CS 146a: Assignment 10, October 26 to November 10, 2009

For Class, Tuesday, October 27, 2009 (Security)

In time for the spooky Halloween we are starting a new topic in CS146a: security.

Today's lecture will cover Chapter 11, Section 1 (Introduction to secure systems) and some material in Section 8 (Cryptography as a building block for secure systems).


For the class discussion read Section 11 (War Stories: Security Systems Breaches), a collection of stories about security holes in supposedly-secure systems. Some of the security problems are due to stupidity, but many emerged even though the designers were smart and had the best intentions. Read them all through. You need the material in Section 1 to follow the analysis in the case studies.

Your reading assignment will focus on three case studies described in Sections 11.5.2 (Nonobvious Trust (TOCTTOU)), 11.4.3 (Slammer), and 11.11.12 (Injection). You do not have to use Prezi format to prepare your response and are free to use PowerPoint. The idea behind asking you to submit short presentations instead of regular written text is to be able to ask you in class to give a short report on your answer. Your report is due Tuesday 5pm (instead of the usual Monday 5pm).

For Discussion Class, Friday, October 30, 2009 (Authentication)

Authentication of requests amounts to answering the question of which principal is making the request. Almost any security policy requires an answer to this question. Today we study mechanisms for authentication. In preparation, read Chapter 11, Sections 2 and 3.

In addition, please read "Why cryptosystems fail" by Ross Anderson. You may wish to skim the abstract, introduction, and conclusion first, because they will help you to focus on the parts of the paper that support the author's main claims. As always, you should read critically and be on the lookout for additional gems, and for arguments that are missing or whose framing de-emphasizes certain points.

This paper is about a philosophy of cryptosystem design, with a focus on their use in financial institutions, and particularly in ATM (Automated Teller Machine, not Asynchronous Transfer Mode) networks. Although it may not be immediately obvious, this paper is closely related to other papers we have read, such as the "Therac-25 paper". Think about these connections as you read.

Over half of the paper is devoted to examples of ways in which ATM networks could fail or have failed. This part of the paper is very entertaining, but it can be difficult to keep the big picture in mind while reading about the individual exploits and problems. Pay attention to the section headings (which you may wish to skim before diving into the text) in order to keep your bearings. For each incident, before moving on, spend a few moments thinking about the lessons that it teaches, and how the problem could have been avoided.

Here are some specific issues to think about while you are reading.

Your reading report will answer the questions marked with a (*) above.

For Discussion Class, Tuesday, November 3, 2009 (Crypto)

We are covering material on cryptographic techniques that underlie security protocols. In preparation please read Section 5 of Chapter 11 in the on-line textbook.

Your assignment includes exercises 11.1 and 11.6 from the Security chapter.

For Discussion Class, Friday, November 6, 2009 (Authorization)

We are covering material on confidentiality and authorization. In preparation please read Sections 4 and 6 of Chapter 11 in the on-line textbook. We will study how to provide confidentiality of the content of messages that are sent over untrusted networks, and mechanisms to perform authorization (i.e., deciding which principals are allowed to perform the requested operation).

In addition, please read Ken Thompson's "Reflections on Trusting Trust", available online. Do not be deceived by the shortness of this paper -- it is very deep and requires a lot of thinking and understanding, but it is also fun, once you get the hang of it. Keep this in mind as you prepare an answer to the following question:

Given that there are currently many different C compilers, both commercial and open source, discuss whether or not you can ensure that a C program that you write is free of the Trojan horse described in the paper. In order to answer this question, you might want to think about what compiler(s) were used to compile the compiler(s) that you use, and any common ancestry (code reuse) that they might have. You should discuss how much confidence you have that your program is Trojan-free and whether or not this requires trust in any entities.

For Class, Tuesday, November 10, 2009

Quiz 2 is today. The material covers Security Chapter 11, Sections 1, 2, 3, 4, 5 and Section 11 from the textbook, and the papers. There is a short list of topics for study posted here for your perusal.

System aphorism of the week
Engineering is the art of modeling materials we do not wholly understand, into shapes we cannot precisely analyse so as to withstand forces we cannot properly assess, in such a way that the public has no reason to suspect the extent of our ignorance. (Dr. A. R. Dykes, British Institution of Structural Engineers, 1976)

CS 146a Handout 8, issued October 24, 2009