cse 484 cse m 584 computer security and privacy
play

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 - PowerPoint PPT Presentation

Jun 05, 2023 •49 likes •419 views

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Announcements / Answers • If you’re on the class mailing list, you should have received a test email. • Late days: everyone in the group uses them simultaneously • Example final projects: we will post some! • Prereqs… 3/29/17 CSE 484 / CSE M 584 - Spring 2017 2

  3. Prerequisites (CSE 484) • Required: Data Structures (CSE 326) or Data Abstractions (CSE 332) • Required: Hardware/Software Interface (CSE 351) or Machine Org and Assembly Language (CSE 378) • Assume: Working knowledge of C and assembly – One of the labs will involve writing buffer overflow attacks in C – You must have detailed understanding of x86 architecture, stack layout, calling conventions, etc. • Assume: Working knowledge of software engineering tools for Unix environments (gdb, etc) • Assume: Working knowledge of Java and JavaScript 3/29/17 CSE 484 / CSE M 584 - Spring 2017 3

  4. Prerequisites (CSE 484) • Strongly recommended: Computer Networks; Operating Systems – Will help provide deeper understanding of security mechanisms and where they fit in the big picture • Recommended: Complexity Theory; 
 Discrete Math; Algorithms – Will help with the more theoretical aspects of this course. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 4

  5. Last Time • Importance of the security mindset – Challenging design assumptions – Thinking like an attacker • There’s no such thing as perfect security – But, attackers have limited resources – Make them pay unacceptable costs to succeed! • Defining security per context: identify assets, adversaries, motivations, threats, vulnerabilities, risk, possible defenses 3/29/17 CSE 484 / CSE M 584 - Spring 2017 5

  6. SECURITY GOALS (“CIA”) 3/29/17 CSE 484 / CSE M 584 - Spring 2017 6

  7. Confidentiality (Privacy) • Confidentiality is concealment of information. Eavesdropping, packet sniffing, illegal copying network 3/29/17 CSE 484 / CSE M 584 - Spring 2017 7

  8. Integrity • Integrity is prevention of unauthorized changes. Intercept messages, tamper, release again network 3/29/17 CSE 484 / CSE M 584 - Spring 2017 8

  9. Authenticity • Authenticity is knowing who you’re talking to. Unauthorized assumption of another’s identity network 3/29/17 CSE 484 / CSE M 584 - Spring 2017 9

  10. Availability • Availability is ability to use information or resources. Overwhelm or crash servers, disrupt infrastructure network 3/29/17 CSE 484 / CSE M 584 - Spring 2017 10

  11. THREAT MODELING 3/29/17 CSE 484 / CSE M 584 - Spring 2017 11

  12. What Drives Attackers? • Money, theft, fun • Malice, revenge, wreak havoc • Curiosity, fun • Politics, terror 3/29/17 CSE 484 / CSE M 584 - Spring 2017 12

  13. Threat Modeling (Security Reviews) • Assets: What are we trying to protect? How valuable are those assets? • Adversaries: Who might try to attack, and why? • Vulnerabilities: How might the system be weak? • Threats: What actions might an adversary take to exploit vulnerabilities? • Risk: How important are assets? How likely is exploit? • Possible Defenses 3/29/17 CSE 484 / CSE M 584 - Spring 2017 13

  14. Example: Electronic Voting • Popular replacement to traditional paper ballots 3/29/17 CSE 484 / CSE M 584 - Spring 2017 14

  15. Pre-Election Ballot definition file Poll worker Pre-election: Poll workers load “ballot definition files” on voting machine. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 15

  16. Active Voting Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Active voting: Voters obtain single-use tokens from poll workers. Voters use tokens to activate machines and vote. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 16

  17. Active Voting Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Active voting: Votes encrypted and stored. Voter token canceled. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 17

  18. Post-Election Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Post-election: Stored votes Recorded votes transported to tabulation center. si.edu 3/29/17 CSE 484 / CSE M 584 - Spring 2017 18 Tabulator si.edu

  19. Security and E-Voting (Simplified) • Functionality goals: – Easy to use, reduce mistakes/confusion • Security goals: – Adversary should not be able to tamper with the election outcome • By changing votes ( integrity ) • By voting on behalf of someone ( authenticity ) • By denying voters the right to vote ( availability ) – Adversary should not be able to figure out how voters vote ( confidentiality ) 3/29/17 CSE 484 / CSE M 584 - Spring 2017 19

  20. Can You Spot Any Potential Issues? Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Recorded votes si.edu 3/29/17 CSE 484 / CSE M 584 - Spring 2017 20 Tabulator si.edu

  21. Potential Adversaries • Voters • Election officials • Employees of voting machine manufacturer – Software/hardware engineers – Maintenance people • Other engineers – Makers of hardware – Makers of underlying software or add-on components – Makers of compiler • ... • Or any combination of the above 3/29/17 CSE 484 / CSE M 584 - Spring 2017 21

  22. What Software is Running? Problem: An adversary (e.g., a poll worker, software developer, or company representative) able to control the software or the underlying hardware could do whatever he or she wanted. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 22

  23. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 23

  24. Problem: Ballot definition files are not authenticated. Example attack: A malicious poll worker could modify ballot definition files so that votes cast for “Mickey Mouse” are recorded for “Donald Duck.” Voter token Ballot definition file Bad file Interactively vote Poll worker Voter Encrypted votes Recorded votes Tabulator

  25. Problem: Smartcards can perform cryptographic operations. But there is no authentication from voter token to terminal. Example attack: A regular voter could make his or her own voter token and vote multiple times. Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Recorded votes Tabulator

  26. Problem: Encryption key (“F2654hD4”) hard-coded into the software since (at least) 1998. Votes stored in the order cast. Example attack: A poll worker could determine how voters vote. Voter token Ballot definition file Interactively vote Poll worker Voter Voter Encrypted votes Recorded votes Tabulator

  27. Problem: When votes transmitted to tabulator over the Internet or a dialup connection, they are decrypted first; the cleartext results are sent the the tabulator. Example attack: A sophisticated outsider could determine how voters vote. Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Recorded votes Tabulator

  28. TOWARDS DEFENSES 3/29/17 CSE 484 / CSE M 584 - Spring 2017 28

  29. Approaches to Security • Prevention – Stop an attack • Detection – Detect an ongoing or past attack • Response – Respond to attacks • The threat of a response may be enough to deter some attackers 3/29/17 CSE 484 / CSE M 584 - Spring 2017 29

  30. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • This is because “security is only as strong as the weakest link,” and security can fail in many places – No reason to attack the strongest part of a system if you can walk right around it. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 30

  31. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • This is because “security is only as strong as the weakest link,” and security can fail in many places – No reason to attack the strongest part of a system if you can walk right around it. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 31

  32. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • This is because “security is only as strong as the weakest link,” and security can fail in many places – No reason to attack the strongest part of a system if you can walk right around it. 3/29/17 CSE 484 / CSE M 584 - Spring 2017 32

  33. Attacker’s Asymmetric Advantage 3/29/17 CSE 484 / CSE M 584 - Spring 2017 33

  34. Attacker’s Asymmetric Advantage • Attacker only needs to win in one place • Defender’s response: Defense in depth 3/29/17 CSE 484 / CSE M 584 - Spring 2017 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

531 views • 31 slides
CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

708 views • 34 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory University Today Meet everyone in class Course overview Why data privacy and security What is data privacy and security What we

810 views • 70 slides
Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher Lecture 18 CS 118 Page 1 Winter 2016 Another type of layer deficiency Some layers of protocol do not provide any security or privacy What if

708 views • 59 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web

Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web

CSCI-UA.9480 Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web Privacy Goals 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Web privacy goals. Preventing websites from learning:

337 views • 14 slides
Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan

Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan

CS 642: Computer Security and Privacy Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Franzi Roesner,

839 views • 32 slides
CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet

654 views • 51 slides
Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014 Privacy Data privacy issues Network privacy issues Some privacy solutions Lecture 16 Page 2 CS 136, Fall 2014 What Is Privacy?

789 views • 63 slides
Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Learning Objectives Before CS 563: Intermediate knowledge of computer security topics Experience working

775 views • 38 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Computer Security and Privacy Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu

Computer Security and Privacy Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu

CSE 484 / CSE M 584: Computer Security and Privacy Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly

501 views • 38 slides
Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS 136, Fall 2014 Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Lecture 11

737 views • 63 slides
Notes Mute your computer speakers to minimize audio feedback from your phone. Music will

Notes Mute your computer speakers to minimize audio feedback from your phone. Music will

1/25/2017 Notes Mute your computer speakers to minimize audio feedback from your phone. Music will play until the webinar begins at 10:00 AM . Dawn Thomas Dr. Lara Belliston Nicole Schiesler Rachael Kenter Christi Valentini- OhioMHAS

417 views • 8 slides
World 2012 T o the i Cloud Jon Rhoades St Vincents Institute & The University of

World 2012 T o the i Cloud Jon Rhoades St Vincents Institute & The University of

World 2012 T o the i Cloud Jon Rhoades St Vincents Institute & The University of Melbourne jrhoades@unimelb.edu.au or @jjr XW12 2011 The year of deployment MDMs Profiles Apps XW12 iPad Usage Email Web

562 views • 44 slides
Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! Manage could mean prevention of

537 views • 26 slides
Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE resund Security Day, 2019 The early morning opening slide... There are two types of crypto talks... 1. We present a third preimage attack on

435 views • 21 slides
Decision Support for Geo- Enabled Battle Command Eric Nielsen U.S. Army Topographic Engineering

Decision Support for Geo- Enabled Battle Command Eric Nielsen U.S. Army Topographic Engineering

2/4/09 Decision Support for Geo- Enabled Battle Command Eric Nielsen U.S. Army Topographic Engineering Center 4 February 2009 Definitions Command and Control The exercise of authority and directionover assigned and attached

390 views • 11 slides
The Cluster Soft Excess A possible reservoir of baryons (and maybe dark matter) at the outskirts

The Cluster Soft Excess A possible reservoir of baryons (and maybe dark matter) at the outskirts

The Cluster Soft Excess A possible reservoir of baryons (and maybe dark matter) at the outskirts of galaxy clusters Massimiliano Bonamente & Richard Lieu University of Alabama in Huntsville Outline 1) A brief history of the Cluster Soft

441 views • 21 slides

More recommend