1 of 15

Secure Systems Engineering

Chester Rebeiro

Indian Institute of Technology Madras

CR

2 of 15

Secure Systems

  • Computer systems can be considered a closed box.
  • Information in the box is safe as long as nothing enters or leaves the box.

CR

3 of 15

Systems Still Secure

  • Even with viruses, worms, and spyware around information is still safe as long as they do not enter the system

3

CR

4 of 15

Vulnerability

  • A flaw that an attacker can use to gain access into the system

4

flaw

CR

5 of 15

Flaws that would allow an attacker �access a system

5

flaw

Bugs in the Program

The Human factor

The attacker just needs one

flaw … any flaw!!!

Design Flaws

CR

6 of 15

System Flaws

  • In application software
    • SQL Injection

  • In system software
    • Buffers overflows and overreads
    • Heap: double free, use after free
    • Integer overflows
    • Format string

  • In peripherials
    • USB drives; Printers

  • In Hardware
    • Hardware Trojans

  • Covert Channels
    • Can exist in hardware or software

6

These are not really program flaws.

CR

7 of 15

Secure Systems Engineering

Approach 1: Design flawless systems

eg. SeL4

(Not easy to develop these systems in a large scale)

Static analysis /

Formal Proof Assistant

eg. COQ

CR

8 of 15

Secure Systems Engineering

Approach 2: Make it difficult for the attacker� Develop systems that are secure in spite of flaws �

CR

9 of 15

Secure Systems Engineering

Approach 3: Isolate systems : sandbox environments, virtual machines, trusted environments�(trusted computing)

Takes care of the

human factor as well

CR

10 of 15

Course Structure

Designing a Secure System

Binary Exploitation

Part 1

Part 3

Latest Topics

(Hardware Security / Micro-architectural attacks)

Malware Analysis

Part 2

Part 4

CR

11 of 15

What to expect during this course

  • Deep dive into systems:
    • Software
      • Assembly level
      • Compiler and OS level

(Programming assignments in class and homework)

    • Hardware
      • Some computer organization features
  • Analysis techniques
      • Static, dynamic analysis / symbolic execution
      • Statistical analysis techniques and some ML

(Programming assignments for homework)

  • Course Project & Reading assignment

CR

12 of 15

Expected Learning Outcomes

  • Understand how C and C++ programs really work!
  • Understand the internals of malware and other security threats
  • Evaluate security measures applied at the hardware, OS, and compiler
  • Understand trade offs between performance and security

CR

13 of 15

Grading

Mid Semester : 20 marks

Endsem : 20 marks

Assignment : 40 marks

Course Project : 20 marks

CR

14 of 15

Schedule

  • Classes will be held from 17/Jan/2022 in Slot D.
    • Monday : 11:00 - 11:50 AM
    • Tuesday : 10:00 - 10:50 AM
    • Wednesday : 9:00 - 9:50 AM
    • Thursday: 1:00 - 1:50 PM  (will be used for Lab and Tutorials)

CR

15 of 15

Websites and Communication

  • Reference Textbooks

mostly research papers; will be provided as per topic

  • For slides and schedule

https://sites.google.com/cse.iitm.ac.in/cs6570-2022/home

  • For discussions / assignment submissions / announcement� Microsoft Teams

CR