IntroductionComputer Security Lecture 1

David Aspinall

School of InformaticsUniversity of Edinburgh

9th January 2006

Outline

Overview

Lectures

Assessment

Advisory

Timeline

Reading

Computer security is a concoction of science, technology,engineering, and human factors. A secure system is only as strongas the weakest link: each factor must be secured, using multiplelayers to provide “defence in depth”.

Outline

Overview

Lectures

Assessment

Advisory

Timeline

Reading

What is Computer Security?

I Security is concerned with the protection of assets.

I Computer Security is concerned with assets of computersystems: the information and services which they provide.

I Just as real-world physical security systems vary in theirsecurity provision (e.g., a building may be secure againstcertain kinds of attack, but not all), so computer securitysystems provide different kinds and amounts of security.

I Computer security is quite vast in scope, touching on manyareas besides computer science. In this course we will studysome fundamentals, some current internet technologies, and alittle bit about engineering and management aspects ofcomputer security.

I This lecture describes the organization of the course, anoutline of the topics from the syllabus, and gives a timeline ofnotable computer security events.

What is Computer Security?

I Security is concerned with the protection of assets.

I Computer Security is concerned with assets of computersystems: the information and services which they provide.

I Just as real-world physical security systems vary in theirsecurity provision (e.g., a building may be secure againstcertain kinds of attack, but not all), so computer securitysystems provide different kinds and amounts of security.

I Computer security is quite vast in scope, touching on manyareas besides computer science. In this course we will studysome fundamentals, some current internet technologies, and alittle bit about engineering and management aspects ofcomputer security.

I This lecture describes the organization of the course, anoutline of the topics from the syllabus, and gives a timeline ofnotable computer security events.

What is Computer Security?

I Security is concerned with the protection of assets.

I Computer Security is concerned with assets of computersystems: the information and services which they provide.

I Just as real-world physical security systems vary in theirsecurity provision (e.g., a building may be secure againstcertain kinds of attack, but not all), so computer securitysystems provide different kinds and amounts of security.

I Computer security is quite vast in scope, touching on manyareas besides computer science. In this course we will studysome fundamentals, some current internet technologies, and alittle bit about engineering and management aspects ofcomputer security.

I This lecture describes the organization of the course, anoutline of the topics from the syllabus, and gives a timeline ofnotable computer security events.

What is Computer Security?

I Security is concerned with the protection of assets.

I Computer Security is concerned with assets of computersystems: the information and services which they provide.

I Just as real-world physical security systems vary in theirsecurity provision (e.g., a building may be secure againstcertain kinds of attack, but not all), so computer securitysystems provide different kinds and amounts of security.

I Computer security is quite vast in scope, touching on manyareas besides computer science. In this course we will studysome fundamentals, some current internet technologies, and alittle bit about engineering and management aspects ofcomputer security.

I This lecture describes the organization of the course, anoutline of the topics from the syllabus, and gives a timeline ofnotable computer security events.

Security Fundamentals

By “fundamentals” we mean the basic concepts of secure systems,as well as the low-level design of security protocols.

I Security properties worth guarding: confidentiality, integrity,authentication, availability, accountability.

I A useful science: cryptography.

I Communicating carefully: security protocols.

I Increasing confidence: formal approaches (e.g. to protocolcorrectness).

Security Technologies

Which include . . .

I Privacy for the masses: PGP, S/MIME

I The consumer favourite: SSL

I Securing networks: firewalls, DNSSec, IPSEC

I Securing connections: ssh, VPNs.

I Programming securely: Java security model

Engineering and Management

System security is an engineering and ultimately a managementissue; technology is only part of a security “solution”. We’llconsider engineering aspects of system security and higher-levelissues, including:

I Secure kernels and trusted computing bases

I Malicious code and network defences

I Security policy models, multi-level systems, security standards

I Real-world issues (human factors; budgeting; legalities)

Outline

Overview

Lectures

Assessment

Advisory

Timeline

Reading

Lectures

I I will give 16 lectures covering main topics from thesyllabus.

I There will be space for 2 additional lectures to cover moredetail, additional topics or guest lecture slots. Send mesuggestions if you are interested in something particular!

What lectures will not cover

I War stories, hacking tales, etc.

You can read about these in many places, for example,Anderson’s textbook, books like The Cuckoo’s Egg, websiteslike kevinmitnick. com .

I Crypto application HOWTOs, personal firewallrecommendations, . . .

A practical exercise will be given encourage you to use somecommon Unix applications.

I Low-level details of security APIs

A practical exercise in Java security programming provides anintroduction to one security framework.

I Mathematical details of modern cryptography

We’ll cover crypto at a high level; you are encouraged to studythe mathematics further if interested.

Lectures will concentrate on underlying computer science behindcomputer security and engineering aspects of secure programming.

Lecture plan

I Main topics (over 16 lectures in a mixed order)

I IntroductionI ThreatsI Crypto I-IIII Protocols I-II

I Formal calculiI Security modelsI Internet I-III Software I-II

I Secure emailI Web security

I Possible additional topicsI More crypto (e-cash, zero-knowledge, steganography)I Formal techniques (info flow, static analysis)I Evidence-based certification.I Defences, IDS. Content protection (DRM). Legalities.

Outline

Overview

Lectures

Assessment

Advisory

Timeline

Reading

Assessment for the course

I You will be assessed on the exam, weighted 80% and on thepractical assignments, weighted 20%

I Questions in the exam will test material covered explicitly inmy lectures or the required reading, only.

I Concepts from other parts of the syllabus or the other lecturesmay be used as a basis for exam questions, but withoutassuming detailed knowledge.

I Past papers (with solutions) and a specimen exam paper(without solutions) are available via the course web page.

Practical assignments

I Along the way there will be 3 or 4 small practicalassignments. Of these, 2 assignments are assessed.

I The unassessed exercises are designed to encourage you to usesome Internet security technologies.

I The assessed exercises exploreI OS and Internet securityI Security programming

Solutions to the assessed exercises will be due in about 14days after issue. They each contribute 10% of the final resultfor the course. They will be are designed to be straightforwardso it should be worth attempting them.

I The exercise solutions will be submitted electronically andpartly marked electronically. Please follow the instructionsprecisely for each practical exercise to help this.

Course feedback

I Security is a fast moving subject, with new research, securitybreaches and security technologies all appearing daily.

I I try to keep this course as up-to-date and interesting aspossible, but with a necessarily academic focus on foundationsand well-established tools.

I If there is some part of the course that you think could beimproved, some topic or news item that you think deservesmention, please let me know.

I You are welcome to send comments or suggestions directly tome by email at da@inf.ed.ac.uk. If you wish to sendfeedback anonymously, find out how to use an anonymousremailer, or use the low-tech solution of leaving a note in mymail tray.

Outline

Overview

Lectures

Assessment

Advisory

Timeline

Reading

Standard security course advisory

I Nothing in this course is intended as incitement to crack!

I Breaking into systems to “demonstrate” security problems atbest causes a headache to overworked sysadmins, at worstcompromises systems for many users and could lead toprosecution.

I If you spot a security hole in a running system, don’t exploitit, instead consider contacting the relevant administratorsconfidentially.

I But be aware that keeping abreast with latest security patchesand methods is difficult; practical security is a matter ofweighing up risks and costs, so your advice may be not bequickly acted on.

I This is especially true in a relatively low security environmentsuch as a university, where open access has traditionally beenput above security, and resources for sysadmin are very tight.

Responsible security experiments

I If you want to experiment with security holes, play with yourown machine, or better, your own private network ofmachines.

I One (mostly) harmless way of doing this may be by using aform of virtualisation: e.g., VMWare, UML, Xen.

I If you discover a new security hole in a standard application,or operating system routine that may be running at manysites, then consider contacting the vendor of the software (orvendor of the operating system which contains the software)in the first case. You might also raise the issue in a securityforum for discussion, perhaps without providing completedetails of the hole.

I The software vendor or other security experts will be able toconfirm or deny, and work can begin on fixing the problem (ifyou haven’t already suggested a fix).

Outline

Overview

Lectures

Assessment

Advisory

Timeline

Reading

Is there a computer security crisis?

Almost every month there seems to a high-profile case of computersecurity failure reported in the national or international media.This gives the impression that security problems are prevalent.Partly this may because of salacious reporting: it’s exciting for thepress to report on virus outbreaks (be they cyber or biological), or“underground criminals” who hack computer systems. Evenprofessional computer security texts have deliberately evocativetitles. But the high frequency of security faults and incidentsreported on BugTraq and CERT do testify to the prevalence ofsecurity problems in widely deployed systems.Nonetheless, there is a good body of knowledge in computersecurity and a history of carefully designed secure systems. Itseems that most present-day security problems are due to poordesign of commodity systems and/or insufficient investment inensuring security. Under-investment may be misguided ordeliberate policy. But recent surveys show that many companiesplan to increase their IT security spending.

Security timeline, part 1Security attacks have occurred since the 1950s and securitymechanisms were designed for operating systems since thebeginning. Early attackers were people near the machines. Nowthe Internet provides potential for literally millions of anonymousattackers to target any connected system. “White-hats” and“black-hats” are in an arms race...

1960 Memory protection hardware: partitioning, virtualmemory.

1962 File access controls in multiple-access systems.1967 One-way functions to protect passwords.1968 Multics security kernel (implementation of BLP model)

1969–89 ARPANET Internet beginning with TCP/IP in 1977.

Infamously, ARPANET was built to withstand a nuclear attack butwas nearly crippled in 1988 by the Morris Internet Worm.ARPANET assumed a design philosophy (centralisedadministration) which no longer applies in the Internet: a dramaticexample of a change in environment invalidating security.

Security timeline, part 2

1975 Unix-Unix copy protocol (UUCP) and mail trapdoors

1976 Public-key cryptography and digital signatures

1978 RSA public-key cryptosystem.

1978 First vulnerability study of passwords (intelligent search).

1978 Pioneering e-cash protocols invented by David Chaum.

1983 Distributed domain naming system (DNS), vulnerable tospoofing.

1984 Computer viruses receive attention of researchers.

1985 Advanced password schemes.

1986 Wily hacker attack (Clifford Stoll’s “Stalking the WilyHacker”).

1988 Internet Worm infects 6,000 computers (10% of Internet).

1988 Distributed authentication realised in Kerberos.

1989 Pretty Good Privacy (PGP) and Privacy Enhanced Mail(PEM).

Security timeline, part 3

1990 Anonymous remailers (clever protocols prevent tracing).

1993 Packet spoofing; firewalls; network sniffing.

1994 Netscape designs SSL v1.0 (flawed; revised 1995).

1996 SYN flooding. Java exploits. Rise of web-site hacking.

1997 DNSSec security extension for DNS proposed.

1998 Script kiddies’ scanner tools. IPSec proposals.

1999 First DDoS attacks. DVD encryption broken

2000 VBscript worm ILOVEYOU (0.5 – 8 million infections).Cult of the Dead Cow’s Back Orifice 2000 Trojan.

2001 Code Red, Nimbda worm infect Microsoft IIS server.

2002 Palladium; chipped XBox blocked from online play.

2003 W32/Blaster worm. Debian and FSF are cracked.

2004 First mobile phone virus Cabir

2005 Flaws in SHA-1. Sony’s “rootkit” with broken DRM.

Outline

Overview

Lectures

Assessment

Advisory

Timeline

Reading

Reading: textbooks

I Dieter Gollmann, Computer Security, 2nd Ed, John Wiley &Sons, 2006.A nice textbook with a good (but brief) overview of thesubject.

I Ross Anderson, Security Engineering: A Comprehensive Guideto Building Dependable Distributed Systems, John Wiley &Sons, 2001.A larger book, with more detail of whole-system andnon-software aspects of security. Lots of interesting examples.

I Matt Bishop, Computer Security: art and science, AddisonWesley, 2003.An even larger book. Provides a good up-to-date coverage ofcomputer security topics, with good pointers to research areas.

I Bruce Schneier, Applied Cryptography, J. Wiley & Sons, 2ndEd, 1996.Classic practical crypto text; many algorithms and sourcecode, but now somewhat dated (little mathematics).

Reading: other textbooks

I Nigel Smart, Cryptography: An Introduction, McGraw-Hill,2003.A newer book on cryptography and other computer securityissues, more mathematically rigorous than Schneier.

I Michael Huth, Secure communicating systems: design,analysis, and implementation., CUP, 2001.Includes cryptography and other techniques includingprotocols and information flow analysis.

I John Viega and Gary McGraw, Building Secure Software:How to Avoid Security Problems the Right Way,Addison-Wesley, 2001.The first book to be written on secure coding. Biased towardsUnix programming; look for 2nd Edition of Writing SecureCode by Howard and LeBlanc (MS Press, 2003) for aWindows-biased book.

Reading: specialist books

I Simson Garfinkel and Gene Spafford, Practical UNIX andInternet Security, O’Reilly, 1996.Sound advice on security and good coverage of UNIXspecifics. A little dated on the Internet side by now.

I William R. Cheswick and Steven M. Bellovin, Firewall andInternet Security, 2nd Edition, 2004. Classic book on internetsecurity; original 1st ed online athttp://www.wilyhacker.com.

I Alfred J. Menezes and Paul C. Van Oorschot and Scott A.Vanstone, Handbook of Applied Cryptography. CRC Press,1996.A bible of crypto. Available online athttp://cacr.math.uwaterloo.ca/hac.

Reading: background

I Bruce Schneier, Secrets & Lies — Digital Security in aNetworked World, John Wiley & Sons, 2000.An entertaining and compulsive account of computer securityneeds and techniques, addressed at non-experts.

I Dorothy E. Denning, Information Warfare and Security,Addison-Wesley, 1999.Chilling accounts of impact of information in modern warfare.

I Simson Garfinkel, Database Nation, O’Reilly, 2001.The personal impact of ubiquitous electronic data storage(mainly from a US perspective, but concerns are relevantglobally).

Reading: web resourcesThe web is particularly rich in resources for this subject.Interesting sites include home pages of security researchers, (oftenbiased) technology news discussion forums, security services andadvisory services, etc. A representative sample:

I http://www.cl.cam.ac.uk/users/rja14/— Ross Anderson’s home page.

I http://www.slashdot.org— Slashdot, news for nerds (mostly CS students).

I http://www.theregister.co.uk— The Register (UK industry news)

I http://www.cert.org/— CERT advisories on security, incident statistics

I http://www.securityfocus.com— A “solutions” company which also hosts popular mailing lists.

I http://www.inf.ed.ac.uk/teaching/courses/cs— Our homepage, with many more links.