This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
CMPS 122: Computer Security
Introduction
Introduction 2CMPS 122, UC Santa Cruz
Today’s goals
• Course introduction◆ Course overview◆ Course logistics (details on the syllabus)
• Introduction to computer security◆ What is computer security?◆ Goals◆ Attacks
• To pass the class, you must◆ Take both exams◆ Turn in a final project◆ Have at least a 50% average on exams and 50% average on homework
– Satisfying both conditions does not guarantee a passing grade
Introduction 8CMPS 122, UC Santa Cruz
Other ways to change your grade…
• Up…◆ Solve a challenge problem (not normal homework)◆ Find a security hole and have it published by a national
organization (CERT, Mercury News, Time magazine…)• Down…
◆ Send me a virus (email or otherwise)– Doesn’t count if the virus is “neutralized” and sent as an FYI– Email viruses that attack your address book do count
◆ Get arrested for a computer security attack◆ Get convicted for a computer security attack
• To an F/U/NP (i.e., fail!)◆ Get me arrested for something you do related to this class◆ Cheat (we will catch you)
5
Introduction 9CMPS 122, UC Santa Cruz
Homework
• Homework lets you◆ Try to solve (or create) computer security problems◆ Test your knowledge and understanding of the subject
• Homework isn’t optional!• Homework must be your own work!• Programming may be required
◆ Use any language you want◆ Use any sources you like, if you cite them
– Keep in mind that I’ll take a dim view of copying someone else in class…– If the assignment requires that you write your own code, you may not get
full credit for using someone else’s code…
• In many cases, the biggest benefit is the process!
Introduction 10CMPS 122, UC Santa Cruz
Challenge problems
• Open until solved or last day of class• First satisfactory answer gets bonus
◆ Later answer might still get bonus if it’s better◆ Solving in groups is OK
– Each member gets √n/n * value (e.g., 3 people = √3/3 = 0.58)• Unlike homework, there’s not necessarily a correct
answer (or even a solution!)• Challenge problems will be listed on the course
Web page
6
Introduction 11CMPS 122, UC Santa Cruz
Final project
• Write a paper on a topic related to computer security◆ Review several research papers◆ Analyze the security of a particular system◆ Compare the security or performance of several
cryptosystems◆ Evaluate security products (firewalls, software, etc.)◆ Explore ways to write more secure code◆ Lots of other possibilities…
• Suggested topics will be posted on the class web site• Papers should be about 7–8 pages long
Introduction 12CMPS 122, UC Santa Cruz
Getting help
• Computer security can be a tough subject—get helpif you need it!◆ I’m here to help you learn the material◆ It’s up to you to ask for help◆ Don’t wait too long!
• Ask questions in class• Visit office hours• Ask general questions on the course newsgroup• Ask specific questions by email
◆ Expect short answers, not long explanations
7
Introduction 13CMPS 122, UC Santa Cruz
What is cheating?
• Cheating is:◆ Copying answers from your fellow students◆ Having someone else do your project for you◆ Using material without attribution
• Cheating is not:◆ Studying in a group: your fellow students are a great resource for
understanding difficult material◆ Discussing homework in general terms◆ Using information from the Web, assuming you write down where
you got it– Copying answers off the Web may be cheating, though….
• Everything you turn in should be yours◆ Document completely if it’s not!
• Use common sense: if you’re not sure, ask me before doing it
Introduction 14CMPS 122, UC Santa Cruz
The Simpsons rule
• You may discusshomework with others◆ General issues only
• You may not take notes• You must take a 30 minute
break before working onany CMPS 122 assignments◆ Watch the Simpsons or good
Warner Brothers cartoons◆ Watch mindless TV◆ Work on other classes◆ Take a nap
8
Introduction 15CMPS 122, UC Santa Cruz
Why should you take this course?
• Reason #1: Fate of Humanity◆ Cryptography plays a central role in human history◆ Survival of humanity depends on computer security
• Reason #2: Intellectual Curiosity◆ Cryptology and computer security are about making and
solving puzzles◆ It’s fun to do this!
• Reason #3: $$$◆ Computer security is a growing business◆ There are always jobs for people who know how to keep
vital computer resources safe
Introduction 16CMPS 122, UC Santa Cruz
Bad reasons for taking this class
• You want to write the ultimate virus to wipe theworld’s hard drives clean
• You want to show (by doing) just how insecureWindows is
• You want to break into (UCSC’s | the NSA’s | yourbank’s) computer systems
• You’re bored, and there’s nothing better to take thisquarter (I guess this isn’t so bad)
9
Introduction 17CMPS 122, UC Santa Cruz
What is security?
• Keeping something (information in our case) secureagainst◆ Someone stealing it◆ Someone destroying it◆ Someone changing it◆ Someone preventing me from using it
• More specifically◆ Confidentiality: nobody else can see it◆ Integrity: nobody else can change it◆ Availability: I can get at it whenever I want
Introduction 18CMPS 122, UC Santa Cruz
Security on physical things
• Use physical security rather than computer security◆ Access to valuables was more difficult to obtain
– Had to be physically present in many cases!– Moving the valuable could be difficult
◆ Alteration was easier to notice– Physical marks were left if you tried to change something
◆ Physical goods had one copy– If you have the copy, I don’t– No notion of multiple parties sharing the item
• Physical security could be◆ Expensive: need to hire guards◆ Difficult & dangerous: people got injured or killed
10
Introduction 19CMPS 122, UC Santa Cruz
Security on information: the old way
• Information isn’t like a physical object◆ Copies can be made inexpensively
– A copy doesn’t prevent the original from being used◆ Easy to transport◆ Less need for physical presence◆ Value can be very high for small data
• Before computers, some things were still easy◆ Integrity easier to check: look for signs of alteration◆ Confidentiality: keep it a locked bank vault (and hope
there are no bank robbers)◆ Availability: only when the bank is open
Introduction 20CMPS 122, UC Santa Cruz
Security in computing
• More difficult because of the nature of computers• Confidentiality
◆ Easier to break into a networked computer without physical presence◆ Easy to spread information around the world in minutes
• Integrity◆ No signs that information has been altered◆ Can’t easily check to see if someone might have had access to the
information to alter it• Availability
◆ All the old ways of denying access still work– Physical attacks– Destroying the information
◆ New ways exist– Keep the computer too busy to respond– Prevent authorized users from seeing the information
11
Introduction 21CMPS 122, UC Santa Cruz
Addressing security issues
• What are the risks?◆ How likely is each one?◆ How expensive would it be if the risk came to pass?
• What are the available countermeasures?◆ How expensive are they to implement?◆ How inconvenient are they?
• What are the vulnerabilities?◆ Simple design flaws more than basic problems
• How can they be addressed?◆ Bug fixes◆ Workarounds
Introduction 22CMPS 122, UC Santa Cruz
Computer intrusions
• This is (usually) a crime!• Typically done for one of two reasons
◆ Commercial gain◆ Fun
• Commercial gain◆ Go after the most valuable item: often information◆ Information can be
– Destroyed: loss of use to the owner– Copied: used by a competitor for commercial advantage
• Fun◆ “Because it’s there”◆ “Because I disagree with their policies”
• In both cases, intrusions follow the path of least resistance◆ Strong security in one area doesn’t cover for weak security elsewhere◆ Relative security of different mechanisms can change over time
12
Introduction 23CMPS 122, UC Santa Cruz
Attacks: terminology
• Attacks can be made on any of◆ Hardware◆ Software◆ Data (information)
• Terms◆ Threat: circumstances that may lead to loss or harm◆ Vulnerability: weakness in the security system◆ Control: something that reduces or removes a vulnerability
• Types of attacks◆ Interception: unauthorized party gets access to an asset◆ Interruption: asset becomes unusable (lost or destroyed)◆ Modification: existing asset is changed◆ Fabrication: fake asset is planted in the system
Introduction 24CMPS 122, UC Santa Cruz
Goals of computer security
• Ensure that the system maintains◆ Confidentiality◆ Integrity
– May have many different (conflicting) meanings– Must specify what it means in this case
◆ Availability– Responds at all?– Responds in a timely fashion?– Can be used as it was intended?– Has sufficient capacity?– Others…