CSE 127: Introduction to Computer Security
Spring 2022 Lecture 1

• Instructor:
• Office Hours: Wednesday 9:00-10:00am

• Office Hours: Tuesday 4:00pm-5:00pm
• Office Hours: Thursday 3:00pm-4:00pm
• Office Hours: Wednesday 3:00pm-4:00pm
• Office Hours: Monday 11:00am-Noon

Many amazing folks at UCSD working on security
[Figure: UCSD security faculty grouped by research area. Surviving labels: Savage, Voelker, Nadia, Lawrence, Tullsen; Theory, Applied, L & Verification, Networking, ML, Embedded, Arch]

• Computer Science Education, Data Science and Data Ethics
• 11+ years in Industry and Academia
• Qualifications: PhD, MSc, and BSc – all in Computer
• Currently a Postdoctoral Fellow at UCSD.
• Studying CS student attrition – root causes behind drop-outs in CS.

Topics Covered and Course Goals

Topics Covered
• The Security Mindset
  • Principles and threat modeling
• Systems/Software Security
  • Classic attacks and defenses on memory safety, isolation
• Web Security
  • Web architecture, web attacks, web defenses
• Network Security
  • Network protocols, network attacks, network defenses
• Cryptography
  • Public and private-key cryptography, TLS, PKI
• Privacy, Anonymity, Ethics, Legal Issues

Course Goals
• Critical thinking
  • How to think like an attacker
  • How to reason about threats and risks
  • How to balance security costs and benefits
• Technical skills
  • How to protect yourself
  • How to manage and defend systems
  • How to design and implement secure systems
• Learn to be a security-conscious citizen
• Learn to be a leet h4x0r, but an ethical one!

Course Mechanics
40% (Project 0 to Project 5)
• Work in groups of two
• Do your own programming and writeup
• General discussion is encouraged
20% Midterm exam 05/04 in class
• On Canvas
• Open-book, independent work
40% Final exam 06/06 (To confirm time)
• Closed book
• Might be on Canvas too – To advise later

Course Policies
Late days and extensions:
• You have two late days to use as you wish
• Both you and your partner must have late days to use them
Regrade policy:
• Regrades should be the exception not the norm
• Incorrect regrade request ⇒ negative points
Academic integrity:
• UC San Diego policy: https://academicintegrity.ucsd.edu
• We have to report suspected cases, don’t make it weird
• If you are not sure if something is cheating, ask
Talk to us, it’s a weird time

Course Resources
• No official textbook. Optional books:
  • Security Engineering by Ross Anderson
  • Hacking: The Art of Exploitation by Jon Erickson
• Assignments and readings on course site:
  https://cseweb.ucsd.edu/classes/sp22/cse127-a/
• Questions? Post to Piazza.
  https://piazza.com/ucsd/spring2022/cse127_sp22_a00
• Lectures and office hours:
  • Lectures: In person with a recorded component via
  • Discussion: This will be held via Zoom (Wednesday 5:00pm-5:50pm)
  • Office hours will not be recorded

We will be discussing and implementing real-world attacks.
Using some of these techniques in the real world may be unethical, a violation of university policies, or a violation of federal law.
This includes the course assignment infrastructure (e.g., grading system).
Be an ethical hacker:
• Ethics requires you to refrain from doing harm
• Always respect human, privacy, property rights
• There are many legitimate hacking capture-the-flag competitions (mostly for hackers!)

18 U.S. CODE 1030 – FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS
Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer…
The punishment for an offense…
– a fine under this title or imprisonment for not more than one year, or both…,
– a fine under this title or imprisonment for not more than 5 years, or both… if:
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act…; or
(iii) the value of the information obtained exceeds $5,000

Real-World Cases

Computer Fraud and Abuse Act (CFAA) Cases
• In 2011, FBI prosecuted , also known as “Weev” for exposing data of 114K AT&T iPad users
  • Criminal CFAA charge.
  • Found guilty and sent to prison.
• In 2011, Sony sued , also known as “Geohot” for jailbreaking PlayStation 3
  • Civil CFAA and DMCA complaints.
  • Settled out of court.
• In 2011, FBI prosecuted for downloading academic articles on MIT network from JSTOR
  • Indicted for wire fraud and CFAA.
  • Prosecution continued until his death in 2013.
• In 2021, Buren was charged with “exceeding authorized access” under CFAA
  • A police officer who misused license plate database
  • Supreme court ruled that authorized access for improper purposes is not “exceeding authorized access”

Famous Hackers
Other famous hackers:
• : Infiltrated Digital Equipment Corporation (DEC) and copied their software.
• : Hacked NASA and US military systems
• : Largest credit card heist (170 million credit cards, etc)
• : Juvenile, broke into NASA server and stole sensitive information.
Source: https://www.kaspersky.com/resource-center/threats/top-ten-greatest-hackers

What is security?

What makes it different from robustness?
“Computer security studies how systems behave in the presence of an adversary.”
* The adversary actively tries to cause the system to misbehave.

Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.

The Security Mindset
• Thinking like an attacker
  • Understand techniques for circumventing security
  • Look for ways security can break, not why it won’t
• Thinking like a defender
  • Know what you’re defending, and against whom.
  • Weigh benefits vs. costs: No system is ever completely secure.

Thinking like an Attacker
• Look for weakest links
• Identify assumptions that security depends on. Are they false?
• Think outside the box: Not constrained by system designer’s worldview!
Start practicing: When you interact with a system, think about what it means to be secure, and how it might be exploited.

How would you break into the CSE building?

How would you steal my email password?

What security systems do you interact with?

Thinking like a Defender
• Security policy
  • What are we trying to protect?
  • What properties are we trying to enforce?
• Threat model
  • Who are the attackers? Capabilities? Motivation?
  • What kind of attack are we trying to prevent?
• Risk assessment
  • What are the weaknesses of the system?
  • What will successful attacks cost us?
  • How likely?
• Countermeasures
  • Costs vs. benefits?
  • Technical vs. nontechnical?

Security Policies
• What assets are we trying to protect?
  • Password (hashes)
  • Browsing history
• What properties are we trying to enforce?
  • Confidentiality
  • Integrity
  • Availability
  • Authenticity

Threat Models
• Who are our adversaries?
• Motives?
• Capabilities?
• What kinds of attacks do we need to prevent? (Think like the attacker!)
• Limits: What kinds of attacks should we ignore?

Example of Threat Modeling
“This World of Ours”

Assessing Risk
Remember: Controlled paranoia
• What would security breaches cost us?
  • Direct costs: Money, property, safety, …
  • Indirect costs: Reputation, future business, wellbeing
• How likely are these costs?
  • Probability of attacks?
  • Probability of success?

Countermeasures
• Technical countermeasures
• Nontechnical countermeasures
Law, policy (government, institutional), procedures, training, auditing, incentives, etc.

How do we protect classified satellites?

Security Costs
• No security mechanism is free
  • Direct costs: Design, implementation, enforcement, false positives
  • Indirect costs: Lost productivity, added complexity
• Challenge is to rationally weigh costs vs. risk
  • Human psychology makes reasoning about high cost/low probability events hard

Should you lock your door?
• Adversaries?
• Risk assessment?
• Countermeasures?
• Costs/benefits?

Should you use automatic software updates?
• Adversaries?
• Risk assessment?
• Countermeasures?
• Costs/benefits?

Should we protect the CSE bear?
• Adversaries?
• Risk assessment?
• Countermeasures?
• Costs/benefits?

Secure Design
• Common mistake:
  Convince yourself that the system is secure
• Better approach:
  Identify weaknesses of design, focus on correcting them
  Formally prove that design is secure (soon)
• Secure design is a process
  Must be practiced continuously
  Retrofitting security is super hard

Where to focus defenses
• Trusted components
Parts that must function correctly for the system to be secure.
• Attack surface
Parts of the system exposed to the attacker

Security Principles
• Simplicity, open design, and maintainability
• Privilege separation and least privilege
• Defense-in-depth and diversity
• Complete mediation and fail-safe

Preventing cheating on an online exam?

Preventing you from stealing my password?

Next lecture: Buffer overflows!
