Overview Topics in Computer Security Baojian Hua bjhuaustc

Overview Topics in Computer Security Baojian Hua bjhua@ustc. edu. cn

What's this course about?

What’s computer security? n Many aspects: n n n safety, confidentiality, integrity, availability, … Useful or important? What principles are applied in building safe and secure systems? n many ideas: isolation, open design, minimal trusted computing base, etc.

What’s computer security? n Diverse fields: n n Software security, web security, networking security, mobile security, ML security, Io. T security, blockchain security, … And still in rapid growth n Every new computer science topic comes with a security topic

Course Contents n Foundation of computer security n n General principals, terminologies & concepts Specific security problems and mitigations (5 board topics for this year's course) n n n Basic principals Software security Web security Network security Machine learning security

Course Contents: software security n Potential topics: n n n Set-UID & env-vars Shell and shellshock buffer overflow Ret-to-libc & ROP Format strings attack Race conditions & dirty-COW

Course Contents: web security n Potential topics: n n CSRF: Cross Site Request Forgery XSS: Cross-Site Scripting SQL injection Browser security (if time permits)

Course Contents: networking security n Potential topics: n n n Packet sniffing and spoofing Link layer (ARP cache poisoning) IP layer (IP attack) Transport layer (TCP attack, VPN) Application layer (DNS attack, PKI & TLS/HTTPS)

Course Contents: machine learning security n Potential topics: n n Backdoor, Trojan horse, neutron overflow, … You'll finish a project on this in a group n n n The content is relatively new No lectures, but we'll help to select the topics, set up the environments, etc. . Details to be discussed below

How does this course work?

Administrivia n Staff: n n Hua, Baojian: bjhua@ustc. edu. cn Fan, Qiliang: sa 613162@mail. ustc. edu. cn Pan, Zhizhong: sg 513127@mail. ustc. edu. cn Course page: n n n http: //staff. ustc. edu. cn/~bjhua papers, labs, books, projects, among other materials check it frequently

Course Organization n #1: book reading n n Chapter assigned before each lecture some are very technical, so must read in advance n n #2: lecture and discussion n lecture given by me discussion by all of us #3: lab n n n Don’t expect to pick it up just by sitting and listening 1 lab/per week planned you are expected to become an expert after … #4: project n Finish a project (team of no more than 3 people)

#1: Readings n This year, we'll be using the book n n Computer security: a hands-on approach how to read? n n n what security problem does this chapter intend to address? is this problem real or serious? How does the security problem happen? How to mitigate the problem? novel or borrowed from other fields? method detail? the benefits and drawbacks? Your comment! Better ideas?

#1: Reading, cont' n There will a question about the topic n n You are expected to answer the question after you read the material And submit you answer before the next lecture n n We’ll not grade you answer but just to see that you’ve made your hands dirty

#1: Background knowledge n Security study means that you must be an expert on the relevant topics n n n can we understand virus if we don’t know what's “. exe” file format or how it’s executed? can we perform web attack if we don’t know how browsers and web servers work? So, when reading the assigned papers, pick up the background knowledge along the way n we’d offer some other auxiliary materials

#2: lecture & discussion n Three parts in each week’s lecture: n #1: background knowledge, zero-starting n n #2: security vulnerability and exploitation n e. g. , what’s a buffer, how does it work? e. g. , why a buffer can be overflowed? e. g. , why does an overflow corrupt the system? #3: defending techniques n e. g. , canary, stack-guard or CPU NX-bit

#3: Labs n n Learning-by-doing, or learning-byhacking This year, we'll be using the accompanied SEED project with the book n n Roughly 1 lab/per week Considerable engineering efforts n To start early

#4: Projects n Select a topic from machine learning security n n And finish a final project See the course web pages for detailed schedule n n Proposal, write-up, presentation In a group of no more than 3 people

Evaluation n Labs: 30% Project: 30% Final-test: 40%

What to do next? n n Check out the course web pages Lab #1 is out: n n Read the first assigned reading n n To install the software Do the homework Find partners, form groups, select ML security topics

Have fun!