Computer Security
Instructors
- Prof. Dr.-Ing. Volker Roth
- Jan-Ole Malchow
Description
This course gives an introduction to computer security from a classical
perspective.
Time and Location
Lectures:
- Tuesdays, 16h - 18h, T9/005
- Thursdays, 12h - 14h, T9/005
Tutorials:
- Mondays, 16h - 18h, T9/049 (starting April 18th)
- Thursdays, 10h - 12h, A7/E.31 (starting April 21st)
Grading
The grade will be computed as a weighted sum of the following:
Active participation requires successful completion of homework
assignments and projects and is graded on a pass / no pass basis. At
least 50% of the cumulative score is required to pass.
The exam will be given in the ZIP Lecture Hall, Takustraße 7.
Assignments
Please look at this page for information on tutorials and homework assignments.
Lecture 1, Tuesday April 12, Course Information and Motivation
Topics:
- Why every computer counts today
- Fraud for profit
- Espionage
- Why systems are not secure
- Prominent real world example: the Browser
- Goals for this class
Read: [1], [2], [3], [4]
Lecture 2, Thursday April 14
Guest lecture by Frank Boldewin
Abstract: Despite the security mechanisms of the Windows operating system having been developed further and further over the past few years, malware authors have repeatedly managed to overcome the hurdles put in their way and install malicious code on the system. Even additional measures such as firewalls and virus scanners do not protect completely against compromise. When the usual security tools fail, it is essential to take on the enemy in the system by manual means. This talk shows how to search successfully for rootkits with the Windows kernel debugger "Windbg" and various scripts. A live demonstration further shows how malware can likewise be detected by means of physical-dump memory analysis and extracted from memory for closer examination.
Lecture 3, Tuesday April 19, What is computer security?
Topics:
- Internal and external security
- System boundary and system perimeter
- Security objectives
- Threats and threat analysis
- Policy and mechanism
- Assumptions and trust
- Assurance
- Operation
- Testing (penetration)
Read: ch. 1-3 of [5]
Lecture 4, Thursday April 21, State transition models
Topics:
- Role of a security model
- Uses of a security model
- State transition model
- Informal model to system correspondence
Read: ch. 9 of [5]
Lecture 5, Tuesday April 26, Access control matrix model
Topics:
- The general access control matrix model
- Mono-operational systems
- General systems
- Decidability
Read: ch. 4.7.1-4.7.3 of [6], [7], [8]
Lecture 6, Thursday April 28, Take-Grant protection model
Topics:
- The Take-Grant protection model
- Decidability
Read: ch. 4.7.4 of [6], [9], [10]
Optional additional reading: [11]
Lecture 7, Tuesday May 03, Mandatory access control models
Topics:
- Bell and LaPadula model
- Biba model
- Brewer and Nash (Chinese Wall) model
- Comparisons
- Example application: Negotiating access within a Wiki
Read: [12], [13], [14], [15]
Optional additional reading: [16]
Lecture 8, Thursday May 05, Trojan Horses and Covert Channels
Topics:
- Trojan Horse compiler
- Covert channels
Read: [17], [18], [19]
Lecture 9, Tuesday May 10, Lattice model of information flow
Topics:
- Lattice model of information flow
- Information flow policy
- State transitions and information flow
- Lattice structure
- Flow properties of lattices
- Security and precision
Read: ch. 5.1 of [6], [20], [21]
Lecture 10, Thursday May 12, Execution-based flow control mechanisms
Topics:
- Dynamically enforcing security for implicit flow
- Flow-secure access controls
- Data Mark Machine
- Single Accumulator Machine
Read: ch. 5.3 of [6], [22]
Lecture 11, Tuesday May 17, Compiler-based flow control mechanisms
Topics:
- Flow specifications
- Security requirements
- Certification semantics
- General data and control structures
- Concurrency and synchronization
- Abnormal terminations
Read: ch. 5.4 of [6]
Lecture 12, Thursday May 19, Program verification with security requirements
Topics:
- Program verification
- Flow controls in practice
- JFlow
Read: ch. 5.5-5.6 of [6], [23]
Lecture 13, Tuesday May 24, Principles of a secure architecture
Topics:
- Gasser's principles
- Saltzer's and Schroeder's principles
- Hardware security mechanisms
- Reference monitor and security kernels
Read: ch. 5, 8, 10 of [5], [24]
Lecture 14, Thursday May 26, Capabilities and capability-based systems
Topics:
- Capabilities
- Capability-based computer systems
- The EROS capability system
- Capabilities in a distributed operating system
Read: ch. 4.5 of [6], [25], [26], [27]
Additional literature on capabilities and their discussion
- The Confused Deputy [28]
- Capability "myths" [29]
- KeyKOS Architecture [30]
- The KeyKOS Home Page
Lecture 15, Tuesday May 31, Secure Operating Systems
Topics:
Read: [31], [32]
No lecture on Thursday June 02, Ascension Day (Christi Himmelfahrt)
Lecture 16, Tuesday June 07, Trusted path and secure window systems
Topics:
- Trusted X
- The EROS Trusted Window System
- Nitpicker
Read: [33], [34], [35]
Additional literature
- Securing Graphical User Interfaces [36]
Lecture 17, Thursday June 09, Secure Web Browsers
Topics:
- DARPA Secure Browser
- Chrome
- OP Browser
- Gazelle
Read: [37], [38]
Lecture 18, Tuesday June 14, Buffer overflows
Topics:
- Buffer overflow exploitation
Read: [39]
Lecture 19, Thursday June 16, Format string vulnerability exploitation
Topics:
- Format string vulnerabilities
Read: [40]
Lecture 20, Tuesday June 21, Heap and integer overflows
Topics:
- Heap overflow vulnerability exploitation
- Integer overflow vulnerability exploitation
Read: [41], [42]
Additional literature:
- Attacks on the Action Script Virtual Machine [43]
- Blended attacks [44]
Lecture 21, Thursday June 23, Return oriented programming
Topics:
- Return oriented programming
- Return oriented rootkits
Read: [45], [46]
Lecture 22, Tuesday June 28, TOCTOU attacks
Topics:
- Time-of-check vs. time-of-use vulnerabilities
- Probabilistic hardness amplification
- K-races
- Filesystem mazes
- Atomic K-races
- Algorithmic complexity attacks
Read: [47], [48]
Lecture 23, Thursday June 30, Web application security
Topics: (slides)
- SQL injection
- XSS, XSRF
- Bad practice with regards to URLs, cookies and hidden form fields
- Rebinding attacks
Lecture 24, Tuesday July 05, Inline reference monitors
Topics:
Read: [49]
Lecture 25, Thursday July 07, Humans and passwords
Topics:
- Password doctrine
- Password cracking
- Password selection in practice
- Password effectiveness
- Shoulder-surfing resistant PIN entry
Read: [50], [51], [52]
Lecture 26, Tuesday July 12, Pre-exam lecture
Topics:
- Lecture topics summary
- Wrap-up
- Questions
Lecture 27, Thursday July 14, Final exam
As announced in prior lectures and recitations, this is the exam day.
The exam will be given in the ZIP Lecture Hall, Takustraße 7.
Literature
[1] Jason Franklin, Vern Paxson, Adrian Perrig, Stefan Savage, 2007. An inquiry into the nature and causes of the wealth of internet miscreants. In Proc. ACM CCS, 375-388, 2007.
[2] Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., and Savage, S. 2009. Spamalytics: an empirical analysis of spam marketing conversion. Commun. ACM 52, 9 (Sep. 2009), 99-107.
[3] Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., and Vigna, G. 2009. Your botnet is my botnet: analysis of a botnet takeover. Proc. ACM CCS (2009), 635-647.
[4] Herley, C. and Florêncio, D. 2008. A profitless endeavor: phishing as tragedy of the commons. In Proc. NSPW, 2008. ACM, 59-70.
[5] Morrie Gasser. Building a Secure Computer System. Van Nostrand Reinhold, 1988.
[6] Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
[7] B. Lampson. Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp. 18-24.
[8] Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. 1976. Protection in operating systems. Commun. ACM 19, 8 (Aug. 1976), 461-471.
[9] Snyder, L. 1981. Formal Models of Capability-Based Protection Systems. IEEE Trans. Comput. 30, 3 (Mar. 1981), 172-181.
[10] Snyder, L. 1977. On the synthesis and analysis of protection systems. Proc. ACM Symposium on Operating Systems Principles (SOSP), pp. 141-150.
[11] Bishop, M. and Snyder, L. 1979. The transfer of information and authority in a protection system. Proc. ACM Symposium on Operating Systems Principles (SOSP), 45-54.
[12] David E. Bell and Leonard J. LaPadula. Secure Computer System: Unified Exposition and MULTICS Interpretation. MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA 01730 (Mar. 1976); also ESD-TR-75-306, rev. 1, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731.
[13] David Elliott Bell. Looking Back at the Bell-La Padula Model. Proc. ACSAC, pp. 337-351, 2005.
[14] Biba, K. Integrity Considerations for Secure Computer Systems. ESD-TR-76-372, ESD/AFSC, Hanscom AFB, Bedford, MA (Apr. 1977) [NTIS ADA039324].
[15] Brewer, D., Nash, M. The Chinese Wall security policy. IEEE Symposium on Security and Privacy, pp. 206-214, Oakland, May 1989.
[16] Burrow, A. L. 2004. Negotiating access within Wiki: a system to construct and maintain a taxonomy of access rules. Proc. ACM Conference on Hypertext and Hypermedia 2004. ACM, 77-86.
[17] Thompson, K. 1984. Reflections on trusting trust. Commun. ACM 27, 8 (Aug. 1984), 761-763.
[18] Lampson, B. W. 1973. A note on the confinement problem. Commun. ACM 16, 10 (Oct. 1973), 613-615.
[19] Lipner, S. B. 1975. A Comment on the Confinement Problem. ACM Operating Systems Review 9(5):192-196.
[20] Denning, D. E. 1976. A lattice model of secure information flow. Commun. ACM 19, 5 (May 1976), 236-243.
[21] Jones, A. K. and Lipton, R. J. 1975. The enforcement of security policies for computation. In Proceedings of the Fifth ACM Symposium on Operating Systems Principles (Austin, Texas, United States, November 19-21, 1975). SOSP '75. ACM, New York, NY, 197-206.
[22] J. S. Fenton. Memoryless Subsystems. Comput. J. 17(2): 143-147 (1974).
[23] Myers, A. C. 1999. JFlow: practical mostly-static information flow control. Proc. Symposium on Principles of Programming Languages, 1999, 228-241.
[24] Jerome H. Saltzer, Michael D. Schroeder. The Protection of Information in Computer Systems. Proc. IEEE Vol. 63(9), pp. 1278-1308 (Sep. 1975).
[25] Henry M. Levy, 1984. Capability-based computer systems. Digital Press, 1984.
[26] Shapiro, J. S., Smith, J. M., and Farber, D. J. 1999. EROS: a fast capability system. Proc. ACM Symposium on Operating Systems Principles. SOSP '99, 170-185.
[27] Tanenbaum, A. S., Mullender, S. J., and Renesse, R. van. Using Sparse Capabilities in a Distributed Operating System. Proc. Int'l Conf. on Distributed Computing Systems, IEEE, pp. 558-563, 1986.
[28] Hardy, N. 1988. The Confused Deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (Oct. 1988), 36-38.
[29] Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro, 2003. Capability Myths Demolished. Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University.
[30] Hardy, N. 1985. KeyKOS architecture. SIGOPS Oper. Syst. Rev. 19, 4 (Oct. 1985), 8-25.
[31] Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making information flow explicit in HiStar. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation, Seattle, WA, November 2006.
[32] Zeldovich, N., Boyd-Wickizer, S., and Mazières, D. 2008. Securing distributed systems with information flow control. In Proc. USENIX Symposium on Networked Systems Design and Implementation, 2008, pp. 293-308.
[33] Epstein, J. 2006. Fifteen Years after TX: A Look Back at High Assurance Multi-Level Secure Windowing. In Proc. Annual Computer Security Applications Conference, 301-320.
[34] Shapiro, J. S., Vanderburgh, J., Northup, E., and Chizmadia, D. 2004. Design of the EROS trusted window system. In Proc. USENIX Security Symposium, 2004, 165-178.
[35] Feske, N. and Helmuth, C. 2005. A Nitpicker's guide to a minimal-complexity secure GUI. In Proc. Annual Computer Security Applications Conference, 85-94.
[36] Norman Feske, 2009. Securing Graphical User Interfaces. Dissertation, TU Dresden.
[37] Grier, C., Tang, S., and King, S. T. Secure web browsing with the OP web browser. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
[38] Wang, H. J., Grier, C., Moshchuk, A., King, S. T., Choudhury, P., and Venter, H. The multi-principal OS construction of the Gazelle web browser. In Proc. USENIX Security Symposium, Montreal, Canada, August 2009.
[39] Aleph One, 1996. Smashing the stack for fun and profit. Phrack Magazine No. 49, Nov. 1996.
[40] Scut, 2001. Exploiting Format String Vulnerabilities.
[41] Anonymous, 2001. Once upon a free(). Phrack Magazine 57, 9.
[42] Blexim, 2002. Basic Integer Overflows. Phrack Magazine 11, 60.
[43] Mark Dowd, 2008. Application-Specific Attacks: Leveraging the Action Script Virtual Machine. IBM Global Technology Services Whitepaper, April 2008.
[44] Eric Chien, Peter Szor, 2002. Blended Attacks: Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses. Virus Bulletin Conference, Sep. 2002, New Orleans, USA, 1-35.
[45] Ryan Roemer, Erik Buchanan, Hovav Shacham and Stefan Savage, 2009. Return-Oriented Programming: Systems, Languages, and Applications. In review.
[46] Ralf Hund, Thorsten Holz, Felix C. Freiling, 2009. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. Proc. USENIX Security Symposium, 2009.
[47] Dan Tsafrir, Tomer Hertz, David Wagner, Dilma Da Silva, 2008. Portably Solving File TOCTTOU Races with Hardness Amplification. FAST, pp. 189-206.
[48] Xiang Cai, Yuwei Gui, Rob Johnson, 2009. Exploiting Unix File-System Races via Algorithmic Complexity Attacks. IEEE S&P, Oakland, CA, pp. 27-41.
[49] Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, Nicholas Fullagar, 2010. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. CACM Vol. 53, No. 1.
[50] Florêncio, D. and Herley, C. 2007. A large-scale study of web password habits. In Proc. WWW, pp. 657-666.
[51] C. Herley, 2009. So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. In Proc. NSPW, 2009.
[52] Volker Roth and Kai Richter, 2006. How to fend off shoulder surfers. Journal of Banking and Finance, 30(6):1727-1751.