Published by Camron Chandler. Modified over 8 years ago.
1
CSCE 548 Introduction Basic Security Concepts
2
APOGEE Students
Download recorded lectures
Contact instructor if needed via
– Phone: during office hours
– Email: any time
– Arrange meetings as needed
Attend exams as scheduled
Attend class presentation
CSCE 548 - Farkas
3
Instructor: Csilla Farkas
Office: Swearingen 3A43
Office Hours: Mondays, Wednesdays 3:30 – 5:00 pm, or electronically any time, or by appointment
Telephone: 576-5762
E-mail: farkas@cec.sc.edu
Class homepage: http://www.cse.sc.edu/~farkas/csce548-2012/csce548.htm
CSCE 727 - Farkas
4
Text Books
Software Security: Building Security In, by Gary McGraw. Publisher: Addison-Wesley Professional, February 2, 2006. ISBN-10: 0321356705, ISBN-13: 978-0321356703
24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc, John Viega. Publisher: McGraw-Hill Osborne Media. ISBN 978-0-07-162675-0
5
Assignments
Research project: There will be one research project related to software security. Final project reports must be submitted at the end of the semester. Further project requirements will be distributed at a later time.
Homework: There will be 4-5 homework assignments during the semester. There will be a late submission penalty of 4%/day after the due date. (You can always turn it in early.)
Class Presentation: Each group will cover a particular code-level security vulnerability (topics to be distributed later).
Exams: two closed-book in-class exams
6
Grading
Test 1: 15%, Test 2: 30%, Homework: 15%, Presentation: 10%, Research project: 30%
Total score that can be achieved: 100
Final grade: 90 < A; 87 < B+ <= 90; 80 < B <= 87; 76 < C+ <= 80; 66 < C <= 76; 61 < D+ <= 66; 50 < D <= 61
7
Course Policies
All students are responsible for reading and following the official Academic Responsibility of the University of South Carolina, as well as the policies of the university and department regarding usage of the computing resources.
8
Tentative Schedule
Week 1: Software Engineering and Security
Week 2: Risk Management
Week 3: Use Cases and Misuse Cases
Week 4: Software Reliability
Week 5: Seven Touchpoints for Software Security
Week 6: Code Review; Architectural Risk Analysis
TEST 1
Week 7: Penetration Testing, Risk-Based Security Testing
Week 8: Abuse Cases; Security Requirements
Week 9: Security Analysis; Taxonomy of Coding Errors
Week 10-15: Programming Flaws; Language-Based Vulnerabilities
April 25, 5:30-7:30 pm: FINAL EXAM
9
Questions?
10
Basic Security Concepts
CSCE 522 Information Security Principles, Fall 2011
http://www.cse.sc.edu/~farkas/csce522-2011/csce522.htm
11
Security Objectives
Confidentiality: prevent/detect/deter improper disclosure of information
Integrity: prevent/detect/deter improper modification of information
Availability: prevent/detect/deter improper denial of access to services
12
Fourth Objective
Securing computing resources: prevent/detect/deter improper use of computing resources
– Hardware
– Software
– Data
– Network
13
Information Assurance
Prevention
Detection
Tolerance/response
14
Achieving Security
Policy
– What to protect?
Mechanism
– How to protect?
Assurance
– How good is the protection?
15
Security Policy
Organizational Policy
Computerized Information System Policy
16
Security Tradeoffs
[Figure labels: COST, Security, Functionality, Ease of Use]
17
Threat, Vulnerability, Risk
Threat: potential occurrence that can have an undesired effect on the system
Vulnerability: characteristic of the system that makes it possible for a threat to potentially occur
Attack: action of a malicious intruder that exploits vulnerabilities of the system to cause a threat to occur
Risk: measure of the possibility of security breaches and severity of the damage
18
Types of Threats
Errors of users
Natural/man-made/machine disasters
Dishonest insider
Disgruntled insider
Outsiders
19
Types of Attack
Interruption – an asset is destroyed, unavailable or unusable (availability)
Interception – unauthorized party gains access to an asset (confidentiality)
Modification – unauthorized party tampers with asset (integrity)
Fabrication – unauthorized party inserts counterfeit object into the system (authenticity)
Denial – person denies taking an action (authenticity)
20
Computer Criminals
Amateurs: regular users who exploit the vulnerabilities of the computer system
– Motivation: easy access to vulnerable resources
Crackers: attempt to access computing facilities for which they do not have the authorization
– Motivation: enjoy challenge, curiosity
Career criminals: professionals who understand the computer system and its vulnerabilities
– Motivation: personal gain (e.g., financial)
21
Methods of Defense
Prevent: block attack
Deter: make the attack harder
Deflect: make other targets more attractive
Detect: identify misuse
Tolerate: function under attack
Recover: restore to correct state
Documentation and reporting
22
Information Security Planning
Organization Analysis
Risk management
Mitigation approaches and their costs
Security policy and procedures
Implementation and testing
Security training and awareness
23
Prevention
24
Identification
Authentication
25
Authentication
Allows an entity (a user or a system) to prove its identity to another entity
Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier
Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier
26
Access Control
27
Access Control
Protection objects: system resources for which protection is desirable
– Memory, file, directory, hardware resource, software resources, etc.
Subjects: active entities requesting accesses to resources
– User, owner, program, etc.
Access mode: type of access
– Read, write, execute
28
Indirect Information Flow Channels
Covert channels
Inference channels
29
Firewall Objectives
Keep intruders, malicious code and unwanted traffic or information out
Keep proprietary and sensitive information in
[Figure labels: Private Network, External Network, Proprietary data, External attacks]
30
Cryptography
Confidentiality
– Secret-Key Encryption
– Public-Key Encryption
31
Insecure communications
[Figure labels: Sender, Snooper, Recipient, Insecure channel, Confidential]
Plus:
– Authentication (digital signatures)
– Integrity verification (hash functions)
32
Encryption and Decryption
[Figure: Plaintext, Encryption, Ciphertext, Decryption, Plaintext]
33
Hash Functions
Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)
Given h and x, h(x) is easy to compute (ease of computation)
34
Digital Signatures in RSA
[Figure labels: A, B, Insecure channel, Plaintext, Signed plaintext, Encryption Alg., Decryption Alg., A’s public key, A’s private key, (need reliable channel), Sign, Verify]
35
Signature and Encryption
[Figure labels: D, E, D, E; A, B; Plaintext, Signed Plaintext, Signed Plaintext, Encrypted Signed Plaintext; A’s private key, B’s public key, B’s private key, A’s public key]
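The D, E, D, E chain on this slide, worked through as an added example that is not part of the lecture: textbook RSA with no padding, which is not secure and is used only because it mirrors the slide's boxes. The keys are constructed from well-known Mersenne primes, and the function names and the redundancy encoding are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys (never build real keys from special-form primes).
# N_A < N_B, so A's signature always fits under B's modulus.
N_A, D_A = make_key(2**127 - 1, 2**521 - 1)
N_B, D_B = make_key(2**107 - 1, 2**607 - 1)

def encode(msg: bytes) -> int:
    """Add redundancy so B can tell a genuinely signed value from garbage."""
    m = int.from_bytes(b"\x01" + hashlib.sha256(msg).digest()[:16] + msg, "big")
    if m >= N_A:
        raise ValueError("message too long for A's modulus")
    return m

def decode(m: int):
    """Return the message if the redundancy checks out, else None."""
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    tag, msg = raw[1:17], raw[17:]
    if raw[:1] != b"\x01" or tag != hashlib.sha256(msg).digest()[:16]:
        return None
    return msg

def a_send(msg: bytes) -> int:
    signed = pow(encode(msg), D_A, N_A)  # D with A's private key (sign)
    return pow(signed, E, N_B)           # E with B's public key (encrypt)

def b_receive(c: int):
    signed = pow(c, D_B, N_B)            # D with B's private key (decrypt)
    if signed >= N_A:                    # cannot be a value A produced
        return None
    return decode(pow(signed, E, N_A))   # E with A's public key (verify)

if __name__ == "__main__":
    c = a_send(b"meet at noon")          # constructed sample message
    print(b_receive(c), b_receive(c ^ 1))
```

The ordering of the two moduli matters: if A's modulus were larger than B's, some signatures would not fit under B's key and could not be recovered after encryption.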
36
Cryptographic Protocols
Messages should be transmitted to destination
Only the recipient should see it
Only the recipient should get it
Proof of the sender’s identity
Message shouldn’t be corrupted in transit
Message should be sent/received once only
37
Program Flaws
Taxonomy of flaws:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system
38
Security Flaws by Genesis
Genesis
– Intentional
  Malicious: Trojan Horse, Trapdoor, Logic Bomb, covert channels
  Non-malicious
– Inadvertent
  Validation error
  Domain error
  Serialization error
  Identification/authentication error
  Other error
39
Next Class: Secure software development
G. McGraw: Chapter 1