CSE 127: Introduction to Computer Security
Spring 2022 Lecture 1
• Instructor:
• Office Hours: Wednesday 9:00-10:00am
• Office Hours: Tuesday 4:00pm-5:00pm
• Office Hours: Thursday 3:00pm-4:00pm
• Office Hours: Wednesday 3:00pm-4:00pm
• Office Hours: Monday 11:00am-Noon
Many amazing folks at UCSD working on security
[Slide figure: UCSD security faculty grouped by research area. Surviving labels: Savage, Voelker, Nadia, Lawrence, Tullsen; Theory, Applied, Verification, Networking, ML, Embedded, Arch]
• Computer Science Education, Data Science and Data Ethics
• 11+ years in Industry and Academia
• Qualifications: PhD, MSc, and BSc – all in Computer
• Currently a Postdoctoral Fellow at UCSD.
• Studying CS student attrition – root causes behind drop-outs in CS.
Topics Covered and Course Goals
Topics Covered
• The Security Mindset
  • Principles and threat modeling
• Systems/Software Security
  • Classic attacks and defenses on memory safety, isolation
• Web Security
  • Web architecture, web attacks, web defenses
• Network Security
  • Network protocols, network attacks, network defenses
• Cryptography
  • Public and private-key cryptography, TLS, PKI
• Privacy, Anonymity, Ethics, Legal Issues
Course Goals
• Critical thinking
  • How to think like an attacker
  • How to reason about threats and risks
  • How to balance security costs and benefits
• Technical skills
  • How to protect yourself
  • How to manage and defend systems
  • How to design and implement secure systems
• Learn to be a security-conscious citizen
• Learn to be a leet h4x0r, but an ethical one!
Course Mechanics
40% (Project 0 to Project 5)
• Work in groups of two
• Do your own programming and writeup
• General discussion is encouraged
20% Midterm exam 05/04 in class
• On Canvas
• Open-book, independent work
40% Final exam 06/06 (To confirm time)
• Closed book
• Might be on Canvas too – To advise later
Course Policies
Late days and extensions:
• You have two late days to use as you wish
• Both you and your partner must have late days to use them
Regrade policy:
• Regrades should be the exception, not the norm
• Incorrect regrade request ⇒ negative points
Academic integrity:
• UC San Diego policy:
https://academicintegrity.ucsd.edu
• We have to report suspected cases, don’t make it weird
• If you are not sure if something is cheating, ask
Talk to us, it’s a weird time
Course Resources
• No official textbook. Optional books:
  • Security Engineering by Ross Anderson
  • Hacking: The Art of Exploitation by Jon Erickson
• Assignments and readings on course site:
https://cseweb.ucsd.edu/classes/sp22/cse127-a/
• Questions? Post to Piazza.
https://piazza.com/ucsd/spring2022/cse127_sp22_a00
• Lectures and office hours:
  • Lectures: In person with a recorded component via
  • Discussion: This will be held via Zoom (Wednesday 5:00pm-5:50pm)
  • Office hours will not be recorded
We will be discussing and implementing real-world attacks.
Using some of these techniques in the real world may be unethical, a violation of university policies, or a violation of federal law.
This includes the course assignment infrastructure (e.g., grading system).
Be an ethical hacker:
• Ethics requires you to refrain from doing harm
• Always respect human, privacy, property rights
• There are many legitimate hacking capture-the-flag competitions (mostly for hackers!)
18 U.S. CODE 1030 – FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS
Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer…
The punishment for an offense…
– a fine under this title or imprisonment for not more than one year, or both…,
– a fine under this title or imprisonment for not more than 5 years, or both… if:
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act…; or
(iii) the value of the information obtained exceeds $5,000
Real-World Cases
Computer Fraud and Abuse Act (CFAA) Cases
• In 2011, FBI prosecuted , also known as “Weev” for exposing data of 114K AT&T iPad users
  • Criminal CFAA charge.
  • Found guilty and sent to prison.
• In 2011, Sony sued , also known as “Geohot” for jailbreaking PlayStation 3
  • Civil CFAA and DMCA complaints.
  • Settled out of court.
• In 2011, FBI prosecuted for downloading academic articles on MIT network from JSTOR
  • Indicted for wire fraud and CFAA.
  • Prosecution continued until his death in 2013.
• In 2021, Buren was charged with “exceeding authorized access” under CFAA
  • A police officer who misused license plate database
  • Supreme court ruled that authorized access for improper purposes is not “exceeding authorized access”
Famous Hackers
Other famous hackers:
• : Infiltrated Digital Equipment Corporation (DEC) and copied their software.
• : Hacked NASA and US military systems
• : Largest credit card heist (170 million credit cards, etc)
• : Juvenile, broke into NASA server and stole sensitive information.
Source: https://www.kaspersky.com/resource-center/threats/top-ten-greatest-hackers
What is security?
What makes it different from robustness?
“Computer security studies how systems behave in the presence of an adversary.”
*Actively tries to cause the system to misbehave.
Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.
The Security Mindset
• Thinking like an attacker
  • Understand techniques for circumventing security
  • Look for ways security can break, not why it won’t
• Thinking like a defender
  • Know what you’re defending, and against whom.
  • Weigh benefits vs. costs:
No system is ever completely secure.
Thinking like an Attacker
• Look for weakest links
• Identify assumptions that security depends on. Are they false?
• Think outside the box
Not constrained by system designer’s worldview!
Start practicing: When you interact with a system, think about what it means to be secure, and how it might be exploited.
How would you break into the CSE building?
How would you steal my email password?
What security systems do you interact with?
Thinking like a Defender
• Security policy
  • What are we trying to protect?
  • What properties are we trying to enforce?
• Threat model
  • Who are the attackers? Capabilities? Motivation?
  • What kind of attack are we trying to prevent?
• Risk assessment
  • What are the weaknesses of the system?
  • What will successful attacks cost us?
  • How likely?
• Countermeasures
  • Costs vs. benefits?
  • Technical vs. nontechnical?
Security Policies
• What assets are we trying to protect?
  • Password (hashes)
  • Browsing history
• What properties are we trying to enforce?
  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
Threat Models
• Who are our adversaries?
• Motives?
• Capabilities?
• What kinds of attacks do we need to prevent? (Think like the attacker!)
• Limits: What kinds of attacks should we ignore?
Example of Threat Modeling
“This World of Ours”
Assessing Risk
Remember: Controlled paranoia
• What would security breaches cost us?
  • Direct costs: Money, property, safety, …
  • Indirect costs: Reputation, future business, wellbeing,
• How likely are these costs?
  • Probability of attacks?
  • Probability of success?
Countermeasures
• Technical countermeasures
• Nontechnical countermeasures
Law, policy (government, institutional), procedures, training, auditing, incentives, etc.
How do we protect classified satellites?
Security Costs
• No security mechanism is free
  • Direct costs: Design, implementation, enforcement, false positives
  • Indirect costs: Lost productivity, added complexity
• Challenge is to rationally weigh costs vs. risk
  • Human psychology makes reasoning about high cost/low probability events hard
Should you lock your door?
• Adversaries?
• Risk assessment?
• Countermeasures?
• Costs/benefits?
Should you use automatic software updates?
• Adversaries?
• Risk assessment?
• Countermeasures?
• Costs/benefits?
Should we protect the CSE bear?
• Adversaries?
• Risk assessment?
• Countermeasures?
• Costs/benefits?
Secure Design
• Common mistake:
Convince yourself that the system is secure
• Better approach:
Identify weaknesses of design, focus on correcting them
Formally prove that design is secure (soon)
• Secure design is a process
Must be practiced continuously
Retrofitting security is super hard
Where to focus defenses
• Trusted components
Parts that must function correctly for the system to be secure.
• Attack surface
Parts of the system exposed to the attacker
Security Principles
• Simplicity, open design, and maintainability
• Privilege separation and least privilege
• Defense-in-depth and diversity
• Complete mediation and fail-safe
Preventing cheating on an online exam?
Preventing you from stealing my password?
Next lecture: Buffer overflows!