Instructors
- Prof. Dr.-Ing. Volker Roth
- Philipp Schmidt
Description
This course gives an introduction to computer security from a
classical perspective.
Time and Location
Lectures:
- Tuesdays, 16h - 18h, T9/005
- Thursdays, 12h - 14h, T9/005
Tutorials:
- Mondays, 16h - 18h, T9/005
Grading
The grade will be computed as a weighted sum of the following:
Active participation requires successful completion of a semester project
and is graded on a pass / no pass basis.
Interesting links
Below are links to a few resources that may be of interest to students of
this class at one time or another.
Assignments
Assignment 1, due Monday April 26
- Set up a Lua build environment and compile Lua yourself from source
- Read R. Ierusalimschy, L. H. de Figueiredo and W. Celes, The implementation of Lua 5.0
- Read the literature of lecture 1.
Assignment 2, due Monday May 17
- Implement an efficient lattice data structure in C according to the lattice.h header file.
- Implement a Lua interface for the lattice specified in lattice.h (updated May 5th).
All operations should be accessible in a reasonable way through the
metatables of the lattice and lattice_element objects. The metatable
implementation should not depend on your lattice implementation.
Assignment 3, due Monday June 7
- Study the structure of the Lua virtual machine.
- Which structs of the VM need to be extended to implement information flow control, and how would this be done?
- Make a table of the Lua VM instructions showing how each instruction affects the labels of its operands and of its result.
Assignment 4, due Monday June 28
As you may have seen in the last assignment, there is a nasty problem with
reflecting the label state of the program counter in the VM instructions
generated from conditional blocks: once a conditional jump depends on a
labeled value, every assignment controlled by that jump must pick up the
label, including assignments that are skipped on the path actually taken.
Your task is to come up with a solution for that problem.
Assuming that VM instructions are always generated by a trusted compiler:
- Invent new opcodes for the Lua VM that implement information flow labeling.
- Describe how the compiler should use them when generating instructions from conditional blocks.
Assignment 5, due Tuesday July 6
As we discussed in the tutorial, we cannot implement reasonable dynamic
information flow control without compiler aid, which raises the question
whether it is a good idea to shift more of the work from the VM to the compiler.
- Elaborate whether information flow labeling is better implemented within the VM instructions wherever possible, or in special instructions generated by the compiler.
- Write a discussion that covers at least performance and implementation complexity arguments.
- Consider complex calculations such as radix calculation or matrix multiplication.
Lecture 1, Thursday April 15, Course Information and Motivation
Topics:
- Why every computer counts today
- Fraud for profit [1,2,3,4]
- Espionage
- Why systems are not secure
- Prominent real world example: the Browser
- Goals for this class
Literature
- Jason Franklin, Vern Paxson, Adrian Perrig, Stefan Savage, 2007. An inquiry into the nature and causes of the wealth of internet miscreants. Proc. ACM CCS, 375-388.
- Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., and Savage, S. 2009. Spamalytics: an empirical analysis of spam marketing conversion. Commun. ACM 52, 9 (Sep. 2009), 99-107.
- Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., and Vigna, G. 2009. Your botnet is my botnet: analysis of a botnet takeover. Proc. ACM CCS, 635-647.
- Herley, C. and Florêncio, D. 2008. A profitless endeavor: phishing as tragedy of the commons. Proc. NSPW, ACM, 59-70.
Lecture 2, Tuesday April 20, What is computer security?
Topics: [1; ch. 1-3]
- Internal and external security
- System boundary and system perimeter
- Security objectives
- Threats and threat analysis
- Policy and mechanism
- Assumptions and trust
- Assurance
- Operation
- Testing (penetration)
Literature
- Morrie Gasser. Building a Secure Computer System. Van Nostrand Reinhold, 1988.
Lecture 3, Thursday April 22, State transition models
Topics: [1; ch. 9]
- Role of a security model
- Uses of a security model
- State transition model
- Informal model to system correspondence
Literature
- Morrie Gasser. Building a Secure Computer System. Van Nostrand Reinhold, 1988.
Lecture 4, Tuesday April 27, Access control matrix model
Topics: [1; ch. 4.7.1-4.7.3]
- The general access control matrix model [2,3]
- Mono-operational systems
- General systems
- Decidability
Literature
- Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
- B. Lampson. Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), 18-24.
- Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. 1976. Protection in operating systems. Commun. ACM 19, 8 (Aug. 1976), 461-471.
Lecture 5, Thursday April 29, Take-Grant protection model
Topics: [1; ch. 4.7.4]
- The Take-Grant protection model [2,3]
- Decidability
Optional additional reading: [4]
Literature
- Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
- Snyder, L. 1981. Formal Models of Capability-Based Protection Systems. IEEE Trans. Comput. 30, 3 (Mar. 1981), 172-181.
- Snyder, L. 1977. On the synthesis and analysis of protection systems. Proc. ACM Symposium on Operating Systems Principles (SOSP), 141-150.
- Bishop, M. and Snyder, L. 1979. The transfer of information and authority in a protection system. Proc. ACM Symposium on Operating Systems Principles (SOSP), 45-54.
Lecture 6, Tuesday May 04, Mandatory access control models
Topics:
- Bell and LaPadula model [1,2]
- Biba model [3]
- Brewer and Nash (Chinese Wall) model [4]
- Comparisons
- Example application: Negotiating access within a Wiki [5]
Literature
- David E. Bell and Leonard J. LaPadula. Secure Computer System: Unified Exposition and MULTICS Interpretation. MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA 01730 (Mar. 1976); also ESD-TR-75-306, rev. 1, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731.
- David Elliott Bell. Looking Back at the Bell-La Padula Model. Proc. ACSAC, 337-351, 2005.
- Biba, K. Integrity Considerations for Secure Computer Systems. ESD-TR-76-372, ESD/AFSC, Hanscom AFB, Bedford, MA (Apr. 1977) [NTIS ADA039324].
- Brewer, D., Nash, M. The Chinese Wall security policy. IEEE Symposium on Security and Privacy, 206-214, Oakland, May 1989.
- Burrow, A. L. 2004. Negotiating access within Wiki: a system to construct and maintain a taxonomy of access rules. Proc. ACM Conference on Hypertext and Hypermedia 2004, ACM, 77-86.
Lecture 7, Thursday May 06, Trojan Horses and Covert Channels
Topics:
- Trojan Horse compiler [1]
- Covert channels [2,3]
Literature
- Thompson, K. 1984. Reflections on trusting trust. Commun. ACM 27, 8 (Aug. 1984), 761-763.
- Lampson, B. W. 1973. A note on the confinement problem. Commun. ACM 16, 10 (Oct. 1973), 613-615.
- Lipner, S. B. 1975. A Comment on the Confinement Problem. ACM Operating Systems Review 9(5), 192-196.
Lecture 8, Tuesday May 11, Lattice model of information flow
Topics: [1; ch.5.1]
- Lattice model of information flow [2]
- Information flow policy
- State transitions and information flow
- Lattice structure
- Flow properties of lattices
- Security and precision [3]
Literature
- Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
- Denning, D. E. 1976. A lattice model of secure information flow. Commun. ACM 19, 5 (May 1976), 236-243.
- Jones, A. K. and Lipton, R. J. 1975. The enforcement of security policies for computation. Proc. ACM Symposium on Operating Systems Principles (SOSP '75), Austin, Texas, November 19-21, 1975. ACM, New York, NY, 197-206.
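Added example, not part of the course material and not the lattice.h of Assignment 2: a security-label lattice in C in the style of Denning's model, serving both the lattice implementation of Assignment 2 and the lattice and Bell-LaPadula topics of Lectures 6 and 8. A label is a totally ordered level paired with a set of categories; the order, join and meet come from the product of the two component lattices, and the simple-security and *-property checks at the end are written in terms of that order. The names label_t, label_leq, label_join, label_meet, blp_can_read and blp_can_write, and the 4 levels by 3 categories that the exhaustive self-check walks, are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* A label (security class) in Denning's lattice model: a totally ordered
 * level combined with a set of categories (compartments). The names are
 * assumptions for this example, not the course's lattice.h. */
typedef struct {
    unsigned level;      /* e.g. 0 = unclassified ... 3 = top secret */
    uint32_t categories; /* bit i set = category i is part of the label */
} label_t;

/* Partial order: a <= b iff a.level <= b.level and a.categories is a subset
 * of b.categories. Information may flow from class a to class b exactly
 * when a <= b. */
bool label_leq(label_t a, label_t b) {
    return a.level <= b.level && (a.categories & ~b.categories) == 0;
}

bool label_eq(label_t a, label_t b) {
    return a.level == b.level && a.categories == b.categories;
}

/* Join (least upper bound): the class of a value computed from inputs of
 * classes a and b. */
label_t label_join(label_t a, label_t b) {
    label_t r = { a.level > b.level ? a.level : b.level,
                  a.categories | b.categories };
    return r;
}

/* Meet (greatest lower bound): the highest class that may flow to both. */
label_t label_meet(label_t a, label_t b) {
    label_t r = { a.level < b.level ? a.level : b.level,
                  a.categories & b.categories };
    return r;
}

/* Bell-LaPadula in terms of the lattice order.
 * Simple security ("no read up"): the object's class must be dominated by
 * the subject's clearance. */
bool blp_can_read(label_t subject, label_t object) {
    return label_leq(object, subject);
}

/* *-property ("no write down"): the object's class must dominate the
 * subject's current class. */
bool blp_can_write(label_t subject, label_t object) {
    return label_leq(subject, object);
}

/* Exhaustive check of the lattice laws over the 4 x 8 = 32 labels with
 * level < 4 and categories < 8. Returns the number of violations; 0 means
 * join really is the least upper bound and meet the greatest lower bound. */
int lattice_selfcheck(void) {
    int bad = 0;
    for (unsigned i = 0; i < 32; i++) {
        for (unsigned j = 0; j < 32; j++) {
            label_t a = { i / 8, i % 8 }, b = { j / 8, j % 8 };
            label_t jn = label_join(a, b), mt = label_meet(a, b);
            if (!label_leq(a, jn) || !label_leq(b, jn)) bad++;  /* upper bound */
            if (!label_leq(mt, a) || !label_leq(mt, b)) bad++;  /* lower bound */
            for (unsigned k = 0; k < 32; k++) {                  /* least / greatest */
                label_t c = { k / 8, k % 8 };
                if (label_leq(a, c) && label_leq(b, c) && !label_leq(jn, c)) bad++;
                if (label_leq(c, a) && label_leq(c, b) && !label_leq(c, mt)) bad++;
            }
        }
    }
    return bad;
}
```

The bitmask makes join and meet constant-time, which is what "efficient" asks for in Assignment 2 as long as the number of categories is bounded; a Lua metatable binding would map __le to label_leq, __eq to label_eq and, for instance, __add and __mul to join and meet, without the binding needing to know the representation.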
No class on Thursday May 13 (Ascension Day, Christi Himmelfahrt)
Lecture 9, Tuesday May 18, Execution-based flow control mechanisms
Topics: [1; ch.5.3]
- Dynamically enforcing security for implicit flow (see also [2])
- Flow-secure access controls
- Data Mark Machine
- Single Accumulator Machine
Literature
- Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
- J. S. Fenton. Memoryless Subsystems. Comput. J. 17(2), 143-147 (1974).
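Added example, my own illustration rather than course code or the Lua VM: a small register machine with a two-point label lattice that shows the implicit-flow problem behind Assignments 3 and 4 and the Data Mark Machine idea of this lecture. Ordinary instructions propagate labels through explicit data flow only, so x = 0; if (secret != 0) x = 1 leaves x labeled LOW although its value is a copy of secret. The three opcodes PUSHPC, RAISE and POPPC, and the rule that a trusted compiler emits RAISE at the join point for every variable assigned in any branch, are one possible answer to Assignment 4 and not the course's; the instruction set, its encoding and all names are assumptions.

```c
#include <string.h>

#define NREG 8
#define PCSTACK 16

/* Two-point lattice; join is max. */
typedef enum { LOW = 0, HIGH = 1 } lab_t;
static lab_t lab_join(lab_t a, lab_t b) { return a > b ? a : b; }

/* Instruction set (assumed for this example, not Lua's):
 *   LOADK  a, k      r[a] = k
 *   MOVE   a, b      r[a] = r[b]
 *   ADD    a, b, c   r[a] = r[b] + r[c]
 *   JMPZ   a, t      if r[a] == 0 goto t
 *   PUSHPC a         push pc label; pc = pc join label(r[a])   (entering a conditional on r[a])
 *   RAISE  a         label(r[a]) = label(r[a]) join pc         (join point: every variable
 *                                                               assigned in any branch)
 *   POPPC            restore the saved pc label                (leaving the conditional)
 *   HALT */
typedef enum { LOADK, MOVE, ADD, JMPZ, PUSHPC, RAISE, POPPC, HALT } op_t;
typedef struct { op_t op; int a, b, c; } insn_t;

typedef struct {
    int   val[NREG];
    lab_t lab[NREG];
    lab_t pc;                 /* label of the program counter (the data mark) */
    lab_t pcstack[PCSTACK];
    int   sp;
} vm_t;

/* Explicit flows: a result is labelled with the join of its operands and the
 * current pc label. Returns 0 on HALT, -1 on a malformed program. */
int vm_run(vm_t *vm, const insn_t *prog, int n) {
    int ip = 0, steps = 0;
    while (ip >= 0 && ip < n && steps++ < 10000) {
        insn_t in = prog[ip++];
        switch (in.op) {
        case LOADK:
            vm->val[in.a] = in.b;
            vm->lab[in.a] = vm->pc;
            break;
        case MOVE:
            vm->val[in.a] = vm->val[in.b];
            vm->lab[in.a] = lab_join(vm->lab[in.b], vm->pc);
            break;
        case ADD:
            vm->val[in.a] = vm->val[in.b] + vm->val[in.c];
            vm->lab[in.a] = lab_join(lab_join(vm->lab[in.b], vm->lab[in.c]), vm->pc);
            break;
        case JMPZ:   /* no label handling of its own: PUSHPC/RAISE/POPPC do that */
            if (vm->val[in.a] == 0) ip = in.b;
            break;
        case PUSHPC:
            if (vm->sp >= PCSTACK) return -1;
            vm->pcstack[vm->sp++] = vm->pc;
            vm->pc = lab_join(vm->pc, vm->lab[in.a]);
            break;
        case RAISE:
            vm->lab[in.a] = lab_join(vm->lab[in.a], vm->pc);
            break;
        case POPPC:
            if (vm->sp <= 0) return -1;
            vm->pc = vm->pcstack[--vm->sp];
            break;
        case HALT:
            return 0;
        }
    }
    return -1;
}

/* Source program: x = 0; if (secret != 0) x = 1;   with r0 = secret, r1 = x */

/* Naive code: only explicit flows are tracked. */
const insn_t prog_naive[] = {
    { LOADK, 1, 0, 0 },
    { JMPZ,  0, 3, 0 },
    { LOADK, 1, 1, 0 },
    { HALT,  0, 0, 0 },
};
const int prog_naive_len = 4;

/* What a trusted compiler emits with the new opcodes: the pc label is raised
 * for the whole conditional, and x is raised at the join point whichever
 * path was taken. */
const insn_t prog_labeled[] = {
    { LOADK,  1, 0, 0 },
    { PUSHPC, 0, 0, 0 },
    { JMPZ,   0, 4, 0 },
    { LOADK,  1, 1, 0 },
    { RAISE,  1, 0, 0 },
    { POPPC,  0, 0, 0 },
    { HALT,   0, 0, 0 },
};
const int prog_labeled_len = 7;

/* Run prog with r0 = secret labelled HIGH; store x's value in *xval and
 * return x's label, or -1 if the program fails. */
int run_secret_copy(const insn_t *prog, int n, int secret, int *xval) {
    vm_t vm;
    memset(&vm, 0, sizeof vm);
    vm.val[0] = secret;
    vm.lab[0] = HIGH;
    if (vm_run(&vm, prog, n) != 0) return -1;
    *xval = vm.val[1];
    return vm.lab[1];
}
```

With prog_naive both runs end with x equal to secret but labelled LOW: that is the implicit flow the pc label of the Data Mark Machine is meant to catch. PUSHPC alone would still leave x LOW when the branch is not taken, because no instruction touches x on that path; that is why the compiler has to emit RAISE for every variable assigned in any branch before POPPC, and it is the reason the tutorial concluded that dynamic enforcement needs compiler aid (Assignment 5).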
Lecture 10, Thursday May 20, Compiler-based flow control mechanisms
Topics: [1; ch.5.4]
- Flow specifications
- Security requirements
- Certification semantics
- General data and control structures
- Concurrency and synchronization
- Abnormal terminations
Literature
- Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
Lecture 11, Tuesday May 25, Program verification with security requirements
Topics: [1; ch.5.5-5.6]
- Program verification
- Flow controls in practice
- JFlow [2]
Literature
- Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
- Myers, A. C. 1999. JFlow: practical mostly-static information flow control. Proc. Symposium on Principles of Programming Languages (POPL), 228-241.
Lecture 12, Thursday May 27, Principles of a secure architecture
Topics: [1; ch.5,8,10]
- Gasser's principles
- Saltzer's and Schroeder's principles [2]
- Hardware security mechanisms
- Reference monitor and security kernels
Literature
- Morrie Gasser. Building a Secure Computer System. Van Nostrand Reinhold, 1988.
- Jerome H. Saltzer, Michael D. Schroeder. The Protection of Information in Computer Systems. Proc. IEEE 63(9), 1278-1308 (Sep. 1975).
Lecture 13, Tuesday June 01, Capabilities and capability-based systems
Topics: [1; ch.4.5]
- Capabilities
- Capability-based computer systems [2]
- The EROS capability system [3]
- Capabilities in a distributed operating system [4]
Additional literature on capabilities and their discussion
- The Confused Deputy [5]
- Capability "myths" [6]
- KeyKOS Architecture [7]
- The KeyKOS Home Page
Literature
- Robling Denning, D. E. 1982. Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
- Henry M. Levy, 1984. Capability-based computer systems. Digital Press.
- Shapiro, J. S., Smith, J. M., and Farber, D. J. 1999. EROS: a fast capability system. Proc. ACM Symposium on Operating Systems Principles (SOSP '99), 170-185.
- Tanenbaum, A.S., Mullender, S.J., and Renesse, R. van. Using Sparse Capabilities in a Distributed Operating System. Proc. Int'l Conf. on Distributed Computing Systems, IEEE, 558-563, 1986.
- Hardy, N. 1988. The Confused Deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (Oct. 1988), 36-38.
- Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro, 2003. Capability Myths Demolished. Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University.
- Hardy, N. 1985. KeyKOS architecture. SIGOPS Oper. Syst. Rev. 19, 4 (Oct. 1985), 8-25.
Lecture 14, Thursday June 03, Secure Operating Systems
Topics:
Literature
- Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making information flow explicit in HiStar. Proc. 7th Symposium on Operating Systems Design and Implementation (OSDI), Seattle, WA, November 2006.
- Zeldovich, N., Boyd-Wickizer, S., and Mazières, D. 2008. Securing distributed systems with information flow control. Proc. USENIX Symposium on Networked Systems Design and Implementation (NSDI), 293-308.
Lecture 15, Tuesday June 08, Trusted path and secure window systems
Topics:
- Trusted X [1]
- The EROS Trusted Window System [2]
- Nitpicker [3]
Additional literature
- Securing Graphical User Interfaces [4]
Literature
- Epstein, J. 2006. Fifteen Years after TX: A Look Back at High Assurance Multi-Level Secure Windowing. Proc. Annual Computer Security Applications Conference (ACSAC), 301-320.
- Shapiro, J. S., Vanderburgh, J., Northup, E., and Chizmadia, D. 2004. Design of the EROS trusted window system. Proc. USENIX Security Symposium, 165-178.
- Feske, N. and Helmuth, C. 2005. A Nitpicker's guide to a minimal-complexity secure GUI. Proc. Annual Computer Security Applications Conference (ACSAC), 85-94.
- Norman Feske, 2009. Securing Graphical User Interfaces. Dissertation, TU Dresden.
Lecture 16, Thursday June 10, Secure Web Browsers
Topics:
- DARPA Secure Browser
- Chrome
- OP Browser [1]
- Gazelle [2]
Literature
- Grier, C., Tang, S., and King, S. T. Secure web browsing with the OP web browser. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
- Wang, H. J., Grier, C., Moshchuk, A., King, S. T., Choudhury, P., and Venter, H. The multi-principal OS construction of the Gazelle web browser. Proc. USENIX Security Symposium, Montreal, Canada, August 2009.
Lecture 17, Tuesday June 15, Buffer overflows
Topics:
- Buffer overflow exploitation [1]
Literature
- Aleph One, 1996. Smashing the stack for fun and profit. Phrack Magazine No. 49, Nov. 1996.
Lecture 18, Thursday June 17, Format string vulnerability exploitation
Topics:
- Format string vulnerabilities [1]
Literature
- Scut, 2001. Exploiting Format String Vulnerabilities.
Lecture 19, Tuesday June 22, Heap and integer overflows
Topics:
- Heap overflow vulnerability exploitation [1]
- Integer overflow vulnerability exploitation [2]
Additional literature:
- Attacks on the ActionScript Virtual Machine [3]
- Blended attacks [4]
Literature
- Anonymous, 2001. Once upon a free()... Phrack Magazine No. 57, article 9, Aug. 2001.
- Blexim, 2002. Basic Integer Overflows. Phrack Magazine No. 60, Dec. 2002.
- Mark Dowd, 2008. Application-Specific Attacks: Leveraging the ActionScript Virtual Machine. IBM Global Technology Services Whitepaper, April 2008.
- Eric Chien, Peter Szor, 2002. Blended Attacks: Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses. Virus Bulletin Conference, Sep. 2002, New Orleans, USA, 1-35.
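Added example, not taken from the course or from the cited articles: the integer-overflow shapes that the Phrack article on basic integer overflows describes, each next to its checked form, so that the arithmetic can be tried instead of read about. The function names, BUF_MAX and the sample sizes are made up for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Pattern 1: allocation-size multiplication.
 * Vulnerable: count * elem_size is computed in size_t and wraps silently, so
 * a huge count yields a tiny allocation and the caller's fill loop writes
 * past its end (heap overflow via integer overflow). */
size_t unchecked_array_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Fixed: detect the wrap before multiplying. Returns 1 and stores the byte
 * count, or 0 if count * elem_size does not fit in size_t. */
int checked_array_bytes(size_t count, size_t elem_size, size_t *bytes) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;
    *bytes = count * elem_size;
    return 1;
}

void *alloc_array(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_array_bytes(count, elem_size, &bytes)) return NULL;
    return malloc(bytes);
}

/* Pattern 2: signed length compared against a fixed buffer.
 * A negative length passes "len <= BUF_MAX" but becomes a huge size_t when
 * it reaches memcpy(buf, src, len). */
#define BUF_MAX 256

size_t as_memcpy_size(int len) {      /* the implicit conversion memcpy performs */
    return (size_t)len;
}
int broken_length_check(int len) {    /* -1 passes */
    return len <= BUF_MAX;
}
int fixed_length_check(int len) {     /* reject negatives (or take the length as size_t) */
    return len >= 0 && len <= BUF_MAX;
}

/* Pattern 3: width truncation.
 * A length stored into a 16-bit field is compared after truncation while the
 * full value drives the copy. */
int truncated_check_passes(uint32_t wire_len) {
    uint16_t len16 = (uint16_t)wire_len;   /* 0x10010 becomes 0x0010 */
    return len16 <= BUF_MAX;
}
int full_width_check_passes(uint32_t wire_len) {
    return wire_len <= BUF_MAX;
}
```

For a count of SIZE_MAX / 8 + 1 and an element size of 8, the unchecked product is exactly 2^N on an N-bit size_t and therefore wraps to 0: malloc(0) succeeds and the very first element written is already out of bounds. The checked version refuses that count and accepts SIZE_MAX / 8, the largest count that still fits.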
Lecture 20, Thursday June 24, Return oriented programming
Topics:
- Return oriented programming [1]
- Return oriented rootkits [2]
Literature
- Ryan Roemer, Erik Buchanan, Hovav Shacham and Stefan Savage, 2009. Return-Oriented Programming: Systems, Languages, and Applications. In review.
- Ralf Hund, Thorsten Holz, Felix C. Freiling, 2009. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. Proc. USENIX Security Symposium, 2009.
Lecture 21, Tuesday June 29, TOCTOU attacks
Topics:
- Time-of-check vs. time-of-use vulnerabilities
- Probabilistic hardness amplification
- K-races
- Filesystem mazes
- Atomic K-races [1]
- Algorithmic complexity attacks [2]
Literature
- Dan Tsafrir, Tomer Hertz, David Wagner, Dilma Da Silva, 2008. Portably Solving File TOCTTOU Races with Hardness Amplification. Proc. FAST, 189-206.
- Xiang Cai, Yuwei Gui, Rob Johnson, 2009. Exploiting Unix File-System Races via Algorithmic Complexity Attacks. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 27-41.
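Added example, not course code: the access()/open() race on a path name, next to a hardened opener that checks the file description it actually obtained instead of re-resolving the name. Attacks that widen the window (k-races, filesystem mazes) only matter while a name is checked and then used; once the check is made on the opened object there is no window left. The requirement that the file be a regular file owned by the caller is a policy assumed for this illustration, and the fixture builds a regular file plus a symlink to it under /tmp, which is constructed for the example and assumes a writable /tmp on a POSIX system.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0400000   /* assumed fallback: the Linux x86 value */
#endif

/* Vulnerable: time of check on the path name, time of use on the path name
 * again. Whatever the name resolves to may change between the two calls
 * (a symlink swap, with a filesystem maze or k-race to widen the window). */
int open_after_access_check(const char *path) {
    if (access(path, R_OK) != 0) return -1;   /* check */
    return open(path, O_RDONLY);              /* use */
}

/* Hardened: open first, then check the object actually opened. O_NOFOLLOW
 * makes open() fail with ELOOP when the final component is a symlink, and
 * fstat() inspects the open file description, which nobody can swap any
 * more. Requiring a regular file owned by the caller is this example's
 * policy, not a general rule. */
int open_regular_file_safely(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;                     /* errno == ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file and a symlink to it under /tmp.
 * Returns 1 if the naive opener follows the link while the hardened one
 * rejects it with ELOOP and still opens the real file; 0 if not; -1 if the
 * fixture could not be built. */
int demo_symlink_rejection(void) {
    char file[] = "/tmp/toctou-XXXXXX";
    char lnk[64];
    int fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return -1; }

    int ok = 1, a, b, c;
    a = open_after_access_check(lnk);       /* follows the link: succeeds */
    if (a < 0) ok = 0; else close(a);
    b = open_regular_file_safely(lnk);      /* refused */
    if (b >= 0) { ok = 0; close(b); } else if (errno != ELOOP) ok = 0;
    c = open_regular_file_safely(file);     /* the real file: accepted */
    if (c < 0) ok = 0; else close(c);

    unlink(lnk);
    unlink(file);
    return ok;
}
```

The symlink stands in for the attacker's swap: with the naive opener the check and the use may see different objects, with the hardened opener the final component may not be a link at all and every property is read from the descriptor. Where a name-based check cannot be avoided (a setuid program that must honour the real user's permissions, for instance), the Tsafrir et al. paper's hardness amplification is the portable fallback.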
Lecture 22, Thursday July 01, Inline reference monitors
Topics:
Literature
- Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, Nicholas Fullagar, 2009. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 79-93.
Lecture 23, Tuesday July 06, Guest lecture
Topics:
- Sandro Gaycken talks about Cyber Warfare
Lecture 24, Thursday July 08, Humans and passwords
Topics:
- Password doctrine
- Password cracking
- Password selection in practice [1]
- Password effectiveness [2]
- Shoulder-surfing resistant PIN entry [3]
Literature
- Florencio, D. and Herley, C. 2007. A large-scale study of web password habits. Proc. WWW, 657-666.
- C. Herley, 2009. So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. Proc. NSPW, 2009.
- Volker Roth and Kai Richter, 2006. How to fend off shoulder surfers. Journal of Banking and Finance, 30(6), 1727-1751.
Lecture 25, Tuesday July 13, Final exam
Lecture 26, Thursday July 15, Final exam review