arisuchan    [ tech / cult / art ]   [ λ / Δ ]   [ psy ]   [ ru ]   [ random ]   [ meta ]   [ all ]    info / stickers     temporarily disabledtemporarily disabled

/cyb/ - cyberpunk and cybersecurity

low life. high tech. anonymity. privacy. security.
Name
Email
Subject
Comment

formatting options
File
Password (For file deletion.)

Help me fix this shit. https://legacy.arisuchan.jp/q/res/2703.html#2703

Kalyx ######

File: 1514303584819-0.jpg (39.42 KB, 320x264, 6-858f14.jpg)

 No.2295

>6.858 Computer Systems Security is a class about the design and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and techniques for achieving security, based on recent research papers. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware security, and security in web applications.

 No.2296

>1. Introduction, Threat Models
https://www.youtube.com/watch?v=GqmQg-cszw4

>Instructor
Nickolai Zeldovich

>Summary
In this lecture, Professor Zeldovich gives a brief overview of the class, summarizing class organization and the concept of threat models.

>Video Download
https://archive.org/download/MIT6.858F14/MIT6_858F14_lec01_300k.mp4

>Subtitles Download
https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-security-fall-2014/video-lectures/lecture-1-introduction-threat-models/GqmQg-cszw4.srt

Lecture starts at 5:40

 No.2301

>>2296
>Notes:
Security: Achieving some goal when there is an adversary present.
When can divided into three parts:

I. Policy: The goal you want to achieve. The statement about what I want my system to be able to do.

Examples:
Confidentiality: "Only I should be able to read the grades file for 6.858"
Integrity: "Only the staff can upload the final grades"
Availiability: "A web site should be available even while the adversary try to take it down"

II. Threat Model: What is the adversary thinking about? Assumptions. Modelling their own goals.

Examples:
"The adv. doesn't know the password."
"The adv. doesn't have physical access to the phone, keys or laptop."

III. Mechanism: Software, Hardware or System design implementation where our policy is followed as long the adversary follows the threat model.


How is the policy vulnerable?
Example: Recovery questions.

 No.2337

File: 1515126012936.png (387.46 KB, 847x419, Screenshot_1.png)

>2. Control Hijacking Attacks
https://www.youtube.com/watch?v=r4KjHEgg9Wg

>Instructor
James Mickens

>Summary
In this lecture, Professor Mickens continues the topic of buffer overflows, discussing approaches to such control hijacking attacks.

 No.2346

File: 1515205758991.png (345.41 KB, 706x1000, __cibo_blame_drawn_by_miko….png)

>>2337
>Notes:
1. System softwre is often written in C. Databases, compilers, network servers, your favorite shell command. Why? The dev community is obsessed with speed. C is supposed to be high level assembly and all the mission critical systems are written in C.

2. The problem.
C exposes raw memory addresses. Not only that but also performs no bounds checking when programs manipulate those raw addresses. Recipe for disaster. Why doesn't C check these bounds? One reason is because the hardware doesn't do that. Another reason is it can be very difficult to determine the semantic of what it means to have a pointer that's actually in bounds. There is exists techniques for prevent this but none of them are bulletproof.

3. Knowledge of the x86 architecture.
Answers to questions like What's the direction that the stack grows,
what are the calling convetion for functions. When you invoke a C function, what is the stack going to look like? When you allocate an object on the heap, what are those chief allocation structures going to look like?


[Return] [Go to top] [ Catalog ] [Post a Reply]
Delete Post [ ]