
CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 - PowerPoint PPT Presentation

  1. CSE 484 / CSE M 584: Computer Security and Privacy
     Spring 2017
     Franziska (Franzi) Roesner, franzi@cs.washington.edu
     Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Announcements / Answers
     • If you’re on the class mailing list, you should have received a test email.
     • Late days: everyone in the group uses them simultaneously
     • Example final projects: we will post some!
     • Prereqs…
     3/29/17 CSE 484 / CSE M 584 - Spring 2017 2

  3. Prerequisites (CSE 484)
     • Required: Data Structures (CSE 326) or Data Abstractions (CSE 332)
     • Required: Hardware/Software Interface (CSE 351) or Machine Org and Assembly Language (CSE 378)
     • Assume: Working knowledge of C and assembly
       – One of the labs will involve writing buffer overflow attacks in C
       – You must have detailed understanding of x86 architecture, stack layout, calling conventions, etc.
     • Assume: Working knowledge of software engineering tools for Unix environments (gdb, etc.)
     • Assume: Working knowledge of Java and JavaScript

  4. Prerequisites (CSE 484)
     • Strongly recommended: Computer Networks; Operating Systems
       – Will help provide deeper understanding of security mechanisms and where they fit in the big picture
     • Recommended: Complexity Theory; Discrete Math; Algorithms
       – Will help with the more theoretical aspects of this course.

  5. Last Time
     • Importance of the security mindset
       – Challenging design assumptions
       – Thinking like an attacker
     • There’s no such thing as perfect security
       – But, attackers have limited resources
       – Make them pay unacceptable costs to succeed!
     • Defining security per context: identify assets, adversaries, motivations, threats, vulnerabilities, risk, possible defenses

  6. SECURITY GOALS (“CIA”)

  7. Confidentiality (Privacy)
     • Confidentiality is concealment of information.
     [Diagram: network; example threats: eavesdropping, packet sniffing, illegal copying]

  8. Integrity
     • Integrity is prevention of unauthorized changes.
     [Diagram: network; example threats: intercept messages, tamper, release again]

  9. Authenticity
     • Authenticity is knowing who you’re talking to.
     [Diagram: network; example threat: unauthorized assumption of another’s identity]

  10. Availability
      • Availability is ability to use information or resources.
      [Diagram: network; example threats: overwhelm or crash servers, disrupt infrastructure]

  11. THREAT MODELING

  12. What Drives Attackers?
      • Money, theft, fun
      • Malice, revenge, wreak havoc
      • Curiosity, fun
      • Politics, terror

  13. Threat Modeling (Security Reviews)
      • Assets: What are we trying to protect? How valuable are those assets?
      • Adversaries: Who might try to attack, and why?
      • Vulnerabilities: How might the system be weak?
      • Threats: What actions might an adversary take to exploit vulnerabilities?
      • Risk: How important are assets? How likely is exploit?
      • Possible Defenses

  14. Example: Electronic Voting
      • Popular replacement to traditional paper ballots

  15. Pre-Election
      [Diagram labels: Poll worker, Ballot definition file]
      Pre-election: Poll workers load “ballot definition files” on voting machine.

  16. Active Voting
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Interactively vote]
      Active voting: Voters obtain single-use tokens from poll workers. Voters use tokens to activate machines and vote.

  17. Active Voting
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Interactively vote, Encrypted votes]
      Active voting: Votes encrypted and stored. Voter token canceled.

  18. Post-Election
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Interactively vote, Encrypted votes, Stored votes, Recorded votes, Tabulator; image credit: si.edu]
      Post-election: Recorded votes transported to tabulation center.

  19. Security and E-Voting (Simplified)
      • Functionality goals:
        – Easy to use, reduce mistakes/confusion
      • Security goals:
        – Adversary should not be able to tamper with the election outcome
          • By changing votes (integrity)
          • By voting on behalf of someone (authenticity)
          • By denying voters the right to vote (availability)
        – Adversary should not be able to figure out how voters vote (confidentiality)

  20. Can You Spot Any Potential Issues?
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Interactively vote, Encrypted votes, Recorded votes, Tabulator; image credit: si.edu]

  21. Potential Adversaries
      • Voters
      • Election officials
      • Employees of voting machine manufacturer
        – Software/hardware engineers
        – Maintenance people
      • Other engineers
        – Makers of hardware
        – Makers of underlying software or add-on components
        – Makers of compiler
      • ...
      • Or any combination of the above

  22. What Software is Running?
      Problem: An adversary (e.g., a poll worker, software developer, or company representative) able to control the software or the underlying hardware could do whatever he or she wanted.

  23. [image-only slide]

  24. Problem: Ballot definition files are not authenticated.
      Example attack: A malicious poll worker could modify ballot definition files so that votes cast for “Mickey Mouse” are recorded for “Donald Duck.”
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Bad file, Interactively vote, Encrypted votes, Recorded votes, Tabulator]
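The defense the slide points at is to authenticate the ballot definition file before the terminal loads it. The following Python example is added here and is not part of the lecture or any real voting system: it tags the file with HMAC-SHA256 under a hypothetical per-election key (ELECTION_KEY), has the terminal fail closed when the tag does not verify, and models the slide's candidate-swap attack to show it is rejected. The ballot contents and key provisioning are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json
import secrets

# Constructed sample ballot definition: which on-screen slot records a vote for
# which candidate. Candidate names follow the slide's example.
SAMPLE_BALLOT = {
    "election": "Spring 2017 demo",  # constructed value
    "contest": "Mayor",
    "slots": {"1": "Mickey Mouse", "2": "Donald Duck"},
}

# Hypothetical per-election authentication key, provisioned into each terminal
# by the election authority out of band (never carried on the poll worker's media).
ELECTION_KEY = secrets.token_bytes(32)


def canonical_bytes(ballot_definition: dict) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so the tag is
    stable regardless of how the dict was built or later re-serialized."""
    return json.dumps(ballot_definition, sort_keys=True, separators=(",", ":")).encode()


def authenticate_ballot_definition(ballot_definition: dict, key: bytes) -> dict:
    """Election-authority side: attach an HMAC-SHA256 tag over the canonical bytes."""
    tag = hmac.new(key, canonical_bytes(ballot_definition), hashlib.sha256).hexdigest()
    return {"definition": ballot_definition, "tag": tag}


def is_authentic(signed_file: dict, key: bytes) -> bool:
    """Terminal side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical_bytes(signed_file["definition"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed_file["tag"])


def load_ballot_definition(signed_file: dict, key: bytes) -> dict:
    """Terminal side: refuse to load a file that does not verify (fail closed)."""
    if not is_authentic(signed_file, key):
        raise ValueError("ballot definition file failed authentication; refusing to load")
    return signed_file["definition"]


def swap_candidates(signed_file: dict) -> dict:
    """Model the slide's example: the candidate-to-slot mapping is swapped in the
    file while the original tag is left in place (the tamperer does not hold the key)."""
    tampered = copy.deepcopy(signed_file)
    slots = tampered["definition"]["slots"]
    slots["1"], slots["2"] = slots["2"], slots["1"]
    return tampered


def ballot_file_demo() -> dict:
    """Run the three cases a terminal must get right."""
    signed = authenticate_ballot_definition(SAMPLE_BALLOT, ELECTION_KEY)
    tampered = swap_candidates(signed)
    return {
        "genuine_loads": load_ballot_definition(signed, ELECTION_KEY) == SAMPLE_BALLOT,
        "tampered_rejected": not is_authentic(tampered, ELECTION_KEY),
        "wrong_key_rejected": not is_authentic(signed, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    print(ballot_file_demo())
```

One caveat worth keeping in mind when mapping this onto the slide's adversary list: an HMAC can be forged by anyone who holds the key, so if the poll worker's equipment also held ELECTION_KEY the check would not stop a malicious poll worker. A digital signature, with only the verification key on the terminal, removes that trust assumption; the HMAC version is used here because it needs nothing beyond the standard library.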

  25. Problem: Smartcards can perform cryptographic operations. But there is no authentication from voter token to terminal.
      Example attack: A regular voter could make his or her own voter token and vote multiple times.
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Interactively vote, Encrypted votes, Recorded votes, Tabulator]
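Since the slide notes that the smartcard can already do cryptography, the missing piece is a challenge-response step in which the terminal verifies the token and enforces single use. The Python example below is added here and is not the lecture's or any vendor's design: it assumes a hypothetical per-precinct key (PRECINCT_KEY) shared by the token issuer and the terminal, derives a per-token secret from it, and shows that a genuine card activates exactly once while a home-made card and a replayed response are both refused.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-precinct key known to the token issuer (poll worker station)
# and the voting terminal; individual tokens never hold it.
PRECINCT_KEY = secrets.token_bytes(32)


def derive_token_secret(precinct_key: bytes, token_id: bytes) -> bytes:
    """Each token gets its own secret derived from its id, so copying an id
    without the precinct key yields nothing the terminal will accept."""
    return hmac.new(precinct_key, b"token-secret|" + token_id, hashlib.sha256).digest()


class VoterToken:
    """Smartcard side: holds an id and its derived secret, answers challenges."""

    def __init__(self, token_id: bytes, secret: bytes):
        self.token_id = token_id
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, b"challenge|" + challenge, hashlib.sha256).digest()


def issue_token(precinct_key: bytes, token_id: bytes) -> VoterToken:
    """Poll-worker side: personalize one card for one voter."""
    return VoterToken(token_id, derive_token_secret(precinct_key, token_id))


class Terminal:
    """Voting-machine side: challenge, verify, then mark the token spent."""

    def __init__(self, precinct_key: bytes):
        self.precinct_key = precinct_key
        self.spent = set()      # token ids that have already opened a session
        self.outstanding = {}   # token id -> challenge awaiting a response

    def issue_challenge(self, token_id: bytes) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh per attempt, so old responses are useless
        self.outstanding[token_id] = challenge
        return challenge

    def activate(self, token_id: bytes, response: bytes) -> bool:
        challenge = self.outstanding.pop(token_id, None)
        if challenge is None or token_id in self.spent:
            return False
        expected = hmac.new(derive_token_secret(self.precinct_key, token_id),
                            b"challenge|" + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.spent.add(token_id)  # single use: the same token cannot open a second session
        return True


def token_demo() -> dict:
    """Exercise the four cases: genuine once, genuine twice, home-made, replay."""
    terminal = Terminal(PRECINCT_KEY)
    genuine = issue_token(PRECINCT_KEY, b"token-0001")

    first = terminal.activate(genuine.token_id,
                              genuine.respond(terminal.issue_challenge(genuine.token_id)))
    # Same genuine card presented again: fresh challenge, correct response, but already spent.
    second = terminal.activate(genuine.token_id,
                               genuine.respond(terminal.issue_challenge(genuine.token_id)))

    # A home-made card: knows the protocol and picks an unused id, but not the precinct key.
    homemade = VoterToken(b"token-9999", secrets.token_bytes(32))
    forged = terminal.activate(homemade.token_id,
                               homemade.respond(terminal.issue_challenge(homemade.token_id)))

    # A response captured for one challenge and submitted after a new challenge was issued.
    card = issue_token(PRECINCT_KEY, b"token-0002")
    old_response = card.respond(terminal.issue_challenge(card.token_id))
    terminal.issue_challenge(card.token_id)  # new challenge supersedes the old one
    replayed = terminal.activate(card.token_id, old_response)

    return {"genuine_first_use": first, "genuine_second_use": second,
            "homemade_token": forged, "replayed_response": replayed}


if __name__ == "__main__":
    print(token_demo())
```

The spent set is what turns "authenticated" into "single use"; in a real terminal it would have to survive a reboot, since otherwise cancelling a token (slide 17) is only as durable as the machine's uptime.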

  26. Problem: Encryption key (“F2654hD4”) hard-coded into the software since (at least) 1998. Votes stored in the order cast.
      Example attack: A poll worker could determine how voters vote.
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Interactively vote, Encrypted votes, Recorded votes, Tabulator]
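Both halves of this slide have direct mitigations: derive a fresh storage key per election instead of baking one into the binary, and store records in an order that carries no information about when each vote was cast. The Python below is an added illustration, not code from the lecture or any voting system; MASTER_SECRET, the election identifiers, the voters and the ciphertext placeholders are all constructed. The links_recoverable check is the defender's way of measuring what an insider with the sign-in log could learn from the storage order.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Hypothetical master secret held only by the election authority; a terminal
# receives just the per-election key derived from it.
MASTER_SECRET = secrets.token_bytes(32)


def derive_election_key(master_secret: bytes, election_id: str) -> bytes:
    """One key per election, derived with HMAC-SHA256 from the master secret and
    a public election identifier, instead of one constant shared by every
    machine and every election."""
    return hmac.new(master_secret, b"vote-storage-key|" + election_id.encode(),
                    hashlib.sha256).digest()


class AppendOnlyStore:
    """The design the slide criticizes: records land in the order they were cast."""

    def __init__(self):
        self._records = []

    def record(self, encrypted_vote: bytes) -> None:
        self._records.append(encrypted_vote)

    def records(self) -> list:
        return list(self._records)


class ShuffledStore:
    """Each record is inserted at a uniformly random position among those already
    stored. Done online, that produces a uniformly random permutation of the
    cast order, so the file's order says nothing about sequence."""

    def __init__(self, rng=None):
        self._records = []
        self._rng = rng if rng is not None else secrets.SystemRandom()

    def record(self, encrypted_vote: bytes) -> None:
        position = self._rng.randint(0, len(self._records))
        self._records.insert(position, encrypted_vote)

    def records(self) -> list:
        return list(self._records)


def links_recoverable(poll_book: list, stored: list, truth: dict) -> int:
    """Risk check: pair the sign-in log (voters in arrival order) with the stored
    records in file order and count how many voters are correctly linked."""
    return sum(1 for voter, rec in zip(poll_book, stored) if truth[voter] == rec)


def storage_demo() -> dict:
    # Constructed sample: six voters in sign-in order, with opaque ciphertext
    # placeholders standing in for their encrypted votes.
    poll_book = ["voter-A", "voter-B", "voter-C", "voter-D", "voter-E", "voter-F"]
    truth = {v: f"ct-{v}".encode() for v in poll_book}

    sequential, shuffled = AppendOnlyStore(), ShuffledStore()
    for v in poll_book:
        sequential.record(truth[v])
        shuffled.record(truth[v])

    return {
        # Every voter is linked to their record when storage order == cast order.
        "sequential_links": links_recoverable(poll_book, sequential.records(), truth),
        # Shuffling changes order only; the multiset of records is intact for tallying.
        "shuffled_keeps_all_records": Counter(shuffled.records()) == Counter(truth.values()),
        "keys_differ_per_election": derive_election_key(MASTER_SECRET, "2016-general")
                                    != derive_election_key(MASTER_SECRET, "2017-primary"),
    }


if __name__ == "__main__":
    print(storage_demo())
```

Randomizing storage order removes the timing side channel but not others: record size, timestamps in a separate log, or a counter in the ciphertext format would reintroduce the link, so the check above should be repeated against whatever metadata the real store keeps.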

  27. Problem: When votes are transmitted to the tabulator over the Internet or a dialup connection, they are decrypted first; the cleartext results are sent to the tabulator.
      Example attack: A sophisticated outsider could determine how voters vote.
      [Diagram labels: Poll worker, Voter, Voter token, Ballot definition file, Interactively vote, Encrypted votes, Recorded votes, Tabulator]

  28. TOWARDS DEFENSES

  29. Approaches to Security
      • Prevention
        – Stop an attack
      • Detection
        – Detect an ongoing or past attack
      • Response
        – Respond to attacks
      • The threat of a response may be enough to deter some attackers

  30. Whole System is Critical
      • Securing a system involves a whole-system view
        – Cryptography
        – Implementation
        – People
        – Physical security
        – Everything in between
      • This is because “security is only as strong as the weakest link,” and security can fail in many places
        – No reason to attack the strongest part of a system if you can walk right around it.


  33. Attacker’s Asymmetric Advantage

  34. Attacker’s Asymmetric Advantage
      • Attacker only needs to win in one place
      • Defender’s response: Defense in depth
