intro to computer security
play

Intro to Computer Security Lujo Bauer lbauer@cmu.edu - PowerPoint PPT Presentation

Jan 16, 2024 •271 likes •647 views

Carnegie Mellon Intro to Computer Security Lujo Bauer lbauer@cmu.edu http://www.ece.cmu.edu/~lbauer Fall 2011 Carnegie Mellon Plan for Today What is computer security and why is it important? Types of computer misuse

  1. Carnegie Mellon Intro to Computer Security Lujo Bauer lbauer@cmu.edu http://www.ece.cmu.edu/~lbauer Fall 2011

  2. Carnegie Mellon Plan for Today  What is computer security …  … and why is it important?  Types of computer misuse  Basic security analysis  A taxonomy of computer security 2

  3. Carnegie Mellon What Is Computer Security?  Protecting computers against misuse and interference  Broadly comprised of three types of properties  Confidentiality : information is protected from unintended disclosure  Secrecy, privacy  Integrity : system and data are maintained in a correct and consistent condition  Availability : systems and data are usable when needed  Also includes timeliness  These concepts overlap (and clash)  These concepts are (perhaps) not all-inclusive  Spam?  “Non-business related” surfing? 3

  4. Carnegie Mellon Why Is Computer Security Important? 4

  5. Carnegie Mellon There Are Lots of Bugs! [ http://www.cert.org/stats ] Vulnerabilities reported to CERT/CC 9000 8000 7000 6000 5000 4000 3000 2000 1000 0 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 5

  6. Carnegie Mellon There Are Lots of Bugs!  But is it a computer security problem?  Computer security = protecting computers against misuse and interference  Bugs can be (and are) purposefully exploited 6

  7. Carnegie Mellon Exploiting Bugs as a Nuisence  To be annoying  Newsday technology writer & hacker critic found …  Email box jammed with thousands of messages  Phone reprogrammed to an out of state number where caller’s heard an obscenity-loaded recorded message [ Time Magazine, December 12, 1994 ] 7

  8. Carnegie Mellon Exploiting Bugs for Profit  Hacker convicted of breaking into a business’ computer system, stealing confidential information and threatening disclosure if $200,000 not paid [ U.S. Dept. of Justice Press Release, Jul 2003 ]  11 people indicted for stealing more than 40 million credit card and debit card numbers [ CNN, Aug 2008 ] 8

  9. Carnegie Mellon Costs Can Be Staggering  MyDoom (2004) - $38.5 billon  SoBig (2003) - $37.1 billion  Love Bug (2000) - $15 billion  Code Red (2001) - $2 billion 9

  10. Carnegie Mellon Is It Just About Cost? 10

  11. Carnegie Mellon Software Bugs in the News Unmanned European rocket explodes on first flight Europe's newest unmanned satellite-launching rocket, the Ariane 5, intentionally was blown up Tuesday just seconds after taking off on its maiden flight. … [ http://edition.cnn.com/WORLD/9606/04/rocket.explode/ ] … The internal SRI software exception was caused during execution of a data conversion from 64-bit floating point to 16-bit signed integer value. The floating point number which was converted had a value greater than what could be represented by a 16-bit signed integer. This resulted in an Operand Error. The data conversion instructions (in Ada code) were not protected from causing an Operand Error, although other conversions of comparable variables in the same place in the code were protected. … [ ARIANE 5 Flight 501 Failure, Report by the Inquiry Board , Paris, Jul 19 1996 ] 11

  12. Carnegie Mellon Software Bugs in the News … A previously-unknown software flaw in a widely-deployed General Electric energy management system contributed to the devastating scope of the August 14th northeastern U.S. blackout … [ Security Focus , Feb 11 2004 ] The Northeast Blackout of August 2003, the largest in North American history, shut down 62,000 MW of generation capacity, and cost businesses an estimated $13 billion in productivity. … [ IEEE-USA Today’s Engineer , Feb 2005] … “There was a couple of processes that were in contention for a common data structure, and through a software coding error in one of the application processes, they were both able to get write access to a data structure at the same time … And that corruption led to the alarm event application getting into an infinite loop and spinning.” … [ Security Focus , Apr 7 2004 ] 12

  13. Carnegie Mellon Software Bugs in the News E-voting vendor: Programming errors caused dropped votes … E-voting machines from Premier Election Solutions, formerly called Diebold Election Systems, dropped hundreds of votes in 11 Ohio counties during the primary election, as the machine's memory cards uploaded to vote-counting servers. … [ Network World , Aug 22 2008 ] 13

  14. Carnegie Mellon Software Bugs in the News … Software bugs in a Soviet early-warning monitoring system nearly brought on nuclear war in 1983, according to news reports in early 1999. The software was supposed to filter out false missile detections caused by Soviet satellites picking up sunlight reflections off cloud-tops, but failed to do so. Disaster was averted when a Soviet commander, based on a what he said was a ‘…funny feeling in my gut’, decided the apparent missile attack was a false alarm. The filtering software code was rewritten. . … [ http://rajasriengg.wordpress.com/2008/07/16/recent-major-computer-system- failures-caused-by-software-bugs/ ] 14

  15. Carnegie Mellon Software Bugs in the News  Accidents  Monetary loss  Effect on political process?  Military conflict? 15

  16. Carnegie Mellon Types of Computer Misuse (1) [Neumann and Parker 1989]  External  Visual spying Observing keystrokes or screens  Misrepresentation Deceiving operators and users  Physical scavenging “Dumpster diving” for printouts  Hardware misuse  Logical scavenging Examining discarded/stolen media  Eavesdropping Intercepting electronic or other data  Interference Jamming, electronic or otherwise  Physical attack Damaging or modifying equipment  Physical removal Removing equipment & storage media 16

  17. Carnegie Mellon Types of Computer Misuse (2) [Neumann and Parker 1989]  Masquerading  Impersonation Using false identity external to computer  Piggybacking Usurping workstations, communication  Spoofing Using playback, creating bogus systems  Network weaving Masking physical location or routing  Pest programs  Trojan horses Implanting malicious code  Logic bombs Setting time or event bombs  Malevolent worms Acquiring distributed resources  Viruses Attaching to programs and replicating  Bypasses  Trapdoor attacks Utilizing existing flaws  Authorization attacks Password cracking 17

  18. Carnegie Mellon Types of Computer Misuse (3) [Neumann and Parker 1989]  Active misuse  Basic Creating false data, modifying data  Denials of service Saturation attacks  Passive misuse  Browsing Making random or selective searches  Inference, aggregation Exploiting traffic analysis  Covert channels Covert data leakage  Inactive misuse Failing to perform expected duties  Indirect misuse Breaking crypto keys 18

  19. Carnegie Mellon The Internet Worm (Nov 2, 1988)  Probably the most famous exploit ever unleashed  Program was released that iteratively spread itself across Berkeley Unix systems, and crippled those it infected  Exploited three different vulnerabilities  debug option of sendmail  gets , used in the implementation of finger  Remote logins exploiting .rhost files  Perpetrator was convicted under the Computer Fraud and Abuse Act of 1986  Largely the cause for the creation of the Computer Emergency Response Team (CERT) 19

  20. Carnegie Mellon A Cautionary Tale  Perpetrator was Robert Morris, a Cornell CS graduate student at the time  Morris intended the worm as a “benign” experiment  The worm’s propagating behavior was intended  The worm’s destructive behavior was not  Lesson: DO NOT try hacking experiments  even “benign” ones  on public networks 20

  21. Carnegie Mellon Basic Security Analysis  How do you secure X? Is X secure? What are we protecting? 1. Who is the adversary? 2. What are the security requirements? 3. What security approaches are effective? 4. 21

  22. Carnegie Mellon 1. What Are We Protecting?  Enumerate assets and their value  Understand architecture of system  Useful questions to ask  What is the operating value, i.e., how much would we lose per day/hour/minute if the resource stopped?  What is the replacement cost? How long would it take to replace it? 22

  23. Carnegie Mellon 2. Who Is the Adversary?  Identify potential attackers  How motivated are they?  Estimate attacker resources  Time and money  Estimate number of attackers, probability of attack 23

  24. Carnegie Mellon Common (Abstract) Adversaries  Attacker action  Passive attacker: eavesdropping  Active attacker: eavesdropping + data injection  Attacker sophistication  Ranges from script kiddies to government-funded group of professionals  Attacker access  External attacker: no knowledge of cryptographic information, no access to resources  Internal attacker: complete knowledge of all cryptographic information, complete access  Result of system compromise 24

  25. Carnegie Mellon 3. What Are the Security Requirements?  Enumerate security requirements  Confidentiality  Integrity  Authenticity  Availability  Auditability  Access control  Privacy  … 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quick Intro to Computer Security What is computer security? Securing communication

Quick Intro to Computer Security What is computer security? Securing communication

Carnegie Mellon Quick Intro to Computer Security What is computer security? Securing communication Cryptographic tools Access control User authentication Computer security and usability Thanks to Mike Reiter for the

412 views • 38 slides
A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection

A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection

A Brief Intro to Security December 5th, 2013 What is Computer Security? The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and

296 views • 14 slides
Security Metrics, Security Investment Models and Intro to R Tyler Moore CSE 7338 Computer

Security Metrics, Security Investment Models and Intro to R Tyler Moore CSE 7338 Computer

Notes Security Metrics, Security Investment Models and Intro to R Tyler Moore CSE 7338 Computer Science & Engineering Department, SMU, Dallas, TX Lecture 2 Notes Outline Managing security investment 1 Security metrics 2 R 3

605 views • 16 slides
Cryptography Well, a gentle intro to cryptography Fall 2014 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2014 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2014 CS 334: Computer Security 1 Special Thanks: to our friends at the Australian Defense Force Academy for providing the basis for these slides Fall 2014 CS 334: Computer Security 2

730 views • 47 slides
Cryptography Well, a gentle intro to cryptography Fall 2010 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2010 CS 334: Computer Security 1

Cryptography Well, a gentle intro to cryptography Fall 2010 CS 334: Computer Security 1 Special Thanks: to our friends at the Australian Defense Force Academy for providing the basis for these slides Fall 2010 CS 334: Computer Security 2

626 views • 43 slides
Fundamentals of Computer Security Spring 2015 Radu Sion Intro Encryption Hash Functions A

Fundamentals of Computer Security Spring 2015 Radu Sion Intro Encryption Hash Functions A

Fundamentals of Computer Security Spring 2015 Radu Sion Intro Encryption Hash Functions A Message From Our Sponsors Computer Security Fundamentals Fundamentals System/Network Security, crypto How do things work Why How to

824 views • 26 slides
Intro to Web Security What is the Internet? global system of interconnected computer

Intro to Web Security What is the Internet? global system of interconnected computer

Intro to Web Security What is the Internet? global system of interconnected computer networks that use the Internet protocol suite (TCP/ IP) to link devices worldwide - Wikipedia and why do we care? The interconnectedness of

485 views • 37 slides
Computer Security: Intro B. Jacobs Institute for Computing and Information Sciences Digital

Computer Security: Intro B. Jacobs Institute for Computing and Information Sciences Digital

Organisation Introduction Radboud University Nijmegen A security protocol example Computer Security: Intro B. Jacobs Institute for Computing and Information Sciences Digital Security Radboud University Nijmegen Version: fall 2015 B.

633 views • 50 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

608 views • 8 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

395 views • 7 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Cryptography Well, a gentle intro to cryptography. Actually, a fairly hand-wavy intro to

Cryptography Well, a gentle intro to cryptography. Actually, a fairly hand-wavy intro to

Cryptography Well, a gentle intro to cryptography. Actually, a fairly hand-wavy intro to crypto (well discuss why) Fall 2018 CS 334: Computer Security 1 Special Thanks: to our friends at the Australian Defense Force Academy for

1.2k views • 51 slides
Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' '

Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' '

CSE$484$/$CSE$M$584:$$Computer$Security$and$Privacy$ $ Software$Security$ (finish) $ & $ Cryptography $(brief$intro) $ Spring'2016' ' Franziska'(Franzi)'Roesner'' franzi@cs.washington.edu'

419 views • 29 slides
Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science

Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science

Notes Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science & Engineering Department, SMU, Dallas, TX Lecture 1 Notes Outline Logistics 1 Motivation 2 Intro to Economics: Key notions 3 Intro

769 views • 32 slides
Software Security Continued + Cryptography Intro Autumn 2018 Tadayoshi (Yoshi) Kohno

Software Security Continued + Cryptography Intro Autumn 2018 Tadayoshi (Yoshi) Kohno

CSE 484 / CSE M 584: Computer Security and Privacy Software Security Continued + Cryptography Intro Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli,

445 views • 22 slides
B l a c k B o x Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian

B l a c k B o x Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian

B l a c k B o x Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian Demsky University of California, Irvine, USA Michael B. Taylor University of California, San Diego, USA Why Security Monitoring? Motjvatjon #1:

1.18k views • 75 slides
Lifelong Learning CS 330 Logistics Project milestone due Wednesday. Two guest lectures next week!

Lifelong Learning CS 330 Logistics Project milestone due Wednesday. Two guest lectures next week!

Lifelong Learning CS 330 Logistics Project milestone due Wednesday. Two guest lectures next week! Je ff Clune Sergey Levine 2 Plan for Today The lifelong learning problem statement Basic approaches to lifelong learning Can we do better than the

585 views • 33 slides
Paul and Barnabas encounter paganism in Lystra Acts 14:8-18 Now at Lystra there was a man

Paul and Barnabas encounter paganism in Lystra Acts 14:8-18 Now at Lystra there was a man

Paul and Barnabas encounter paganism in Lystra Acts 14:8-18 Now at Lystra there was a man sitting who could not use his feet. He was crippled from birth and had never walked. He listened to Paul speaking. And Paul, looking intently at him and

717 views • 30 slides
Training in a Cyber-active Environment Using C2-Simulation Interoperation Dr. Mark Pullen George

Training in a Cyber-active Environment Using C2-Simulation Interoperation Dr. Mark Pullen George

Training in a Cyber-active Environment Using C2-Simulation Interoperation Dr. Mark Pullen George Mason University C4I & Cyber Center, USA James Ruth Trideum, Inc. Overview Introduction: Importance of cyber-active training

540 views • 24 slides
KJSEmbed and QtScript What is application scripting? What is KJSEmbed? What is QtScript? How do

KJSEmbed and QtScript What is application scripting? What is KJSEmbed? What is QtScript? How do

KJSEmbed and QtScript What is application scripting? What is KJSEmbed? What is QtScript? How do KJSEmbed and QtScript compare? What would we need to do to make QtScript usable for KDE? Where do we go from here? Akademy 2007, KJSEmbed and

455 views • 16 slides
Free At Last! David Knight Westview Bible Church August 25, 2019 "I Have A Dream ...

Free At Last! David Knight Westview Bible Church August 25, 2019 "I Have A Dream ...

Free At Last! David Knight Westview Bible Church August 25, 2019 "I Have A Dream ... August 28, 1963 Luke 13:10-17 One Sabbath day as Jesus was teaching in a synagogue, he saw a woman who had been crippled by a spirit of weakness.

405 views • 26 slides
Destructors, Finalizers, and Destructors, Finalizers, and Synchronization Synchronization

Destructors, Finalizers, and Destructors, Finalizers, and Synchronization Synchronization

Destructors, Finalizers, and Destructors, Finalizers, and Synchronization Synchronization Hans-J. Boehm HP Laboratories Hans.Boehm@hp.com Object cleanup C++ destructors Executed synchronously at specific program point. Convenient notation.

303 views • 17 slides
(Un)Ordinary Time Matthew 14:13-21 When the gospel writers want to sum up Jesus entire

(Un)Ordinary Time Matthew 14:13-21 When the gospel writers want to sum up Jesus entire

Sermon: Nelson Boschman (Un)Ordinary Time Matthew 14:13-21 When the gospel writers want to sum up Jesus entire ministry, they frequently say things like this: Jesus announced the good news of the kingdom and healed every disease

415 views • 19 slides

More recommend