sec-intro - quine = 'quine = %r\r\nprint quine % quine'...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
Security, part 1 15-440 quine = 'quine = %r \r\n print quine %% quine' print quine % quine A quine is a self-reproducing program. What does this have to do with security? It lets you write a self-propagating trojan horse compiler Ken Thompson’s compiler hack from “Reflections on Trusting Trust.” –Modified C compiler does two things: • If compiling a compiler, inserts the self-replicating code into the executable of the new compiler. • If compiling login , inserts code to allow a backdoor password –After recompiling and installing old C compiler: • Source code for Trojan horse does not appear anywhere in login or C compiler • Only method of finding Trojan is analyzing binary –So, of course, you make the compiler also trojan the debugger, and so on, and so on. .. slide derived from original by Nick Feamster Lesson and a warning • Attacks can come from anywhere. .. –Trojaned compilers, software; –Outside attack over the network; –USB keys left outside your office with malware; –Insider jobs at banks, –... • Remember today and tomorrow: The adversary will attack the weakest point of the system. If you use weak crypto, they’ll break the crypto. Use strong crypto? Attack the crypto protocol. Good protocol? Attack the implementation. .. etc., etc. • No silver bullet: security is really hard and requires enormous attention to detail at all levels.
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
What do we want to secure? 5 (What’s our model for the good & bad guys and the environment?) A B A wants to talk to B. .. Basic Components Confidentiality is the concealment of information or resources Authenticity is the identification and assurance of the origin of information Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes Availability refers to the ability to use the information or resource desired slide derived from original by Nick Feamster Example: Eavesdropping - Message Interception (Attack on Confidentiality) • Unauthorized access to information
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 11/02/2011 for the course CS 440 taught by Professor Anderson during the Spring '11 term at Carnegie Mellon.

Page1 / 6

sec-intro - quine = 'quine = %r\r\nprint quine % quine'...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online