CS 177 Computer Security Lecture 19 Stefano Tessaro tessaro@cs.ucsb.edu
Update #1: The Piazza story. This is amazing! (In many ways, but good job!) Will get in touch with Piazza ASAP. If you were involved, drop me an e-mail so that I know who will get the credits. Will probably not disclose your names on first e-mail. Do not disclose or use exploits. Ethical disclosure: we will give Piazza some time to deal with it. Authors of Monday morning exploit apologized. Good lesson!
Update #2: The VM vs ResNet. Network security is great! VM was victim of anti-spoofing countermeasures at campus-level device. Took 2 weeks, 4-5 people, until problem was detected. So that you know, ResNet admins acted awesomely in all of this, but it wasn't their fault either.
Today: General grading info (25 min); Initial Q&A (35 min); Class evaluation (15 minutes).
Final information: Final will take place Thursday in two weeks. Final will be 3 hours. Similar style as midterm. You are allowed to take with you 4 letter-sized sheets (i.e., 8 pages) of handwritten notes. Will publish list of topics. Q&A next Wednesday.
Q&A session next Tuesday: Next Tuesday, Phelps 3526 at 5:30pm.
Grades: You will receive an e-mail by early next week (i.e., when done grading HW6) with your current scores. Next slides explain how to read them!
How is the grade computed? Each of six homework assignments is assigned a normalized score (your score / max score), e.g., 28/30 = 0.93, 34/30 = 1.13. Similarly for the midterm (out of 80 points) and final (out of 180 points). Hence, three scores (call them HW, MT, FIN).
Overall scores. HW: Remove lowest homework, and compute average of remaining 5 scores. E.g., HW1: 0.9, HW2: 0.8, HW3: 1.0, HW4: 1.1, HW5: 0.7, HW6: 1. Remove HW5, average is 4.8/5 = 0.96. Score: S = 0.4 * HW + 0.2 * MT + 0.4 * FIN. E.g., HW = 0.96, MT = 0.85, FIN = 0.75: S = 0.85.
It's all about the grade. Final letter grade is obtained by curving (very fairly ;)) on final score. Expect: Median will get B or better. Expect: S > 0.5 for passing grade (D). A+ is assigned on an ad-hoc basis (high scores in homework and exams, S close to 1). Currently, ignoring final, and grading with HW6 counting as 0, median is 0.78. (Will drop slightly with final.)
Concerns: Many folks have not submitted two homeworks, or haven't submitted one (and scored low in another one). If you are concerned, talk to me now! Typical e-mail 20 min after grades are released: "Hi Professor, I do not like my grade. I couldn't solve HW1 because XYZ, is there any chance" There is only so much we professors can do after we submitted grades. Also, ad-hoc deals are unfair and hard to implement.
Concerns: Following procedure: By Friday after exam, you will receive an e-mail with final scores. Complaints by Saturday night. Then grades will be submitted on Sunday.
The Final: Understand concepts. Expect a couple of questions of the type "Here is Alice's proposal to do X, is this a good idea?" What is most important is which design choice X opens up vulnerability Y. Understand the homework solutions. Homework in 2nd part was hacking intensive, yet final solution is often simple. Midterm was on the harder side. Solutions are posted (as you see, answers are easy).
Exam Topics: Complete list of what is covered at: http://www.cs.ucsb.edu/~tessaro/cs177/
Exam Topics 1: Buffer overflows. Understand the memory layout and basics of the x86 architecture. Be able to extract from simple assembly code snippets the relative position of a buffer and the stored return pointer. Understand all steps necessary for a stack overflow. Have an idea about prevention methods.
Exam Topics 2: Web Security. Basics of the HTTP protocol (GET/POST queries). What are cookies and how do they work? What are the main security issues with scripting languages like PHP? How do SQL injection attacks succeed? How can they be prevented? How do XSS attacks proceed? Which types are there (reflected vs stored)? How can they be prevented? How do cross-site request forgery attacks proceed, and how are they prevented?
Exam Topics 3: Network security. Different types of DoS attacks. Understand basics of TCP / IP (including handshake). Sequence numbers and session hijacking. DNS cache poisoning. Network intrusion and port scanning. What is a DMZ? What is an idle scan?
Exam Topics 4: Malware. Computer viruses: Which types are there? What is polymorphism? What is an encrypted virus? Boot sector, executable, resident, etc. What is the virus lifecycle? What does antivirus software do? Trojans, worms, rootkits, keyloggers, etc.: What are they? What is a botnet?
Exam Topics 5: Privacy + Bitcoin class. Not exam material, but helps to know what privacy is about as one of the basic goals of computer security.