Introduction and Security Principles

CS 161 - Lecture 1

Computer Science 161

Today

• Introductions
• Nicholas and Peyrin
• Course staff
• Course logistics
• What will you learn in this class?
• What is security? Why is it important?
• Security principles

2

Computer Science 161

Introductions

3

Computer Science 161

Who Am I? Nicholas

• 3rd-year EECS student
• Took 161 in Spring 2020 and then TA’d for it after that
• Current research interests: Data-oblivious primitives and algorithms in a distributed setting
• I love board games! Have definitely missed playing them in person…

4

Computer Science 161

Who Am I? Peyrin

• Incoming EECS 5th-year MS student
• Advisor: Nick Weaver (frequent 161 instructor!)
• Research focus: CS education (balancing accessibility, cheating detection, student stress, and effectiveness in online exams)
• 7th time teaching 161
• Feels like I’m stuck in a time loop every time Project 1 releases again…
• … but it’s been fun helping the class grow and adapt to remote semesters!

5

Computer Science 161

And a team of talented TAs and readers!

6

Sid Bansal

he/him

Prachi Deo

Jinan Jiang

he/him

Fuzail Shakir

he/him

Jun Hee Han

he/him

Solomon Joseph

he/him

Kenneth Lien

he/him

vron

they/them or ey/em

EvanBot

any/all

TAs

Readers

Computer Science 161

Course Logistics

7

Computer Science 161

Learning Objectives

• How to think adversarially about computer systems
• How to assess threats for their significance
• How to build computer systems with robust security properties
• How to gauge the protections and limitations provided by today's technology
• How attacks work in practice

8

Computer Science 161

Course Outline

• Introduction to Security
• What are some general philosophies when thinking about security?
• Memory Safety
• How do attackers exploit insecure software? How do we defend against these attacks?
• Cryptography
• How do we securely send information over an insecure channel?
• Web Security
• What are some attacks on the web, and how do we defend against them?

9

Computer Science 161

Course Outline

• Network Security
• What are some attacks on the Internet, and how do we defend against them?
• Miscellaneous Topics
• Useful, interesting, or fun applications of topics
• You can use CS 161 knowledge to finish Super Mario Bros. 3 in record time?!

10

Computer Science 161

Extra Tools and Skills

• Some extra non-security-related skills you can take away from this class:
• Memory safety
• x86 assembly: A commonly-used assembly language
• Using GDB: Debugging C code
• Cryptography
• Becoming a better consumer: Be able to analyze security products and pick the right security tools for your software
• Web Security
• Software engineering: Understanding how websites are built and how your web browser interacts with remote web servers (CS 169 preview)
• Network Security
• Networking: How the Internet works (CS 168 preview)

11

Computer Science 161

Prerequisites

• CS 61B: Ability to work with large and complex codebases, data structures
• Relevant for Project 2 (500–1000 lines of Go code)
• CS 61C: Familiarity with low-level memory layouts and assembly
• We’ll spend the next lecture reviewing all the 61C material you need to succeed
• Relevant for the memory safety unit (Project 1, first two weeks of class only)
• CS 70: Familiarity with basic mathematical notation and proof structures
• Relevant for the cryptography unit
• We’ll review CS 70 material as we encounter it during the cryptography lectures
• An ability to pick up new programming languages quickly
• Project 2 will be in Go

12

Computer Science 161

Course Structure

• Lectures
• Option 1: Live lectures (Nicholas and Peyrin) (recordings will be posted)
• Option 2: Recorded lecture videos (Professors Raluca Popa and David Wagner)
• Discussions
• Attend any discussion section you want
• Discussion walkthrough videos will be posted
• Office Hours: https://oh.cs161.org/
• Office hours are posted on the website
• Exams
• Midterm: Tuesday, July 13, 5:00–7:00 PM PT
• Final: Thursday, August 12, 5:00–8:00 PM PT
• Alternate exams will be available if you have a time conflict
• Attendance is always optional! (Except exams)

13

Computer Science 161

Resources

• Textbook: https://textbook.cs161.org/
• Free! There’s no textbook you need to pay for
• Readings are optional, but highly recommended from past students
• Course website: https://cs161.org
• Course schedule, lecture slides, assigned readings, and other resources are all posted here

14

Computer Science 161

Platforms

• Piazza
• Course-related communication should take place in Piazza or happen in office hours
• For private matters, you can make a private post
• Please don’t post publicly about project spoilers!
• Gradescope
• All assignments are submitted and graded on Gradescope
• Email
• cs161-staff@berkeley.edu for private matters
• Piazza response is faster, but staff will monitor the email if you’re more comfortable with that

15

Computer Science 161

Platforms

• Piazza
• Course-related communication should take place in Piazza or happen in office hours
• For private matters, you can make a private post
• Please don’t post publicly about project spoilers!
• Gradescope
• All assignments are submitted and graded on Gradescope
• Email
• cs161-staff@berkeley.edu for private matters
• Piazza response is faster, but staff will monitor the email if you’re more comfortable with that

16

Computer Science 161

Grading Structure

• Homework: 15%
• Projects: 30%
• 3 projects in total, each 10% of your grade
• Optional Labs: 15%
• If not completed, its score will be replaced by your homework score or project score, whichever is higher
• Midterm: 15%
• Final: 25%

17

Computer Science 161

Class Policies: Submission Policy

• Homework
• Individual
• Instant feedback: You can keep trying until you get the answer right
• No credit for late homework, but we drop your lowest homework score
• Projects and labs
• Individual or groups of 2
• 1 day late: -10%
• 2 days late: -20%
• 3 days late: -40%
• >3 days late: No credit
• You have 3 slip days, which will be applied optimally to maximize your final grade.

18

Computer Science 161

Class Policies: Collaboration

• Asking questions and helping others is encouraged
• Discussing course topics with other is welcome!
• Limits of collaboration
• Don’t share solutions with each other (except project partners)
• You should never see or have possession of anyone else’s solutions—including from past semesters

19

Computer Science 161

Class Policies: Academic Honesty

• We’re here to help! There are plenty of staff and resources available for you
• There’s no need to cheat and find disallowed resources. We have lots of resources for you!
• You can always talk to a staff member if you’re feeling stressed or tempted to cheat
• Academic dishonesty policies
• At minimum, the student will receive negative points on the assignment
• Example: If the midterm is worth 150 points, the student will receive a score of -150 on the midterm.
• The student will be referred to Nick Weaver and the Center for Student Conduct
• CSC often doesn’t care that much about first-time cases! They are there to make sure a student doesn’t make the same mistake a second time.
• If you take the class honestly, you don’t need to worry about these!

20

Computer Science 161

Class Policies: Exam Proctoring

• We will be using remote proctoring through Zoom for the midterm and final
• We’ve worked hard to make sure the setup is low-stress while preserving exam security
• Logistics are available at https://cs161.org/exam

21

Computer Science 161

Class Policies: DSP and Extenuating Circumstances

• Disabled Students’ Program (DSP)
• There’s a variety of accommodations UC Berkeley can help us set up for you in this class
• https://dsp.berkeley.edu/
• Are you facing barriers in school due to a disability?
• Apply to DSP!
• Our goal is to teach you the material in our course. The more accessible we can make it, the better.
• Shit happens. Do you need an extension or other accommodation?
• Please let us know through our form: https://cs161.org/extensions.html

22

Computer Science 161

Stress Management and Mental Health

• We want to reduce your stress where we can
• Project 2 (mid semester) is going to be the most intensive part of this class, but we’ve made things lighter towards the end (when every other class has stuff due)

Your health is more important than this course

• If you feel overwhelmed, there are options
• Academically: Ask on Piazza, talk to staff in office hours, set up a meeting with staff to make a plan for your success this semester
• Non-academic:
• Counselling and Psychological Services (CAPS) has multiple free, confidential services
• Casual consultations: https://uhs.berkeley.edu/counseling/lets-talk
• Crisis management: https://uhs.berkeley.edu/counseling/urgent
• Check out UHS’s resources: https://uhs.berkeley.edu/health-topics/mental-health

23

Computer Science 161

Ethics

• In this class, you will learn a lot about attacks out of necessity
• To be able to defend against the attacker, you must learn the techniques that attackers use
• It is usually okay to break into your own systems
• This is a great way to evaluate your own systems
• It is usually okay to break into someone else’s systems with their explicit permission
• It is grossly unethical and exceedingly criminal to break into someone else’s systems without their permission

24

Computer Science 161

Case Studies and Blue Slides

• Security is often best taught through real-world case studies and stories
• Lectures will sometimes use real-world examples to demonstrate concepts
• Slides with a blue background are case study slides
• Content on blue slides are not tested on exams
• You do not need to remember the exact details of the story
• Each blue slide will end in a takeaway that describes the moral of the story
• You do need to understand the takeaway from the story

25

Computer Science 161

What is security?

26

Computer Science 161

What is security?

• Enforcing a desired property in the presence of an attacker
• Data confidentiality, user privacy, data and computation integrity, authentication, availability, etc.
• Security is not privacy: Privacy is protecting data from unauthorized access
• Privacy is about making sure that the data is either not collected in the first place or, if collected, not misused
• Security is not safety: Safety is enforcing a desired property, but in the presence of random nature
• In other words, making sure systems work as expected

27

Computer Science 161

Why is security important?

• It is important for our
• physical safety
• confidentiality/privacy
• functionality
• protecting our assets
• successful business
• a country’s economy and safety
• and so on…

28

Computer Science 161

Why is security important?

• Consider: Physical Safety

29

Computer Science 161

Why is security important?

• Consider: Privacy/Confidentiality

30

In 2018, there were over 1,200 breaches, totalling 450,000,000 records compromised!

Computer Science 161

Why is security important?

• Consider: Countries and Nations

31

Computer Science 161

What is hackable?

• Everything!
• Especially things connected
 to the Internet
• Assume that every system is a target
• A casino was hacked because a fish-tank thermometer was hacked within the network

32

Computer Science 161

Security Principles

33

Computer Science 161

The Parable of the Bear Race

“I don’t have to outrun the bear. I just have to outrun you.”�Takeaway: You often just need to have “good enough” defense to make attackers turn somewhere else.

34

Computer Science 161

Security Principle: Know Your Threat Model

• Threat model: A model of who your attacker is and what resources they have
• It all comes down to people: The attackers
• No attackers = No problem!
• One of the best ways to counter an attacker is to attack their reasons
• Why do people attack systems?
• Money
• Politics
• Fun
• Watching the world burn

35

Computer Science 161

Security Principle: Know Your Threat Model

• Consider: Personal security
• Who and why might someone attack you?
• Criminals might attack you for money
• Teenagers might attack you for laughs or to win online games
• Governments might spy on you to collect intelligence
• Intimate partners might spy on you
• This is a surprisingly dangerous threat model!

36

Computer Science 161

The National Security Agency (NSA)

• Stated purpose: To collect information to protect US national security
• Since its founding in 1952, the NSA has:
• Decoded secret enemy communications in wars
• Spied on people in the US and other countries (sometimes legally, sometimes illegally)
• Participated in security research and helped develop security standards
• Developed secret techniques for surveillance and cyberattacks
• For better or worse, the NSA are an essential part of computer security
• We’ll see many stories with the NSA this semester

37

Computer Science 161

Threat Model: Common Assumptions for Attackers

• Assume the attacker…
• Can interact with systems without notice
• Knows general information about systems (operating systems, vulnerabilities in software, usually patterns of activity, etc.)
• Can get lucky
• If an attack only succeeds 1/1,000,000 times, the attacker will try 1,000,000 times!
• May coordinate complex attacks across different systems
• Has the resources required to mount the attack
• This can be tricky depending on who your threat model is
• Can and will obtain privileges if possible

38

Computer Science 161

Trusted Computing Base

• Trusted computing base (TCB): The components of a system that security relies upon
• Properties of the TCB:
• Correctness
• Completeness (can’t be bypassed)
• Security (can’t be tampered with)
• Generally made to be as small as possible
• A smaller, simpler TCB is easier to write and audit.
• KISS principle: Keep It Simple, Stupid

39

Computer Science 161

Warning Dialogs

40

Computer Science 161

Warning Dialogs

41

Computer Science 161

Warning Dialogs

42

Computer Science 161

Warning Dialogs

Takeaway: Consider human factors

43

Computer Science 161

Security Principle: Consider Human Factors

• It all comes down to people: The users
• Users like convenience (ease of use)
• If a security system is unusable, it will be unused
• Users will find way to subvert security systems if it makes their lives easier
• It all comes down to people: The programmers
• Programmers make mistakes
• Programmers use tools that allow them to make mistakes (e.g. C and C++)
• It all comes down to people: Everyone else
• Social engineering attacks exploit other people’s trust and access for personal gain
• Consider the tools presented to users, and make them fool-proof

44

Computer Science 161

Physical Safes

Takeaway: Security is economics

• We want our safes to stop people from breaking in, so let’s measure them by how long it takes an expert to break into one:

45

Computer Science 161

Security Principle: Security is Economics

• Cost/benefit analyses often appear in security: The expected benefit of your defense should be proportional to the expected cost of attack
• More security (usually) costs more
• If the attack costs more than the reward, the attacker probably won’t do it
• Example: You don’t put a $10 lock on a $1 item…
• … unless a $1 item can be used to attack something even more valuable
• Example: You have a brand-new, undiscovered attack that will work on anybody’s computer. You wouldn’t expose it on a random civilian
• iPhone security vulnerabilities are often sold for ~$1M on the market, so it’s probably safe to use an iPhone on a hostile network if you aren’t a $1M target

46

Computer Science 161

Burglar Alarms

• Security companies are supposed to detect home break-ins
• Problem: Too many false alarms. Many alarms go unanswered
• Placing a sign helps deter burglars from entering at risk of being caught…
• … even if you don’t have an alarm installed!
• Takeway: Prevent attacks when you can, but detect them if you can’t

47

Computer Science 161

Security Principle: Detect if You Can’t Prevent

• Deterrence: Stop the attack before it happens
• Prevention: Stop the attack as it happens
• Detection: Learn that there was an attack (after it happened)
• If you can’t stop the attack from happening, you should at least be able to know that the attack has happened.
• Response: Do something about the attack (after it happened)
• Once you know the attack happened, you should respond
• Detection without response is pointless!

48

Computer Science 161

Response: Mitigation and Recovery

• Assume that bad things will happen! You should plan security in way that lets you to get back to a working state.
• Example: Earthquakes
• Have resources for 1 week of staying put
• Have resources to travel 50 miles from my current location
• Example: Ransomware
• Keep offsite backups!
• If your computer and house catch on fire, it should be no big deal.

49

Computer Science 161

Detection but no Response

• Bitcoin transactions are irreversible. If you are hacked, you can never recover your Bitcoins.
• $68M stolen from NiceHash exchange in December 2017
• Four multi-million-dollar attacks on Ethereum in July 2018
• Coinbase: One detected theft per day
• Takeaway: Prevention is great, but you must not only depend on prevention; you must also respond

50

Computer Science 161

The Theodosian Walls of Constantinople

• The ancient capital of the Byzantine empire had a wall…
• Well, they had a moat…
• then a wall…
• then a depression…
• … and then an even bigger wall
• It also had towers to rain fire and arrows upon the enemy…
• Takeaway: Defense in depth

51

Computer Science 161

Security Principle: Defense in Depth

• Multiple types of defenses should be layered together
• An attacker should have to breach all defenses to successfully attack a system
• However, consider security is economics
• Defenses are not free.
• Defenses are often less than the sum of their parts

52

Computer Science 161

uTorrent

53

Computer Science 161

uTorrent

54

Computer Science 161

uTorrent

55

Computer Science 161

uTorrent

56

Computer Science 161

uTorrent

• What was this program able to do?
• Leak your files
• Delete your files
• Send spam
• Run another malicious program
• What does this program need to be able to do?
• Access the screen
• Manage some files (but not all files)
• Make some Internet connections (but not all Internet connections)
• Takeaway: Least privilege

57

Computer Science 161

Security Principle: Least Privilege

• Consider what permissions a entity or program needs to be able to do its job correctly
• If you grant unnecessary permissions, a malicious or hacked program could use those permissions against you

58

Computer Science 161

Welcome to a Nuclear Bunker

59

Computer Science 161

Welcome to a Movie Theater

60

Computer Science 161

Security Principle: Separation of Responsibility

• If you need to have a privilege, consider requiring multiple parties to work together (collude) to exercise it
• It’s much more likely for a single party to be malicious than for all multiple parties to be malicious and collude with one another

61

Computer Science 161

Spot the Issue

62

Computer Science 161

Security Principle: Ensure Complete Mediation

• Ensure that every access point is monitored and protected
• Reference monitor: Single point through which all access must occur
• Example: A network firewall, airport security, the doors to the dorms
• Desired properties of reference monitors:
• Correctness
• Completeness (can’t be bypassed)
• Security (can’t be tampered with)
• Should be part of the TCB

63

The cars drove around the barrier

Computer Science 161

Time-of-Check to Time-of-Use

• A common failure of ensuring complete mediation involving race conditions
• Consider the following code:

64

procedure withdrawal(w)

// contact central server to get balance

1. let b := balance

​

2. if b < w, abort

​

// contact server to set balance

3. set balance := b - w

​

4. give w dollars to user

Suppose you have $5 in your account. How can you trick this system into giving you more than $5?

Computer Science 161

Time-of-Check to Time-of-Use

withdrawal(4)�1. let b := balance�2. if b < w, abort

��withdrawal(4)�1. let b := balance�2. if b < w, abort�

// contact server to set balance�3. set balance := b - w��4. give w dollars to user

65

// contact server to set balance�3. set balance := b - w��4. give w dollars to user

The machine gives you $8!

Computer Science 161

Accident on Motorway

66

Here’s the hidden computer inside the sign.

Here’s a highway sign.

Here’s the control panel. The user manual says you can reset the password by entering DIPY.

Computer Science 161

Caution! Zombies Ahead!!!

Note: Do not ever do this. Yes, some former CS 161 students did it once.

67

Computer Science 161

Trapped in Sign Factory! Send Help!

Takeaway: Shannon’s maxim/Don’t rely on security through obscurity

68

Computer Science 161

Security Principle: Shannon’s Maxim

• Shannon’s maxim: “The enemy knows the system”
• You should never rely on obscurity as part of your security. Always assume that the attacker knows every detail about the system you are working with (algorithms, hardware, defenses, etc.).

69

Assume the attacker knows where the “secret” control panel is located, and has read the manual with instructions on resetting the password.

Computer Science 161

Soda Hall

• Rooms in Berkeley’s Soda Hall are guarded by electronic card keys
• What do you do if the power goes out?
• Fail closed: No one can get in if the power is out
• Fail open: Anyone can get in if the power goes out
• What’s the best option to choose for closets with expensive equipment? What about emergency exit doors?
• Takeaway: Use fail-safe defaults

70

Computer Science 161

Security Principle: Use Fail-Safe Defaults

• Choose default settings that “fail safe,” balancing security with usability when a system goes down
• This can be hard to determine

71

Computer Science 161

Security Principle: Design in Security from the Start

• When building a new system, include security as part of the design considerations rather than patching it after the fact
• A lot of systems today were not designed with security from the start, resulting in patches that don’t fully fix the problem!
• Keep these security principles in mind whenever you write code!

72

Computer Science 161

Security Principles: Summary

• Know your threat model: Understand your attacker and their resources and motivation
• Consider human factors: If your system is unusable, it will be unused
• Security is economics: Balance the expected cost of security with the expected benefit
• Detect if you can’t prevent: Security requires not just preventing attacks but detecting and responding to them
• Defense in depth: Layer multiple types of defenses
• Least privilege: Only grant privileges that are needed for correct functioning, and no more
• Separation of responsibility: Consider requiring multiple parties to work together to exercise a privilege
• Ensure complete mediation: All access must be monitored and protected, unbypassable
• Shannon’s maxim: The enemy knows the system
• Use fail-safe defaults: Construct systems that fail in a safe state, balancing security and usability.
• Design in security from the start: Consider all of these security principles when designing a new system, rather than patching it afterwards

73

Computer Science 161