MIT 6.858 Computer Systems Security - Lec 1

Lecture 1 - Introduction

---

0x01. Core Concepts of Security

Security means a system achieves its goals despite adversaries. Requires a systematic plan.

High-Level Framework

• Goal: What the system aims to achieve (negative property: no bypasses).
  • Types:
    • Confidentiality: Data secret (e.g., only Alice reads file F)
    • Integrity: No tampering (e.g., adversary cannot corrupt system state)
    • Availability: System continues working (e.g., resists DoS)
• Threat Model: Assumptions about adversary capabilities (e.g., can guess passwords, cannot steal server).
• Implementation: Layered.
  • Policy: Configuration rules (e.g., file permissions, password + 2FA).
  • Mechanism: Enforces rules (e.g., user accounts, encryption); upper-layer mechanism can be lower-layer policy.
  • Policy may include human elements (e.g., no password sharing), but outside mechanism scope.
• Security Definition: Goal + threat model define security; implementation (policy + mechanism) attempts to achieve it.
• Negative Goal Challenge: Easy to implement positives (e.g., TA accesses grades), but must block all attack paths.
  • Example: 6.566 grades file (AFS server); policy: only TAs read/write.
  • Attack brainstorm: Code bugs, guess passwords, steal laptop, intercept network to registrar, break encryption, trick TA, get registrar job, become TA.

---

0x02. Challenges in Building Secure Sys

• Why Hard? Negative goals require considering countless attacks; first designs often fail.
• Iteration Essential: Design → Observe attacks → Update threats/policies.
• Learn from: Vulnerability databases, bounty programs, post-mortems. Threat models evolve (e.g., computational power, information availability).
• Defender Disadvantage: Limited resources, balance usability; attackers need one weakness.
• Determined Attackers Often Win: Need defense in depth + recovery (e.g., secure backups).
• No Perfect Security: Not required; economic perspective:
  • Attack cost > system value (deterrence).
  • Defense cost < system value (feasible).
  • Make system less attractive than others (e.g., spam generation).
• High-payoff techniques: Eliminate attack classes (e.g., attacks from 10 years ago now ineffective).
• Security sometimes increases value: (e.g., VPN for remote work, JS sandbox for unknown code).
• Similar to physical security: Cost/deterrence; but computer attacks are cheap.

---

0x03. Examples of Security Failures

Categorized: Goals/policies, threat models, mechanisms/bugs, combinations. Many from production/research cases.

4.1 Goal/Policy Issues (System Enforces Policy, But Policy Inadequate)

• Business-Class Airfare: Allows anytime changes, even after boarding → Perpetual flight.
  Lesson: Corner cases matter; may require architecture changes (e.g., gate updates).
• TLS Certificate Domain Verification: CA uses OCR for .eu domain contacts; ambiguous images misread → Fake certificates.
  Ref: https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04654.html
• Fairfax School System: Teachers add students/change passwords; student adds superintendent as “student” → Full access.
  Policy equates to “teachers omnipotent.”
  Lesson: Clear security goals, separate from app logic.
  Ref: https://catless.ncl.ac.uk/Risks/26.02.html#subj7.1
• Sarah Palin Email: Login with password or security questions; questions guessable (high school/birthday).
  Policy equates to “or” not “if forgotten.”
  Ref: https://en.wikipedia.org/wiki/Sarah_Palin_email_hack
• Mat Honan Accounts: Amazon adds card without auth, changes email with card verification → Gets last 4 digits → Apple reset → Gmail reset.
  Lessons: Combine trivia; big sites verify “original creator.”
  Ref: https://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
• Account Lifetime: Email reuse → Other systems assume same owner.
  Ref: https://www.gruss.cc/files/uafmail.pdf
• Insecure Defaults: Router default passwords; AWS S3 world-readable → Data leaks.
  Lesson: Negative goals need secure defaults; many components, easy to forget config.
• Management/Maintenance Pitfalls: Who changes permissions/passwords, accesses logs/backups, controls upgrades/config, manages servers, revokes ex-user privileges?

4.2 Threat Model/Assumption Issues (Attack Feasible But Not Considered)

• Design Secrecy: Clipper chip/secret crypto broken.
  Lesson: Not foundational; openness aids review.
• Users Won’t Leak 2FA Codes: Phishing/phone tricks → Code disclosure.
  Ref: https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo
• Computational Changes: Kerberos 56-bit DES (1980s feasible) now $100 to crack.
  Ref: https://www.cloudcracker.com/dictionaries.html
• Information Changes: Security questions easy from Facebook.
• Specific Solution Assumption: CAPTCHA assumes OCR; farms use human solvers (fractions of a cent each).
  Ref: https://www.cs.uic.edu/pub/Kanich/Publications/re.captchas.pdf
• Fully Trusted CAs: Browsers trust 100+; 2011 DigiNotar/Comodo breaches → Fake certs.
  Ref: https://en.wikipedia.org/wiki/DigiNotar etc.
• Trustworthy Hardware: Not against NSA.
  Ref: https://www.schneier.com/blog/archives/2013/12/more_about_the.html
• Running Expected Software: 1980s red teams attack source servers; XcodeGhost mirrors inject malware.
  Ref: https://en.wikipedia.org/wiki/XcodeGhost; classic “Reflections on Trusting Trust.”
• Clear UI: IDN homograph attacks; Trojan Source.
  Ref: https://en.wikipedia.org/wiki/IDN_homograph_attack; https://www.trojansource.codes/trojan-source.pdf
• Decommissioned Disks: eBay disks with sensitive data.
  Ref: https://simson.net/page/Real_Data_Corpus
• Software Updates: Apple vs FBI; Chrome extensions sold to malware; Node.js lib steals Bitcoin.
  Ref: https://www.apple.com/customer-letter/ etc.
• Air-Gapped Security: Stuxnet via USB.

Lessons: Explicit assumptions; simple/general models; designs reducing assumptions; defense in depth; learn from cases.

4.3 Mechanism Issues (Bugs Undermine Security)

• Rule of Thumb: One bug per 1000 lines; any bug potential vulnerability (no isolation).
• Data Deletion: Android screenshot crop forgets truncation → Leftover data.
  Ref: https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html
• Apple iCloud Rate Limits: Find My iPhone API misses limit → Brute-force guesses.
  Lesson: Multiple checks often miss one.
  Ref: https://github.com/hackappcom/ibrute
• Citigroup Access: URL with account number, no login check → Change number for others’ info.
  Lesson: Think beyond intended ops.
  Ref: https://www.nytimes.com/2011/06/14/technology/14security.html
• Poor Randomness:
  • Debian OpenSSL removes seed → Guessable keys.
    Ref: https://www.debian.org/security/2008/dsa-1571
  • Android SecureRandom unseeded → Bitcoin theft.
    Ref: https://bitcoin.org/en/alert/2013-08-11-android
  • Embedded/VMs lack entropy → Identical keys.
    Ref: https://factorable.net/weakkeys12.extended.pdf
  • Casino slots guessable.
• Moxie SSL Check: Cert \0 strings → Browser misreads.
  Lesson: Parsing code bug source.
  Ref: https://www.wired.com/2009/07/kaminsky/

4.4 Combination Issues

• Microsoft Key Leak: Multi-step failures.
  Ref: https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
• Chained Bugs: iOS/Android in-the-wild exploits.
  Ref: https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html etc.

---

0x04. How to Build Secure Systems

• Isolation: Security starting point. By default, activity X cannot affect Y (even malicious/buggy).

  • Types: Hardware (processes/containers/VMs), Software (JS/WebAssembly), Physical (USB keys).
  • Enforcement: Host (OS kernel/runtime/physics).
  • Next few lectures cover.

• Controlled Sharing: Not 100% isolation; model:

+-----------------------+
|   Policy              |
|      |                |
request |      V                 |
principal --> GUARD --> resource |
|      |                |
| +-----------+         |
| |    |      |         |
| |    V      |         |
| | Audit log |         |
| +-----------+         |
+-----------------------+
HOST enforcing isolation

• Guard: Authenticate (principal), Authorize (rights), Audit (isolated log for recovery).

• Principals: People/devices/programs/services; Resources: Files/services/accounts.

• Privilege Separation: Limit damage from buggy/malicious components.

• Challenges: Functional system + security guarantees + performance.

• Second module: Case studies.

• Software Security:

• Bug Handling: Runtime defenses/testing/finding/verification.

• Supply Chain: Dependencies/deterministic builds.

• Backdoors: Reviews/approvals/audits.

• Deployment: Systematic enforcement.

• Third module covers.

• Distributed Systems: Network/Internet new threats.

• Big Ideas: Crypto/certificates/trust.

• Fourth module