cse 484 cse m 584 computer security and privacy
play

CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam - PowerPoint PPT Presentation

Dec 31, 2023 •135 likes •654 views

CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet

  1. CSE 484 / CSE M 584: Computer Security and Privacy Fall2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Announcements • CSE M 584 research readings are posted, with due dates. Get started, the first paper review is due October 7! 9/30/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. More Announcements • Form groups of up to 3 and start working on your security reviews! • Please write your student number on your worksheets, and please write your last name VERY CLEARLY . It helps us out a lot when recording them in the gradebook. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 3

  4. Answers to Questions from the Survey • There is no written midterm or final exam 9/30/16 CSE 484 / CSE M 584 - Fall 2016 4

  5. Answers to Questions from the Survey • All the labs and the final project are for groups of 1-3. You may have the same group each time, or you may have different groups each time. • Working alone is fine, though it may be challenging! 9/30/16 CSE 484 / CSE M 584 - Fall 2016 5

  6. Answers to Questions from the Survey • Hours per week will vary dramatically through the quarter – expect to work a lot on the labs, and somewhat less on other things. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 6

  7. Answers to Questions from the Survey • I use they/them or she/her pronouns. Both are great. Thanks for asking! 9/30/16 CSE 484 / CSE M 584 - Fall 2016 7

  8. Last Time • “You won’t believe what happens when you adopt this mindset! Engineers hate it!”) – (challenging design assumptions, thinking like an attacker) • #ClickbaitSyllabus – Post up to 2 on the forums for extra credit (and tweet @AdamRLerner, if you like) 9/30/16 CSE 484 / CSE M 584 - Fall 2016 8

  9. Security Mindset Anecdote • SmartWater? • No, a liquid with a unique identifier, sold to mark your stuff as yours 9/30/16 CSE 484 / CSE M 584 - Fall 2016 9

  10. Topics du Jour • There is no perfect security • The attacker’s asymmetric advantage • Confidentiality, Integrity, Authenticity – Side dish: Availability • People are important • Threat modeling 9/30/16 CSE 484 / CSE M 584 - Fall 2016 10

  11. There is no perfect security • “Security is not a binary property” • But, attackers have limited resources – Make them pay unacceptable costs to succeed 9/30/16 CSE 484 / CSE M 584 - Fall 2016 11

  12. There is no perfect security • Example: Pharmaceutical spam is a business – They sell real (possibly unsafe) medications • If operating costs > income, they can’t profit and won’t spam 9/30/16 CSE 484 / CSE M 584 - Fall 2016 12

  13. There is no perfect security • Example: CAPTCHAs • CAPTCHA solving is a service you can pay for! Economics (labor availability, supply, demand) determine the price! 9/30/16 CSE 484 / CSE M 584 - Fall 2016 13

  14. Approaches to Security • Prevention – Stop an attack • Detection – Detect an ongoing or past attack • Response – Respond to attacks • The threat of a response may be enough to deter some attackers 9/30/16 CSE 484 / CSE M 584 - Fall 2016 14

  15. Attackers Need Motivation • Adversarial motivations: – Money , fame, malice, revenge – Curiosity, politics, terror – International relations, war, convenience... 9/30/16 CSE 484 / CSE M 584 - Fall 2016 15

  16. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between 9/30/16 CSE 484 / CSE M 584 - Fall 2016 16

  17. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between 9/30/16 CSE 484 / CSE M 584 - Fall 2016 17

  18. Topics du Jour • There is no perfect security • The attacker’s asymmetric advantage • Confidentiality, Integrity, Authenticity – Side dish: Availability • People are important • Threat modeling 9/30/16 CSE 484 / CSE M 584 - Fall 2016 18

  19. The Attacker’s Asymmetric Advantage 9/30/16 CSE 484 / CSE M 584 - Fall 2016 19

  20. The Attacker’s Asymmetric Advantage • Attacker only needs to win in one place • Defender’s response: Defense in depth 9/30/16 CSE 484 / CSE M 584 - Fall 2016 20

  21. Defense in Depth • Answer Q1 on your worksheet. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 21

  22. Defense In Depth • Example: Two-factor authentication • Example: Account compromise defenses 9/30/16 CSE 484 / CSE M 584 - Fall 2016 22

  23. Topics du Jour • There is no perfect security • The attacker’s asymmetric advantage • Confidentiality, Integrity, Authenticity – Side dish: Availability • People are important • Threat modeling 9/30/16 CSE 484 / CSE M 584 - Fall 2016 23

  24. Confidentiality (Privacy) • Confidentiality: concealing information Eavesdropping, packet sniffing, illegal copying network 9/30/16 CSE 484 / CSE M 584 - Fall 2016 24

  25. Confidentiality (Privacy) • I send an email which is meant only for the class. – If someone outside the class can read it, they’ve violated the message’s confidentiality . • Many security goals rely on confidentiality. This is one reason security and privacy are so closely related. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 25

  26. Integrity • Integrity: prevention of unauthorized changes Intercept messages, tamper, release again network 9/30/16 CSE 484 / CSE M 584 - Fall 2016 26

  27. Integrity • If someone can edit my email before it gets to the class, they’ve violated the message’s integrity. • Imagine taking whiteout to a postcard. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 27

  28. Authenticity • Authenticity : knowing who you’re talking to. Unauthorized assumption of another’s identity network 9/30/16 CSE 484 / CSE M 584 - Fall 2016 28

  29. Authenticity • If someone else can send email that appears to be from me, they’ve violated the authenticity of our email system. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 29

  30. Availability • Availability : ability to use information or resources Overwhelm or crash servers, disrupt infrastructure network 9/30/16 CSE 484 / CSE M 584 - Fall 2016 30

  31. Topics du Jour • There is no perfect security • The attacker’s asymmetric advantage • Confidentiality, Integrity, Authenticity – Side dish: Availability • People are important • Threat modeling 9/30/16 CSE 484 / CSE M 584 - Fall 2016 31

  32. From Policy to Implementation • Security problems can originate at all stages of a project: – Requirements/goals • Incorrect or problematic goals – Design bugs • Poor use of cryptography • Poor sources of randomness • ... – Implementation bugs • Buffer overflow attacks • ... Don’t forget the users! They – Usability bugs are a critical component! 9/30/16 CSE 484 / CSE M 584 - Fall 2016 32

  33. People are important • Many parties involved – System developers – Companies deploying the system – The end users – The adversaries (possibly one of the above) 9/30/16 CSE 484 / CSE M 584 - Fall 2016 33

  34. People are Important • Different parties have different goals – System developers and companies may wish to optimize cost – End users may desire security, privacy, and usability – But the relationship between these goals is quite complex (will customers choose not to buy the product if it is not secure?) 9/30/16 CSE 484 / CSE M 584 - Fall 2016 34

  35. Topics du Jour • There is no perfect security • The attacker’s asymmetric advantage • Confidentiality, Integrity, Authenticity – Side dish: Availability • People are important • Threat modeling 9/30/16 CSE 484 / CSE M 584 - Fall 2016 35

  36. Threat Modeling • Assets: What are we trying to protect? How valuable are those assets? • Adversaries: Who might try to attack, and why? • Vulnerabilities: How might the system be weak? • Threats: What actions might an adversary take to exploit vulnerabilities? • Risk: How important are assets? How likely is exploit? • Possible Defenses 9/30/16 CSE 484 / CSE M 584 - Fall 2016 36

  37. Example: Electronic Voting • Popular replacement to traditional paper ballots 9/30/16 CSE 484 / CSE M 584 - Fall 2016 37

  38. Electronic Voting: Answer Q2 • Popular replacement to traditional paper ballots 9/30/16 CSE 484 / CSE M 584 - Fall 2016 38

  39. Pre-Election Ballot definition file Poll worker Pre-election: Poll workers load “ballot definition files” on voting machine. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 39

  40. Active Voting Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Active voting: Voters obtain single-use tokens from poll workers. Voters use tokens to activate machines and vote. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 40

  41. Active Voting Voter token Voter token Ballot definition file Interactively vote Poll worker Voter Encrypted votes Active voting: Votes encrypted and stored. Voter token canceled. 9/30/16 CSE 484 / CSE M 584 - Fall 2016 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

531 views • 31 slides
CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

708 views • 34 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory University Today Meet everyone in class Course overview Why data privacy and security What is data privacy and security What we

810 views • 70 slides
Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher Lecture 18 CS 118 Page 1 Winter 2016 Another type of layer deficiency Some layers of protocol do not provide any security or privacy What if

708 views • 59 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web

Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web

CSCI-UA.9480 Introduction to Computer Security Session 4.4 Web Privacy Prof. Nadim Kobeissi 4.4a Web Privacy Goals 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Web privacy goals. Preventing websites from learning:

337 views • 14 slides
Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan

Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan

CS 642: Computer Security and Privacy Web Security [Privacy] Spring 2020 Earlence Fernandes earlence@cs.wisc.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Franzi Roesner,

839 views • 32 slides
Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014 Privacy Data privacy issues Network privacy issues Some privacy solutions Lecture 16 Page 2 CS 136, Fall 2014 What Is Privacy?

789 views • 63 slides
Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Syllabus Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Learning Objectives Before CS 563: Intermediate knowledge of computer security topics Experience working

775 views • 38 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Security, Privacy and Trust in DOSNs: State-Of-The-Art Approaches and Open Challenges Panagiotis

Security, Privacy and Trust in DOSNs: State-Of-The-Art Approaches and Open Challenges Panagiotis

Security, Privacy and Trust in DOSNs: State-Of-The-Art Approaches and Open Challenges Panagiotis Ilia Institute of Computer Science Foundation for Research and Technology Hellas (FORTH) <pilia@ics.forth.gr> Security, Privacy and Trust

272 views • 25 slides
PUBLIC RECORDS OVERVIEW October 3, 10, 2017 This presentation is posted at:

PUBLIC RECORDS OVERVIEW October 3, 10, 2017 This presentation is posted at:

PUBLIC RECORDS OVERVIEW October 3, 10, 2017 This presentation is posted at: http://www.flsheriffs.org/webinars/ Wayne Evans General Counsel, FSA Allen, Norton & Blue, P.A. 850-561-3503 revans@anblaw.com 3 Art. 1 24, Fla. Const.

316 views • 31 slides
Security CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ CSE473

Security CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ CSE473

Security CSE473 - Spring 2008 Professor Jaeger www.cse.psu.edu/~tjaeger/cse473-s08/ CSE473 Operating Systems - Spring 2008 - Professor Jaeger Protection Protect yourself from untrustworthy users in a common space If protection is so

578 views • 28 slides
System 2016 Oregon Association of County Clerks Mid-Winter Conference February 2 nd 2016

System 2016 Oregon Association of County Clerks Mid-Winter Conference February 2 nd 2016

Electronic Marriage Registration System 2016 Oregon Association of County Clerks Mid-Winter Conference February 2 nd 2016 Presenters: Krystalyn Salyer Karen Cooper Steve Taylor, Helion Software, Inc. Jennifer Woodward Salem Convention

834 views • 35 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 15: Electronic Mail Security Outline of this Lecture 1. Email security

580 views • 31 slides
WELCOME TO THE HR LIAISON NETWORK SPRING MEETING Human Resources & Organizational

WELCOME TO THE HR LIAISON NETWORK SPRING MEETING Human Resources & Organizational

WELCOME TO THE HR LIAISON NETWORK SPRING MEETING Human Resources & Organizational Effectiveness February 26, 2020 Celebrate Black History Month! Several on- and -off- campus events are held at Texas A&M in observance of Black History

540 views • 22 slides
Chapter 13 Object-Oriented Software Engineering Outline of the Lecture Configuration Purpose

Chapter 13 Object-Oriented Software Engineering Outline of the Lecture Configuration Purpose

Chapter 13 Object-Oriented Software Engineering Outline of the Lecture Configuration Purpose of Software Configuration Management (SCM) ! Motivation: Why software configuration management? Management ! Definition: What is software

502 views • 5 slides
Problems Configuration Ambiguity as to what thing is meant Management Inconsistent combinations

Problems Configuration Ambiguity as to what thing is meant Management Inconsistent combinations

Problems Configuration Ambiguity as to what thing is meant Management Inconsistent combinations Lost files, lost changes Software Engineering & Technology Tom Verhoeff Undocumented, unapproved changes Not knowing the composition of

230 views • 4 slides
WHY CM? Multiple people are working on changing software Jyrki Nummenmaa University of

WHY CM? Multiple people are working on changing software Jyrki Nummenmaa University of

WHY CM? Multiple people are working on changing software Jyrki Nummenmaa University of Tampere, CS Department Jyrki Nummenmaa University of Tampere, CS Department More than one version of the software needs to be supported:

342 views • 3 slides

More recommend