Halloween is over but we are onto a spooky new topic in CS146a: security.
Today's lecture will cover Chapter 11, Section 1 (Introduction to secure systems) and some material in Section 8 (Cryptography as a building block for secure systems).
For the class discussion read Section 11 (War Stories: Security Systems Breaches),
a collection of stories about security holes in suposedly-secure systems.
Some of the security problems are due to stupidity, but many emerged even though the designers were smart and had the best intentions.
Read them all through. You need the material in Section 1 to follow the analysis in the case studies.
Your reading assignment will focus on three case studies described in Section 11.5.2 (Nonobvious Trust (TOCTTOU)),
and 11.4.3 (Slammer), and 11.11.12 (Injection). You do not have to use prezi format to prepare your response and are free to use powerpoint.
The idea behind asking you to submit short presentations instead of regular written text is to be able to ask you in class to give a short report on your answer.
- As a warmup, for the TOCTTOU problem, please explain how a tool we have learned about earlier in the semester, could have helped to avoid the problem and how.
- As a warmup for the Slammer worm problem, please read the wikipedia article about the buffer overrun vulnerability and stack smashing attack, and explain whether the Slammer attack be possible if all the network listener programs (including the one you wrote for Project 2) would be implemented using Java language instead of C?
- Cut to the security principles: both TOCTTOU and Slammer case studies include an analysis suggesting a security lesson. Please explain for each case study how the secure system design principles (from Section 1), identified by the analysis as being violated, could have averted the security problem.
- Understanding security can have unexpected benefits. For example, your uncle Ben may ask you over Thanksgiving gathering what is funny about this cartoon? Based on the analysis in the Injection study, please give an explanation. Make sure everyone at the Thanksgiving table can follow it!
Authentication of requests amounts to answering the question which principal is making the request. Almost any security policy requires an answer this question. Today we study mechanisms for authentication. In preparation, read Chapter 11 Sections 2 and 3.
In addition, please read"Why cryptosystems fail" by Ross Anderson. You may wish to skim the abstract, introduction, and conclusion first, because they will help you to focus on the parts of the paper that support the author's main claims. As always, you should read critically and be on the lookout for additional gems, and for arguments that are missing or whose framing de-emphasizes certain points.
This paper is about a philosophy of cryptosystem design, with a focus on their use in financial institutions, and particularly in ATM (Automated Teller Machine, not Asynchronus Transfer Mode) networks. Although it may not be immediately obvious, this paper is closely related to other papers we have read, such as the "Therac-25 paper". Think about these connections as you read.
Over half of the paper is devoted to examples of ways in which ATM networks could fail or have failed. This part of the paper is very entertaining, but it can be difficult to keep the big picture in mind while reading about the individual exploits and problems. Pay attention to the section headings (which you may wish to skim before diving into the text) in order to keep your bearings. For each incident, before moving on, spend a few moments thinking about the lessons that it teaches, and how the problem could have been avoided.
Here are some specific issues to think about while you are reading.
Your reading report will answer the questions marked with a (*) above.
We are covering material on Cryptographic techniques that underly security protocols. In preparation please read section 5 Chapter 11 in the on-line textbook.
Your assignment includes exercise 11.1 and 11.6 from the Security chapter.
Read the paper Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event. This paper describes how the authors analyzed the propagation tree of the Witty Worm and identified the host that started the attack. Read the abstract, and Sections 1, 2, 3, and 4.
Computer worms are self-propagating programs. A worm can be either benign or malicious. A malicious worm may try to destroy some files on the infected machine or use the machine to mount a denial of service attack on some Internet service, whereas a benign one uses the machine only to spread itself to other machines.
To infect a host, a worm exploits a security bug in the software running on that host. Once the worm infects a host, it uses that host to contact new destinations and propagate to new victims, thus creating a propagation tree. As a result worms propagate exponentially fast. One important characteristic of a worm is the method used for picking new destinations. The most common way is to randomly pick IP addresses and contact them to see whether they suffer from the same security bug exploited by the worm. If they are, then they become infected and they start propagating the worm to even more machines. Some worms do not pick destinations randomly; they rather have a hit list of IP addresses that suffer from the exploited bug. These worms can propagate faster because they focus on the vulnerable victims.
The paper uses a network telescope to passively collect information about the Witty worm. A network telescope is an unused chunk of the IP address space. A big telescope may be monitoring a /8 address prefix, while a small one may monitor a /24 prefix. Since IP addresses in the monitored space are not assigned to any Internet hosts, they theoretically should not receive any traffic. But because worms and other Internet attacks tend to send traffic to random IPs, in practice, an unused IP prefix receives a lot of attack traffic. The authors of the paper collected the Witty packets received at all IP addresses in the monitored space and analyzed it to understand how Witty propagated.
For your reading assignment please answer the following questions:
<\BLOCKQUOTE>
- How does Witty pick the IP address of the next destination?
- How did the authors identify patient zero (i.e., the machine that started the worm)
- How could one change Witty to prevent the detection of patient zero?
- Which factors affect how fast a worm propagates?
For Discusion Class, Monday, December 5, 2011 (Authorization)
We are covering material on Confidentiality and Authorization. In preparation please read sections 4 and 6 in Chapter 11 in the on-line textbook. We will study how to provide confidentiality of the content of messages that are sent over untrusted networks and mechanisms to perform authorization (i.e., deciding which principles are allowed to perform the requested operation).
In addition, please read Ken Thompson's "Reflections on Trusting Trust" available online. Do not be deceived by the shortness of this paper -- it is very deep and requires a lot of thinking and understanding, but it is also fun, once you get the hang of it. Keep this in mind as your prepare an answer to the following question:
Given that there are currently many different C compilers, both commercial and open source, discuss whether or not you can ensure that a C program that you write is free of the trojan horse described in the paper. In order to answer this question, you might want to think about what compiler(s) were used to compile the compiler(s) that you use and any common ancestry (code reuse) that they might have. You should discuss how much confidence you have that your program is trojan-free and whether or not this requires trust in any entities.For Class Wednesday December 7, 2011
The final class discusses Butler Lampson's classic paper Hints for computer Systems Design. This paper presents about two dozen general rules of thumb that experienced system designers have found helpful in building functional, fault-tolerant systems with acceptable performance. Some of Lampson's rules may seem obvious to you. Don't be misled by their apparent simplicity: they embody deep ideas, and it is all too easy to forget them while in the throes of a project. (And even if they are obvious, they are well worth collecting and repeating.) Start out by reading the conclusion of the paper, and then follow the advice in its first sentence: read the paper in small pieces, over time, so that you can fully absorb its lessons. You will get less from the paper if http://research.microsoft.com/en-us/um/people/blampson/33-Hints/WebPage.html read it all at once. You are likely to be unfamiliar with many of the systems discussed in the examples. It is not necessary to understand every example, but you should understand in detail at least one of the examples for each hint. Then, for each hint you should think of at least one example of a use (and perhaps also a misuse) of the hint from one of the readings. In addition, think about your design projects: how did you follow (or not) the hints? You might also think about when the hints are not applicable, and how you can tell when that is the case. Overall, the collection of hints should help you to synthesize the lessons you have learned during the semester.
For Class Monday, December 12, 2011
Quiz 3 is today. Material covers Security Chapter 11 Sections 1,2,3,4,5,6 and Section 11 from the textbook and the papers). We will post a short list of topics for study for your perusal a week before the quiz.
System aphorism of the week
Engineering is the art of modeling materials we do not wholly understand, into shapes we cannot precisely analyse so as to withstand forces we cannot properly assess, in such a way that the public has no reason to suspect the extent of our ignorance. (Dr. A. R. Dykes, British Institution of Structural Engineers, 1976)CS 146a Handout 10, issued November 17, 2011