
TYPESETTING CONVENTIONS OF THE COMPUTER SECURITY AND THE INTERNET

There’s an old adage that many people espouse: “Keep It Simple”. When it comes to the nitty-gritty of securing computer systems, networks, and the Internet: Everything is Complicated. Designing, developing, and using systems with serious requirements for trustworthiness has inherent complexities. Multics is a historical example of a clean-slate system (with new hardware, a new operating system, and a compiler that facilitated taking advantage of the new hardware features) that is worth studying as a major step forward into secure multi-access computing.

The Typesetting Conventions of the Computer Security and the Internet that should underlie the design and implementation of systems, particularly systems with stringent requirements for trustworthiness, are security, reliability, robustness, resilience, and human safety. These principles can all contribute in many ways to better systems, and indeed they are highlighted as they apply to particular situations.

One particularly desirable principled approach toward dealing with complexity involves the pervasive use of design abstraction with encapsulation, which requires carefully defined modular interfaces. If applied properly, this approach can give the appearance of simplicity, while at the same time actually hiding internal state information and other functional complexities behind the interface.

TYPESETTING CONVENTIONS

CRYPTOGRAPHIC BUILDING BLOCKS

  • Encryption and decryption
  • Symmetric-key encryption and decryption
  • Public-key encryption and decryption
  • Digital signatures and verification using public keys
  • Cryptographic hash functions
  • Message authentication (data origin authentication)
  • Authenticated encryption and further modes of operation
  • Certificates, elliptic curves, and equivalent key lengths

USER AUTHENTICATION—PASSWORDS, BIOMETRICS, AND ALTERNATIVES

  • Password authentication
  • Password-guessing strategies and defenses
  • Account recovery and secret questions
  • One-time password generators and hardware tokens
  • Biometric authentication
  • Password managers and graphical passwords
  • CAPTCHAs (humans-in-the-loop) vs. automated attacks
  • Entropy, passwords, and partial-guessing metrics

AUTHENTICATION PROTOCOLS AND KEY ESTABLISHMENT

  • Entity authentication and key establishment (context)
  • Authentication protocols: concepts and mistakes
  • Establishing shared keys by public agreement (DH)
  • Key authentication properties and goals
  • Password-authenticated key exchange: EKE and SPEKE
  • Weak secrets and forward search in authentication
  • Single sign-on (SSO) and federated identity systems
  • Cyclic groups and subgroup attacks

OPERATING SYSTEM SECURITY AND ACCESS CONTROL

  • Memory protection, supervisor mode, and accountability
  • The reference monitor, access matrix, and security kernel
  • Object permissions and file-based access control
  • Setuid bit and effective userid (eUID)
  • Directory permissions
  • Symbolic links, hard links, and deleting files
  • Role-based (RBAC) and mandatory access control
  • Protection rings: isolation meets finer-grained sharing
  • Relating subjects, processes, and protection domains

SOFTWARE SECURITY—EXPLOITS AND PRIVILEGE ESCALATION

  • Race conditions and resolving filenames to resources
  • Integer-based vulnerabilities and C-language issues
  • Stack-based buffer overflows
  • Heap-based buffer overflows and heap spraying
  • Return-to-libc exploits
  • Buffer overflow exploit defenses and adoption barriers
  • Privilege escalation and the bigger picture
  • Background: process creation, syscalls, shells, shellcode

MALICIOUS SOFTWARE

  • Viruses and worms
  • Virus anti-detection and worm-spreading techniques
  • Stealth: Trojan horses, backdoors, keyloggers, rootkits
  • Rootkit detail: installation, object modification, hijacking
  • Drive-by downloads and droppers
  • Ransomware, botnets, and other beasts

PUBLIC-KEY CERTIFICATE MANAGEMENT

  • Certificates, certification authorities, and PKI
  • Certificate chain validation and certificate extensions
  • Certificate revocation
  • CA/PKI architectures and certificate trust models
  • TLS website certificates and CA/browser trust model
  • Secure email overview and public-key distribution
  • Secure email: specific technologies

WEB AND BROWSER SECURITY

  • Web review: domains, URLs, HTML, HTTP, scripts
  • TLS and HTTPS (HTTP over TLS)
  • DOM objects and HTTP cookies
  • Same-origin policy (DOM SOP)
  • Authentication cookies, malicious scripts, and CSRF
  • More malicious scripts: cross-site scripting (XSS)
  • SQL injection
  • Usable security and the web

FIREWALLS AND TUNNELS

  • Packet-filter firewalls
  • Proxy firewalls and firewall architectures
  • SSH: Secure shell
  • VPNs and encrypted tunnels
  • IPsec: IP security suite
  • Background: networking and TCP/IP

INTRUSION DETECTION AND NETWORK-BASED ATTACKS

  • Intrusion detection
  • Intrusion detection: methodological approaches
  • Sniffers, reconnaissance scanners, vulnerability scanners
  • Denial of service attacks
  • Address resolution attacks (DNS, ARP)
  • TCP session hijacking
