NoteNextra-origin/content/CSE4303/CSE4303_L2.md

# CSE4303 Introduction to Computer Security (Lecture 2)

[Configuring VM](https://github.com/seed-labs/seed-labs/blob/master/manuals/vm/seedvm-from-scratch.md)

## Course introduction and security fundamentals

### Other security goals

Authenticity: identity of an entity (issuer of info/message) is verified

Anonymity: identity of an entity remains unknown

Non-repudiation: messages can’t be denied or taken back (e.g. online transaction commitments)

### Security foundations

Security is about people, processes, technology

- need all 3 to be secure!

Security is about *trust in* people, processes, technology

- Fundamental question: where is trust being placed, and is it justified?
- Computing stack: compromise at a given level can impact any higher level

Attackers often exploit assumptions

"I assumed everyone would log out when they leave”

"I didn’t expect anyone to do that"

The assumptions we make are often hidden or implicit, making them easy to forget when reasoning about security of a system

Reasoning about security requires properly defining security relative to the particular system:

- What assets are being secured?
- What properties should the system enforce?
  - CIA triad, anonymity, non-repudiation
- What capabilities does the threat have?
- Where does the system place trust?
- What assumptions are being made?

### Modeling attacks

Common components:

- System being attacked
  - Architecture of the system, trust model, assumptions, assets
- Threat model
- Attack surface: what can be attacked
  - Open ports and exposed services
  - Public APIs and their parameters
  - Web endpoints, forms, cookies
  - File system permissions
  - Hardware interfaces (USB, JTAG)
  - User roles and privilege boundaries
- Attack vector: how the attacker attacks
  - SQL injection via POST /login
  - Phishing to steal credentials, then SSH login
  - Buffer overflow in a network daemon
  - Cross-site scripting through a comment field
  - Supply-chain poisoning of a dependency
- Vulnerability: what the attacker can do
- Exploit: how the attacker exploits the vulnerability
- Damage: what the attacker can do
- Mitigation: mitigate vulnerability
- Defense: close vulnerability gap

<details>
<summary>Example</summary>

Stealing credit card info via hidden scanner ("skimming")

- System being attacked: card-swipe payment kiosk (alternative models?)
- Threat model: professional criminal gang with substantial knowledge and resources
- Attack surface: magstripe scanner
- Attack vector: rogue scanner inserted into machine (e.g. at pay-at-the-pump gas station), or on top of existing scanner
- Vulnerability: physical scanner easy(ish) to remove, and magstripes easy to read
- Exploit: record card info as it’s scanned, then store/exfiltrate
- Mitigation: 2FA in addition to magstripe (chip, PIN, zip code, etc.)
- Defense: anti-tamper strips on card swiper

</details>

Importance of correct modeling

- Attack-surface awareness guides defenses
  - E.g. pre-Covid-19 vs. post-Covid attack surface of company
servers
- Match resources to expected threat actors
- Common threat actors
  - "Script kiddie": individual or group running off-the-shelf attacks
    - Caveat: off-the-shelf attacks can still be quite powerful! Metasploit, Shodan, dark web market.
  - "Insider attack": employee with access to internal machines/networks
  - "Advanced Persistent Threat (APT)": nation-state level
resources and patience
  - All these threats have different motivations, require different defenses/responses!

### Specific vulnerabilities

Goal of the course: exposure to common threats in broad range of areas of computing stack

- Hardware
- OSes
- Networks
- Apps: web, AI/ML

Studio time!