CMPS 122: Computer Security

Introduction

Introduction 2CMPS 122, UC Santa Cruz

Today’s goals

• Course introduction
  ◆ Course overview
  ◆ Course logistics (details on the syllabus)
• Introduction to computer security
  ◆ What is computer security?
  ◆ Goals
  ◆ Attacks
    – Who?
    – How?
  ◆ Defenses


Welcome!

Ethan [email protected]: 265 E2
Hours: Tue 11:00–noon, Thu 12:30–1:30 PM

Alisa [email protected]:
Hours: Mon 10:00–11:00 AM, Wed 2:00–3:00 PM

• No discussion section or lab hours
  ◆ Ask us questions during office hours
• Class web page (assignments, slides, announcements, etc.)
  http://www.soe.ucsc.edu/classes/cmps122/Winter05/


Class outline

• Introduction & concepts
• Encryption & authentication
• Secure network protocols (Kerberos, SSL)
• Program security
  ◆ Bug exploits
  ◆ Malcode: viruses, worms, trojan horses, and more
  ◆ Writing safe code
• Attacks and defenses on computer systems
  ◆ Firewalls
  ◆ Intrusion detection
  ◆ Countermeasures
• Trusted operating systems


Textbooks

• Required
  ◆ Cryptography and Network Security (Stallings)
• Recommended
  ◆ Secrets and Lies (Schneier)
  ◆ Firewalls and Internet Security, 2nd Edition (Cheswick, Bellovin, Rubin)


Course requirements

• Two exams
  ◆ Midterm in the 5th–6th week
  ◆ Final exam
• Homework
  ◆ 5–6 homeworks during the quarter
  ◆ About one week per homework
  ◆ Graded
  ◆ Need not do every homework to pass the class
    – Missing homeworks count as a zero!
  ◆ Hand in online
• Term project
  ◆ More on this in a bit


How are grades determined?

• Final grades based on:
  ◆ Homework: 30% — all homeworks weighted equally
  ◆ Midterm: 16%
  ◆ Final: 24%
  ◆ Final project: 25%
  ◆ Class participation: 5%
• Approximate grade ranges:
  ◆ A: 89% – 100%
  ◆ B: 79% – 88%
  ◆ C: 69% – 78%
  ◆ D: 60% – 68%
• To pass the class, you must
  ◆ Take both exams
  ◆ Turn in a final project
  ◆ Have at least a 50% average on exams and 50% average on homework
    – Satisfying both conditions does not guarantee a passing grade


Other ways to change your grade…

• Up…
  ◆ Solve a challenge problem (not normal homework)
  ◆ Find a security hole and have it published by a national organization (CERT, Mercury News, Time magazine…)
• Down…
  ◆ Send me a virus (email or otherwise)
    – Doesn’t count if the virus is “neutralized” and sent as an FYI
    – Email viruses that attack your address book do count
  ◆ Get arrested for a computer security attack
  ◆ Get convicted for a computer security attack
• To an F/U/NP (i.e., fail!)
  ◆ Get me arrested for something you do related to this class
  ◆ Cheat (we will catch you)


Homework

• Homework lets you
  ◆ Try to solve (or create) computer security problems
  ◆ Test your knowledge and understanding of the subject
• Homework isn’t optional!
• Homework must be your own work!
• Programming may be required
  ◆ Use any language you want
  ◆ Use any sources you like, if you cite them
    – Keep in mind that I’ll take a dim view of copying someone else in class…
    – If the assignment requires that you write your own code, you may not get full credit for using someone else’s code…
• In many cases, the biggest benefit is the process!


Challenge problems

• Open until solved or last day of class
• First satisfactory answer gets bonus
  ◆ Later answer might still get bonus if it’s better
  ◆ Solving in groups is OK
    – Each member gets √n/n * value (e.g., 3 people = √3/3 = 0.58)
• Unlike homework, there’s not necessarily a correct answer (or even a solution!)
• Challenge problems will be listed on the course Web page


Final project

• Write a paper on a topic related to computer security
  ◆ Review several research papers
  ◆ Analyze the security of a particular system
  ◆ Compare the security or performance of several cryptosystems
  ◆ Evaluate security products (firewalls, software, etc.)
  ◆ Explore ways to write more secure code
  ◆ Lots of other possibilities…
• Suggested topics will be posted on the class web site
• Papers should be about 7–8 pages long


Getting help

• Computer security can be a tough subject—get help if you need it!
  ◆ I’m here to help you learn the material
  ◆ It’s up to you to ask for help
  ◆ Don’t wait too long!
• Ask questions in class
• Visit office hours
• Ask general questions on the course newsgroup
• Ask specific questions by email
  ◆ Expect short answers, not long explanations


What is cheating?

• Cheating is:
  ◆ Copying answers from your fellow students
  ◆ Having someone else do your project for you
  ◆ Using material without attribution
• Cheating is not:
  ◆ Studying in a group: your fellow students are a great resource for understanding difficult material
  ◆ Discussing homework in general terms
  ◆ Using information from the Web, assuming you write down where you got it
    – Copying answers off the Web may be cheating, though….
• Everything you turn in should be yours
  ◆ Document completely if it’s not!
• Use common sense: if you’re not sure, ask me before doing it


The Simpsons rule

• You may discuss homework with others
  ◆ General issues only
• You may not take notes
• You must take a 30 minute break before working on any CMPS 122 assignments
  ◆ Watch the Simpsons or good Warner Brothers cartoons
  ◆ Watch mindless TV
  ◆ Work on other classes
  ◆ Take a nap


Why should you take this course?

• Reason #1: Fate of Humanity
  ◆ Cryptography plays a central role in human history
  ◆ Survival of humanity depends on computer security
• Reason #2: Intellectual Curiosity
  ◆ Cryptology and computer security are about making and solving puzzles
  ◆ It’s fun to do this!
• Reason #3: $$$
  ◆ Computer security is a growing business
  ◆ There are always jobs for people who know how to keep vital computer resources safe


Bad reasons for taking this class

• You want to write the ultimate virus to wipe the world’s hard drives clean
• You want to show (by doing) just how insecure Windows is
• You want to break into (UCSC’s | the NSA’s | your bank’s) computer systems
• You’re bored, and there’s nothing better to take this quarter (I guess this isn’t so bad)


What is security?

• Keeping something (information in our case) secure against
  ◆ Someone stealing it
  ◆ Someone destroying it
  ◆ Someone changing it
  ◆ Someone preventing me from using it
• More specifically
  ◆ Confidentiality: nobody else can see it
  ◆ Integrity: nobody else can change it
  ◆ Availability: I can get at it whenever I want


Security on physical things

• Use physical security rather than computer security
  ◆ Access to valuables was more difficult to obtain
    – Had to be physically present in many cases!
    – Moving the valuable could be difficult
  ◆ Alteration was easier to notice
    – Physical marks were left if you tried to change something
  ◆ Physical goods had one copy
    – If you have the copy, I don’t
    – No notion of multiple parties sharing the item
• Physical security could be
  ◆ Expensive: need to hire guards
  ◆ Difficult & dangerous: people got injured or killed


Security on information: the old way

• Information isn’t like a physical object
  ◆ Copies can be made inexpensively
    – A copy doesn’t prevent the original from being used
  ◆ Easy to transport
  ◆ Less need for physical presence
  ◆ Value can be very high for small data
• Before computers, some things were still easy
  ◆ Integrity easier to check: look for signs of alteration
  ◆ Confidentiality: keep it in a locked bank vault (and hope there are no bank robbers)
  ◆ Availability: only when the bank is open


Security in computing

• More difficult because of the nature of computers
• Confidentiality
  ◆ Easier to break into a networked computer without physical presence
  ◆ Easy to spread information around the world in minutes
• Integrity
  ◆ No signs that information has been altered
  ◆ Can’t easily check to see if someone might have had access to the information to alter it
• Availability
  ◆ All the old ways of denying access still work
    – Physical attacks
    – Destroying the information
  ◆ New ways exist
    – Keep the computer too busy to respond
    – Prevent authorized users from seeing the information


Addressing security issues

• What are the risks?
  ◆ How likely is each one?
  ◆ How expensive would it be if the risk came to pass?
• What are the available countermeasures?
  ◆ How expensive are they to implement?
  ◆ How inconvenient are they?
• What are the vulnerabilities?
  ◆ Simple design flaws more than basic problems
• How can they be addressed?
  ◆ Bug fixes
  ◆ Workarounds


Computer intrusions

• This is (usually) a crime!
• Typically done for one of two reasons
  ◆ Commercial gain
  ◆ Fun
• Commercial gain
  ◆ Go after the most valuable item: often information
  ◆ Information can be
    – Destroyed: loss of use to the owner
    – Copied: used by a competitor for commercial advantage
• Fun
  ◆ “Because it’s there”
  ◆ “Because I disagree with their policies”
• In both cases, intrusions follow the path of least resistance
  ◆ Strong security in one area doesn’t cover for weak security elsewhere
  ◆ Relative security of different mechanisms can change over time


Attacks: terminology

• Attacks can be made on any of
  ◆ Hardware
  ◆ Software
  ◆ Data (information)
• Terms
  ◆ Threat: circumstances that may lead to loss or harm
  ◆ Vulnerability: weakness in the security system
  ◆ Control: something that reduces or removes a vulnerability
• Types of attacks
  ◆ Interception: unauthorized party gets access to an asset
  ◆ Interruption: asset becomes unusable (lost or destroyed)
  ◆ Modification: existing asset is changed
  ◆ Fabrication: fake asset is planted in the system


Goals of computer security

• Ensure that the system maintains
  ◆ Confidentiality
  ◆ Integrity
    – May have many different (conflicting) meanings
    – Must specify what it means in this case
  ◆ Availability
    – Responds at all?
    – Responds in a timely fashion?
    – Can be used as it was intended?
    – Has sufficient capacity?
    – Others…
• Maintaining these properties can be difficult!


Vulnerabilities

Table of vulnerabilities by asset, across the attack types Interruption, Interception, Modification, Fabrication (entries listed in that order):

• Hardware
  ◆ Theft, Denial of service, Physical attack
  ◆ Planting fake computers
• Software
  ◆ Deletion
  ◆ Unauthorized copying
  ◆ Logic bomb, Trojan horse, Virus, Trapdoor, Information leak
  ◆ Fake (or modified) software
• Data
  ◆ Deletion
  ◆ Surveillance, Insider theft
  ◆ Modify databases, Change files, False records


Types of intruders

• Amateurs
  ◆ People who steal resources for their own uses
  ◆ Typically unsophisticated
• Crackers
  ◆ Access resources without permission
  ◆ Typically for fun, but may be other reasons
• Career criminals
  ◆ Well-planned attacks
  ◆ Usually for financial gain
• Military
  ◆ Done to disable opposing forces, typically
  ◆ Gain strategic advantage