CS 598 - Computer Security in the Physical World: Introduction Professor Adam Bates Fall 2016 Security & Privacy Research at Illinois (SPRAI)
Adam Bates Research Interests: ➢ Trustworthy Provenance-Aware Systems (CCS’16, SecDev’16, Security’15, TAPP’15, SENT’14, CODASPY’13) ➢ Communications Security (NDSS’12, Security’15, JCS’14) ➢ Embedded Device Security (ACSAC’15, NDSS’14) ➢ Mobile Phone Security & Privacy (Security’15) ➢ SSL/HTTPS Trust Enhancements (CCS’14, IMC’14) ➢ Cloud Computing Security (IJIS’14, CCSW’13) Career Highlights: 1. Research covered by Wall Street Journal, PC World, Mobile World Live. 2. 17 Peer-Reviewed publications (8 Conference Majors) 3. Organizing Committee, IEEE SP ’16, ’17; Program Committee, ACSAC (2015); Session Chair, ACM CCS (2015); Program Committee, MCS (2015) [Slide figures: a provenance-aware system diagram (Information Flow Plane and Provenance Plane, labelled with SELinux types such as sshd_t, syslog_t, sysadm_t) and a USB mediator diagram (User Expectations vs. Device Claims: MNF, Product, Features/Interfaces; Policy; Mediator)]
Course Goals • Exposure to how computer security concepts interact with and inform the ‘real’ world • Look at impactful applications of security in the literature • Explore interesting topics related to systems security through +
Class Logistics • Tuesday & Thursday 3:30 - 4:45 • 1302 Siebel Center • Website: http://adambates.org/courses/cs598-fa16/ • 14 weeks, each exploring a different topic • Most sessions will be student-driven; I’m merely here to facilitate • Emails go to batesa@illinois.edu • Start email subject with [CS598] please!
Grading • Paper Summaries (20%) • Paper Presentations (30%) • Class Participation (10%) • Project (40%)
Paper Reviews • Each student must email brief reviews for assigned papers. • One paragraph summary of paper content, followed by 2-3 criticisms, praises, or confusing points. What makes this approach different/novel? • Expect approx. 0.5 pages, limit to 1 page. • Structure similar to the first half of a peer review • Due by 11:59 PM the night before class • Do this for the 2 papers assigned for the next lecture.
Paper Presentations • Two discussion leaders/presenters per session • Responsibilities of the Presenter: ‣ Create a 15-20 minute presentation on the topic to be discussed ‣ Discuss the assigned paper as a jumping-off point for the general discussion (20-25 minutes) ‣ Share slides with me at least one day before class (email OK, or stop by office hours). • Each student will be a presenter for 2-3 papers
How to fail at class • Do a crummy job with your presentation, or skip it altogether • Do a crummy job with reviews, or skip them altogether • Show a total lack of comprehension indicative of not having read the papers before class • Have three or more unexplained absences (Reasonable absences: attending a conference, job interview, etc.).
Course Projects • The course project requires that students execute some original research in security • Demonstrate applied knowledge • Don’t try to learn some new non-security field • Be realistic about what is possible in one quarter. • However, the work should reflect real thought and effort. • The grade will be based on: novelty, depth, correctness, clarity of presentation, and effort. • 1-3 students per group; single person suggested if you want to work in security.
Deliverables • The chief product of the project will be a 10-15 page conference-style paper. There will be several milestones: • Project Choice (9/06/16) • Abstract, Background and Related Work (10/04/16) • Experiment Proposal (10/18/16) • Project Status Slides (11/08/16) • Project Presentation (12/08/16) • Final Project Write-up (TBD during finals week) • This is a very important factor in your grade!
Project Choice • Due on September 6, 5:00 PM • Ordered list of projects • Choose 3 projects in order of interest • Choose up to 2 collaborators (optional) • Bigger expectations for bigger groups • I will (hopefully) resolve all constraints and approve/choose your project and group
Picking a topic • Skim the course schedule for ideas • I will work with you to acquire research equipment • Be realistic — I’m not buying a car. • I *can* potentially connect you to IoT, CPS, Medical, and Mobile devices. • Realistically, we can make any topic from OS security or NetSec (feat. Layer 2 or below) fit. • Picking a topic is very important, and should almost certainly involve an area you already know well.
Tentative Topic List • Locks, Keys • Internet of Things • Financial Security • Medical Devices • USB Security • Voting Systems • Mobile Security • Telephony • Data Provenance • Network Infrastructure • Smart Grid • Wiretapping • Cyber Physical • Automotive
Ethics Statement This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measures for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class. When in doubt, please contact the instructor for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from Professor Bates.
Next Class • USB Security — 2 conference papers • Reviews due by the end of the day tomorrow • Assignments and paper links available at http://adambates.org/courses/cs598-fa16 (Note: This is easily reachable from adambates.org)
Reading Papers • Why do we read papers? • How do you read papers? • What should you get out of a paper? • Did you read the paper for today?
Understanding Papers • What is the central idea expressed in this paper? • Where do you find this information? • What is the context of this paper? • Related work: provides pertinent details and justifies the paper • What is the methodology? • Proofs, experiments, simulation, rhetoric • What are the claimed results? • A new scientific discovery; if it is not novel it is not research • What do you need to remember about this work?
Thompson Paper • What is the contribution? • Related Work? • Methodology? • Results? • Takeaway?
Sample Summary • Contribution: Ken Thompson shows in this paper how hard it is to trust the security of software. He describes an approach whereby he can embed a Trojan horse in a compiler that can insert malicious code on a trigger (e.g., recognizing a login program). • Related Work: This approach is an example of a Trojan horse program. A Trojan horse is a program that serves a legitimate purpose on the surface, but includes malicious code that will be executed with it (e.g., Sony/BMG rootkit). • Methodology: The approach works by generating a malicious binary that is used to compile compilers. Since the compiler source code looks OK and the malice is only in the binary compiler, it is difficult to detect. • Results: The resulting system identifies construction of login programs and miscompiles the command to accept a particular password known to the attacker. • Take Away: Thompson states the “obvious” moral that “you cannot trust code that you did not totally create yourself.” We all depend on code, but constructing a basis for trusting it is very hard, even today.
How to Read a Paper • Prepare your environment • Decide what to read • Read in generalities (10-20 minutes) • Skim intro, headings, figures, definitions, conclusions, related work, references. • Read in depth (1-4+ hours) • Consider methodology, challenge arguments, examine assumptions/methods, become invested in the work! • Make notes, mark up a copy, summarize the paper