CSE484/CSE584 Course Introduction, Dr. Benjamin Livshits (PowerPoint PPT presentation). Course page: https://courses.cs.washington.edu/courses/cse484/14au


  1. CSE484/CSE584 Course Introduction. Dr. Benjamin Livshits

  2. High-Level Course Logistics https://courses.cs.washington.edu/courses/cse484/14au

  3. Course Logistics  Office hours: Tuesday after class  Office hours: Monday and Friday

  4. Class Times  Lectures: Tu/Th 11:00-12:20, Savery 264  Sections: 1:30-2:20 and 2:30-3:20, Architecture Hall G070

  5. Prerequisites (CSE 484)
  Classes:
   Data Structures (CSE 326) or Data Abstractions (CSE 332)
   Hardware/Software Interface (CSE 351) or Machine Org and Assembly Language (CSE 378)
  Practical knowledge:
   Assume: Working knowledge of C and assembly
   One of the labs will involve writing buffer overflow attacks in C
   You must have an understanding of x86 architecture, stack layout, calling conventions, etc.
   Assume: Working knowledge of software engineering tools for Unix environments (gdb, etc.)
   Assume: Working knowledge of Java and JavaScript

  6. Prerequisites (CSE 484)  Strongly recommended: Computer Networks; Operating Systems  Will help provide deeper understanding of security mechanisms and where they fit in the big picture  Recommended: Complexity Theory; Discrete Math; Algorithms  Will help with the more theoretical aspects of this course  Finally, courses in Programming Languages and Compilers will help a lot, too  These topics will come up in homework, labs, etc.

  7. First-Day Survey

  8. Do NOT Be Scared  Likely, nobody here has satisfied every single prerequisite. This is not the point.  Most important thing of all: Eagerness to learn!  This is a 400-level course.  We expect you to push yourself to learn as much as possible.  We expect you to be a strong, independent learner capable of learning new concepts from the lectures, the readings, and on your own.

  9. Role of Research  This is a 400-level course  It is a goal to get you interested in research in computer science

  10. Your Grade  This class is interactive.  Also, summary videos  No exam, but this can be pretty substantial

  11. Participation Matters!  Harder in a large class, but worth it!  I would like to learn everyone’s name!  But 90 or so students may overflow my buffer, without some form of assistance  I’m toying with the idea of name cards or a seating chart -- and will make a decision about that now that I’ve seen the classroom layout.  Videos! More on that later.  Projects – you are encouraged to do more, especially because projects are done in groups

  12. Late Submission Policy  Late assignments will (generally) be dropped 20% per calendar day.  Late days will be rounded up  So an assignment turned in 26 hours late will be downgraded 40%  See website for exceptions -- some assignments must be turned in on time  Many assignments due on Friday  We will have office hours on Friday to meet the demand

  13. Course Reading: Textbook  The book is easy to read  Not nearly as dry as an average textbook  Has real-world illustrations and war stories  Has lots of details not covered in lecture  Proposes a different narrative focusing on the developer, which is good

  14. Why Go To Class?
  Attend lectures:
   Lectures will not follow the textbook
   Lectures will focus on “big-picture” principles and ideas
   Lectures will cover some material that is not in the textbook
   Lecture slides will be online
  Attend sections:
   Details that are not covered in lectures will be discussed in sections
   You will need this for homeworks and labs
   This is a way to get to know your classmates better
   Two sections, both on Thursday

  15. Reading Research Papers

  16. Summary Videos

  17.

  18. More Videos https://www.youtube.com/watch?v=HBwmX1ZITu4

  19. Guest Speakers  Another connection of the class material  This is a connection both to research and to industrial practice  Tentative list of participants from: Facebook, Microsoft, smaller penetration testing companies

  20. Other Helpful Books (online)  Ross Anderson, “Security Engineering” (1st edition)  Focuses on design principles for secure systems  Wide range of entertaining examples: banking, nuclear command and control, burglar alarms  You should all at least look at the Table of Contents for this book.  (2nd edition available for purchase)  Menezes, van Oorschot, and Vanstone, “Handbook of Applied Cryptography”  Many, many other useful books exist (not all online)

  21. Mailing Lists  The list is used for announcements  If you are enrolled in the class, you should be on the list  multi_cse484a_au14@uw.edu  We will send an email later on – expect to receive one  How to reach us?  cse484-tas@cs.washington.edu

  22. Labs
  General plan (tentative):
   3 labs (timeline TBD, most likely due on Fridays)
   First lab out approximately next Wednesday
   Submit to Catalyst system (URL on course page)
   Do by yourself, unless mentioned otherwise
   Details will be on the web page
   First lab: Software security  Buffer overflow attacks, double-free exploits, format string exploits, ...
   Second lab: Web security  XSS attacks, ...
   Third lab: TBD
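The first lab's bug class, as an added C example that is not part of the course materials: a fixed-size stack buffer filled with strcpy, next to a bounded version that refuses oversized input instead of writing past the buffer. The function names, the 16-byte buffer size and the constructed inputs are assumptions for illustration only; the point is to see what "understanding of stack layout" is needed for before the lab hands you a real target.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed buffer size, chosen for illustration */

/* Vulnerable: strcpy copies until it sees the NUL byte, so any input of
 * BUF_SIZE bytes or more runs off the end of buf and overwrites whatever
 * the compiler placed above it in the frame (saved registers, the saved
 * frame pointer, the return address). That overwrite is the lab's entry
 * point; nothing here checks the length. */
int vuln_check(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* no bounds check: the bug */
    return strcmp(buf, "secret") == 0;
}

/* Number of bytes an input would write past the end of a buffer of
 * bufsize bytes, counting the terminating NUL. 0 means it fits. */
size_t bytes_past_buffer(const char *input, size_t bufsize)
{
    size_t needed = strlen(input) + 1;
    return needed > bufsize ? needed - bufsize : 0;
}

/* Hardened: measure first and reject oversized input rather than silently
 * truncating it (truncation hides the problem; rejection surfaces it).
 * Returns 1 on match, 0 on mismatch, -1 when the input does not fit. */
int safe_check(const char *input)
{
    char buf[BUF_SIZE];
    if (bytes_past_buffer(input, sizeof buf) != 0)
        return -1;
    memcpy(buf, input, strlen(input) + 1);
    return strcmp(buf, "secret") == 0;
}

int main(void)
{
    /* Constructed inputs: a benign value and a 40-byte filler of the kind
     * an exploit starts from before the real payload is laid out. */
    const char *benign = "secret";
    const char payload[] =
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

    printf("safe_check(benign)  = %d\n", safe_check(benign));
    printf("safe_check(payload) = %d\n", safe_check(payload));
    printf("payload overflows a %d-byte buffer by %zu bytes\n",
           BUF_SIZE, bytes_past_buffer(payload, BUF_SIZE));
    /* vuln_check(payload) is deliberately not called: on a real build it
     * corrupts the stack, which is exactly what the lab asks you to study
     * under gdb rather than trigger blindly. */
    return 0;
}
```

Build it with optimisations and stack protection off (for example `gcc -O0 -fno-stack-protector`) if you want to watch `vuln_check` misbehave under gdb; with the default hardening on, a modern toolchain will usually abort on the overwritten canary instead, which is itself a useful thing to observe.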

  23. Homework  Currently, two are planned, but three or four are likely  They will require you to look at the reading more carefully  They will require you to investigate some new ideas not mentioned in class, without necessarily writing code

  24. Ethics  In this class you will learn about how to attack the security and privacy of (computer) systems.  Knowing how to attack systems is a critical step toward knowing how to protect systems.  But one must use this knowledge in an ethical manner.  In order to get a non-zero grade in this course, you must electronically sign the “Security and Privacy Code of Ethics” form https://catalyst.uw.edu/webq/survey/livshits/247877

  25. Ethics in Security Research

  26. Spamalytics Scandal

  27. “Spamalytics: An Empirical Analysis of Spam Marketing Conversion” (CCS 2008) • Infiltrated part of a botnet. • Set up a fake online pharmacy. • Redirected clicks for 469,906,992 spam messages. • Converted 569 recipients!

  28. Research Tactics Questioned After Publication
  Protocol:
   Run this on my inbox and see how well it works.
   Post ideas to a mailing list and get other people's experiences.
  Problems:
   I am experimenting on people who send me mail.
   Most email is not a public document.
   Senders did not give consent to be involved in my research.
   Under 45 CFR 46, I need IRB approval for this experiment.

  29. What’s the Moral?  1. Be careful with what you learn  2. Sign the ethics form  3. When in doubt, ask  4. See #2  5. See #3  6. See #1

  30. Break…

  31. Alice and Bob: Adventures Continue

  32. Alice and Bob

  33. Sita and Rama (not A & B)  The statement “Sita wants to send a message to Rama” is inspired by the episode in Sundara Kanda (lit. “beautiful book”) of the Ramayana, where Sita, who was kidnapped by Ravana, is isolated and kept confined to a forest. She is seated under an ashoka tree when the monkey-god Hanuman, sent by Rama, reaches her. Desperate, Sita wants to send a message to Rama through Hanuman (an honest man). We also have the usual man-in-the-middle, Ravana (a rogue), who is waiting to sabotage any communication between Sita and Rama. In addition to the aptly chosen names, this entire episode has some striking similarities to modern cryptography.

  34. Alice and Bob. They Just Won’t Quit.

  35. Technical Themes  Vulnerabilities of computer systems  Software problems (buffer overflows); crypto problems; network problems (DoS, worms); people problems (usability, phishing)  Defensive technologies  Protection of information in transit: cryptography, security protocols  Protection of networked applications: firewalls and intrusion detection  Least privilege, “Defense in depth”

  36. Key Themes of This Course  How to think about security  The Security Mindset - “new” way to think about systems  Threat models, security goals, assets, risks, adversaries  Connection between security, technology, politics, ethics, ...  Technical aspects of security  Attack techniques  Defenses

  37. Special Focus on Software Security  (In)security comes about as a result of bugs  Often – but not always – these are software bugs  We will focus on the software aspect of security  Often the term application security is used to describe some of this

  38. Software Security  “First things first — make sure you know how to code, and have been doing so for years. It is better to be a developer (and architect) and then learn about security than to be a security guy and try to learn to code”
