Host Security Course Introduction

Abstract: Overview of the course. This course is a broad introduction. In 14 weeks, we cover about 14 very different topics. This course has four objectives:

  1. Teach security improvement techniques.
  2. Explain how exploitable errors have been made in the development of software.
  3. Raise the level of security awareness.
  4. Bring attention to ethical issues.

Table of Contents
  1. Educational Objectives
  2. Overview of the Internet Security Course
    1. Statement of Ethics
    2. Prerequisites
    3. Lecture Contents
    4. Lab Experiments
    5. Exams
  3. Reading Assignments
  4. Acknowledgements
  5. Web Sites to Visit Regularly

Introduction to the Security Course

Educational Objectives

This course has four objectives:

  1. Teach security improvement techniques.
  2. Explain how exploitable errors have been made in the development of software.
  3. Raise the level of security awareness.
  4. Bring attention to ethical issues.

Prerequisites

Officially, the prerequisite is CEG 4350 (undergraduate level) with a minimum grade of D. Students are expected to

  1. Be very comfortable with Linux as a user
  2. Be familiar with software development on Linux
    1. gcc, g++
    2. make
    3. shell scripts
  3. Understand system administration tasks
  4. Be able to work with remote computers over a network
  5. Be knowledgeable in practical TCP/IP

Lecture Contents

  1. All lectures are supported by reading materials on the web
  2. See the Weekly Schedule
  3. See the Syllabus

Lab Experiments

This course is heavily lab oriented. Most experiments are to be performed by the student individually with a few that are best learned when there is a pair of students. This course depends on Linux for all its lab experiments. Most of the details of a lab depend only on "the" general Linux environment, not on specifics of a distribution of Linux.

A typical experiment consists of networking three or four machines into an isolated network, booting the machines into a specially configured Linux OS, connecting them up so that the middle machine is a router, running certain programs on the three machines, interacting with the three machines, and making observations.

In this course, a project rarely involves writing your own programs. It generally will require you to build an executable after suitable reconfiguration using tools such as make. The source code tree will be given to you. The code is in C/C++, Java, or (in one or two cases) assembly.

Exams

There are two exams: a midterm and a final. These are closed-book, closed-notes exams. I proposed to conduct the exams online, but so far, students balk at it. Several of the old exams are online on the course web site.

Terminology

There are very few good definitions for the terms used in this area. Unfortunately, because security breaches are newsworthy, these terms have also been distorted by the media.

We will discuss terms as they are introduced in the course. However, let us consider a few terms right away.

Hacker v. Attacker v. Intruder

The media uses the term "hacker" in a wholly negative way. In computer science, by contrast, we think of a hacker as an experimenter: not interested in "theory", interested in results regardless of elegance of solution, and a hacker's intentions may be good or bad. The Jargon File/Dictionary has the following entry:

hacker n. [originally, someone who makes furniture with an axe] 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.

The term `hacker' also tends to connote membership in the global community defined by the net (see the network and Internet address). For discussion of some of the basics of this culture, see the How To Become A Hacker FAQ. It also implies that the person described is seen to subscribe to some version of the hacker ethic (see hacker ethic).

It is better to be described as a hacker by others than to describe oneself that way. Hackers consider themselves something of an elite (a meritocracy based on ability), though one to which new members are gladly welcome. There is thus a certain ego satisfaction to be had in identifying yourself as a hacker (but if you claim to be one and are not, you'll quickly be labeled ). See also wannabee.

Most serious literature on Internet security uses the term "attacker" when describing someone who is on the system but was not authorized to use the system. A "script kiddie" is an attacker who invokes scripts and tools that others have developed, without understanding their innards.

DoS (Denial of Service)

We think of computer systems as providing services to authorized users. When an attacker deliberately makes a system crash, or makes it run legitimate users' programs so slowly that it is unusable, we refer to this as a "denial of service attack." The attacker accomplishes this by running certain cleverly composed programs, and is aware of the consequences in advance. CERT (www.cert.org) says:

"Examples include

"Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack.

"Illegitimate use of resources may also result in denial of service. For example, an intruder may use your anonymous ftp area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic."

The escape sequence "\033[4;65536;65536t" can kill xterm in certain versions of Unix systems. Is this a "denial of service"?

Black Hats v. White Hats

These are "adjectives" applied to security experts. White hats are the "good" guys: they are mostly into forensics and prevention of attacks. To that end, they ultimately release all knowledge they gain to the rest of the community, while initially controlling such release so that vendors and law-and-order authorities have time to fix things. Black hats are the "bad" guys in that they use their knowledge to break into ever more systems without authorization, and pass their knowledge to other insiders. They tend to spend an enormous number of hours researching security weaknesses and do have a work ethic that can be admired but is at odds with our values. Black hats are almost always known only via their pseudonyms. If we ignore ethics-related issues, black hats are charismatic and many are excellent writers (see, e.g., articles in www.phrack.org).

Reading Assignments

"There is an oceanic amount of material on network security available over the Internet."

-- A Web Page.

Each lecture of the course is supported by a web article. This article includes, at the end, a list of annotated references. Some of these are required reading.

Web Sites to Visit Regularly

  1. www.infosyssec.org/ A comprehensive computer and network security portal with many tutorials.
  2. www.phrack.org/ An electronic magazine that publishes excellent, in-depth technical articles on security exploits, whose authors rarely reveal their true names. If we can put aside our prejudices regarding who and what hackers are, we will see that this site is a source of solid technical information that can be used by the bad guys for malicious purposes, and by the good guys to protect their own computer systems.
  3. www.securityfocus.com/ Slogan: "The leading provider of Security Intelligence Service for Business". Hosts BUGTRAQ. The site has a comprehensive collection of security tools. It also highlights current incidents in Internet security. This is a white-hat site.
  4. http://www.packetstormsecurity.org/ This is a security portal. It archives security tools and exploits. This is a white-hat site.
  5. www.antionline.com/ No, it is not a site campaigning against online activity. It is similar to the Security Focus site.
  6. www.oodaloop.com Takes a broader view of security and has articles about how countries can be affected.
  7. www.blackhat.com/ "The World's Premier Technical Security Conference" -- their claim.

Acknowledgements

These lecture materials are gleaned from many sources. All are presented after careful reading. In some cases, I may have neglected proper attribution. I assure the reader it is not because I claim authorship. Indeed, in the lectures there is hardly anything new that I have contributed. I welcome concrete suggestions for improvement.

I appreciate comments, complimentary or not, constructive or not.

Links were working when they were first inserted into my articles. I do run link checkers. But fixing broken links is no longer a priority, since working links can be easily found. But if you found "better" (in terms of pedagogy) links, please let me know.

Copyright © 2018 • pmateti@wright.edu