updates

content/CSE4303/CSE4303_L2.md

@@ -0,0 +1,108 @@
+# CSE4303 Introduction to Computer Security (Lecture 2)
+
+[Configuring VM](https://github.com/seed-labs/seed-labs/blob/master/manuals/vm/seedvm-from-scratch.md)
+
+## Course introduction and security fundamentals
+
+### Other security goals
+
+Authenticity: identity of an entity (issuer of info/message) is verified
+
+Anonymity: identity of an entity remains unknown
+
+Non-repudiation: messages can’t be denied or taken back (e.g. online transaction commitments)
+
+### Security foundations
+
+Security is about people, processes, technology
+
+- need all 3 to be secure!
+
+Security is about *trust in* people, processes, technology
+
+- Fundamental question: where is trust being placed, and is it justified?
+- Computing stack: compromise at a given level can impact any higher level
+
+Attackers often exploit assumptions
+
+"I assumed everyone would log out when they leave”
+
+"I didn’t expect anyone to do that"
+
+The assumptions we make are often hidden or implicit, making them easy to forget when reasoning about security of a system
+
+Reasoning about security requires properly defining security relative to the particular system:
+
+- What assets are being secured?
+- What properties should the system enforce?
+  - CIA triad, anonymity, non-repudiation
+- What capabilities does the threat have?
+- Where does the system place trust?
+- What assumptions are being made?
+
+### Modeling attacks
+
+Common components:
+
+- System being attacked
+  - Architecture of the system, trust model, assumptions, assets
+- Threat model
+- Attack surface: what can be attacked
+  - Open ports and exposed services
+  - Public APIs and their parameters
+  - Web endpoints, forms, cookies
+  - File system permissions
+  - Hardware interfaces (USB, JTAG)
+  - User roles and privilege boundaries
+- Attack vector: how the attacker attacks
+  - SQL injection via POST /login
+  - Phishing to steal credentials, then SSH login
+  - Buffer overflow in a network daemon
+  - Cross-site scripting through a comment field
+  - Supply-chain poisoning of a dependency
+- Vulnerability: what the attacker can do
+- Exploit: how the attacker exploits the vulnerability
+- Damage: what the attacker can do
+- Mitigation: mitigate vulnerability
+- Defense: close vulnerability gap
+
+<details>
+<summary>Example</summary>
+
+Stealing credit card info via hidden scanner ("skimming")
+
+- System being attacked: card-swipe payment kiosk (alternative models?)
+- Threat model: professional criminal gang with substantial knowledge and resources
+- Attack surface: magstripe scanner
+- Attack vector: rogue scanner inserted into machine (e.g. at pay-at-the-pump gas station), or on top of existing scanner
+- Vulnerability: physical scanner easy(ish) to remove, and magstripes easy to read
+- Exploit: record card info as it’s scanned, then store/exfiltrate
+- Mitigation: 2FA in addition to magstripe (chip, PIN, zip code, etc.)
+- Defense: anti-tamper strips on card swiper
+
+</details>
+
+Importance of correct modeling
+
+- Attack-surface awareness guides defenses
+  - E.g. pre-Covid-19 vs. post-Covid attack surface of company
+servers
+- Match resources to expected threat actors
+- Common threat actors
+  - "Script kiddie": individual or group running off-the-shelf attacks
+    - Caveat: off-the-shelf attacks can still be quite powerful! Metasploit, Shodan, dark web market.
+  - "Insider attack": employee with access to internal machines/networks
+  - "Advanced Persistent Threat (APT)": nation-state level
+resources and patience
+  - All these threats have different motivations, require different defenses/responses!
+
+### Specific vulnerabilities
+
+Goal of the course: exposure to common threats in broad range of areas of computing stack
+
+- Hardware
+- OSes
+- Networks
+- Apps: web, AI/ML
+
+Studio time!

content/CSE4303/_meta.js

@@ -4,4 +4,5 @@ export default {
         type: 'separator'
     },
     CSE4303_L1: "Introduction to Computer Security (Lecture 1)",
+    CSE4303_L2: "Introduction to Computer Security (Lecture 2)",
 }