Berkeley COMPSCI 161 - Lecture Notes

This preview shows page 1-2 out of 6 pages.


CS 161 Computer Security
Fall 2008, Dawn Song
Notes 1

1 The scope of this class

Our goal in this class is to teach you some of the most important and useful ideas in computer security. By the end of this course, we hope you will have learned:

• How to build secure systems. You’ll learn techniques for designing, implementing, and maintaining secure systems.
• How to evaluate the security of systems. Suppose someone hands you a system they built. How do you tell whether their system is any good? We’ll teach you how systems have failed in the past, how attackers break into systems in real life, and how to tell whether a given system is likely to be secure.
• How to communicate securely. We’ll teach you some selections from the science of cryptography, which studies how several parties can communicate securely over an insecure communications medium.

Computer security is a broad field that touches on almost every aspect of computer science. We hope you’ll enjoy the scenery along the way.

What is computer security? Computer security is about computing in the presence of an adversary. One might say that the defining characteristic of the field, the lead character in the play, is the adversary. Reliability, robustness, and fault tolerance are about how to deal with Mother Nature, with random failures; in contrast, security is about dealing with actions instigated by a knowledgeable attacker who is dedicated to causing you harm. Security is about surviving malice, and not just mischance. Wherever there is an adversary, there is a computer security problem.

Adversaries are all around us. The Code Red worm infected a quarter of a million computers in less than a week, and contained a time-bomb set to try to take down the White House web server on a specific date. Fortunately, the attack on the White House was diverted—but one research company is estimating the worm cost $2 billion in lost productivity and in cleaning up the mess caused by infected machines. One company estimated that viruses cost businesses over $50 billion in 2003. Hackers armed with zombie networks of tens of thousands of compromised machines sell their services brazenly, promising to take down a competitor’s website for a few thousand dollars. It’s been estimated that, as of 2005, at least a million computers worldwide have been penetrated and “owned” by malicious parties; many are used to send massive amounts of spam or make money through phishing and identity fraud. Studies suggest that something like half of all spam is sent by such zombie networks. It’s a racket, and it pays well—the perpetrators are raking in money fast enough that they don’t need a day job. How are we supposed to secure our machines when there are folks like this out there? That’s the subject of this class.

2 It’s all about the adversary

The early history of computer security is interwoven with military applications (probably because the military were one of the first big users of computers, and the first to worry seriously about the potential for misuse), so it should not be surprising that much of the terminology has military connotations. We speak of an attacker who is trying to attack computer systems, of defenders working to protect their system from these threats, and so on. Well, you get the idea.

It might be surprising that we are going to spend so much time studying attackers and thinking about how to break into systems. Aren’t the attackers the bad guys? Why on earth would we want to spread knowledge that will help bad guys be more effective?

Part of the answer is that you have to know how your system is going to be attacked, if you want to defend it properly. Civil engineers need to learn what makes bridges fall down if they want to have any chance of building a bridge that will stay standing. Software engineering is no different; you need to know how systems fail in real life, if you want to have the best chance of building a system that will resist attack. This means you’d better know what kinds of attacks you are likely to face in the field. And, because attacks change and get better with time, you’d better learn to anticipate the attacks of the future.

While learning about recent history is certainly a good start, it’s not enough to learn only about attacks that have been used in the past. Attackers are intelligent (or some of them are, anyway). If you deploy a new defense, they will respond. If you build a new system, they will try to find its weak points and attack there. Attackers adapt. This means that we have to find ways to anticipate what kinds of attacks might be mounted against us in the future.

Security is like a game of chess, only it is one where the attackers often get the last move. We design a system, and then it is very hard to change once it has been deployed. If attackers find a security hole in a widely deployed system, the consequences can be pretty serious. Therefore, we’d better learn to predict in advance what the attackers might do to us, so that we can eliminate all the security holes before the system is deployed. We have to practice thinking like an attacker, so that we will know in advance how secure the system is.

Thinking like an attacker is not always easy. Sometimes it can be a lot of fun to try to outwit the system, like a game. Other times, it can be disconcerting to think about what could go wrong and who could get hurt, and that’s not fun at all.

What happens if you don’t anticipate how you may be attacked? The cellphone industry knows the answer. In the 1980’s, they designed and deployed an analog cellphone infrastructure with essentially no security measures; cellphones transmitted all their billing information in the clear, and security rested on the assumption that attackers wouldn’t bother to put together the equipment to intercept it. That assumption held for a while, but sooner or later criminals were bound to catch on, and they did. Technically savvy attackers built “black boxes” that intercepted the radio communications and cloned phones, and criminals used these to make fraudulent calls en masse and to mount call-selling operations for profit. Cellphone operators were unprepared for this, and in the early 90’s, it had gotten so bad that the US cellphone carriers were losing more than $1 billion per year. At one point I was told that 70% of the long-distance cellphone calls placed from downtown Oakland on a Friday night were fraudulent. By this point the

