Академический Документы
Профессиональный Документы
Культура Документы
important?
Course philosophy and goals
Course organization and information
High-level overview of topics
A broad perspective on computer security
Security
Most of computer science is concerned with
behavior
Different way of thinking!
An enemy/opponent/hacker/adversary who is actively
and maliciously trying to circumvent any protective
measures you put in place
Security is interdisciplinary
Draws on all areas of CS
Theory (especially cryptography)
Networking
Operating systems
Databases
AI/learning theory
Computer architecture/hardware
Programming languages/compilers
HCI, psychology
Really??!
Security incidents (reported)
Course Organization
Administrative
Me
TA
Contact information, office hours, listed on course
webpage
Course webpage
http://www.cs.umd.edu/~jkatz/security/f09
Syllabus
Subject to change
Slides will be posted for convenience, but they are not
a substitute for attending lecture
Assigned readings
Homeworks distributed from the course webpage
Check frequently for announcements
Course blog
http://cmsc414.wordpress.com
I will post after each lecture
Students can post questions/comments about the lecture
Today: post a hello message, and answer the
question: What do you hope to get from the course?
I will post for each homework
Students can post questions
I will post links to interesting news articles,
papers, etc.
Textbook
Recommended text:
Network Security by Kaufman, Perlman, and
Speciner (most recent edition)
Will only be used for a portion of the course
Several other good texts out there
Ask me if you are interested
Will supplement with other readings (distributed on
class webpage)
Course requirements
Homeworks
About 4-5 throughout the semester
Programming portion will be done with a partner
Each student will receive a computer account
You should have already been assigned a GRACE
account
Syllabus (tentative)
Syllabus I
Introduction
Is security achievable?
A broad perspective on security
Cryptography
The basics (take CMSC 456 or read my book for more)
If you took 456 with me, you can skip
Syllabus II
System security
General principles
Security policies
Access control
OS security
Trusted computing
Programming language security
Buffer overflows, input validation errors
Viruses/worms
Syllabus III
Network security
Identity, PKI
Authentication and key exchange protocols
Password and biometric authentication
Anonymity and pseudonymity
Privacy
Some real-world protocols (IPSec/SSL)
Attacks on network infrastructure (routing, DNS,
DDos)
Wireless security
Syllabus IV
Miscellaneous
Database security
Web security
Other topics (spam, )
A High-Level Introduction
to Computer Security
A nave view
Computer security is about CIA:
Confidentiality, integrity, and availability
These are important, but security is about much
more
A nave view
password
In reality
Where does security end?
password
forgot password?
password
public
A nave view
Achieve absolute security
In reality
Absolute security is easy to achieve!
How?
Absolute security is impossible to achieve!
Why?
Good security is about risk management
Security as a trade-off
The goal is not (usually) to make the system as
secure as possible
but instead, to make the system as secure as
Cost-benefit analysis
Important to evaluate what level of security is
necessary/appropriate
Security mindset
Learn to think with a security mindset in general
What is the system?
How could this system be attacked?
What is the weakest point of attack?
sense?
(I will not give you the answer you can find it online)
This is a thought experiment only!
Summary
The system is not just a computer or a network
Prevention is not the only goal
Cost-benefit analysis
Detection, response, recovery
Neverthelessin this course, we will focus on
Cheap
Distributed, automated
Anonymous
Insider threats
Trusting trust
(or: how hard is security?)
Trusting trust
Consider a compiler that embeds a trapdoor into
anything it compiles
How to catch?
Read source code? (What if replaced?)
Re-compile compiler?
What if the compiler embeds the trojan code
Trusting trust
Whom do you trust?
Does one really need to be this paranoid??
Probably not
Sometimes, yes
Shows that security is complexand essentially
impossible
Comes back to risk/benefit trade-off
Next time:
begin cryptography