CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy, Fall 2016. Ada (Adam) Lerner, [email protected]. Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others…

Page 1: CSE 484 / CSE M 584: Computer Security and Privacy


9/29/16 CSE 484 / CSE M 584 - Fall 2016 2

What's Wrong With This Picture?

Quiz Section

•  Quiz sections:
  –  Thursday, 1:30-2:20pm, LOW 105
  –  Thursday, 2:30-3:20pm, LOW 105

Office Hours

•  Office hours
  –  Ada: Wednesdays 4:30-5:30pm, CSE 220 (Immediately after Wednesday class!)
  –  TAs: Mondays 11:00-noon, CSE 220

How to Contact Me and the TAs

•  [email protected]

Prerequisites (CSE 484)

•  Required: Data Structures (CSE 326) or Data Abstractions (CSE 332)

•  Required: Hardware/Software Interface (CSE 351) or Machine Org and Assembly Language (CSE 378)

•  Assume: Working knowledge of C and assembly
  –  One of the labs will involve writing buffer overflow attacks in C
  –  You must have detailed understanding of x86 architecture, stack layout, calling conventions, etc.

•  Assume: Working knowledge of software engineering tools for Unix environments (gdb, etc.)

•  Assume: Working knowledge of Java and JavaScript

•  Strongly recommended: Computer Networks; Operating Systems
  –  Will help provide deeper understanding of security mechanisms and where they fit in the big picture

•  Recommended: Complexity Theory; Discrete Math; Algorithms
  –  Will help with the more theoretical aspects of this course.

•  Most of all: Eagerness to learn!
  –  This is a 400 level course.
  –  We expect you to push yourself to learn as much as possible.
  –  We expect you to be a strong, independent learner capable of learning new concepts from the lectures, the readings, and on your own.

Course Logistics (CSE 484)

•  Lectures: MWF: 3:30-4:20pm

•  Sections: Thurs: 1:30-2:20pm and 2:30-3:20pm

•  Security is a contact sport!

Late Policy

•  Email us for a 2 day grace period, no questions asked, on any assignment

•  If you won't finish within those two days, you MUST meet with me to talk about a schedule for completing the assignment

Participation Grade

•  In-class activities (like the one from today!)
  –  You may miss (at least) 3 of these, no questions asked

•  Regular contributions to class forums
  –  Don't be silent for 9 weeks and then make 10 posts on the last day of the quarter

•  In class: harder in a large class, but worth it!

Course Materials

•  Textbook:
  –  Daswani, Kern, Kesavan, "Foundations of Security"
  –  Additional materials linked to from course website

•  Attend lectures
  –  Lectures will not follow the textbook and will cover a significant amount of material that is not in the textbook
  –  Lectures will focus on "big-picture" principles and ideas

•  Attend sections
  –  Details not covered in lecture, especially about homeworks and labs

Other Helpful Books (Online)

•  Ross Anderson, "Security Engineering"
  –  Focuses on design principles for secure systems
  –  Wide range of entertaining examples: banking, nuclear command and control, burglar alarms

•  Menezes, van Oorschot, and Vanstone, "Handbook of Applied Cryptography"

•  Many, many other useful books exist, not all online

Other Books, Movies, …

•  Pleasure books include:
  –  Little Brother by Cory Doctorow
    •  Available online here: http://craphound.com/littlebrother/download/
  –  Cryptonomicon and REAMDE by Neal Stephenson
  –  The Art of Intrusion and The Art of Deception by Kevin Mitnick
  –  Many more -- please feel free to post your favorites on the forum!

•  Movies include:
  –  Hackers
  –  Sneakers
  –  Die Hard 4
  –  WarGames
  –  Many more -- please feel free to post your favorites on the forum!

•  Historical texts include:
  –  The Codebreakers by David Kahn
  –  The Code Book by Simon Singh

Guest Lectures

•  We will have a few guest lectures throughout the quarter
  –  Useful to give you a different perspective: research, industry, law enforcement, government, legal
  –  Most already scheduled, others TBD

Ethics

•  To learn to defend systems, you will learn to attack them. You must use this knowledge ethically.

•  In order to get a non-zero grade in this course, you must electronically sign the "Security and Privacy Code of Ethics" form by 5pm on October 5

Mailing List

[email protected]

•  Make sure you're on the mailing list
  –  We'll send a test mail after class; everyone enrolled should receive it

•  URL for mailing list on course website

•  Used for announcements

Forum

•  We've set up a forum for this course to discuss assignments
  –  https://catalyst.uw.edu/gopost/board/lerner/43195/

•  Please use it to discuss the homework assignments and labs and other general class materials

•  You can also use it to exercise the "security mindset"
  –  (Including discussions of movies, books, and security in the real world)

Labs

•  General plan:
  –  3 labs (timeline TBD, tentative dates on website)
    •  First lab out approximately next Wednesday
  –  Submit to Catalyst system (URL on website)
  –  Groups of up to three generally allowed (check each project page for details)

•  http://courses.cs.washington.edu/courses/cse484/16au/assignments.html

•  First lab: Software security
  –  Buffer overflow attacks, double-free exploits, format string exploits, ...

•  Second lab: Web security
  –  XSS attacks, SQL injection, ...

•  Third lab: Mobile security
  –  Android

Homework

•  3 or 4 homeworks distributed across the quarter (tentative dates on website)
  –  http://courses.cs.washington.edu/courses/cse484/16au/assignments.html

•  Do now: sign ethics form!

Waitlist / Overload Instructions

•  If you are not yet enrolled:
  –  Overload request link: http://tinyurl.com/zlarys2
  –  Codeword: <redacted>
  –  Honor system: Please don't share this codeword with students who did not attend class.

Theme: The Security Mindset

•  Thinking critically about the design of a system, and challenging assumptions

•  Being curious

•  Thinking like an attacker

•  "That new product X sounds awesome, I can't wait to use it!" versus…

•  "That new product X sounds cool, but I wonder what would happen if someone did Y with it…"

•  Why it's important
  –  Technology changes, so learning to think like a security person is more important than learning specifics of today
  –  Will help you design better systems/solutions
  –  Interactions with broader context: law, policy, ethics, etc.

Not just Technology – Social Systems are Systems too

•  Social Engineering
  –  Lying
  –  Being nice to people
  –  Acting like you belong

Q2

Answer question 2 on the worksheet

How Systems Fail

•  Systems may fail for many reasons, including:
  •  Reliability deals with accidental failures
  •  Usability deals with problems arising from operating mistakes made by users
  •  Security deals with intentional failures created by intelligent parties
    –  Security is about computing in the presence of an adversary
    –  But security, reliability, and usability are all related

Apparently Harmless Failures

•  donotreply.com

•  Some websites use this "fake" domain, sending mail with a reply-to of: [email protected]

Two Key Themes of this Course

1.  How to think about security
  –  The "Security Mindset" – a "new" way to think about systems

2.  Technical aspects of security
  –  Vulnerabilities and attack techniques
  –  Defensive technologies
  –  Topics including: software security, cryptography, malware, web security, web privacy, smartphone security, authentication, usable security, anonymity, physical security, security for emerging technologies

What This Course is Not About

•  Not a comprehensive course on computer security
  –  Computer security is a broad discipline!
  –  Impossible to cover everything in one quarter
  –  So be careful in industry or wherever you go!

•  Not about all of the latest and greatest attacks
  –  Read news

•  Not a course on ethical, legal, or economic issues
  –  We will touch on these issues, but the topic is huge

•  Not a course on how to "hack" or "crack" systems
  –  Yes, we will learn about attacks... but the ultimate goal is to develop an understanding of attacks so that you can build more secure systems

Security: Not Just for PCs

(Figure: smartphones, wearables, game platforms, cars, medical devices, EEG headsets, voting machines, RFID, mobile sensing platforms, airplanes)

Example: Modern Automobiles

Modern automobiles contain dozens of computers.

Those computers control nearly everything in the car, including locks, lights, brakes, the engine, the airbags, etc.

Who might want to attack? Why, and how?

Learning the Security Mindset

•  Several approaches for developing "The Security Mindset" and for exploring the broader contextual issues surrounding computer security
  –  Homework #1
    •  Current event reflections and security reviews
    •  May work in groups of up to 3 people (groups are encouraged – lots of value in discussing security with others!)
  –  In class discussions and activities
  –  Participation in forums (e.g., critiquing movies)

"Homework #0": Class Survey

•  Find it from the Schedule or Assignments page of the course website

•  Fill it out by Friday (simple questions about you and how I can help you learn)

Ethics Form

•  Find it from the Schedule or Administrivia page of the course website

•  Sign it (digitally) by October 5 to receive a non-zero grade in the class.

Homework #1: The Security Mindset

•  Due Monday, October 10

•  Review 1) a current event and 2) a technology, to practice the security mindset, threat modeling, and explaining security topics to different audiences.

To do

•  Class survey! (By Friday – do it now!)

•  Ethics form! (Oct 5 – do it now!)

•  Security reviews (Oct 10)
  –  Start forming groups (forums are available) and thinking about events and technologies you'd like to review.