Introductions CSci 8271 Security and Privacy in Computing Day 1: Introduction and Logistics Stephen McCamant University of Minnesota Outline What is computer security? Big-Picture Introduction Keep “bad things” from happening Course Logistics Distinguished by presence of an adversary Topics Overview Two sides of security Classic security goals Defenders / white-hats / good guys[sic] Confidentiality Attackers / black-hats / bad guys[sic] Integrity Each side’s strategy depends on the Authenticity other Availability In some ways like a game
What about “privacy”? Tool: cryptography One perspective: privacy ✚ security Math techniques for making things Roughly a synonym for confidentiality purposely hard to figure out But, very different emphasis More than just encryption and “Security” often means interests of decryption institutions, administrators We take a research but results rather “Privacy” is an interest of individuals often against institutions than proof-focused perspective Tool: program analysis Applications Programs whose job is to operate on Security problems occur all over other programs computer science For bug finding, hardening, etc. Broad division: systems and networks De-emphasized a bit this year, because For 8271, mixture of standard and of a concurrent 8980 uncommon Outline Instructor information Stephen McCamant Big-Picture Introduction Office: 4-225E Keller Course Logistics Office hours: Monday 10-11am (may change), or by appointment Topics Overview Email: ♠❝❝❛♠❛♥t❅❝s✳✉♠♥✳❡❞✉
Evaluation components Readings Linked from the course web page 15% Reading questions Usually one main paper per class 10% Class attendance and participation Most either public or UMN-licensed 15% In-class paper presentation(s) Take notes while reading 10% Hands-on demo assignment Bring a copy (to refer to) to class 50% Research project Also: optional and background Reading questions General questions What interesting new thing did you learn? Goal: make sure you read and What question is raised but not understand the papers answered? Answer one: a general question Do you disagree with a claim? selected from list on next slide Is something important left out or Ask one: suggest a question for ambiguous? in-class discussion In hindsight, what would you do differently? Submission logistics In-class presentation Three per student, scheduled in Email or Moodle? advance Due the day before Can also promote an optional or 9pm? midnight? 3am? chosen-by-you relevant paper Late: 50% credit; after 9:45am: 0 Prepare 25 minutes of slides, but expect questions
Class participation Hands-on demo assignment Experience actually using an existing The goal of a seminar is discussion, not research tool lecture Done individually I expect everyone to contribute Find existing software, and get it to do Aim is not to show off knowledge something interesting An interesting question ❃ a Preparation in advance, short writeup, straightforward answer brief in-class demo Research project Project topics Idea: microcosm of research Computer security, including privacy experience Can use one of our papers as a Formulate a question, answer it, starting point convince others of your results But, must make your own novel Given enrollment, done individually contribution Project goals Project results Innovative Scholarly Report: about 10 pages, in the format of Put in context of related work a conference paper Appropriately evaluated In-class presentation: 20+5 minutes Able to convince a skeptic Well presented
Collaboration and cheating Course web site Principle: learn from each other, but Department web site under ❝s❝✐✽✷✼✶ don’t substitute another’s Also linked from my home page understanding for your own ⑦♠❝❝❛♠❛♥t Moodle page coming soon Cardinal sin: taking ideas without acknowledgment Outline Security of clouds and outsourcing Big-Picture Introduction How can I pay someone else to do my computing for me, and still have it be Course Logistics secure? Systems-based and cryptographic Topics Overview approaches Blockchains and anonymous payment Smartphone and app security What are Bitcoin-like systems good for? Android and iOS get avoid some desktop problems by design, but also introduce new Can your transactions be private if the dangers. ledger is public?
Anonymous overlays / Tor Web application security The web has a complicated distributed trust How can we communicate anonymously on model, and processing is all based on string the Internet, when every packet has your IP parsing. What could go wrong? address on it? Measuring privacy loss (Anti-)censorship techniques Can we communicate even when/how an Using math to define how computations ISP or government doesn’t want us to? reveal information or allow inferences. Architectural side channels Naming and PKI Instruction-level timing and other low-level Systems like DNS and HTTPS certificates CPU details can reveal information are central, but depend on a lot of unintentionally. centralized trust.
Embedded applications Physical side channels Domains with real-world implications, where Information leakage or unexpected attacks hardware matters, like medical devices and made possible by the physical world. cars. Subverted infrastructure Security of machine learning Could our CPUs, compilers, etc., have hidden The power of machine learning is leading it back doors? Is there anything we could do to be widely adopted, but it also makes new about it? kinds of attack possible. Applied cryptanalysis Malice in the network Malware, botnets, and spam form economic In practice, the security of cryptographic and software ecosystems built on “efficient” systems can be broken by both fraud. How do they work and is there mathematical and implementation problems. anything we can do to stop them?
Passwords Passwords are an authentication mode that users and researchers both love to hate, but they don’t seem to be going away. Maybe we can make them less bad.
Recommend
More recommend
