
3761

Security Core Lecture


01 – Introduction

Prof. Dr. Thorsten Holz | 24.10.2023



A warm welcome!

Today we will talk about

§ Who we are
§ Organizational matters
§ Content of this lecture

You will also have the chance to ask questions.

In general, interacting with the lecturers and the tutors is encouraged!

1

Main Lecturer: Thorsten Holz

§ Tenured Faculty at CISPA


- Research: Systems security, binary analysis, software security & machine
learning security
- Visit https://cispa.de/en/research/groups/holz

§ Contact: [email protected]

3

Lecturer: Sven Bugiel

§ Tenured Faculty at CISPA


- Research: Mobile platform security, trusted & secure computing,
authentication
- Visit https://svenbugiel.github.io/

§ Contact: [email protected]

4

Lecturer: Giancarlo Pellegrino

§ Tenured Faculty at CISPA


- Research: Web security, program analysis, ML for program analysis,
security of immersive web applications
- Visit https://trouge.net/

§ Contact: [email protected]

5

Lecturer: Katharina Krombholz

§ Tenured Faculty at CISPA


- Research: Usable security and privacy, privacy, information security, digital
forensics
- Visit https://cispa.de/en/research/groups/krombholz

§ Contact: [email protected]

6

Organizational Matters

Lectures

§ Tuesday 16:15-17:45 (HS 002)


§ Thursday 10:15-11:45 (HS 002)
§ We will offer in-person lectures and record lectures on a best effort basis (i.e.,
no guarantee that there will be a recording)

§ No lectures
- November 28 (ACM CCS, many CISPA people will attend the conference)
- First week of January 2024 (Christmas break)
§ Regularly check the course webpage for updates
- https://cms.cispa.saarland/sec2324/
- There is a mailing list, [email protected]; subscribe via
https://lists.cispa.saarland/listinfo/teaching-announce
9

Lecture Schedule

Topics and number of lectures (lecturer abbreviation in parentheses where given):

- Intro and Basic Concepts: 2 lectures
- OS and Software Security: 4 lectures
- Debugging and Finding Bugs: 2 lectures
- Christmas Break
- Mitigations and Hardening: 2 lectures
- Web Security (GP): 2 lectures
- Side Channels: 1 lecture
- Network Security (GP): 2 lectures
- Crypto (SB): 4 lectures
- Privacy (KK): 1 lecture
- Authentication (SB): 2 lectures
- Usable Security (KK): 3 lectures
- Summary + Q&A: 1 lecture

https://cms.cispa.saarland/sec2324/4/Lecture_Schedule 10

Exercises

§ Every 1-2 week(s), there will be exercise sheets


§ Will be discussed in the tutorials in the week after
§ Solved individually or in groups of max. 3 students

§ You have to solve exercises!


- Require hands-on work and a report
- In total, 10 exercises à 20 pts each
- Getting 50% of the exercise points is mandatory for admission to the exam
- Submission via CMS

11

Tutorials

§ Tutorials will start two weeks from now (TBC)


- We will have tutors and teaching assistants

§ Tutorial preferences can be selected in CMS


- Announcement in CMS when tutorial slots are available

§ Once you are assigned to a tutor, feel free to contact them with questions (or
use Askbot)

12

Askbot

§ Askbot is a StackOverflow-like platform


- Please use Askbot as the primary medium to ask questions
- We hang around to answer your questions
(if other students do not do so first)
- Obviously, do not share complete solutions here

13

Important note: Plagiarism

§ All exercises need to be handed in as individual/group solutions


- No copying from other resources
- No copying from other students
- No copying from previous years (including your own solutions)

§ First time this happens: you'll get a warning


§ Second time this happens: you lose the ability to take the exam and we will
report you to the university

14

Exam Preparation

§ We encourage you to learn during the semester

§ There will be a final exam (and re-exam) that determines 100% of your
grade
- Reaching 50% of the exercise points is necessary for admission, but likely not
sufficient to pass the exam

§ According to the examination regulations, you can take the re-exam to
improve your grade
§ Exam dates:
- Exam: Friday, 16.02.2024, from 14:00–16:00
- Re-exam: Thursday, 11.04.2024, from 10:45–12:45
15

Lecture Recordings

§ We will record every lecture on a best effort basis


- Links to recordings in the CMS
- Please attend the lectures

§ There is not going to be a script of this lecture from our side


- The lecture largely follows the course books

§ Watching lecture videos and reading the books does not mean that you
should not attend the lecture
- Studies have shown that attendance is a key to better understanding

16

Course Books

§ Unfortunately, there is no single has-it-all book for this lecture


§ We will give book recommendations for each topic

§ UdS library has several books available


- https://www.infomath-bib.de/tmp/vorlesungen/info-core_security.html
- Access requires a UdS IP address
§ Other books are freely available as PDFs online

17

Further Reading

§ References to further reading after some lectures


- We suggest reading this material
- Supplementary information to the slides
- A textual, prose description of many concepts

§ You should also read the further reading


- Repetition is key to learning success
- Some exercises may only be solvable with the textbook
- Cited further reading content may be relevant for the exam

18

Quizzes

§ Quizzes are part of most lectures


- Informal way to check your understanding of things
- No implications for your grade
- If answers are wrong, we will clarify things
- Please raise your hand

§ Generally: Questions are encouraged!


- If something is unclear, tell us during the lecture!

19

Quiz time!

§ Which hacker was born in 1965 and became famous for writing the first
computer worm on the Internet?

A: Kevin Mitnick

B: Robert Morris

C: Beto O’Rourke
20

Quiz time!

§ Which hacker was born in 1965 and became famous for writing the first
computer worm on the Internet?

A: Kevin Mitnick

B: Robert Morris

C: Beto O’Rourke

The answer is B. From Wikipedia:

"Robert Tappan Morris (born November 8, 1965) is an American computer
scientist and entrepreneur. He is best known for creating the Morris worm in
1988,[3] considered the first computer worm on the Internet.[4] Morris was
prosecuted for releasing the worm, and became the first person convicted under
the then-new Computer Fraud and Abuse Act (CFAA).[1][5] He went on to cofound
the online store Viaweb, one of the first web applications,[6] and later the
venture capital funding firm Y Combinator, both with Paul Graham. He later
joined the faculty in the department of Electrical Engineering and Computer
Science at the Massachusetts Institute of Technology (MIT), where he received
tenure in 2006.[7] He was elected to the National Academy of Engineering in
2019."

Source:
https://en.wikipedia.org/wiki/Robert_Tappan_Morris
21

Action Items on Your Side

§ Mandatory registration by Friday, Nov 03 at the latest


- Register on the course website (CMS):
- https://cms.cispa.saarland/sec2324/

§ If you intend to take the exam: don’t forget to register in LSF!


- No registration in LSF => no admission to the exam

§ Get familiar with the books (e.g., library)

22

Dislike something?

§ If you dislike something, please tell us


- We want you to enjoy this course
- But mistakes happen, so…

§ Ways to improve this course


- CMS features an anonymous feedback form
- Tell us in person / via email
- Spot errors on the slides and earn bug bounties

23

Office Hours

§ Teaching assistant’s office hours:


- Appointments via email (details soon)

§ Tutors’ office hours:


- Appointments via email (details soon)

§ Thorsten Holz’s office hours:


- Appointment via email: [email protected]
- You can reach the other lecturers also via mail

24

Motivation

25

Why do we care about IT security?

§ We use connected devices and services on a daily basis


- Email
- Browsing
- Payment
- Social Networks
- Gaming
- …

Why do we care about IT security?

§ Systems becoming more and more complex and inter-connected

27

Why do we care about IT security?

https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
28

Why do we care about IT security?

29

What is Security?

§ There is no 100% security

§ Proof by falsification
- Security can only be proven with respect to an attacker model
- Security can only be falsified by finding a successful attack

§ In practice …
- Security is not a binary value; other factors also need to be taken into
account
- Threat models that are considered relevant by designers of security
technology are often different from those that matter in reality


What is Privacy?

§ Privacy is …
- “the ability of an individual to shield themselves (or information about
themselves) and thereby selectively express themselves”
- a human right
- a cultural/societal/legal/political concept (and not so much only a technical
one)

§ From a technical perspective, privacy is …


- privacy preferences and settings
- confidentiality

33


What is Anonymity?

§ Anonymity != Privacy
§ The identity of a subject cannot be determined
§ In computer science, anonymity is always defined with respect to an
arbitrary element within a well-defined set (the so-called anonymity set)
§ Anonymity != Pseudonymity
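To make the anonymity-set notion concrete, here is an added worked example that is not part of the lecture slides. It uses a small constructed population (five hypothetical subjects with a city, browser and OS attribute) and computes, for a given set of attributes an observer learns, which subjects remain indistinguishable from a chosen one. It also shows why pseudonymity differs from anonymity: when several observations are linked through one persistent pseudonym, the observer intersects the individual anonymity sets and the set shrinks. All names and attribute values are invented for the illustration.

```python
from itertools import combinations

# Constructed sample population (not from the slides): five subjects and the
# attributes an observer might learn about each of them.
SUBJECTS = {
    "alice": {"city": "Saarbruecken", "browser": "Firefox", "os": "Linux"},
    "bob":   {"city": "Saarbruecken", "browser": "Firefox", "os": "Linux"},
    "carol": {"city": "Saarbruecken", "browser": "Firefox", "os": "Windows"},
    "dave":  {"city": "Kaiserslautern", "browser": "Chrome",  "os": "Linux"},
    "erin":  {"city": "Saarbruecken", "browser": "Chrome",  "os": "Linux"},
}


def view_of(subject, observed, population=SUBJECTS):
    """The tuple of attribute values the observer sees for `subject`."""
    return tuple(population[subject][attr] for attr in observed)


def anonymity_set(subject, observed, population=SUBJECTS):
    """All subjects the observer cannot distinguish from `subject`.

    `observed` lists the attribute names the observer learns. The subject is
    anonymous within this set: the observer knows that someone in it acted,
    but not who. A set of size 1 means the subject has been identified.
    """
    target = view_of(subject, observed, population)
    return frozenset(
        s for s in population if view_of(s, observed, population) == target
    )


def min_anonymity(observed, population=SUBJECTS):
    """Smallest anonymity set any subject has under this observation.

    This is the k of k-anonymity for the released attributes: every subject
    hides among at least k subjects. k == 1 means at least one subject is
    re-identifiable from these attributes alone.
    """
    return min(len(anonymity_set(s, observed, population)) for s in population)


def linked_anonymity_set(subject, observations, population=SUBJECTS):
    """Anonymity set after several observations are linked to one pseudonym.

    Pseudonymity is not anonymity: if every action carries the same persistent
    pseudonym, the observer can intersect the anonymity sets of the individual
    observations, and the set shrinks with every additional attribute leaked.
    """
    result = frozenset(population)
    for observed in observations:
        result &= anonymity_set(subject, observed, population)
    return result


def smallest_identifying_view(subject, population=SUBJECTS):
    """Fewest attributes an observer needs to single out `subject`, or None
    if no combination of the available attributes identifies them."""
    attrs = sorted(next(iter(population.values())))
    for n in range(1, len(attrs) + 1):
        for observed in combinations(attrs, n):
            if anonymity_set(subject, observed, population) == {subject}:
                return observed
    return None


if __name__ == "__main__":
    print("alice, observer sees city:",
          sorted(anonymity_set("alice", ["city"])))
    print("alice, observer sees city+browser+os:",
          sorted(anonymity_set("alice", ["city", "browser", "os"])))
    print("k-anonymity when only city is visible:", min_anonymity(["city"]))
    print("alice after linking two sessions via a pseudonym:",
          sorted(linked_anonymity_set("alice", [["city", "browser"], ["os"]])))
    print("dave is singled out by:", smallest_identifying_view("dave"))
```

Note that `min_anonymity` judges the population as a whole: even if most subjects hide in a large group, a single subject with a rare attribute value (here the only subject in Kaiserslautern) brings k down to 1, which is why privacy assessments look at the weakest member of the anonymity set rather than the average.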

35

What is Hacking?

§ Creative use of computer systems (not necessarily security-related)


§ Coined in academia (MIT) in the 60s
§ Attacker vs. defender
§ Ethical hacking vs. malicious hacking

Image source: https://raincross.com/black-hat-vs-white-hat-seo/


37

Ethics

§ Use your skills responsibly – just because you are capable of doing
something, it does not mean that you should
§ As a computer scientist, please be aware of the societal implications of …
- the technology you build (exploits, ML/AI, autonomous systems, …)
- the damage you are causing when attacking a system (cf. ransomware in
hospitals)

38

Example: Chaos Computer Club

§ Ethical principles of hacking (based on Steven Levy’s ethics)


- Access to computers - and anything which might teach you something
about the way the world really works - should be unlimited and total.
Always yield to the Hands-On Imperative!
- All information should be free.
- Mistrust authority - promote decentralization.
- Hackers should be judged by their acting, not bogus criteria such as
degrees, age, race, or position.
- You can create art and beauty on a computer.
- Computers can change your life for the better.
- Don't litter other people's data.
- Make public data available, protect private data.

https://www.ccc.de/en/hackerethics
39

Example: ACM Code of Ethics and Professional Conduct


§ General Moral Imperatives
- 1.1 Contribute to society and human well-being.
- 1.2 Avoid harm to others.
- 1.3 Be honest and trustworthy.
- 1.4 Be fair and take action not to discriminate.
- 1.5 Honor property rights including copyrights and patents.
- 1.6 Give proper credit for intellectual property.
- 1.7 Respect the privacy of others.
- 1.8 Honor confidentiality.
§ More specific professional responsibilities
- 2.3 Know and respect existing laws pertaining to professional work.
- 2.5 Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis
of possible risks.
- 2.6 Honor contracts, agreements, and assigned responsibilities.
- 2.7 Improve public understanding of computing and its consequences.
- 2.8 Access computing and communication resources only when authorized to do so.

40

Legal Aspects

§ Computer crime (or cybercrime)


- criminal activity in which computers or computer networks are a tool, a
target, or a place of criminal activity
§ Examples:
- German laws: Data espionage (§202a), Data interception (§202b), Acts
preparatory to §202a and §202b (§202c), Handling stolen data (§202d), Data
tampering (§303a), Computer sabotage (§303b)
- Convention on Cybercrime: Illegal access (§2), Illegal interception (§3),
Data interference (§4), Misuse of devices (§6), Infringement of copyright
and related rights (§10)
- Intellectual property (e.g., DMCA)
- Privacy: EU Data Protection Directive, Data Retention Directive, US HIPAA
& COPPA
41

Topics

Software Security

Secure Communications

Authentication

Anti-Censorship

47

What will you learn?

§ The lecture covers a wide range of topics related to IT security


- Fundamental notions and security models
- Operating system and software security
- Basics of cryptography and cryptographic protocols
- Authentication
- Web and network security
- Privacy
- Usable security
