Courses/Computer Science/CPSC 525.W2013/Lecture Notes
Contents
- 1 January 9: Introduction
- 2 January 11: The Security Mindset
- 3 January 14: Ethics and the Security Mindset (Cont)
- 4 January 16: Foundations of Protection
- 5 January 18: Access Control
- 6 January 21: Security Models: Overview
- 7 January 23: Basic Crypto: Overview of Symmetric Key Block Ciphers
- 8 January 25: Basic Crypto: Attacks Against Block Ciphers
- 9 January 28: Security Models: Bell-LaPadula, Biba, Chinese Wall
- 10 January 30: Security Models: Clark-Wilson
- 11 Feb 1: Role-Based Access Control
- 12 February 4: Langsec Roots: A Theory on one Source of Insecurity
- 13 February 6: Langsec Roots: A Talk on Certificate Manipulation
- 14 February 8: Langsec Roots: Weird Machines
- 15 February 11: Langsec Foundations: Exploits as Weird Machines
- 16 February 13: Langsec Foundations: Weird Machines (cont)
- 17 February 15: Langsec Foundations: Weird Machines and Heap Attacks
- 18 February 18, 20, 22: No class
- 19 February 25: Langsec Applications: Intrusion Detection
- 20 February 27: Midterm Exam
- 21 March 1: Langsec Applications: Intrusion Detection (cont)
- 22 March 4: Langsec Applications: Confusing the PHY Layer
- 23 March 6: Langsec's Relationship with Interpreting and Enforcing Security Policy
- 24 March 8: Langsec Meets MLS in Weird Machines
- 25 March 11: HW2 and Related Topics
- 26 March 13: Security Architecture
- 27 March 15: Security Architecture (cont)
- 28 March 18: Isolation: Wherefore art thou reference monitor?
- 29 March 20: Security Evaluation (Overview)
- 30 March 22: Security Evaluation Exercise
- 31 March 25: Security Evaluation Exercise (cont)
- 32 March 27: Security Evaluation Exercise (cont)
- 33 March 29: No Class
- 34 April 1: Verifiable Quantum Systems
- 35 April 3: Overview of Automated Formal Methods
- 36 April 5: Hands-on GDB
- 37 April 8: Hands On GDB
- 38 April 10: Hands On GDB and Pin
- 39 April 12: Bug Project Showcase
- 40 April 15: On "Hackers"
- 41 Misc Topics
January 9: Introduction
Today we briefly covered the course outline, structure, topics, and policies. We also talked about the efficacy of some "basic hygiene" security advice.
Slides
http://www.cpsc.ucalgary.ca/~locasto/teaching/2013/CPSC525/lectures/intro.pdf
Notes/Links from Class Discussion
- S. Bellovin. The Security Flag in the IPv4 Header. RFC 3514, RFC Editor, April 1, 2003. txt
- Just what is the quality of this "advice"?
Readings
- No-tech hacking: http://www.youtube.com/watch?v=5CWrzVJYLWw
- http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
- http://stallman.org/articles/on-hacking.html
- http://pages.cpsc.ucalgary.ca/~locasto/readings/NSPW2006Greenwald.pdf
January 11: The Security Mindset
In this session, we will more closely consider how to develop a security mindset, with special reference to the readings for last session and this. We will also briefly consider how to read an academic paper because many of the readings in this course rely on original research papers.
Slides
- http://www.cpsc.ucalgary.ca/~locasto/teaching/2013/CPSC525/lectures/mindset.pdf
- http://www.cpsc.ucalgary.ca/~locasto/teaching/2013/CPSC525/lectures/sigcse-sismat.pdf
Notes/Links From Class Discussion
- http://readwrite.com/2013/01/10/texas-schools-win-right-to-track-students-with-creepy-invasive-rfid-locators
- current events: http://arstechnica.com/tech-policy/2013/01/senator-wyden-lays-out-digital-freedom-agenda-at-ces/
Readings
- "Reflections on Trusting Trust" http://cm.bell-labs.com/who/ken/trust.html
- Brian Snow, "We Need Assurance!" http://www.acsac.org/2005/papers/Snow.pdf
- http://www.schneier.com/blog/archives/2012/06/teaching_the_se.html (references Conti's work)
- Greg Conti, Shmoocon 2012: http://www.youtube.com/watch?v=v0JHDr1oT0Y
January 14: Ethics and the Security Mindset (Cont)
In this session, we will discuss some ethical frameworks, point out some important related legislation, and discuss some example areas, like ethics review for research and issues surrounding "responsible" disclosure.
Slides
Notes/Links From Class Discussion
- "Canada's Cyber Security Strategy" http://www.publicsafety.gc.ca/prg/ns/cybr-scrty/ccss-scc-eng.aspx
- Aaron Swartz: CNN CBC danah boyd
- current events: http://www.wired.com/threatlevel/2013/01/red-october-spy-campaign/all/
- http://www.teachingcopyright.org/
Vulnerability Disclosure
- http://seclists.org/dailydave/2010/q2/58
- CERT's stance: http://www.cert.org/kb/vul_disclosure.html
- http://seclists.org/bugtraq/1996/May/0
- http://seclists.org/fulldisclosure/2002/Jul/7
- https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
- http://isc.sans.edu/diary.html?storyid=6820&rss
- http://arstechnica.com/science/2012/06/controversial-h5n1-bird-flu-papers-published-fuels-fears-of-airborne-mutations/
Readings
- "Pretending Systems Are Secure" by Sean W. Smith PDF
- UofC Statement of Intellectual Honesty
- Towards an Ethical Code for Information Security
- Ethics: Stanford prison experiment http://www.prisonexp.org/
- http://sunnyday.mit.edu/papers/therac.pdf
- http://www.acm.org/about/code-of-ethics
- Privacy/Ethics: Should we let children on Facebook: http://www.economist.com/node/21556578?fsrc=scn/tw/te/ar/letthenippersnetwork
- J. Aycock, E. Buchanan, S. Dexter, and D. Dittrich. Human Subjects, Agents, or Bots: Current Issues in Ethics and Computer Security Research. Panel paper, 2nd Workshop on Ethics in Computer Security Research (LNCS 7126), 2012, pp. 138-145.
- http://dartmouth.smartcatalogiq.com/2012/orc/Regulations/Undergraduate-Study/Academic-Honor
- http://www.dartmouth.edu/~reg/regulations/undergrad/acad-honor.html
January 16: Foundations of Protection
In this session, we will consider some of the foundational concepts of computer security, including protection, access control, and the limits of such mechanisms. We will also take a look at some very common expressions of these concepts.
Slides
Notes
Readings
- The Craft of System Security: 1.1 The Standard Rubric
- The Craft of System Security: 1.2 The Matrix
- The Craft of System Security: 1.3 Other Views
- The Craft of System Security: 1.4 Safe States and the Access Control Matrix
- The Craft of System Security: 1.5 Other Hard Problems
- The Craft of System Security: 1.6 Takehome Message
- Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp 18-24 PDF
- "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman (ACM Digital Library, available via U of C with appropriate network address)
January 18: Access Control
In this session, we will consider some basic access control concepts and terminology.
Slides
Notes
- https://www.cpsc.ucalgary.ca/tech_support/services/www
- http://pages.cpsc.ucalgary.ca/~locasto/download/classified/secret.txt
Readings
The readings for today reinforce some of the foundations of protection by illustrating how they were mapped to the design of an early multi-user system, Multics, that took protection and security quite seriously. You can see remnants or echoes of these ideas in other commodity computing systems (e.g., x86 segments and privilege rings).
- "Protection in an information processing utility" http://www.multicians.org/graham-pipu.pdf
- "A hardware architecture for implementing protection rings" http://www.multicians.org/protection.html
- TCSS: 4.1, 4.2 (this should be review -- skip if you have a good handle on this material from your OS and architecture courses)
- "The Protection of Information in Computer Systems" by Jerome H. Saltzer and Michael D. Schroeder
January 21: Security Models: Overview
In this session, we will conduct an overview of the background knowledge needed for discussing specific security models (details of which will occur on the 28th and 30th). Topics include information flow, categories, and partial orders.
Slides
Notes
- Current events: Edmonton Jelly Bean Internet Voting
- http://www.edmonton.ca/city_government/municipal_elections/internet-voting.aspx
- http://www.edmonton.ca/city_government/municipal_elections/2012-jellybean-internet-voting-election-public-involvement.aspx
- http://www.edmonton.ca/city_government/municipal_elections/internet-voting-frequently-asked-questions.aspx#38220
Readings
- TCSS 2.1, 2.2, 2.3, 2.4, 2.5
January 23: Basic Crypto: Overview of Symmetric Key Block Ciphers
In this session, we will take a break from basic computer protection ideas to consider the role that basic cryptography has in protecting a system. We will examine a common form of encryption: symmetric key block ciphers.
Slides
- TBD
Readings
- TCSS: 7.1: Framework and Terminology
- TCSS: 7.3: Symmetric Cryptography
- TCSS: 7.4: Applications of Symmetric Cryptography (optional)
January 25: Basic Crypto: Attacks Against Block Ciphers
As part of our theme of learning through failure modes, we will consider how to attack block ciphers...ask yourself what security guarantees cryptography provides.
Slides
- TBD
Readings
- TCSS: 8.1: Breaking Symmetric Key without Brute Force
- TCSS: 8.2: Breaking Symmetric Key with Brute Force
- TCSS: 8.4: Breaking Cryptography via the Real World
January 28: Security Models: Bell-LaPadula, Biba, Chinese Wall
In this session, we will pick up with a more detailed examination of three security models.
Slides
Readings
- http://nob.cs.ucdavis.edu/history/papers/bell76.pdf (Sections 1 and 2)
- http://nob.cs.ucdavis.edu/history/CD/biba75.pdf (Abstract, Section 1 and 2)
January 30: Security Models: Clark-Wilson
In this session, we will examine the Clark-Wilson integrity model (this is probably about the only Wikipedia link I will give you...ask yourself why).
Slides
Notes
- current events: http://forkthelaw.org/
- http://torekeland.com/blog/on-amending-the-computer-fraud-and-abuse-act-cfaa
Readings
Feb 1: Role-Based Access Control
In this session, we will consider RBAC and related ideas.
Slides
Notes
- vfs_read call chain starts at: http://lxr.linux.no/#linux+v2.6.35.14/fs/read_write.c#L295
- SACMAT
Readings
- None, work on HW1
February 4: Langsec Roots: A Theory on one Source of Insecurity
In this session, we will touch on several ideas related to langsec, particularly the principle that: a thing is not what it is named, but rather a thing is what can be done to it. This principle connects with langsec because we often try to create systems that recognize a thing either by its label or by what it does or by what happens to it. We use the Gostak game to motivate this discussion.
We really start our discussion of langsec by asking the questions "Why do things break?" and "Why do things continue to break?"
We considered a few reasons why things seem to break beyond convenient excuses like lazy programmers and "dangerous" languages, including complexity and composition as hidden by abstraction.
Slides
Notes
- The Gostak
Readings
- Composition Patterns of Hacking. Sergey Bratus, Julian Bangert, Alexandar Gabrovsky, Anna Shubina, Daniel Bilar, and Michael E. Locasto. Proceedings of the 1st International Workshop on Cyber Patterns. pp. 80-85. 9-10 July 2012, Abingdon, Oxfordshire, UK
February 6: Langsec Roots: A Talk on Certificate Manipulation
Presentation
- Towards a formal theory of computer insecurity: a language-theoretic approach Len Sassaman, Meredith L. Patterson, Invited Lecture at Dartmouth College, March 2011. ISTS Seminar on YouTube: http://www.youtube.com/watch?v=AqZNebWoqnc&feature=player_embedded
- This talk partly discusses this work: "Exploiting Computational Slack in Protocol Grammars" http://ph-neutral.darklab.org/previous/0x7da/talks/grammars.html
Notes
Readings
- The Growing Harm of Not Teaching Malware by George Ledin, Jr.
- Langsec "patch" for Postel's Principle: http://www.cs.dartmouth.edu/~sergey/langsec/postel-principle-patch.txt
February 8: Langsec Roots: Weird Machines
Slides
- No slides -- retro paper surfing on the document display overhead!
Notes
- Let's start with our notion of what a vulnerability is, and what an exploit is.
- What is an exploit? What is shellcode?
- What is a vulnerability? What defines it?
- Motivating example: Aleph One: http://www.phrack.com/issues.html?issue=49&id=14&mode=txt
- Motivating example: Code Red: http://unixwiz.net/techtips/CodeRedII.html
- What is a "weird" "machine", and why should you care?
- weird : unexpected, latent functionality arising from the hidden or composed artifacts in your actual computing environment
- machine : actually quite structured and principled; may be "strange" but not ad hoc
- What is the difference between code and computation?
- What are some inception points of the idea of a "weird machine"?
- vuln-specific defenses
- Vulnerability Specific Execution Filters
- Vigilante "Vigilante: End-to-End Containment of Internet Worms"
- Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In the proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005). Alexandria, Virginia. November 2005. pdf
- http://immunityinc.com/infiltrate/archives/Fundamentals_of_exploitation_revisited.pdf
- ;login: article (below)
- vuln-specific defenses
- An impressive effort at documenting history (and the trends arising thereof) "The (Almost) Complete History of Memory Corruption Attacks" http://prezi.com/iemlmzvpnk_d/the-almost-complete-history-of-memory-corruption-attacks/
Readings
- USENIX ;login: articles in the December "Security" issue: http://www.usenix.org/publications/login/2011-12/index.html
- Exploit Programming: From Buffer Overflows to "Weird Machines" and Theory of Computation. Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, and Anna Shubina. USENIX ;login: vol. 36, no. 6, pp. 13--21 December 2011. Paper
February 11: Langsec Foundations: Exploits as Weird Machines
In this session, we will take a look at several types of code injection attacks as a way to help build our intuition about weird machines.
Slides
- None - we will be looking at code and papers.
Notes
- HW2 is released
- calling conventions: http://www.unixwiz.net/techtips/win32-callconv-asm.html
- code injection into the stack
- pause: countermeasures like the NX bit, non-executable stack, canaries, etc.
- compiling programs with -fno-stack-protector
- turning off ASLR: as root, `echo 0 > /proc/sys/kernel/randomize_va_space'
- marking executables as needing executable data areas: `execstack -s a.out'
- old libpng vuln as a weird machine: http://scary.beasts.org/security/CESA-2004-001.txt
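As an added example (not part of the course materials), the following C program audits the three settings the notes above switch off for the lab: the ASLR mode, the stack marking that `execstack -s` sets, and the stack-protector symbol. The function names, the `build_sample_elf64` helper and its sample image are constructed for illustration.

```c
/* Added example (not course code): audit the lab settings listed above. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u /* program header that carries stack permissions */
#define PF_X 0x1u                /* "executable" bit in p_flags */

enum { NOT_ELF = -1, STACK_NOEXEC = 0, STACK_EXEC = 1, STACK_UNMARKED = 2 };

/* Little-endian field readers; callers bounds-check before reading. */
static uint32_t rd16(const unsigned char *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | rd16(p + 2) << 16; }
static uint64_t rd64(const unsigned char *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Parse the text of /proc/sys/kernel/randomize_va_space; 0 means ASLR is off. */
int aslr_mode(const char *text)
{
    char *end;
    long v = strtol(text, &end, 10);
    return (end == text || v < 0 || v > 2) ? -1 : (int)v;
}

/* Report the stack marking of an ELF image, i.e. the bit `execstack -s` sets. */
int elf_stack_marking(const unsigned char *img, size_t len)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1)
        return NOT_ELF;                 /* short, bad magic, or not little-endian */
    int is64 = (img[4] == 2);
    if ((!is64 && img[4] != 1) || (is64 && len < 64))
        return NOT_ELF;
    uint64_t phoff   = is64 ? rd64(img + 32) : rd32(img + 28);
    uint32_t entsize = rd16(img + (is64 ? 54 : 42));
    uint32_t phnum   = rd16(img + (is64 ? 56 : 44));
    uint32_t flagoff = is64 ? 4 : 24;   /* p_flags offset differs per ELF class */
    if (phoff > len || entsize < (is64 ? 56u : 32u))
        return NOT_ELF;
    for (uint32_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * entsize;
        if (off > len || entsize > len - off)
            return NOT_ELF;             /* program header table is truncated */
        if (rd32(img + off) == PT_GNU_STACK)
            return (rd32(img + off + flagoff) & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_UNMARKED;              /* no PT_GNU_STACK: the kernel default applies */
}

/* Heuristic only: protected functions reference __stack_chk_fail by name. */
int has_canary_symbol(const unsigned char *img, size_t len)
{
    static const char sym[] = "__stack_chk_fail";
    size_t n = sizeof sym - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(img + i, sym, n) == 0)
            return 1;
    return 0;
}

/* Constructed sample: a bare ELF64 header plus one PT_GNU_STACK entry. */
size_t build_sample_elf64(unsigned char *buf, size_t cap, uint32_t stack_flags)
{
    if (cap < 64 + 56)
        return 0;
    memset(buf, 0, 64 + 56);
    memcpy(buf, "\x7f" "ELF\x02\x01\x01", 7);  /* 64-bit, little-endian, version 1 */
    buf[32] = 64;                               /* e_phoff: table follows the header */
    buf[54] = 56;                               /* e_phentsize */
    buf[56] = 1;                                /* e_phnum */
    buf[64] = 0x51; buf[65] = 0xe5; buf[66] = 0x74; buf[67] = 0x64; /* PT_GNU_STACK */
    buf[68] = (unsigned char)stack_flags;       /* p_flags: R=4, W=2, X=1 */
    return 64 + 56;
}

int main(int argc, char **argv)
{
    static unsigned char img[1 << 20];  /* only the first 1 MiB of the file is examined */
    size_t len;
    char aslr[16] = "";
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;

    if (f) {
        len = fread(img, 1, sizeof img, f);
        fclose(f);
    } else {
        len = build_sample_elf64(img, sizeof img, 7);  /* constructed RWX-stack sample */
    }
    if ((f = fopen("/proc/sys/kernel/randomize_va_space", "r")) != NULL) {
        if (!fgets(aslr, sizeof aslr, f))
            aslr[0] = '\0';
        fclose(f);
    }
    printf("ASLR mode: %d (0 = disabled, -1 = unknown)\n", aslr_mode(aslr));
    printf("stack marking: %d (1 = executable, 2 = unmarked)\n",
           elf_stack_marking(img, len));
    printf("canary symbol present: %d\n", has_canary_symbol(img, len));
    return 0;
}
```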
Readings
- Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In the proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005). Alexandria, Virginia. November 2005. pdf
- Daniela Oliveira and Jedidiah R. Crandall. Holographic Vulnerability Studies: Vulnerabilities as Fractures in Interpretation as Information Flows Across Abstraction Boundaries. In the Proceedings of the New Security Paradigms Workshop (NSPW 2012). Bertinoro, Italy. pdf
February 13: Langsec Foundations: Weird Machines (cont)
In this session, we will continue our gdb-based exploration of types of code injection attacks.
We use these examples to drive our understanding of what elements of the computing environment we need to know in order to find vulnerabilities and construct exploits for them. It isn't simply a matter of guessing where the right bytes should be, or shoveling a piece of execve-invoking x86 shellcode at any open port.
You need to understand the particular input format you're dealing with, how it is consumed (i.e., parsed!) by the application's logic, the state of the process address space, location of various important pieces of state (e.g., function pointers, return addresses, saved registers), how your input gets mapped into that space, how you can supply other input that gives the space structure and predictability (e.g., heap-spraying), how to avoid certain countermeasures, etc.
This whole concept hearkens back to the Cyberpatterns paper about the exploit engineering workflow.
Finding success in building a weird machine means that you need to understand the langsec properties of the program you are targeting.
Notes
- USENIX: https://www.usenix.org/students
- finish libpng example
Readings
- traditional return-to-libc: "Getting around non-executable stack (and fix)" Solar Designer http://www.clip.dia.fi.upm.es/~alopez/bugs/bugtraq2/0287.html
- return-to-libc: Nergal, "Advanced return-into-lib(c) Exploits: PaX Case Study," Phrack 58:4
- Return-oriented programming: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham. In Proceedings of CCS 2007, pages 552–561. ACM Press, Oct. 2007. http://cseweb.ucsd.edu/~hovav/papers/s07.html
February 15: Langsec Foundations: Weird Machines and Heap Attacks
We continue our discussion of weird machines with respect to attacking parts of the process address space other than the stack.
Readings
- USENIX ;login: articles in the December "Security" issue: http://www.usenix.org/publications/login/2011-12/index.html
- The Halting Problems of Network Stack Insecurity by Len Sassaman, Meredith L. Patterson, Sergey Bratus, and Anna Shubina Paper (click through the PDF link to download)
February 18, 20, 22: No class
This is reading week. Please digest the following:
Readings
- Thomas Dullien and Halvar Flake "Exploitation and State Machines" PDF
- F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.
- A Language-Based Approach to Security. Fred B. Schneider, Greg Morrisett, and Robert Harper
February 25: Langsec Applications: Intrusion Detection
In this session, we will consider the common security subfield of intrusion detection, and how langsec (as an explanation of insecurity) fouls many of the good intentions we have when we attempt to detect malicious content in network traffic or machine actions. If defense is predicated on detection, and detection is predicated on recognition -- we are in quite a pickle if we're trying to detect arbitrary computational constructs.
Langsec Principle: Alice and Bob are talking, but whoever is listening is highly confused.
Notes
- We looked at a paper (Handley et al.) and a couple of small demonstrations of this principle in action, like:
- looking at Snort rules
- disassembling network packets captured via tcpdump with udcli
Readings
- Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H Ptacek and Timothy M. Newsham
- Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Mark Handley and Vern Paxson and Christian Kreibich. USENIX paper, html
Related Work
- mimicry attack against syscall anomaly sensors
- Brief Note on the Utility of AV Debate
- Jarno Niemela's commentary on (misperceptions of) utility of AV
February 27: Midterm Exam
27 February is the midterm exam.
March 1: Langsec Applications: Intrusion Detection (cont)
Today we will talk about polymorphic shellcode and the challenges it presents to detection.
Notes
- reading week readings
- USENIX: https://www.usenix.org/students
- a note on system call profiles (strace-based profiling); a note on process relationships; Provos's work on systrace
- blog post on utility of AV (link above)
- x86 polymorphic shellcode disassembly example
Readings
- On the Infeasibility of Modeling Polymorphic Shellcode. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Angelos D. Keromytis, and Salvatore J. Stolfo. In the Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007). pp. 541--551. October 2007, Alexandria, VA.
- paper on "English Shellcode". Mason, Small, Monrose, MacManus. CCS 2009.
March 4: Langsec Applications: Confusing the PHY Layer
This session is a case study of Goodspeed's recent work in "Remotely Exploiting the PHY Layer".
Notes/Links
- WOOT 2011 talk: https://www.usenix.org/conference/woot11/packets-packets-orson-welles-band-signaling-attacks-modern-radios
- http://www.phrack.org/issues.html?issue=68&id=4&mode=txt (see 0x06, "How I misunderstood digital radio; or, "Weird machines" are in radio, too!" by M. Laphroaig pastor@phrack )
Readings
- http://travisgoodspeed.blogspot.ca/2011/09/remotely-exploiting-phy-layer.html
- WOOT 2011 paper: http://www.usenix.org/events/woot11/tech/final_files/Goodspeed.pdf
March 6: Langsec's Relationship with Interpreting and Enforcing Security Policy
This session will feature a guest lecture by Robin Gonzalez.
March 8: Langsec Meets MLS in Weird Machines
We'll talk about Deep Introspection, and some approaches to enforcing code-data ownership for real systems.
March 11: HW2 and Related Topics
Today we will discuss various topics related to HW 2, gdb, and shellcode. Consider this an "in-class" tutorial session. Feel free to bring your laptops/notebooks/devices.
Notes
Readings
Please read this material; it sets up our discussion of security architecture and concepts like privilege separation.
- "The Protection of Information in Computer Systems" by Jerome H. Saltzer and Michael D. Schroeder
- TCSS: S3.4
- http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security
March 13: Security Architecture
In this session, we will consider some security design principles. We will highlight some countermeasures against various forms of popular code-injection attack. It will help motivate our discussion of security architecture and the application of the Saltzer-Schroeder principles. We will begin by considering a case study of the security mechanisms present in the Linux kernel. We will continue by engaging in a design exercise -- this will likely span into the next session.
Slides
Case Study: the set of "security" mechanisms present in the Linux OS.
- in-kernel crypto libraries: http://lxr.linux.no/#linux+v2.6.32/crypto/twofish.c
- authentication: login, users, groups
- file system permissions
- gcc/propolice patch, stack canary
- ASLR
- noexec / nx
- segments (what segments?)
- page permissions
- privilege separation: http://www.citi.umich.edu/u/provos/ssh/privsep.html
- SELinux: http://lxr.linux.no/#linux+v3.8.2/Documentation/security/SELinux.txt
- LSM/security modules: http://lxr.linux.no/#linux+v3.8.2/Documentation/security/LSM.txt
- PAX/grsecurity
- SECCOMP: http://lxr.linux.no/#linux+v3.8.2/Documentation/prctl/seccomp_filter.txt
Readings
- Some Thoughts on Security After Ten Years of qmail 1.0, DJB, CSAW 2007 PDF
March 15: Security Architecture (cont)
Design Exercise: A Mobile Transit Safety App
- Come up with a design for this system:
- http://www.calgaryherald.com/technology/Scary+incident+prompts+call+greater+CTrain+safety/7869372/story.html
- how can it be misused?
March 18: Isolation: Wherefore art thou reference monitor?
In the last few sessions, we touched again on the concept of a reference monitor or security kernel. This highly privileged component is responsible for parsing, interpreting, and enforcing security policy. Many different real-world software systems attempt to provide this role, and one of their major security or protection guarantees is isolation.
In this session, we will consider the utility of using virtualization to provide isolation or execution containers.
Notes From Class
- TBD
Readings
- Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. html
- VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA. PDF
March 20: Security Evaluation (Overview)
Up until this point in the semester, we've discussed two major concepts:
- why things break (langsec)
- what traditional approaches to protection and security are and what they provide
In this session, we will begin to think about how to evaluate what level of security you achieve and how you can measure or assess this in a principled fashion.
Slides
Notes
- "Building and Operating a Trusted GIG" http://iac.dtic.mil/iatac/download/ia_policychart.pd
- "Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems." http://iase.disa.mil/stigs/
Readings
- Please read this short news article to warm up for our discussions on Friday. http://us.cnn.com/2013/03/18/tech/web/florida-election-cyberattack/index.html?hpt=hp_t2
- Brian Snow, "We Need Assurance!" http://www.acsac.org/2005/papers/Snow.pdf (if you haven't read this already)
- Steve Bellovin, "Security By Checklist" http://www.cs.columbia.edu/~smb/papers/04489860.pdf
- TCSS, 11.1: Standards
- TCSS, 11.2: Policy Compliance
- TCSS, 11.3: Testing
March 22: Security Evaluation Exercise
In this session, we will begin a security evaluation exercise. This exercise will last for about three sessions.
In this first class, we will cover the ground rules and structure of the assignment.
Intro
Welcome to IronRust Security Auditing Solutions, Inc. We have been asked to evaluate the security and assurance properties of a recent Internet-based mock vote. The "Green" Jellybean Party is asking for a recount and this assessment because they did not win (receiving only 111 votes out of 497 cast, good for third place behind Black (123) and Red (202), and ahead of Yellow (61)). According to pre-vote polls and exit polls, Green expected about 70 more votes, and is curious why their support seems to have broken for Black and Red. The Green candidate is an important client, and she wants answers.
Background
This scenario is based on Edmonton's recent trial run of a mock election over the Internet to assess the feasibility of running a municipal election online. In a preliminary assessment by the "Citizen Jury" process, their conclusion was:
"The verdict of the Citizen Jury was "Yes - Edmonton should adopt Internet voting as an option for future municipal elections". The verdict was delivered to the City Clerk and will be contained in the report going to City Council on January 23, 2013."
The city, however, has updated their page with the following notice:
"At the February 6, 2013 Edmonton City Council meeting, the decision was made not to proceed with the implementation of an Internet voting option in the 2013 General Election. Although not ready to move forward at this time, Council acknowledged the efforts made by City Administration to assess Internet voting as a potential option for voters."
Warmup Exercise 1
Please post to twitter using the hashtag #cpsc525vote whether you think Internet voting is a good or bad idea, and why.
Warmup Exercise 2
We will discuss this article:
- http://us.cnn.com/2013/03/18/tech/web/florida-election-cyberattack/index.html?hpt=hp_t2
- http://www.miamisao.com/publications/grand_jury/2000s/gj2012s.pdf
Warmup Exercise 3
And we will vote in the Piazza poll for our favorite jellybean color (do this over the next two days). See if you can 'make' your candidate win (only limitations: don't do anything illegal, and don't violate Piazza terms of service).
Rules
- IronRust Security Audit Solutions, Inc. will take the contract from the Green Jellybean Party, and to the best of our ability, perform a security postmortem on the election results and processes involved in creating and holding the election. We seek to answer the question: Does the JellyBean Mock Election demonstrate the feasibility of Internet voting in an Alberta Municipal election?
- Therefore, your main task is an evaluation of the quality of the procedure (based on available documents) used in running the mock election, not a rant for or against Internet voting in general.
- We are not addressing the question of a recount or what candidate should have won.
- The 625 students are our board of directors.
- Prof. Locasto is CEO.
- We need to choose two Scribes who are responsible for taking notes on our discussions and deliberations.
- We need to choose 4 team leaders (and their teams) to address the four main areas of our security evaluation.
- No cross-team communication except through class reports and discussion, for example, to bring in an outside resource that team A noticed and thought would be useful for Team B.
- You should find out what system was used, but do not attempt to obtain one.
- Feel free to consult outside experts.
- This is not a competition between groups. Do not actively interfere with the work of another group.
- Members should not switch teams.
Questions
Since we do not have access to the actual software system used in this trial, we have to perform our security analysis without it. Based on the description of the program, we will form teams to try to answer these questions:
Team 1:
- The main page says "Privacy, security, and confidentiality of the voting public is of primary importance to the City of Edmonton." What do you think these terms mean in this context? Why is this not an empty phrase?
- What is the value of the final results file and the information contained therein? What do the other "vote results" for other questions show/demonstrate?
- What is the credibility of the research team? The background? Possible biases?
- What are the names and affiliations of other Internet voting experts?
- What can we find out about the software used? How? (e.g., FOIA, purchase, etc.)
Team 2:
- What software was used? What is the company's background? Were they involved in any way (beyond providing the software) with this mock election?
- What are the security issues with the "approved" browsers?
- In what ways is an IP address tightly bound to a person? In what ways is it not?
- In what ways is an email address tightly bound to a person? In what ways is it not?
Team 3:
- Can any of these mechanisms (e.g., registration) be subverted? How?
- What is the value of the accepted list of credentials for the purposes of registration?
- What is the security evaluation value of the "citizen jury" of 18 citizens?
- Will the "real" election exactly duplicate the experiment in scale, type, processes, etc.?
Team 4:
- Is "security" the goal here? Or is it citizen "comfort"? (As this page says, the main question is Is Edmonton Ready for Internet Voting?)
- Is Internet voting any more or less dangerous or subject to manipulation than physical voting has been in the past?
Assessment of FAQs:
Your job is to assess the information contained in the FAQ answers.
- Team 1: Questions 1-8
- Team 2: Questions 9-18
- Team 3: Questions 19-25
- Team 4: Questions 26-34
Outcomes/Observations
- Scribe notes go here.
Links
- http://www.edmonton.ca/city_government/municipal_elections/internet-voting.aspx
- http://www.edmonton.ca/city_government/municipal_elections/2012-jellybean-internet-voting-election-public-involvement.aspx
- http://www.qp.alberta.ca/1266.cfm?page=L21.cfm&leg_type=Acts&isbncln=9780779760480 (needs flash)
March 25: Security Evaluation Exercise (cont)
Activities
A review of tweets.
Result of Piazza "election."
Preliminary reports and findings.
Small Group Discussions
The first half of the class will be small group discussions so that each team can "get on the same page". The latter half of the class period will be spent on discussing the preliminary opinions and findings.
March 27: Security Evaluation Exercise (cont)
Today we will continue and finish our discussion on an informal "audit" of an evoting experiment.
We have some material available in Piazza. After some initial discussion / presentation by the Prof, your individual teams will meet in small groups to assess this information.
Links
- http://www.charlesproxy.com/
- http://money.cnn.com/2012/11/06/technology/innovation/online-voting-election/index.html?hpt=hp_t2_6
March 29: No Class
Today is Good Friday and a University Holiday.
April 1: Verifiable Quantum Systems
As noted.
April 3: Overview of Automated Formal Methods
This topic is a bridge between the fundamental security models concepts introduced at the beginning of class and the topics associated with Security Evaluation and Assurance.
Links
- http://l4hq.org/
- http://www.ok-labs.com/whitepapers/sample/sel4-formal-verification-of-an-os-kernel
- http://www.cse.unsw.edu.au/~gernot/
- http://spinroot.com/spin/whatispin.html
Readings
- TCSS Chapter 15
- (optional) seL4 paper: http://www.ssrg.nicta.com.au/publications/papers/Klein_EHACDEEKNSTW_09.pdf
April 5: Hands-on GDB
In this class session, we will take another look at GDB (as requested via the Piazza poll). This session replaces the planned tutorial sessions. Bring your computer/notebook/laptop.
You will want to have the virtual machine that you set up earlier in the semester, or access to a LiveCD distribution, or some other Linux environment (even logging into one of the CPSC Linux machines to your home directory should suffice).
Activities
- Nope: USRI survey starting at noon.
Supplemental Readings
I recommend the book "Hacking: The Art of Exploitation"
April 8: Hands On GDB
Program analysis, debugging, intrusion detection, security evaluation, vulnerability identification, and security policy enforcement are all sides of the same...coin.
Today we looked at the concept of watchpoints, and we attempted to debug the "broken.c" program at the link above. You do not have direct access to the source code; use just the binary b32 or b64 (whichever is appropriate to your platform).
April 10: Hands On GDB and Pin
GDB is very useful, but sometimes changing the behavior of a monitored process is a bit easier with different tools like Pin or Valgrind.
In this session, we'll finish our consideration of the small bug in the program from Monday.
- http://pages.cpsc.ucalgary.ca/~locasto/teaching/2013/CPSC525/gdb/notes.txt
- Referencing a couple of Unix manual pages to understand what the program's assembly code is invoking: http://pages.cpsc.ucalgary.ca/~locasto/teaching/2013/CPSC525/gdb/misc-commands.txt
- What we did in GDB: http://pages.cpsc.ucalgary.ca/~locasto/teaching/2013/CPSC525/gdb/gdb-session.txt
- Peeking at the structure of the ELF: http://pages.cpsc.ucalgary.ca/~locasto/teaching/2013/CPSC525/gdb/elf-examine.txt
We will then take a look at Pin in a short presentation.
Tools
- http://www.pintool.org/
- The Pin API: http://software.intel.com/sites/landingpage/pintool/docs/56759/Pin/html/
April 12: Bug Project Showcase
- Syed Zain Rizvi
- Dummy Dave N
- Stephen Ma
- Adrian Cristea
Readings
- http://us.cnn.com/2013/04/11/tech/mobile/phone-hijack-plane/index.html?hpt=hp_t5
- Pretending Systems Are Secure: http://www.cs.dartmouth.edu/~sws/pubs/pretending.pdf
April 15: On "Hackers"
In this section, we'll consider whether our security mindset has helped us appreciate the complexity and variety hiding behind the word "hacker".
The topic of computer security includes a vast array of concepts, a rich history, and unique methods of learning and thinking. The hacking community, from companies with security professionals to black, grey, white, and straw-hat hackers, holds such a variety of people with different backgrounds and experiences. It's really an amazing community, full of some of the most diverse and sharpest people you'll ever meet.
Yet, this community is often misunderstood and regularly misrepresented. Part of that comes from the inherent difficulty of boiling down or summarizing so many diverse individuals into a single "community". But another part of this misperception is deliberate and willful ignorance of who the people here actually are -- outsiders tend to prefer thinking about hackers in the most pejorative sense possible, where a media tagline has given the word "hacker" a negative connotation.
Notes
Hacking Is OK and Attack Papers Are Good
- http://stallman.org/articles/on-hacking.html
- http://www.theatlantic.com/technology/archive/12/07/if-hackers-didnt-exist-governments-would-have-to-invent-them/259463/
- http://www.cs.dartmouth.edu/~sws/pubs/pretending.pdf
- Mindset: http://www.nukees.com/d/20070328.html
- It's OK to let students hack: http://geekout.blogs.cnn.com/2012/04/23/students-chow-down-on-cyber-security-weaknesses/?hpt=hp_bn10
- On "The Research Value of Publishing Attacks" http://cacm.acm.org/magazines/2012/11/156578-the-research-value-of-publishing-attacks/abstract
- ethics of error prevention: http://www.infoq.com/presentations/error-prevention-ethics
Should Knowledge Be Locked Away?
- Open Access Manifesto: http://archive.org/download/GuerillaOpenAccessManifesto/Goamjuly2008.pdf
- http://www.patrickmcdaniel.org/IEEE-copyright-policy.html
- disclosure policy cite: http://www.huffingtonpost.com/2011/11/16/charlie-miller-apple-cybersecurity-bug-hacker_n_1095330.html
- http://www.slate.com/articles/technology/future_tense/2013/03/dmca_chilling_effects_how_copyright_law_hurts_security_research.single.html
History
People have been arguing about what the word "hacker" means for decades.
- Denning article on Hackers: here (http://www.phrack.org/issues.html?issue=32&id=3&mode=txt) or here
- related phile: http://www.phrack.org/issues.html?issue=32&id=7&mode=txt
Surprise! The Internet was full of crap even before the web existed.
- Usenet flamewar on “hackers”: https://groups.google.com/forum/?fromgroups#!topic/comp.security.unix/Q_eI2DUsiGQ
Is Hacking Easy?
Sort of. The initial learning curve may be steep, but we know that complex systems breed bugs.
- http://www.securesolutions.no/why-its-easy-being-a-hacker/
- Bugs stay unpatched http://www.neowin.net/news/windows-has-a-17-year-old-un-patched-vulnerability
How Should a Hacker Act?
You need to take precautions, but this hasn't been well-studied...yet.
- OPSEC from the Grugq: http://www.slideshare.net/grugq/opsec-for-hackers
- http://arstechnica.com/tech-policy/2012/11/how-georgia-doxed-a-russian-hacker-and-why-it-matters/
- the hackback debate: http://www.steptoecyberblog.com/2012/11/02/the-hackback-debate/
Teaching Hackers
There are some places, schools, universities, programs, and shops that encourage the creation of new straw-hat hackers. This list of links is nowhere near exhaustive.
- Information Security Audit class / case study: http://www.cs.uwp.edu/staff/lincke/infosec/
- cybercrime vs. hacking: http://www.rollingstone.com/culture/news/sex-drugs-and-the-biggest-cybercrime-of-all-time-20101111
- http://blogs.wsj.com/digits/2012/01/13/u-s-business-defenses-against-hackers-are-like-the-maginot-line-nsa-chief-says/
- http://blogs.computerworld.com/19073/dirty_little_secrets_revealed_by_ethical_hackers
- http://money.cnn.com/2012/03/05/technology/hacker_school/index.htm?source=cnn_bin
- http://sites.isis.poly.edu/hackers-in-residence
- I don't agree with this paper at all: http://cacm.acm.org/magazines/2013/4/162513-why-computer-talents-become-computer-hackers/fulltext (dissect this)
Misc Topics
(to be placed above)
- Fault tolerance: Byzantine Generals paper
- Karger Multics security evaluation
- http://arstechnica.com/security/2012/08/wireless-password-easily-cracked/