Outline CSci 5271 Big-Picture Introduction Introduction to Computer Security Day 1: Introduction and Logistics Course Logistics Stephen McCamant University of Minnesota, Computer Science & Engineering What is computer security? Two sides of security Defenders / white-hats / good guys[sic] Keep “bad things” from happening Attackers / black-hats / bad guys[sic] Distinguished by presence of an Each side’s strategy depends on the adversary other In some ways like a game Classic security goals Managing risk Confidentiality Threat model, likely adversary goals Integrity Expected damage Authenticity Expected attack rate Availability
Course areas Software security Security bugs aka vulnerabilities Software security Some specific to low-level languages like C, others not OS security Arms race Cryptography Attack techniques Network application security Defenses against unknown bugs Countermeasures against defenses Other topics Defensive programming and design OS security Cryptography Classic area for secure design and Mathematical techniques for protecting security policies information Some specific examples from Unix/Linux Symmetric-key techniques (e.g. AES) Access control and capabilities Public-key techniques (e.g. RSA) Multi-level security and information flow Cryptographic protocols Assurance and trust What can go wrong (lots!) Security and the network Short topics Network protocols, basic and “S” Privacy-enhancing network overlays Firewalls, NATs, intrusion detectors Security and usability Web servers and web clients Electronic voting Network malware and network DoS Electronic cash (e.g., Bitcoin)
Learning goals Outline Think like your adversary Big-Picture Introduction Recognize and eliminate vulnerabilities Design and build systems securely Course Logistics Apply security principles to research problems Instructor information Teaching assistant Stephen McCamant Office: 4-225E Keller Travis Carlson Office hours: Monday 10-11am, Tuesday Office hours Wednesday 3-4, Thursday 11-12, in Keller 2-246 2-3pm, or by appointment Email: ♠❝❝❛♠❛♥t❅❝s✳✉♠♥✳❡❞✉ Prerequisites Reading materials Undergraduate-level OS, e.g. 4061 Posted on the course web site Machine code and compilation Download, perhaps with library proxy E.g. 2021, transitive for 4061 Useful: networks (4211) Read before corresponding lecture Graduate level maturity and Readings and lecture may not match resourcefulness Both may appear on exams C, Unix, (Perl ❥ Python ❥ Ruby ❥ ✁ ✁ ✁ )
Textbook Evaluation components 10% Written exercise sets (5) 15% Hands-on assignments (2) 20% Midterm exam 25% Final exam 30% Group research project Exercises Hands-on assignments Two assignments, by large topic Five sets, roughly by topic areas divisions Do individually or in groups of up to 3 Do individually or in groups of up to 3 Mostly thinking and writing, not much Mostly programming and attacking programming Draws heavily on your C and Unix skills Submit one set per group in PDF, via Canvas First up: penetrate-and-patch HA1 Exams Group research project Open book, open notes, no laptops/calculators/phones Single most important and Mix of multiple-choice/true-false and time-consuming part of course short-answer Groups of 4-5, preferably 5 or 6 Midterm: Monday October 21st in class Engage with a recent research paper Final: Saturday December 14th Reproduce and extend, or Reproduce and attack 10:30am-12:30pm Mark your calendars!
Project milestones Pre-proposal (Sep. 18) Pre-proposal (due Sep. 18) Who: group members Progress meetings and reports What: paper you’re engaging with (monthly) Why: are you suited for this project Short in-class presentation (last two How: preliminary action plan weeks) When: available times for progress Paper-style final report (due Dec. 11) meetings Project evaluation Late assignments Due dates usually 11:59pm Central Time 15% Originality 1 sec late - 23:59:59 late: 75% 15% Scholarship 24 hrs - 47:59:59 late: 50% 30% Strength of evaluation 48 hrs - 71:59:59 late: 25% 40% Individual contribution After that: 0 Collaboration, within groups Collaboration, between groups Main kind of collaboration expected in Be careful: “no spoilers” class OK to discuss general concepts Think about how you structure your OK to help with side tech issues collaboration Sharing code or written answers is For best results, but also to learn from never OK teammates
External sources Security ethics Many assignments will allow or recommend outside (library, Internet) Don’t use techniques discussed in class sources to attack the security of other people’s computers! But you must appropriately acknowledge any outside sources you If we find you do, you will fail, along with use other applicable penalties Failure to do so is plagiarism Academic misconduct generally Course web site Don’t cheat, plagiarize, help others cheat, etc. Department web site under ❝s❝✐✺✷✼✶ Minimum penalty: 0 on assignment, Also linked from my home page report to OCS ⑦♠❝❝❛♠❛♥t More serious: F in course, other OCS penalties Canvas Challenging course aspects Stressing C, low-level, and Unix skills Assignment submissions Thinking like an attacker Discussion forums Thinking like a researcher Including: group formation Time management
Hands-on Assignment 1 Exploiting BCMTA BCMTA runs as super-user (“root”) Weekly attacks 9/20-10/18 Bugs allow a regular user to gain root Attack a badly coded mail server privileges (shell) (BCMTA 2.0) Challenge: many steps from bug to Test your attacks using Linux virtual working exploit machines Challenge: bugs fixed over time Detailed material starts next week Readings, projects, exercise 1 See you on Monday!
Recommend
More recommend
