/
Introduction to Computer Security Introduction to Computer Security

Introduction to Computer Security - PowerPoint Presentation

karlyn-bohler
karlyn-bohler . @karlyn-bohler
Follow
451 views
Uploaded On 2017-04-06

Introduction to Computer Security - PPT Presentation

David Brumley dbrumleycmuedu Carnegie Mellon University Today Overview Course Staff Trusting Trust Course Overview Example Applications Course Mechanics CMU CTF Team 2 You will find a ID: 534250

software security cmu goals security software goals cmu adversary team ctf thompson time person clever eve channel cryptography bob alice network trust

Share:

Link:

Embed:

Download Presentation from below link

Download Presentation The PPT/PDF document "Introduction to Computer Security" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Slide1

Introduction to Computer Security

David Brumley

dbrumley@cmu.edu

Carnegie Mellon UniversitySlide2

Today: OverviewCourse Staff

Trusting Trust

Course Overview

Example ApplicationsCourse MechanicsCMU CTF Team

2Slide3

You will finda

t least one

error

on each set of slides.

:)

3Slide4

4

David Brumley

B.A. Math UNC 1998

M.S. CS Stanford 2003

Ph.D. CS

CMU 2008

Computer security officer, Stanford University, 1998-2002

Assistant Professor, CMU, Jan 2009Slide5

Current Research ThrustsAutomatic Exploit Generation

AEG and Mayhem

Binary code analysis

Decompilation

Vetting whole systems

5Slide6

Teaching Assistants

Zack Weinberg

Peter Chapman

6Slide7

Trust

Trusting

7Slide8

Do you trust his

Software

?

8

Photo

from http://

culturadigitalbau.wikispaces.com

/

file

/view/thompson.c1997.102634882.lg.jpg/212982274/thompson.c1997.102634882.lg.jpgSlide9

Ken Thompson

Co-Creator of

UNIX

and

C

Turing Award: 1983

9Slide10

10

Compiler

011001001111010Slide11

11

Compiler

011001001111010

...

if(program == “login”)

add-login-backdoor();

if(program == “compiler”)

add-compiler-backdoor()

;Slide12

Ken Thompson

Co-Creator of

UNIX

and

C

Turing Award: 1983

12

HackerSlide13

Would you trust

Mother Teresa’s

software?

13Slide14

14

Sanitize the environment when invoking external programs

Do not call system() if you do not need a command processor

Exclude user input from format strings

Use the

readlink

() function properly

Do not subtract or compare pointers that do not refer to the same array

Mask signals handled by

noninterruptible

signal handlers

Ensure that unsigned integer operations do not wrap

Guarantee that array and vector indices are within bounds

Would you trust

Mother Teresa’s

software?Slide15

15

Surely cryptographers code must be secure?

Ron

Rivest

Adi

Shamir

Len

Adleman

Picture from http://

www.usc.edu

/

dept

/molecular-science/RSA-2003.

htmSlide16

Perfect Cryptography Exists!

We’re no better off guessing what an encrypted message contains given the

ciphertext

.

- Claude Shannon

16Slide17

But implementations may still leak...

17

message

decrypt

(

ciphertext

c

,

private_key

k

){

plaintext

m

;

if(

k

==

1

)

m

= time t

1

decryption ops; return

m

;

if(

k

==

2

)

m

= time t

2

decryption ops; return

m

;

if(

k

==

3

)

m

= time t

3

decryption ops; return

m

;

....

}Slide18

18

Isn’t this networking?

Routers run an

operating system

,

which hackers now targetSlide19

Even GPS runs:

Webservers

FTP servers

Network time daemons

19Slide20

20

Security is many thingsSlide21

This Class: Introduction to the Four Research Cornerstones of Security

21

Software Security

Network Security

OS Security

CryptographySlide22

22

Course Topics

Your job: become conversant in these topicsSlide23

Software Security

23Slide24

Control Flow Hijacks

24

shellcode

(aka payload)

padding

&

buf

computation

+

control

Allow attacker ability to run arbitrary code

Install malware

Steal secrets

Send spamSlide25

25Slide26

26Slide27

27Slide28

Software Security

Recognize and exploit vulnerabilities

Format string

Buffer overflowGist of other control flow hijacks, e.g., heap overflow

Understand defenses in theory and practice

ASLRDEP

Canaries

Know the limitations!

28Slide29

Cryptography

29Slide30

Everyday Cryptography

ATM’s

On-line banking

SSHKerberosSlide31

Alice

Bob

M

Public Channel

Adversary Eve:

A very clever personSlide32

Alice

Bob

M

Public Channel

Adversary Eve:

A very clever person

Cryptography’s Goals:

Data Privacy

Data Integrity

Data AuthenticitySlide33

Alice

Bob

M

Public Channel

Adversary Eve:

A very clever person

Cryptonium

PipeSlide34

Alice

Bob

M

Public Channel

Adversary Eve:

A very clever person

Cryptonium

Pipe

Cryptography’s Goals:

Privacy

Integrity

AuthenticitySlide35

35Slide36

GoalsUnderstand and believe you should never, ever invent your own algorithm

Goals

Encryption

Integrity

Authentication

ConceptsSymmetric key crypto

Hashes

Macs

Signatures

Example pitfalls

36Slide37

OS/Systems Security

37Slide38

38

Principal

Reference

Monitor

Object

Requested

Operation

Approved

Operation

Source

Guard

Resource

Authentication

Authorization

In security, we isolate reasoning

about the guardSlide39

39Slide40

OS GoalsKnow Lampson’s “gold” standard

Au

thorization

AuthenticationAu

dit

Know currently used security architectures

40Slide41

Network Security

41Slide42

42Slide43

43Slide44

44Slide45

Networking GoalsUnderstand the base rate fallacy and it’s application to IDS

Be able to recognize and perform basic web attacks

State what a

DDoS

is, and how CDN’s mitigate their effect

45Slide46

Course Mechanics

46Slide47

BasicsPre-

req

:

Basic UNIX development (gcc,

gdb

, etc.)15-213 or similar is recommended

Read

all

papers before lecture

ReadUnderlineQuestionReview

Course website:

http://

www.ece.cmu.edu

/~

dbrumley

/courses/18487-f14/www

47Slide48

Workload3 homework assignments

3 exams, keep highest 2 grades

CTF

48Slide49

CTF Component: Learn Outside the Course

Solve 10 CTF problems

Not

picoctf.com

Videotape the solutions, put on a private

youtube.

Make videos private

for now

See livectf.com for fun

49Slide50

Basic Mechanics

Grading based on:

3

homeworks (35%)Highest 2 out of 3 tests (30% each)

Participation and CTF (5%)

No late days except under exceptional circumstances.

I guarantee at least the following:

90-100%: A

80-89%: B

70-79%: C60-69%: D< 59%: F

50Slide51

ETHICS!

Obey the law

Do not be a nuisance

Don’t cheat, copy others work, let others copy, etc.

51Slide52

Capture the Flag

52Slide53

53

CMU Capture the Flag TeamSlide54

54

Red Team

Vulnerability Discovery

Exploitation

Network mapping

Web security

Blue Team

Intrusion detection

Hot-patching

Firewalls

Work-

aroundsSlide55

55Slide56

56Slide57

10,000 Students in 2,000 teams

57

Size of circle proportional to number of teamsSlide58

58Slide59

59Slide60

Example Network Forensics

60Slide61

PicoCTF10,000 students

600 teams solving advanced problems

ROP attacks

Breaking incorrect use of modern crypto

Identified the best of the best

“I learned more in one week than the last two years in CS courses.”

61

If you get an A, you may be eligible to help with PicoCTF 2014Slide62

62

Questions?Slide63

END