computer security and privacy
play

Computer Security and Privacy Autumn 2018 Tadayoshi (Yoshi) Kohno - PowerPoint PPT Presentation

Aug 29, 2022 •107 likes •501 views

CSE 484 / CSE M 584: Computer Security and Privacy Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly

  1. CSE 484 / CSE M 584: Computer Security and Privacy Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Announcements / Answers • If you’re on the class mailing list, you should have received an email (about office hours this week). • Ethics form: Due next Wednesday (10/3). • Homework #1: Due next Friday (10/5) – start forming groups, feel free to use forum. 9/29/2018 CSE 484 / CSE M 584 2

  3. Announcements / Answers • No quiz section on Thanksgiving Day • No lecture on the Wednesday before Thanksgiving day: Video assignment instead 9/29/2018 CSE 484 / CSE M 584 3

  4. Last Time + Quiz Section • Importance of the security mindset – Challenging design assumptions – Thinking like an attacker • There’s no such thing as perfect security – But, attackers have limited resources – Make them pay unacceptable costs to succeed! • Defining security per context: identify assets, adversaries, motivations, threats, vulnerabilities, risk, possible defenses 9/29/2018 CSE 484 / CSE M 584 4

  5. Example: Modern Automobiles Modern automobiles contain dozens of computers. Those computers control nearly everything in the car, including locks, lights, brakes, the engine, the airbags, etc. Who might want to attack? Why, and how? 9/29/2018 CSE 484 / CSE M 584 5

  6. Practicing Security Mindset • See worksheet, Q3 9/29/2018 CSE 484 / CSE M 584 6

  7. SECURITY GOALS (“CIA”) (QUIZ SECTION AND TODAY) 9/29/2018 CSE 484 / CSE M 584 7

  8. Confidentiality (Privacy) • Confidentiality is concealment of information. Eavesdropping, packet sniffing, illegal copying network 9/29/2018 CSE 484 / CSE M 584 8

  9. Integrity • Integrity is prevention of unauthorized changes. Intercept messages, tamper, release again network 9/29/2018 CSE 484 / CSE M 584 9

  10. Authenticity • Authenticity is knowing who you’re talking to. Unauthorized assumption of another’s identity network 9/29/2018 CSE 484 / CSE M 584 10

  11. Availability • Availability is ability to use information or resources. Overwhelm or crash servers, disrupt infrastructure network 9/29/2018 CSE 484 / CSE M 584 11

  12. THREAT MODELING 9/29/2018 CSE 484 / CSE M 584 12

  13. Threat Modeling (Security Reviews) • Assets: What are we trying to protect? How valuable are those assets? • Adversaries: Who might try to attack, and why? • Vulnerabilities: How might the system be weak? • Threats: What actions might an adversary take to exploit vulnerabilities? • Risk: How important are assets? How likely is exploit? • Possible Defenses 9/29/2018 CSE 484 / CSE M 584 13

  14. Example: Electronic Voting • Popular replacement to traditional paper ballots 9/29/2018 CSE 484 / CSE M 584 14

  15. Pre-Election Ballot definition file Poll worker Pre-election: Poll workers load “ballot definition files” on voting machine. 9/29/2018 CSE 484 / CSE M 584 15

  16. Active Voting Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Active voting: Voters obtain single-use tokens from poll workers. Voters use tokens to activate machines and vote. 9/29/2018 CSE 484 / CSE M 584 16

  17. Active Voting Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Active voting: Votes encrypted and stored. Voter token canceled. 9/29/2018 CSE 484 / CSE M 584 17

  18. Post-Election Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Post-election: Stored votes Recorded votes transported to tabulation center. si.edu 9/29/2018 CSE 484 / CSE M 584 18 Tabulator si.edu

  19. Security and E-Voting (Simplified) • Functionality goals: – Easy to use, reduce mistakes/confusion • Security goals: – Adversary should not be able to tamper with the election outcome • By changing votes ( integrity ) • By voting on behalf of someone ( authenticity ) • By denying voters the right to vote ( availability ) – Adversary should not be able to figure out how voters vote ( confidentiality ) 9/29/2018 CSE 484 / CSE M 584 19

  20. Can You Spot Any Potential Issues? Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Recorded votes si.edu 9/29/2018 CSE 484 / CSE M 584 20 Tabulator si.edu

  21. Q1 and Q2 on the Worksheet 9/29/2018 CSE 484 / CSE M 584 21

  22. Potential Adversaries • Voters • Election officials • Employees of voting machine manufacturer – Software/hardware engineers – Maintenance people • Other engineers – Makers of hardware – Makers of underlying software or add-on components – Makers of compiler • ... • Or any combination of the above 9/29/2018 CSE 484 / CSE M 584 22

  23. What Software is Running? Problem: An adversary (e.g., a poll worker, software developer, or company representative) able to control the software or the underlying hardware could do whatever he or she wanted. 9/29/2018 CSE 484 / CSE M 584 23

  24. 9/29/2018 CSE 484 / CSE M 584 24

  25. Problem: Ballot definition files are not authenticated. Example attack: A malicious poll worker could modify ballot definition files so that votes cast for “ Mickey Mouse ” are recorded for “ Donald Duck .” Voter token Ballot definition file Bad file Interactively vote Poll worker Voter Encrypted votes Recorded votes Tabulator

  26. Problem: Smartcards can perform cryptographic operations. But there is no authentication from voter token to terminal. Example attack: A regular voter could make his or her own voter token and vote multiple times. Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Recorded votes Tabulator

  27. Problem: Encryption key (“F2654hD4”) hard-coded into the software since (at least) 1998. Votes stored in the order cast. Example attack: A poll worker could determine how voters vote. Voter token Ballot definition file Interactively vote Poll worker Voter Voter Encrypted votes Recorded votes Tabulator

  28. Problem: When votes transmitted to tabulator over the Internet or a dialup connection, they are decrypted first; the cleartext results are sent the the tabulator. Example attack: A sophisticated outsider could determine how voters vote. Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Recorded votes Tabulator

  29. Tables Often Help!

  30. Example Table 1 Attacker Machine Poll Worker Voter Power “Positions” Manufacturer Company Employee Voter Privacy Vote Integrity Voting Machine Availability … • What can different parties do? Each cell would have an action or actions that these parties might try do • Note that some parties could collaborate

  31. Example Table 2 Attack Modify Produce Fake Steal Flash Intercept Methods Software Voter Tokens Drive Network Connections Voter Privacy Vote Integrity Voting Machine Availability … • What different attack methods are there? (Columns) • Who could mount these different attacks? What are the attack details (the cells) • How easy is it to implement each of these attack methods?

  32. Table from Paper https://homes.cs.washington.edu/~yoshi/papers/eVoting/vote.pdf 9/29/2018 CSE 484 / CSE M 584 32

  33. TOWARDS DEFENSES 9/29/2018 CSE 484 / CSE M 584 33

  34. Approaches to Security • Prevention – Stop an attack • Detection – Detect an ongoing or past attack • Response – Respond to attacks • The threat of a response may be enough to deter some attackers 9/29/2018 CSE 484 / CSE M 584 34

  35. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • This is because “security is only as strong as the weakest link,” and security can fail in many places – No reason to attack the strongest part of a system if you can walk right around it. 9/29/2018 CSE 484 / CSE M 584 35

  36. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • This is because “security is only as strong as the weakest link,” and security can fail in many places – No reason to attack the strongest part of a system if you can walk right around it. 9/29/2018 CSE 484 / CSE M 584 36

  37. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • This is because “security is only as strong as the weakest link,” and security can fail in many places – No reason to attack the strongest part of a system if you can walk right around it. 9/29/2018 CSE 484 / CSE M 584 - Fall 2017 37

  38. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • This is because “security is only as strong as the weakest link,” and security can fail in many places – No reason to attack the strongest part of a system if you can walk right around it. 9/29/2018 CSE 484 / CSE M 584 - Fall 2017 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

531 views • 31 slides
CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

708 views • 34 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory University Today Meet everyone in class Course overview Why data privacy and security What is data privacy and security What we

810 views • 70 slides
Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher Lecture 18 CS 118 Page 1 Winter 2016 Another type of layer deficiency Some layers of protocol do not provide any security or privacy What if

708 views • 59 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web

Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web

CSCI-UA.9480 Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web Privacy Goals 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Web privacy goals. Preventing websites from learning:

337 views • 14 slides
Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan

Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan

CS 642: Computer Security and Privacy Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Franzi Roesner,

839 views • 32 slides
CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet

654 views • 51 slides
Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014 Privacy Data privacy issues Network privacy issues Some privacy solutions Lecture 16 Page 2 CS 136, Fall 2014 What Is Privacy?

789 views • 63 slides
Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Learning Objectives Before CS 563: Intermediate knowledge of computer security topics Experience working

775 views • 38 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS 136, Fall 2014 Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Lecture 11

737 views • 63 slides
Notes Mute your computer speakers to minimize audio feedback from your phone. Music will

Notes Mute your computer speakers to minimize audio feedback from your phone. Music will

1/25/2017 Notes Mute your computer speakers to minimize audio feedback from your phone. Music will play until the webinar begins at 10:00 AM . Dawn Thomas Dr. Lara Belliston Nicole Schiesler Rachael Kenter Christi Valentini- OhioMHAS

417 views • 8 slides
World 2012 T o the i Cloud Jon Rhoades St Vincents Institute & The University of

World 2012 T o the i Cloud Jon Rhoades St Vincents Institute & The University of

World 2012 T o the i Cloud Jon Rhoades St Vincents Institute & The University of Melbourne jrhoades@unimelb.edu.au or @jjr XW12 2011 The year of deployment MDMs Profiles Apps XW12 iPad Usage Email Web

562 views • 44 slides
relationships, not just transactions. E-commerce for SAP and Microsoft Dynamics 95 % Buying

relationships, not just transactions. E-commerce for SAP and Microsoft Dynamics 95 % Buying

Prioritize relationships, not just transactions. E-commerce for SAP and Microsoft Dynamics 95 % Buying habits have changed By 2040 , as much as 95 % of purchases will be facilitated by e-commerce. . Source: Nasdaq, 2017 95 % 75 % Buying

884 views • 59 slides
CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov,

419 views • 37 slides
Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! Manage could mean prevention of

537 views • 26 slides
Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE resund Security Day, 2019 The early morning opening slide... There are two types of crypto talks... 1. We present a third preimage attack on

435 views • 21 slides
Decision Support for Geo- Enabled Battle Command Eric Nielsen U.S. Army Topographic Engineering

Decision Support for Geo- Enabled Battle Command Eric Nielsen U.S. Army Topographic Engineering

2/4/09 Decision Support for Geo- Enabled Battle Command Eric Nielsen U.S. Army Topographic Engineering Center 4 February 2009 Definitions Command and Control The exercise of authority and directionover assigned and attached

390 views • 11 slides

More recommend