Wrapup: CSE443 - Spring 2012 Introduction to Computer and Network Security

SLIDE 1

CSE443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

Wrapup

CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger

www.cse.psu.edu/~tjaeger/cse443-s12/

SLIDE 2

Final

  • The final is on
      – Thursday, May 3, 2:30 in 101 Althouse
  • Be late at your own peril (We may lock the door at 2:40)
  • You will have the full time to take the test, but no more
  • Coverage:
      – Anything we talked about in class …
      – or appeared in the readings
      – Mainly topics since mid-term
  • Types of questions
      – Constructive (here is scenario, design X and explain it)
      – Philosophical (why does Z argue that …)
      – Explanatory (what is the key tradeoff between A and B …)

SLIDE 3

Prior Topics

  • Terminology
      – Any term defined in the early lectures
  • Crypto Algorithms
      – Diffie-Hellman and RSA
  • Crypto protocols
      – Public key
      – Secret key
      – Integrity, Authenticity, Secrecy
  • Authentication
      – Kerberos, SSH, SSL, IPsec
  • Program Security
      – Buffer and other overflows, name resolution attacks
  • Access Control
      – Protection v Security, Mandatory Protection System, Reference Monitor

SLIDE 4

Topics Since Midterm

  • Capabilities and Sandboxes
  • Network Security
  • Web Security
  • Intrusion Detection
  • Stuxnet
  • MAC systems
  • Return-oriented programming
  • Virtual machine systems
  • Trusted Computing
  • Wireless Security

SLIDE 5

Capabilities

  • Problems
      – Confused deputy
  • Considerations
      – Chroot
      – Sandboxing and TOCTTOU
      – Capability definition
      – Crypto capabilities
      – Forgery
      – Confine access using capabilities
      – Usability

SLIDE 6

Network Security

  • Problems
      – Network protocol vulnerabilities, network access, secure communication at IP level (IPsec), worms, bots
  • Considerations
      – Basis for the various vulnerabilities
      – Firewall rule specification
      – IPsec principles
      – Worm propagation
      – Botnets and command & control

SLIDE 7

Web Security

  • Problems
      – Secure communication (SSL/TLS), cookies, server vulnerabilities, client vulnerabilities, client defenses
  • Considerations
      – SSL protocol tasks and results
      – Secure cookie design
      – Dynamic content processing
      – JavaScript, applets, ...
      – Client security architectures

SLIDE 8

Intrusion Detection

  • Anomaly and misuse detection
  • Network and host IDS
  • Positives/Negatives
  • Bayes’ Rate Fallacy

SLIDE 9

Modern Attacks

  • Problems
      – Stuxnet and Return-oriented programming
  • Considerations
      – Stuxnet threats
      – Limitations that made these threats viable
      – Relationship between overflows and ROP
      – ROP execution model
      – Gadgets

SLIDE 10

MAC Systems / VM Systems

  • MAC systems
      – How does SELinux confine root processes?
      – How does SELinux prevent access to setuid programs?
      – Why is it used for confining network-facing daemons?
  • VM systems
      – Virtualization types
      – Tasks for securing VM computation (VAX VMM)
      – IOMMU

SLIDE 11

Trusted Computing

  • Extend
      – TPM hash chain operation over PCRs
  • Quote/Attest
      – Sign PCR using challenge-response protocol

SLIDE 12

Wireless Security

  • Attacks on wireless
      – radio channel
  • Attacks on WEP
  • NIST recommendations
      – Why?

SLIDE 13

The state of security …

  • … issues are in public consciousness
      – Press coverage is increasing …
      – Losses mounting … (billions and billions)
      – Effect increasing … (ATMs, commerce)
  • What are we doing?

“… sound and fury signifying nothing …” - W. Shakespeare

(well, it's not quite that bad)

SLIDE 14

The problems …

  • What is the root cause?
      – Security is not a key goal …
      – … and it never has been …
    … so, we need to figure out how to change the way we do engineering (and science) …
    … to make computers secure.
  • Far too much misunderstanding about basic security and the use of technology
  • This is also true of physical security

SLIDE 15

The current solutions …

  • Make better software
      – “we mean it” - B. Gates (2002)
      – “no really …” - B. Gates (2003)
      – “Linux is bad too …” - B. Gates (2005)
      – “it’s in longhorn ...” - B. Gates (2006)
  • CERT/SANS-based problem/event tracking
      – Experts tracking vulnerabilities
      – Patch system improving
  • Destructive research
      – Back-pressure on product developers
      – Arms-race with bad guys
  • Problem: reactive, rather than proactive

SLIDE 16

The real solutions …

  • Fix the economic incentive equation …
      – Eventually, MS/Sun/Apple/*** will be in enough pain that they change the way they make software
  • Education
      – Things will get better when people understand when and how to use technology
  • Fix engineering practices
      – Design for security
  • Apply technology
      – What we have been talking about

SLIDE 17

The bottom line

  • The Web/Internet and new technologies are being limited by their ability to address security and privacy concerns …
  • … it is incumbent on us as scientists to meet these challenges.
      – Evangelize importance of security …
      – Provide sound technologies …
      – Define better practices …

SLIDE 18

Thank You!!!


tjaeger@cse.psu.edu