/docs/cy4740/ Recent content in CY 4740 on Carter Codell Hugo -- gohugo.io Sat, 28 Dec 2019 18:06:37 -0500 /docs/cy4740/network-stack/ Fri, 10 Jan 2020 14:11:54 -0500 /docs/cy4740/network-stack/ /docs/cy4740/lecture1/ Tue, 07 Jan 2020 13:37:00 -0500 /docs/cy4740/lecture1/ <h2 id="modules">Modules</h2> <ul> <li>Attacks against the networking stack</li> <li>Security of core Internet services</li> <li>TLS and the global PKI</li> <li>Privacy and anonymity</li> <li>Web security</li> <li>Malware and malware detection</li> </ul> <h2 id="concepts">Concepts</h2> <ul> <li> <p><strong>Confidentiality</strong> - Data must only be released to authorized principals. Temploral aspect, relation to difficulty or work factor.</p> </li> <li> <p><strong>Integrity</strong> - Data must not be modified (in an undetectable manner)</p> </li> <li> <p><strong>Availability</strong> - Data and resources must be accessible when required.</p> </li> <li> <p><strong>Authenticity</strong> - Data must be bound to identity. Authentication enables the ability to make trust decisions.</p> </li> <li> <p><strong>Non-repudiation</strong> - Non-repudiation prevents denial of authorship of a message. Not always a desirable property.</p> </li> </ul> <h2 id="access-control">Access Control</h2> <ul> <li>Access control frameworks allow one to specify security policies that describe who can interact with what. Requires authentication as a building block for authorization.</li> </ul> <p><strong>Principals</strong>: Participants in a system <strong>Subjects</strong>: Entities that operate on behalf of principals <strong>Objects</strong>: Resources acted upon by subjects</p> <h3 id="authentication">Authentication</h3> <ul> <li> <p>Verification of a claim of identity made by a subject on behalf of a principal. Involves credentials: something you know; something you have; something you are.</p> </li> <li> <p>Desirable properties: unforgeable, unguessable, revocable.</p> </li> <li> <p>Discretionary access control (DAC): users control what access is given</p> </li> <li> <p>Manatory access control (MAC): a central authority sets the access</p> </li> <li> <p>Role-based access control (RBAC): users are assigned roles and access is given on role</p> </li> </ul> <p>Access Control Matrices are very verbose way of describing access control</p> <p>There are some models including abstract and contrete: access control lists (ACLs), Bell-LaPadula (no read up, no write down), Biba (no write up, no read down)</p> <p>Covert channels can be used to leak information in collusion wiht an authorized user.</p> <p>Side channels allow inadvertent information leakage (timing, power, RF emissions, sound)</p> <p><strong>Non-interference</strong>: Any sequence of low inputs will produce the same low ouputs, regardless of any high inputs.</p> <h3 id="information-flow">Information Flow</h3> <p>Information flow control (IFC) makes it theoretically possible to verify non-interference.</p>