to read
  • Not nearly as dry as an average textbook
  • Has real-world illustrations and war stories
  • Has lots of details not covered in lecture
  • Proposes a different narrative focusing on the developer, which is good

SLIDE 9

Other Helpful Books (online)

  • Ross Anderson, “Security Engineering” (1st edition)
      • Focuses on design principles for secure systems
      • Wide range of entertaining examples: banking, nuclear command and control, burglar alarms
      • You should all at least look at the Table of Contents for this book (2nd edition available for purchase)
  • Menezes, van Oorschot, and Vanstone, “Handbook of Applied Cryptography”
  • Many many other useful books exist (not all online)

SLIDE 10

Role of Research

  • This is a 400-level course
  • One of the goals is to get you interested in research in computer science

SLIDE 11

Reading Research Papers

SLIDE 12

Paper Summaries

SLIDE 13

Course Structure

  • Basics
  • Web
  • Topics
  • Mobile

SLIDE 14

Security Concepts

  1. Authentication
  2. Authorization
  3. Confidentiality
  4. Data/message integrity
  5. Accountability
  6. Availability
  7. Non-repudiation
SLIDE 15

1) Authentication

  • Identity Verification
  • How can Bob be sure that he is communicating with Alice?
  • Three general strategies:
      • Something you know (i.e., Passwords)
      • Something you have (i.e., Tokens)
      • Something you are (i.e., Biometrics)

SLIDE 16

Something You Know

  • Example: Passwords
      • Pros:
          • Simple to implement
          • Simple for users to understand
      • Cons:
          • Easy to crack (unless users choose strong ones)
          • Passwords are reused many times
  • One-time Passwords (OTP): different password used each time, but it is difficult for user to remember all of them
SLIDE 17

Something You Have

  • OTP Cards (e.g. SecurID): generates new password each time user logs in
  • Smart Card: tamper-resistant, stores secret information, entered into a card-reader
  • Strength of authentication depends on difficulty of forging

SLIDE 18

YubiKey

SLIDE 19

Or Maybe I Have a Browser Cookie

Cookie is part of subsequent requests

SLIDE 20

Biometrics

  • Pros: “raises the bar”
  • Cons: false negatives/positives, social acceptance, key management
      • False positive: authentic user rejected
      • False negative: impostor accepted

Technique             Effectiveness   Acceptance
Palm Scan             1               6
Iris Scan             2               1
Retinal Scan          3               7
Fingerprint           4               5
Voice Id              5               3
Facial Recognition    6               4
Signature Dynamics    7               2

SLIDE 21

Final Notes

  • Two-factor Authentication: Methods can be combined (i.e. ATM card & PIN)
  • Who is authenticating who?
      • Person-to-computer?
      • Computer-to-computer?
  • Three types (e.g. SSL):
      • Client Authentication: server verifies client’s id
      • Server Authentication: client verifies server’s id
      • Mutual Authentication (Client & Server)
  • Authenticated user is a “Principal”

SLIDE 22

2) Authorization

  • Checking whether a user has permission to conduct some action
  • Identity vs. Authority
  • Is a “subject” (Alice) allowed to access an “object” (open a file)?
  • Access Control List: mechanism used by many operating systems to determine whether users are authorized to conduct different actions

SLIDE 23

Configuring Mailing List Permissions

SLIDE 24

Access Control Lists (ACLs)

  • Set of three-tuples
      • <User, Resource, Privilege>
      • Specifies which users are allowed to access which resources with which privileges
  • Privileges can be assigned based on roles (e.g. admin)

User     Resource         Privilege
Alice    /home/Alice/*    Read, write, execute
Bob      /home/Bob/*      Read, write, execute

Table 1-1. A Simple ACL
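
An authorization check over the three-tuples of Table 1-1, as an added example that is not part of the original slides. The role entry, the user Carol, the tagged `("user", ...)` / `("role", ...)` subjects and the function names are assumptions; the check is default-deny and normalises the path before matching, so a request such as `/home/Alice/../Bob/notes.txt` is evaluated against the resource it actually names.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed ACL in the <User, Resource, Privilege> form of Table 1-1,
# plus one role-based entry (an assumption, not from the slides).
ACL = [
    (("user", "Alice"), "/home/Alice/*", {"read", "write", "execute"}),
    (("user", "Bob"), "/home/Bob/*", {"read", "write", "execute"}),
    (("role", "admin"), "/home/*", {"read"}),
]
ROLES = {"Carol": {"admin"}}  # hypothetical user-to-role assignment


def principals(user: str) -> set:
    """The user plus every role the user holds, kept in separate namespaces."""
    return {("user", user)} | {("role", r) for r in ROLES.get(user, ())}


def is_authorized(user: str, path: str, privilege: str) -> bool:
    """Default deny: allow only if some tuple grants the privilege."""
    if not path.startswith("/"):
        return False  # refuse relative paths outright
    # Collapse "." and ".." first, so the ACL sees the real target.
    resource = posixpath.normpath(path)
    who = principals(user)
    return any(
        subject in who
        and fnmatchcase(resource, pattern)
        and privilege in privileges
        for subject, pattern, privileges in ACL
    )


if __name__ == "__main__":
    for request in [
        ("Alice", "/home/Alice/notes.txt", "write"),
        ("Alice", "/home/Alice/../Bob/notes.txt", "read"),
        ("Carol", "/home/Bob/notes.txt", "read"),
        ("Carol", "/home/Bob/notes.txt", "write"),
    ]:
        print(request, is_authorized(*request))
```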

SLIDE 25

Access Control Models

  • ACLs used to implement these models
  • Mandatory: computer system decides exactly who has access to which resources
  • Discretionary (e.g. UNIX): users are authorized to determine which other users can access files or other resources that they create, use, or own
  • Role-Based (Non-Discretionary): user’s access & privileges determined by role