Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security...
Transcript of Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security...
![Page 1: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/1.jpg)
Course overview
Hyoungshick Kim
Department of Computer Science and Engineering
College of Information and Communication Engineering
Sungkyunkwan University
Security Engineering (2016 Spring)
![Page 2: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/2.jpg)
• Assistant Professor in Department of Computer Science and Engineering
• Research interests:
• security engineering
• usable security (e.g., user authentication)
• security and privacy of online social networks (in PhD)
• software security
• Lecture: Mon 12:00-13:15, Wed 15:00-16:15
• Office hours: Wednesdays 11-12, 27324
• http://seclab.skku.edu/people/hyoungshick-kim/
• Email: [email protected] Please include [보안공학] in the subject of your e-mail
Instructor – Hyoungshick Kim
![Page 3: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/3.jpg)
Course orientation
1. Intended audience
2. Aims
3. Textbook
4. Class schedule
5. Evaluation
![Page 4: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/4.jpg)
• Graduate students who
• want to know how a secure system is developed
• want to get background in information security
• might do research in information security
Intended audience
![Page 5: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/5.jpg)
• To give you a through understanding of information security technology
• Security policy (what should be protected)
• Engineering (how we can obtain assurance that the protection provided is adequate)
• Protection mechanisms (cryptography, software security, …)
• Attacks (malicious code, protocol failure …)
• To help you doing a research about information security
Aims
![Page 6: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/6.jpg)
Textbook
• Security Engineering by Ross Anderson: http://www.cl.cam.ac.uk/~rja14/book.html
• Information Security: Principles and Practice by Mark Stamp
• Introduction to Computer Security by Michael Goodrich and Roberto Tamassia
• Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone: http://www.cacr.math.uwaterloo.ca/hac/
• Papers
![Page 7: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/7.jpg)
Class schedule 1st
Week Topic
1 Course overview & Introduction to computer security/security engineering
2 Security policy & Access control
3 Security protocols I
4 Security protocols II
5 Cryptography I
6 Cryptography II
7 Cryptography III
8 Network security
![Page 8: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/8.jpg)
Class schedule 2nd
Week Topic
9 Term project proposal presentations (No Mid term)
10 Software security I
11 Software security II
12 OS security
13 Web security/Usable security
14 Database security / Security economics
15 Mini-conference
16 Final term
![Page 9: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/9.jpg)
Evaluation
• Assignments (25%)
• Final term (25%)
• Term project (40%)
– Proposal (10%)
– Results (30%)
• Participation to classroom discussion (10%)
https://docs.google.com/spreadsheets/d/1GHOwsRwi_-
60zglgKuWG9XgT62tMMpSerEvAMIfkUqw/edit?usp=sharing
![Page 10: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/10.jpg)
Evaluation - Assignments
• 1 reading report (for a security research paper) in
English (10%)
Best reports will be selected for presentation (extra credit 1~5)
• 3 programming assignments (15%)
![Page 11: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/11.jpg)
An assignment winner
in a previous semester
![Page 12: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/12.jpg)
Assignments – Reading report
• Your reading report should be organized as follows:
– Title
– Your name, student ID
– Summary: summary should include
• Motivation of the paper
• Which problem the paper is trying to solve
• Key ideas to solve the problem
• How authors evaluate their solution
– Strength of the paper
– Weakness of the paper
– Future work: not mentioned by the author
You have your own deadline!
![Page 13: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/13.jpg)
Reading report schedule 1st
Week Date Topic
1
2
3 03/14 강현련, 고상준, 김동용
4 03/19 김소영, 김은수, 김이진
5 03/26 김종명, 김지원, 김진우
6 04/02 박재우, 서찬수, 여윤석
7 04/09 이소라, 이수연, 최현재
8
![Page 14: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/14.jpg)
Reading report schedule 2nd
Week Date Topic
9 No Mid term
10 04/30 이형규, 임진호, 조금환
11 05/07 차승훈, 최주섭, 박열
12 05/14 채근홍, 김민창, 김재훈
13 05/21 이경준, 이한나, 조릭
14
15 Term project presentation
16 Final term
![Page 15: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/15.jpg)
How to choose your paper
• You can choose a paper from the top-tier conferences (2013~2016)
– General: IEEE S&P (Oakland), USENIX Security, ACM CCS, NDSS
– (2nd General: ESORICS, Euro S&P, ACSAC, AsiaCCS)
– Hardware: CHES
– Usable Security: CHI, SOUPS
– Security Economics: WEIS
– Privacy: PETS
– Financial Security: FC
– Malware/Intrusion Detection: RAID, DIMVA
– Etc. (e.g., USENIX WOOT: offensive research) You are encouraged to
discuss with me for
choosing your paper.
![Page 16: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/16.jpg)
Final term exam
Open book! Open network!
![Page 17: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/17.jpg)
Term project
• (1) Proposal presentation + (2) Results presentation + (3) Paper submission
• Project types
– Design projects attempt to solve some interesting problem by proposing a design;
implementing a prototype; and using the implementation as a basis for evaluating the
proposed system architecture.
– Analysis projects study some previously-proposed solutions, and existing systems;
evaluate its security properties; find security flaws; and provide new insight into how to
build secure systems.
– Survey projects review previous work on a specific subject and present a structured
work including a set of important references (e.g. papers in ACM Computing Surveys).
![Page 18: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/18.jpg)
Term project – design project
examples
• Sandbox for embedded devices
• Memory protection for operating systems
• User authentication methods for IoT devices
• Secure electronic voting on the Internet
• Secure device paring for home networks
• Hash algorithms for password salts
• Access controls for social networks
• Information flow tracking for user privacy
• Lightweight hypervisor for code integrity
![Page 19: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/19.jpg)
Term project – analysis project
examples
• Software/Hardware attacks on existing systems
• Side channel analysis on software/hardware
• Security analysis of random numbers (in real-world system; e.g., OTP)
• Harvesting private information using online social networks
• Security analysis of location services
• Network traffic analysis
• Analyzing potential privacy risks for new security features (e.g. Samsung payment)
• Analyzing security and usability of existing security applications
• Analyzing correlation between user personality and his privacy concern
• Analyzing ecommerce fraud cases
![Page 20: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/20.jpg)
Term project - rules
• Each project should have some "research" aspect.
• You should work in a small group of 3-4 students.
• Important dates
– Proposal: April 25, 27.
– Results presentation (with 1 minute movie clip at YouTube):
June 11, 9:00
– Final report: June 19, Midnight (NO EXTENSION!!)
![Page 21: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/21.jpg)
Term project - awards
Awards will be announced at the end of the mini-conference in
the following categories:
– Best paper
– Best practical paper
– Best presentation paper
![Page 22: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/22.jpg)
Term project – ethical issues
If your project deals with vulnerabilities (e.g., software
vulnerabilities in a given program or design weaknesses in a
hardware system), you need to discuss in detail the steps they
plan to take to address these vulnerabilities (e.g., by carefully
disclosing vulnerabilities to the vendors).
![Page 23: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/23.jpg)
Term project – academic results
• “We are still vulnerable to clickjacking attacks: about 99% of Korean websites are
dangerous”, WISA: The 14th International Workshop on Information Security
Applications, 2013. pdf
• “Security Analysis of Mobile Authentication using QR-Codes”, NCS: The 7th International
Conference on Network & Communication Security, 2015. pdf,
https://www.youtube.com/watch?v=u7PMdPaC2Vk
• “Wrong Siren! A location spoofing attack on indoor positioning systems: the Starbucks case
study”, 국가암호공모전 2015 논문분야 장려상 (상금 50만원), IEEE Security & Privacy
Magazine (under submssion), https://www.youtube.com/watch?v=tdS7MsyhRWg
![Page 24: Security Engineering (2016 Spring) · 2017-08-14 · information security technology • Security policy (what should be protected) • Engineering (how we can obtain assurance that](https://reader034.fdocuments.us/reader034/viewer/2022042402/5f13a306a34f6100383e795e/html5/thumbnails/24.jpg)
Questions?