cis 5373 systems security
CIS-5373 Systems Security, Class 1, Bogdan Carbunar - PowerPoint PPT Presentation


  1. CIS-5373 Systems Security, Class 1. Bogdan Carbunar. CIS-5373: 6.January.2020

  2. Outline
     - Administrative Issues
     - Textbooks
     - Security Overview

  3. Administrative Issues
     - Staff: Bogdan Carbunar, associate professor
     - Communications
       - Class web page: http://www.cs.fiu.edu/~carbunar/teaching/cis5373/cis5373.S.2020/cis5373.htm
       - E-mail: carbunar@cs.fiu.edu or carbunar@gmail.com
     - Office Hours
       - Mondays, ECS 383, 4pm – 5pm
       - Prior appointment recommended

  4. Class Grading (subject to changes)
     - 1 final worth: 35%
       - Date of exam: TBD, but May 2020
     - Paper presentation: 35%
     - Homework: 30%
     - Extra credit: 5-10%
       - Exceptional class participation
       - Additional activities (e.g., programming project)

  5. Class Grading: Details (cont’d)
     - Student paper presentations: 35%
       - Papers will be posted on class web page
       - Let me know in time (FIFO assignment rule)

  6. Outline
     - Administrative Issues
     - Textbooks
     - Security Overview

  7. Textbooks
     - Security In Computing – 4th edition, Pfleeger and Pfleeger
     - Cryptography and Network Security, William Stallings
     - Applied Cryptography – 2nd edition, Bruce Schneier (available online)
     - Papers assigned for reading
       - See class webpage

  8. Textbooks (cont’d)
     - You don’t need to buy the books!
     - http://www.wikipedia.org/

  9. Outline
     - Administrative Issues
     - Textbooks
     - Security Overview

  10. Some Topics (Subject to Change)
     - Vulnerabilities
     - Malware
     - Access Control
     - Authentication & Key exchange
     - Network Security

  11. Outline
     - Administrative Issues
     - Class Overview
     - Security Overview

  12. Information Security
     - Protecting information and information systems from unauthorized access [Source: wikipedia]

  13. Computer Security
     - Branch of information security applied to computers
     - Objective: protection of information and property
       - From theft, corruption, or natural disaster
       - Allow the information and property to remain accessible and productive to its intended users
     [Source: wikipedia]

  14. Network Security
     - Provisions and policies adopted by a network administrator to prevent and monitor
       - Unauthorized access
       - Misuse
       - Modification
       - Denial of access to the network and its resources
     [Source: wikipedia]

  15. System Security
     - Goals: Protect
       - Confidentiality
       - Integrity
       - Availability
     [Figure: Confidentiality, Integrity and Availability shown as the three goals surrounding System Security]

  16. Confidentiality
     - Information about the system or its users cannot be learned by an attacker
     - Data Confidentiality:
       - Private or confidential information is not revealed to unauthorized individuals

  17. Integrity
     - The system continues to operate properly, only reaching states that would occur if there were no attacker
     - Data Integrity
       - Information and programs are changed only in a specified and authorized manner
     - System Integrity
       - System performs its intended function and nothing else

  18. Availability
     - Actions by an attacker do not prevent users from having access to use of the system
     - Enable access to data and resources
     - Timely response
     - Fair resource allocation

  19. More Required Concepts
     - Authenticity
       - Being able to be verified and trusted
       - Confidence in the validity of a message (originator)
     - Accountability
       - Actions of an entity can be traced to it
       - Tracing a security breach to a responsible party

  20. General Picture
     [Figure: Alice (honest user) and Malory (attacker) interacting with the System]
     - Security is about
       - Honest user (e.g., Alice, Bob, …)
       - Dishonest Attacker
     - How the Attacker
       - Disrupts honest user’s access to the system (Integrity, Availability)
       - Learns information intended for Alice only (Confidentiality)

  21. Examples
     - Confidentiality
       - Student grades
       - Available only to student, parents, employer
     - Integrity
       - Patient information, e.g., allergies
       - Can lead to loss of human life
     - Availability
       - Authentication service
       - Unavailability can lead to financial loss

  22. Program Security and Vulnerabilities (Class 2)

  23. What is Security?
     - System correctness
       - If user supplies expected input, system generates desired output
       - Good input -> Good output
       - More features: better
     - Security
       - If attacker supplies unexpected input, system does not fail in certain ways
       - Bad input -> Bad output
       - More features: can be worse

  24. Why Security Vulnerabilities?
     - Some contributing factors
       - Few courses in computer security
       - Programming text books do not emphasize security
       - Few security audits
       - C is an unsafe language
       - Programmers have many other things to worry about
       - Consumers do not care about security
       - Security is expensive and takes time

  25. In this lecture
     - Buffer Overflow
     - SQL Injection Attack
     - Incomplete Mediation
     - Time-of-Check to Time-of-Use Errors
     - Malicious Code

  26. Famous Buffer Overflow Attacks
     - Morris worm (1988): overflow in fingerd
       - 6,000 machines infected (10% of existing Internet)
     - CodeRed (2001): overflow in MS-IIS web server
       - Internet Information Services (IIS): web server application, the most used web server after Apache HTTP Server
       - 300,000 machines infected in 14 hours
     - SQL Slammer (2003): overflow in MS-SQL server
       - 75,000 machines infected in 10 minutes (!!)

  27. Famous Buffer Overflow Attacks
     - Sasser (2004): overflow in Windows LSASS
       - Local Security Authority Subsystem Service: a process in the Windows OS responsible for enforcing the security policy on the system; it verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens
       - Around 500,000 machines infected
     - Conficker (2008-09): overflow in Windows Server
       - Around 10 million machines infected (estimates vary)

  28. Memory Exploits
     - Buffer is a data storage area inside computer memory (stack or heap)
       - Intended to hold a pre-defined amount of data
     - If executable code is supplied as “data”, victim’s machine may be fooled into executing it
       - Code will give attacker control over machine

  29. Stack Buffers
     - Suppose the Web server contains this function:

           #include <string.h>

           void func(char *str) {
               char buf[126];      /* Allocate local buffer (126 bytes reserved on stack) */
               strcpy(buf, str);   /* Copy argument into local buffer */
           }

     - When this function is invoked, a new frame with local variables is pushed onto the stack
     [Figure: stack layout during func(); from the top of the stack: buf (local variables), sfp (pointer to previous frame), ret addr (execute code at this address after func() finishes), str (arguments), then the frame of the calling function; the stack grows toward buf]

  30. Stack Buffers (cont’d)
     - When func returns
       - The local variables are popped from the stack
       - The old value of the stack frame pointer (sfp) is recovered
       - The return address is retrieved
       - The stack frame is popped
       - Execution continues from the return address (calling function)
     [Figure: same stack layout as the previous slide: buf, sfp, ret addr, str, frame of the calling function]

  31. What If Buffer Is Overstuffed
     - Memory pointed to by str is copied onto the stack…

           void func(char *str) {
               char buf[126];
               strcpy(buf, str);   /* strcpy does NOT check whether the string at *str contains fewer than 126 characters */
           }

     - If a string longer than 126 bytes is copied into the buffer, it will overwrite adjacent stack locations
     [Figure: the overflow from buf runs over sfp and into ret addr; whatever lands there will be interpreted as the return address!]

  32. Attack 1: Smashing the Stack
     - Suppose the buffer contains an attacker-created string
       - For example, *str contains a string received from the network as input to some network service daemon
     - Attacker puts actual assembly instructions into his input string, e.g., the binary code of execve(“/bin/sh”)
     - In the overflow, a pointer back into the buffer appears in the location where the system expects to find the return address
     [Figure: str, the frame of the calling function, and the overwritten ret addr pointing back into the code placed in buf]
     - When the function exits, the code in the buffer will be executed, giving the attacker a shell
       - Root shell if the victim program is setuid root
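Added example (not from the slides): the same 126-byte stack buffer as the lecture's func(), with the unbounded strcpy replaced by a length-checked copy so that input of 126 bytes or more is rejected instead of overwriting sfp and the return address. The names func_safe, handle_request, run_of and boundary_ok are this example's own assumptions.

```c
/* Added example, not from the lecture slides: the 126-byte buffer of func(),
 * but with a bounded copy that refuses input that would spill over sfp and
 * the return address. func_safe/handle_request/run_of are this example's names. */
#include <string.h>

#define BUF_SIZE 126   /* same size as buf[126] in the lecture's func() */
/* Length of s, scanning at most max bytes, so an unterminated input
 * cannot make us read past the attacker-controlled data either. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Bounded replacement for strcpy(buf, str): returns 0 on success, -1 when
 * str plus its NUL terminator does not fit in dst_size bytes. */
int func_safe(char *dst, size_t dst_size, const char *str) {
    size_t n = bounded_len(str, dst_size);
    if (n >= dst_size)        /* n == dst_size leaves no room for the '\0' */
        return -1;            /* reject instead of overwriting the stack */
    memcpy(dst, str, n + 1);  /* n + 1 copies the terminator as well */
    return 0;
}

/* Mirrors the lecture's func(): a fixed stack buffer filled from untrusted
 * input. Returns the stored length, or -1 if the input was rejected. */
int handle_request(const char *str) {
    char buf[BUF_SIZE];
    if (func_safe(buf, sizeof buf, str) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Constructed input: a run of n 'A' bytes, NUL-terminated, in a 512-byte
 * scratch area (large enough for the longest run tried below). */
static char scratch[512];
static const char *run_of(size_t n) {
    memset(scratch, 'A', n);
    scratch[n] = '\0';
    return scratch;
}

/* Boundary check: 125 bytes fit (125 + NUL = 126), 126 do not, 300 do not. */
int boundary_ok(void) {
    return handle_request(run_of(125)) == 125
        && handle_request(run_of(126)) == -1
        && handle_request(run_of(300)) == -1;
}
```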
