Introduction to Computer Security

David Brumley
dbrumley@cmu.edu
Carnegie Mellon University
Today: Overview
• Course Staff
• Trusting Trust
• Course Overview
• Example Applications
• Course Mechanics
• CMU CTF Team
2
You will find at least one error on each set of slides. :)
3
David Brumley
• B.A. Math UNC 1998
• M.S. CS Stanford 2003
• Ph.D. CS CMU 2008
• Computer security officer, Stanford University, 1998-2002
• Assistant Professor, CMU, Jan 2009
4
Current Research Thrusts
• Automatic Exploit Generation
– AEG and Mayhem
• Binary code analysis
– Decompilation
• Vetting whole systems
5
Teaching Assistants
1. Zack Weinberg
2. Peter Chapman
6
Trusting Trust
7
Do you trust his software?
Photo from http://culturadigitalbau.wikispaces.com/file/view/thompson.c1997.102634882.lg.jpg/212982274/thompson.c1997.102634882.lg.jpg
8
Ken Thompson
Co-Creator of
UNIX and C
Turing Award: 1983
9
Compiler
011001001111010
10
Compiler
...
if (program == "login")
    add_login_backdoor();
if (program == "compiler")
    add_compiler_backdoor();
011001001111010
11
Would you trust Mother Teresa's software?
13
Ron Rivest
Adi Shamir
Len Adleman
Surely cryptographers' code must be secure?
Picture from http://www.usc.edu/dept/molecular-science/RSA-2003.htm
15
Perfect Cryptography Exists!
We're no better off guessing what an encrypted message contains given the ciphertext.
- Claude Shannon
16
But implementations may still leak...
message decrypt(ciphertext c, private_key k) {
    plaintext m;
    /* the running time depends on the value of the key */
    if (k == 1) { m = time t1 decryption ops; return m; }
    if (k == 2) { m = time t2 decryption ops; return m; }
    if (k == 3) { m = time t3 decryption ops; return m; }
    ....
}
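The leak sketched in the decrypt() pseudocode, made concrete in an added example that is not part of the original slides: a square-and-multiply exponentiation whose operation count depends on the key, next to a Montgomery ladder whose count does not. The function names, the 32-bit toy arithmetic and the textbook RSA values (n = 3233, d = 2753, c = 2790) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy modular exponentiation m = c^k mod n (0 < n < 2^32, so products fit
 * in 64 bits). Constructed for illustration; not production cryptography. */

/* Leaky: square-and-multiply. The multiply runs only for 1-bits of k, so the
 * operation count, and hence the running time, depends on the private key. */
uint64_t modexp_leaky(uint64_t c, uint32_t k, uint32_t n, unsigned *ops)
{
    uint64_t m = 1 % n;
    c %= n;
    *ops = 0;
    for (int i = 31; i >= 0; i--) {
        m = (m * m) % n; (*ops)++;
        if ((k >> i) & 1u) { m = (m * c) % n; (*ops)++; }
    }
    return m;
}

/* Hardened: Montgomery ladder with a branch-free conditional swap. Every key
 * bit costs one multiply and one square, whatever its value. */
uint64_t modexp_ladder(uint64_t c, uint32_t k, uint32_t n, unsigned *ops)
{
    uint64_t r0 = 1 % n, r1 = c % n;   /* invariant: r1 == r0 * c (mod n) */
    *ops = 0;
    for (int i = 31; i >= 0; i--) {
        uint64_t mask = 0 - (uint64_t)((k >> i) & 1u);  /* all ones if bit set */
        uint64_t t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;
        r1 = (r0 * r1) % n; (*ops)++;
        r0 = (r0 * r0) % n; (*ops)++;
        t = (r0 ^ r1) & mask; r0 ^= t; r1 ^= t;
    }
    return r0;
}

int main(void)
{
    /* Constructed keys: few 1-bits, the textbook d, and all 1-bits. */
    uint32_t keys[] = { 1u, 2753u, 0xFFFFFFFFu };
    for (int i = 0; i < 3; i++) {
        unsigned a, b;
        uint64_t m1 = modexp_leaky(2790, keys[i], 3233, &a);
        uint64_t m2 = modexp_ladder(2790, keys[i], 3233, &b);
        printf("k=%10u  leaky: m=%llu ops=%u   ladder: m=%llu ops=%u\n", keys[i],
               (unsigned long long)m1, a, (unsigned long long)m2, b);
    }
    return 0;
}
```

The ladder equalises the number of operations per key bit only; the `%` operator is not guaranteed to take constant time on every CPU, which is one reason to use a vetted library rather than hand-written arithmetic.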
17
Isn't this networking?
Routers run an operating system, which hackers now target
18
Even GPS runs:
• Webservers
• FTP servers
• Network time daemons
19
Security is many things
20
This Class: Introduction to the Four Research Cornerstones of Security
• Software Security
• OS Security
• Network Security
• Cryptography
21
Course Topics
Intro to Computer Security
• Software Security
– Control Flow Hijack
– Execution Safety
– Information Flow
• Cryptography
– Goals of Crypto
– Stream Ciphers
– Block Ciphers
– Asymmetric Crypto
– Authentication/Integrity
• OS Security
– Common Defenses
– Authorization
– Security Architectures
• Network Security
– Web Security
– Denial of Service
– Protocols
– Intrusion Detection
Your job: become conversant in these topics
22
Software Security
23
Control Flow Hijacks
[Diagram: shellcode (aka payload) | padding | &buf, labelled computation + control]
Gives the attacker the ability to run arbitrary code
– Install malware
– Steal secrets
– Send spam
24
Software Security
• Recognize and exploit vulnerabilities
– Format string
– Buffer overflow
– Gist of other control flow hijacks, e.g., heap overflow
• Understand defenses in theory and practice
– ASLR
– DEP
– Canaries
– Know the limitations!
28
Cryptography
29
Everyday Cryptography
• ATMs
• On-line banking
• SSH
• Kerberos
[Diagram: Alice sends message M to Bob over a Public Channel. Adversary Eve: A very clever person]
Cryptography's Goals:
– Data Privacy
– Data Integrity
– Data Authenticity
[Diagram: Alice sends M to Bob through a Cryptonium Pipe over the Public Channel. Adversary Eve: A very clever person]
35
Goals
• Understand and believe you should never, ever invent your own algorithm
• Goals
– Encryption
– Integrity
– Authentication
• Concepts
– Symmetric key crypto
– Hashes
– MACs
– Signatures
• Example pitfalls
36
OS/Systems Security
37
[Diagram: Principal (Source) → Requested Operation → Reference Monitor (Guard) → Approved Operation → Object (Resource); Authentication of the principal, Authorization by the reference monitor]
In security, we isolate reasoning about the guard
38
OS Security (topic map)
• Authentication
• Authorization
• Principles
• Reference monitors
• Access control lists
• Auditing
• Security Architectures
• Virtual Machines
• Software Fault Isolation
39
OS Goals
• Know Lampson’s “gold” standard
– Authorization
– Authentication
– Audit
• Know currently used security architectures
40
Network Security
41
Network Security (topic map)
• Web Security
– XSS: Stored XSS, Reflected XSS
– SQL Injection: Basic syntax, Comments; Defense: Sanitization, Stored procedures
– CSRF: Attack; Defense: Referer Validation, Custom Header, Token validation
• Denial of Service
– Attacks, Bots, CDN
• Protocols
– Kerberos, BGP
• Intrusion Detection
– Probes, Stateful, Stateless, Base Rate
42
Networking Goals
• Understand the base rate fallacy and its application to IDS
• Be able to recognize and perform basic web attacks
• State what a DDoS is, and how CDNs mitigate their effect
45
Course Mechanics
46
Basics
• Pre-req:
– Basic UNIX development (gcc, gdb, etc.)
– 15-213 or similar is recommended
• Read all papers before lecture
– Read
– Underline
– Question
– Review
• Course website:
http://www.ece.cmu.edu/~dbrumley/courses/18487-f14/www
47
Workload
• 3 homework assignments
• 3 exams, keep highest 2 grades
• CTF
48
CTF Component:
Learn Outside the Course
• Solve 10 CTF problems
– Not picoctf.com
• Videotape the solutions, put on a private YouTube.
– Make videos private for now
• See livectf.com for fun
49
Basic Mechanics
• Grading based on:
– 3 homeworks (35%)
– Highest 2 out of 3 tests (30% each)
– Participation and CTF (5%)
• No late days except under exceptional circumstances.
• I guarantee at least the following:
– 90-100%: A
– 80-89%: B
– 70-79%: C
– 60-69%: D
– < 59%: F
50
• Obey the law
• Do not be a nuisance
• Don't cheat, copy others' work, let others copy, etc.
51
Capture the Flag
52
CMU Capture the Flag Team
53
Red Team
• Vulnerability Discovery
• Exploitation
• Network mapping
• Web security
Blue Team
• Intrusion detection
• Hot-patching
• Firewalls
• Work-arounds
54
10,000 Students in 2,000 teams
Size of circle proportional to number of teams
57
Example Network Forensics
60
PicoCTF
• 10,000 students
• 600 teams solving advanced problems
– ROP attacks
– Breaking incorrect use of modern crypto
• Identified the best of the best
“I learned more in one week than the last two years in CS courses.”
If you get an A, you may be eligible to help with PicoCTF 2014
61
Questions?
62
END