Lecture notes for EEC685/785 - Academic Csuohio

advertisement
EEC 693/793
Special Topics in Electrical Engineering
Secure and Dependable Computing
Lecture 1
Wenbing Zhao
Department of Electrical and Computer Engineering
Cleveland State University
wenbing@ieee.org
2
Outline
• Motivation
• Syllabus
Monday, March 14, 2016
Wenbing Zhao
3
Motivation
• Why secure and dependable computing is important?*
– Increased reliance on software to optimize everything from
business processes to engine fuel economy
– Relentlessly growing scale and complexity of systems and
systems-of-systems
– Near-universal reliance on a commodity technology base that is
not specifically designed for dependability
– Growing stress on legacy architectures (both hardware and
software) due to ever-increasing performance demands
– Worldwide interconnectivity of systems
– Continual threats of malicious attacks on critical systems
*Taken from “A high dependability computing consortium”, James H. Morris,
CSMU, http://www.cs.cmu.edu/%7Ejhm/hdcc.htm
Monday, March 14, 2016
Wenbing Zhao
4
More Motivation
• The cost of poor software is very high
– Annual cost to US economy of poor quality software: $60B
– source: US NIST Report 7007.011, May 2002.
• Industry needs greater dependability and security
– Improved quality of products
– Improved quality of development processes
– Better system and network security, to avoid:
• viruses, trojans, denial of service, ...
• network penetration, loss of confidential data, ...
• Improved customer satisfaction
Monday, March 14, 2016
Wenbing Zhao
5
(1996 Cost of Downtime Study – by Contingency Planning Research)
Monday, March 14, 2016
Wenbing Zhao
2001 Cost of Downtime per Hour – by
Contingency Planning Research
Monday, March 14, 2016
Wenbing Zhao
6
7
More Motivation – An Example
• Amazon 2001: Revenue $3.1B, 7744 employees
• Revenue (24x7): $350k per hour
• Employee productivity costs: $250k per hour
– Assuming average annual salary and benefits is $85,000
and 50 working hours week
• Total Downtime Costs: $600,000 per hour
• Note: Employee cost/hour comparable to
revenue, even for an Internet company
Source: D. Patterson A simple way to estimate the cost of downtime.
16th Systems Administration Conference, November 2002.
Monday, March 14, 2016
Wenbing Zhao
8
Problem of Data Breach
• Compromised computer systems
• Lost laptop, backup tapes
• Well-known incidents
– Massive confidential data loss in a UC Berkley system
(1.4 million people are affected)
• http://www.securityfocus.com/news/9758
– Potential revealing of personal data of 26.5 million
veterans due to loss of laptops
• http://searchsecurity.techtarget.com/originalContent/0,289142,s
id14_gci1189759,00.html
Monday, March 14, 2016
Wenbing Zhao
9
Cost of Data Breach
• Data loss costs U.S. businesses more than $18
billion a year (according to a 2003 study)
– http://www.usatoday.com/tech/news/computersecurity
/2006-06-11-lost-data_x.htm?csp=2
• Data breaches cost companies an average of
$182 per compromised record => typically
several million dollars per incident
– http://searchsecurity.techtarget.com/originalContent/0
,289142,sid14_gci1227119,00.html
Monday, March 14, 2016
Wenbing Zhao
Industry is Embracing
Secure and Dependable Computing
• The hardware platforms are changing:
– Smartcards
– Pervasive computing / embedded systems
• IBM, Sun “autonomic computing”
• Major PC dependability and security initiatives
under way:
– Trusted Computing Group
• Promoters: Intel, HP, Compaq, IBM, Microsoft
– Microsoft’s trustworthy computing push
– Intel’s LaGrande dependable hardware
Monday, March 14, 2016
Wenbing Zhao
10
11
Course Objectives
• Have solid understanding of the basic theory of
secure and dependable computing
• Getting familiar with some basic building blocks
(tools and APIs) needed to build secure and
dependable systems
• No attempt to be comprehensive: topics covered
are what I am interested in and what I think
important
• Focus on basic knowledge and skills, rather than
cutting edge state of the art
Monday, March 14, 2016
Wenbing Zhao
12
Prerequisite
• Operating system principles
– Processes, scheduling, file systems, etc.
• Computer networks
– TCP, UDP, IP, Ethernet, etc.
• Java programming language
– At least you should know how to write a Hello
World program
– You don’t have to be a Java expert
Monday, March 14, 2016
Wenbing Zhao
13
Grading Policy
• Class participation (10%)
• Two midterms (40%)
• 5 labs (20%)
– Mandatory attendance
• Course project (30%)
Monday, March 14, 2016
Wenbing Zhao
14
Grading Policy
•
•
•
•
•
•
•
A: 90-100%
A-: 85-89%
B+: 75-84%
B: 65-74%
B-: 55-64%
C: 50-54%
F: <50%
Monday, March 14, 2016
Wenbing Zhao
15
Class Participation
• 10% of the course credit
• In general, there is a mock quiz in the beginning
of each lecture, so that
– I know who is here & I get feedback for my teaching
• To obtain the full credit for class participation,
you must satisfy ALL of the following conditions:
– You do not miss more than 2 lectures
– You do not miss any exam and lab sessions
– You asked at least 10 questions during the semester
• You will lose all 10% credit if you miss more than
6 lectures/labs
Monday, March 14, 2016
Wenbing Zhao
16
Class Participation
• Send me an email with the following information
for each question you have asked within 24
hours after each lecture:
– The question you asked
– My response
– Your comment on my response and suggestion for
improvement, if any
Monday, March 14, 2016
Wenbing Zhao
17
Class Participation
• You are also encouraged to give me
comments/suggestions on how you would like
me to improve my teaching to make it more
conducive
• For each piece of comment/suggestion, it will be
counted as 2 questions
Monday, March 14, 2016
Wenbing Zhao
18
Outline of Lectures
•
•
•
•
•
•
•
Dependability concepts
Security and cryptography
Secure communication
Intrusion detection and prevention
Faults and their manifestation
Dependability techniques
Byzantine fault tolerance
Monday, March 14, 2016
Wenbing Zhao
19
Outline of Labs
•
•
•
•
•
Lab 0 – Getting familiar with Linux
Lab 1 – Secure shell
Lab 2 – Secure computing in Java
Lab 3 – Traffic analysis and intrusion detection
Lab 4 – Group communication with Spread
toolkit
Monday, March 14, 2016
Wenbing Zhao
20
Course Project
• Build an interesting secure and/or dependable
system/application
• Course project must be original. You cannot
use research project to substitute the course
project
• Example course project topics
–
–
–
–
–
Gmail secure data backup and recovery
Causally ordered reliable multicast
Token-based totally ordered reliable multicast
Public-key based authentication service
Traffic analysis of Telnet traffic
Monday, March 14, 2016
Wenbing Zhao
21
Course Project
• Team of up to two (2) persons
• You define the project you want to work on
– A secure Java application
– A dependable Java service based on replication
• Deliverables
– Project proposal: must have my approval
– Progress report to help you keep good pace
– Final project report
• Design documentation
• Source code of your system/application
• Performance measurement and analysis
– Demonstration and presentation
Monday, March 14, 2016
Wenbing Zhao
22
What You Should Not Do
• Steal other’s project and use it as yours
• Join a team but do not work on it at all
• Why it is not a good idea to do so?
– If you can find it from the Internet, I can find it too =>
You get F grade
– During presentation, I will ask you questions
=> Your grade on the project will be reduced
significantly if I determine you don’t know what you
are talking about
– You lose the chance of learning something practical
and useful for your future career
Monday, March 14, 2016
Wenbing Zhao
23
What You Should Do
• Make your own design, code your own system
• Write in your own words and create your own
power point slides
– Don’t copy and paste => I can detect it easily
• If you are on a team, make your best
contribution to the project
– Different grade might be assigned to different team
members
• Start early and don’t wait until the last week of
the semester to start
• Communicate with me often and ask for help
Monday, March 14, 2016
Wenbing Zhao
24
Project Presentation
• Each team is required to give an oral
presentation in class (10-15min)
– Describe briefly your design, implementation,
correctness and performance evaluation
– Don’t spend too much time on background info
– Don’t mention something you don’t know: I will ask
you questions
– It is best to show a demo of your work
• Top 3 projects voted by students will get full
credit automatically
Monday, March 14, 2016
Wenbing Zhao
25
Project Report Requirement
• Introduction: define the problem domain and your
implementation. Provide motivation on your system
• System model: assumption, restrictions, models
• Design: component diagram, class diagram, pseudo
code, algorithms, header explanation
• Implementation: what language, tools, libraries did you
use, a simple user guide on how to user your system
• Performance and testing: throughput, latency, test
cases
• Related work
• Conclusion and future work
Monday, March 14, 2016
Wenbing Zhao
26
Project Report Requirement
• Report format: IEEE Transactions format. 4-10 pages
– MS Word Template
• http://www.ieee.org/portal/cms_docs/pubs/transactions/TRANS-JOUR.DOC
– LaTex Template
• http://www.ieee.org/portal/cms_docs/pubs/transactions/
IEEEtran.zip (main text)
• http://www.ieee.org/portal/cms_docs/pubs/transactions/
IEEEtranBST.zip (bibliography)
• Report due: May 7 midnight (no extensions!)
– Electronic copy of the report & source code is required
Monday, March 14, 2016
Wenbing Zhao
27
Exams
• Two midterms
• Exams are closed book and closed notes,
except that you are allowed to bring with you a
one-page cheat sheet no larger than the US
letter size (double-sided allowed)
• There is no makeup exam!
Monday, March 14, 2016
Wenbing Zhao
28
Do not cheat!
• Do not copy other student’s lab report, exams or
projects
• Do not copy someone else’s work found on the
Internet
– Including project implementation and report
– You can quote a sentence or two, but put those in
quote and give reference
– You can build your projects on top of open source
libraries, but again, you need to explicitly give
acknowledgement and state clearly which parts are
implemented by you
Monday, March 14, 2016
Wenbing Zhao
29
Consequences for Cheating
• You get 0 credit for the project/lab/exam
that you have cheated
• If the task is worth more than 25% of the
course, it is considered a major infraction
• Otherwise, it is considered a minor
infraction
Monday, March 14, 2016
Wenbing Zhao
30
Consequences for Cheating
• For major infraction and repeated minor
infractions
– You will get an F grade, and
– You may be suspended or repulsed from CSU
• CSU Code of Conduct
– http://www.csuohio.edu/studentlife/conduct/St
udentCodeOfConduct2004.pdf
Monday, March 14, 2016
Wenbing Zhao
31
Reference Texts
• Security in Computing (4th Edition), by Charles P.
Pfleeger, Shari Lawrence Pfleeger, Prentice Hall,
2006
• Computer Networks (4th Edition), by Andrew S.
Tanenbaum, Prentice Hall, 2003
• Cryptography and Network Security: Principles and
Practices (3rd Edition), by William Stallings, Prentice
Hall, 2003
• SSH, the Secure Shell (2nd Edition), by Daniel J.
Barrett, Robert G. Byrnes, Richard E. Silverman,
O'Reilly, 2005
Monday, March 14, 2016
Wenbing Zhao
32
Reference Texts
• Reliable Computer Systems: Design and Evaluation
(3rd Edition), by Daniel P. Siewiorek and Robert S.
Swarz, A K Peters, 1998
• Distributed Systems: Principles and Paradigms, by
Andrew S. Tanenbaum, and Maarten van Steen,
Prentice Hall, 2002
• Reliable Distributed Systems: Technologies, Web
Services, and Applications, by Kenneth P. Birman,
Springer, 2005
• Network Intrusion Detection (3rd Edition), by
Stephen Northcutt, Judy Novak, New Riders
Publishing, 2002
Monday, March 14, 2016
Wenbing Zhao
33
Instructor Information
• Instructor: Dr. Wenbing Zhao
– Email: wenbing@ieee.org
– Lecture hours: MW 6:00-7:50pm
– Office hours: MW 2:00-4:00pm and by appointment
• Anonymous email:
– teachingcsu@gmail.com
– Password:
– if you are not happy, please do let me know
• Course Web site:
– http://academic.csuohio.edu/zhao_w/teaching/EEC6
93-S08/eec693.htm
Monday, March 14, 2016
Wenbing Zhao
34
Homework
• Due Jan 16, 11:59pm
• Email me the following information with
“EEC693” in the subject line
– The amount of time per week you commit to this
course
– The grade you expect to get
– If your schedule conflicts with my office hours, what is
the best time for you to talk to me?
– Any topics you are most interested in but not listed, if
any
– Comments and suggestions, if any
Monday, March 14, 2016
Wenbing Zhao
Download