CSE 484 / CSE M 584: Computer Security and Privacy
Transcript of CSE 484 / CSE M 584: Computer Security and Privacy
CSE 484 / CSE M 584: Computer Security and Privacy
Fall 2016
Ada (Adam) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others…
9/29/16 CSE 484 / CSE M 584 - Fall 2016, slide 2

What’sWrongWithThisPicture?
Quiz Section
• Quiz sections:
  – Thursday, 1:30-2:20pm, LOW 105
  – Thursday, 2:30-3:20pm, LOW 105

Office Hours
• Office hours
  – Ada: Wednesdays 4:30-5:30pm, CSE 220 (immediately after Wednesday class!)
  – TAs: Mondays 11:00-noon, CSE 220

Prerequisites (CSE 484)
• Required: Data Structures (CSE 326) or Data Abstractions (CSE 332)
• Required: Hardware/Software Interface (CSE 351) or Machine Org and Assembly Language (CSE 378)
• Assume: Working knowledge of C and assembly
  – One of the labs will involve writing buffer overflow attacks in C
  – You must have a detailed understanding of x86 architecture, stack layout, calling conventions, etc.
• Assume: Working knowledge of software engineering tools for Unix environments (gdb, etc.)
• Assume: Working knowledge of Java and JavaScript

Prerequisites (CSE 484)
• Strongly recommended: Computer Networks; Operating Systems
  – Will help provide a deeper understanding of security mechanisms and where they fit in the big picture
• Recommended: Complexity Theory; Discrete Math; Algorithms
  – Will help with the more theoretical aspects of this course.

Prerequisites (CSE 484)
• Most of all: Eagerness to learn!
  – This is a 400-level course.
  – We expect you to push yourself to learn as much as possible.
  – We expect you to be a strong, independent learner capable of learning new concepts from the lectures, the readings, and on your own.

Course Logistics (CSE 484)
• Lectures: MWF: 3:30-4:20pm
• Sections: Thurs: 1:30-2:20pm and 2:30-3:20pm
• Security is a contact sport!

Late Policy
• Email us for a 2-day grace period, no questions asked, on any assignment
• If you won't finish within those two days, you MUST meet with me to talk about a schedule for completing the assignment

Participation Grade
• In-class activities (like the one from today!)
  – You may miss (at least) 3 of these, no questions asked
• Regular contributions to class forums
  – Don't be silent for 9 weeks and then make 10 posts on the last day of the quarter
• In class: harder in a large class, but worth it!

Course Materials
• Textbook:
  – Daswani, Kern, Kesavan, "Foundations of Security"
  – Additional materials linked to from the course website
• Attend lectures
  – Lectures will not follow the textbook and will cover a significant amount of material that is not in the textbook
  – Lectures will focus on "big-picture" principles and ideas
• Attend sections
  – Details not covered in lecture, especially about homeworks and labs

Other Helpful Books (Online)
• Ross Anderson, "Security Engineering"
  – Focuses on design principles for secure systems
  – Wide range of entertaining examples: banking, nuclear command and control, burglar alarms
• Menezes, van Oorschot, and Vanstone, "Handbook of Applied Cryptography"
• Many, many other useful books exist, not all online

Other Books, Movies, …
• Pleasure books include:
  – Little Brother by Cory Doctorow
    • Available online here: http://craphound.com/littlebrother/download/
  – Cryptonomicon and REAMDE by Neal Stephenson
  – The Art of Intrusion and The Art of Deception by Kevin Mitnick
  – Many more -- please feel free to post your favorites on the forum!
• Movies include:
  – Hackers
  – Sneakers
  – Die Hard 4
  – WarGames
  – Many more -- please feel free to post your favorites on the forum!
• Historical texts include:
  – The Codebreakers by David Kahn
  – The Code Book by Simon Singh

Guest Lectures
• We will have a few guest lectures throughout the quarter
  – Useful to give you a different perspective: research, industry, law enforcement, government, legal
  – Most already scheduled, others TBD

Ethics
• To learn to defend systems, you will learn to attack them. You must use this knowledge ethically.
• In order to get a non-zero grade in this course, you must electronically sign the "Security and Privacy Code of Ethics" form by 5pm on October 5

Mailing List
• Make sure you're on the mailing list
  – We'll send a test mail after class; everyone enrolled should receive it
• URL for the mailing list is on the course website
• Used for announcements

Forum
• We've set up a forum for this course to discuss assignments
  – https://catalyst.uw.edu/gopost/board/lerner/43195/
• Please use it to discuss the homework assignments and labs and other general class materials
• You can also use it to exercise the "security mindset"
  – (Including discussions of movies, books, and security in the real world)

Labs
• General plan:
  – 3 labs (timeline TBD, tentative dates on website)
    • First lab out approximately next Wednesday
  – Submit to Catalyst system (URL on website)
  – Groups of up to three generally allowed (check each project page for details)
• http://courses.cs.washington.edu/courses/cse484/16au/assignments.html

Labs
• First lab: Software security
  – Buffer overflow attacks, double-free exploits, format string exploits, ...
• Second lab: Web security
  – XSS attacks, SQL injection, ...
• Third lab: Mobile security
  – Android

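As an added illustration of the bug classes the first lab lists (this is example code written for this transcript, not the course's lab code or targets): a C routine with an unbounded stack copy of the kind a buffer overflow attack exploits, next to a bounded version that reports truncation instead of overwriting the stack and that never lets user data become a printf format string. The function names, the 16-byte buffer and the sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (assumed example). strcpy() has no bound, so a name of
 * 16 or more bytes runs past buf into whatever sits above it on the stack
 * (saved frame pointer, return address). The matching format-string bug
 * would be writing printf(buf) here: the caller's data then acts as the
 * format, and "%x%x%n" in a name reads and writes memory. Never call this
 * with untrusted input; it is kept only for contrast with greet_safe(). */
void greet_unsafe(const char *name) {
    char buf[16];
    strcpy(buf, name);          /* no length check: the overflow */
    printf("%s\n", buf);
}

/* Hardened version. The caller owns the output buffer and passes its size,
 * the copy is bounded, the result is always NUL-terminated, truncation is
 * reported rather than silently corrupting memory, and user data is only
 * ever passed as a %s argument, never as the format itself.
 * Returns -1 on bad arguments, otherwise the number of input bytes dropped
 * (0 means the whole name fit). */
int greet_safe(const char *name, char *out, size_t outlen) {
    if (name == NULL || out == NULL || outlen == 0) {
        return -1;
    }
    size_t n = strlen(name);
    size_t room = outlen - 1;               /* leave one byte for the NUL */
    size_t copy = n > room ? room : n;
    memcpy(out, name, copy);
    out[copy] = '\0';
    printf("%s\n", out);                    /* fixed format, data as argument */
    return (int)(n - copy);
}

/* Same check against a fixed 16-byte stack buffer, the size greet_unsafe()
 * uses, so the two can be compared on identical input. */
int greet_fixed(const char *name) {
    char buf[16];
    return greet_safe(name, buf, sizeof buf);
}

int main(void) {
    greet_unsafe("alice");                          /* benign: 6 bytes fit */
    greet_fixed("alice");                           /* 0 bytes dropped */
    greet_fixed("AAAAAAAAAAAAAAAAAAAAAAAA");         /* 24 bytes: 9 dropped */
    return 0;
}
```

The point of the return value is that truncation is a decision the caller can act on (reject the input, log it) instead of a memory-safety failure it never sees; with the unsafe version the same 24-byte input is already a stack smash.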
Homework
• 3 or 4 homeworks distributed across the quarter (tentative dates on website)
  – http://courses.cs.washington.edu/courses/cse484/16au/assignments.html
• Do now: sign the ethics form!

Waitlist / Overload Instructions
• If you are not yet enrolled:
  – Overload request link: http://tinyurl.com/zlarys2
  – Codeword: <redacted>
  – Honor system: Please don't share this codeword with students who did not attend class.

Theme: The Security Mindset
• Thinking critically about the design of a system, and challenging assumptions
• Being curious
• Thinking like an attacker
• "That new product X sounds awesome, I can't wait to use it!"
  versus…
• "That new product X sounds cool, but I wonder what would happen if someone did Y with it…"
• Why it's important
  – Technology changes, so learning to think like a security person is more important than learning the specifics of today
  – Will help you design better systems/solutions
  – Interactions with broader context: law, policy, ethics, etc.

Not just Technology – Social Systems are Systems too
• Social Engineering
  – Lying
  – Being nice to people
  – Acting like you belong

Q2
Answer question 2 on the worksheet

How Systems Fail
• Systems may fail for many reasons, including:
  – Reliability deals with accidental failures
  – Usability deals with problems arising from operating mistakes made by users
  – Security deals with intentional failures created by intelligent parties
    • Security is about computing in the presence of an adversary
    • But security, reliability, and usability are all related

Apparently Harmless Failures
• donotreply.com
• Some websites use this "fake" domain, sending mail with a reply-to of: [email protected]
  – The domain is not fake: it is a real, registered domain owned by an unrelated third party, so every reply (and bounce) to such mail is delivered to a stranger

Two Key Themes of this Course
1. How to think about security
   – The "Security Mindset" – a "new" way to think about systems
2. Technical aspects of security
   – Vulnerabilities and attack techniques
   – Defensive technologies
   – Topics including: software security, cryptography, malware, web security, web privacy, smartphone security, authentication, usable security, anonymity, physical security, security for emerging technologies

What This Course is Not About
• Not a comprehensive course on computer security
  – Computer security is a broad discipline!
  – Impossible to cover everything in one quarter
  – So be careful in industry or wherever you go!
• Not about all of the latest and greatest attacks
  – Read the news
• Not a course on ethical, legal, or economic issues
  – We will touch on these issues, but the topic is huge
• Not a course on how to "hack" or "crack" systems
  – Yes, we will learn about attacks... but the ultimate goal is to develop an understanding of attacks so that you can build more secure systems

Security: Not Just for PCs
(image slide; labels: smartphones, wearables, game platforms, cars, medical devices, EEG headsets, voting machines, RFID, mobile sensing platforms, airplanes)

Example: Modern Automobiles
Modern automobiles contain dozens of computers.
Those computers control nearly everything in the car, including locks, lights, brakes, the engine, the airbags, etc.
Who might want to attack? Why, and how?

Learning the Security Mindset
• Several approaches for developing "The Security Mindset" and for exploring the broader contextual issues surrounding computer security
  – Homework #1
    • Current event reflections and security reviews
    • May work in groups of up to 3 people (groups are encouraged – lots of value in discussing security with others!)
  – In-class discussions and activities
  – Participation in forums (e.g., critiquing movies)

"Homework #0": Class Survey
• Find it from the Schedule or Assignments page of the course website
• Fill it out by Friday (simple questions about you and how I can help you learn)

Ethics Form
• Find it from the Schedule or Administrivia page of the course website
• Sign it (digitally) by October 5 to receive a non-zero grade in the class.

Homework #1: The Security Mindset
• Due Monday, October 10
• Review 1) a current event and 2) a technology, to practice the security mindset, threat modeling, and explaining security topics to different audiences.

To do
• Class survey! (By Friday – do it now!)
• Ethics form! (Oct 5 – do it now!)
• Security reviews (Oct 10)
  – Start forming groups (forums are available) and thinking about events and technologies you'd like to review.