Example Security Review #2

By Tadayoshi Kohno at 9:18 am on December 31, 2007

Erin Covington provided this example CSE 490K Security Review.

Filed under: Announcements, Security Reviews

Example Security Review #1

By Tadayoshi Kohno at 9:18 am

David Chen provided this example CSE 490K Security Review.

Filed under: Announcements, Security Reviews

Example Security Reviews

By Tadayoshi Kohno at 9:17 am

For the Spring 2007 CSE 490K Computer Security course, students conducted a security review of a future EEG-based gaming device. A few people have given me permission to post their reviews online, and I will do so next. In some cases I will modify the reviews slightly.

While these reviews serve as good examples for the types of reviews you will write for the upcoming CSE 484 course, please remember that the 490K assignments were slightly different than the CSE 484 assignments. For example, you will need to evaluate the risks associated with the assets, threats, and potential weaknesses that you identify. You should also prefix long posts with a short abstract, followed by the “more” tag, and then followed by the body of your full post.

Filed under: Announcements, Security Reviews

What to contribute (Winter 2008 CSE 484)

By Tadayoshi Kohno at 9:25 am on November 23, 2007 | 1 Comment

Every week you must submit one high-quality, thoughtful, and well-formulated story or comment to this blog. You should also read this blog regularly. We may discuss aspects of this blog in class or pull from this blog for the midterm or final exams.

The primary goal of this blog is to have you constantly think about security when you read the news or hear about new products. I.e., the goal of this blog is to help you develop the security mindset and become mature security thinkers. This blog will also give you an opportunity to exercise your writing and critical thinking skills in a cooperative learning environment. Through this blog we will also discuss some of the “bigger picture” issues surrounding computer security — issues ranging from ethics to politics to accessibility.

You may contribute several types of stories (articles) for CSE 484 (in addition to comments on existing blog entries), including: current event articles and security reviews. You should submit one article or thoughtful comment for each week of the 10-week lecture period of the course (where a week is defined as Monday through Sunday). Within the first five weeks of the course you must submit at least one current events article and one security review. You must also submit at least one current events article and one security review within the last five weeks of this course.

Current event articles. Current events articles should be short, concise, very thoughtful, and well-written. Please remember that your fellow students, as well as the general public, will be able to read your article. Your goal should be to write an article that will help your fellow students and other readers learn about and understand the computer security field.

Your article should: (1) summarize the current event; (2) discuss why the current event arose; (3) reflect on what could have been done differently prior to the event arising (to perhaps prevent, deter, or change the consequences of the event); (4) describe the broader issues surrounding the current event (e.g., ethical issues, societal issues); (5) propose possible reactions to the current event (e.g., how the public, policy makers, corporations, the media, or others should respond).

You should tag your current events articles under the “Current Events” category. If you don’t do this, you may not get credit for your contribution. You should also select any other relevant categories.

Security reviews. Your goal with the security review articles is to evaluate the potential security and privacy issues with new technologies, evaluate the severity of those issues, and discuss how those technologies might address those security and privacy issues. These articles must be tagged under the “security review” category. These articles should reflect deeply on the technology that you’re discussing, and should therefore be significantly longer than your current events articles.

It’s OK if two students review the same technology, say the Miracle Foo. But if you’re the second reviewer of the Miracle Foo, you need to: (1) explicitly reference the earlier articles; (2) provide a new technical contribution; (3) not waste space repeating what the previous review said. (3) is important since you are all required to read this blog, and it’s not fair to ask your fellow students to spend time re-reading previously-posted material. For (2), new technical contributions might include: a new perspective on the risks; a new potential attack vector; or a new defensive mechanism.

Each security review should contain:

  • Summary of the technology that you’re evaluating. You may choose to evaluate a specific product (like the Miracle Foo) or a class of products with some common goal (like the set of all implantable medical devices). This summary should be at a high level, around one or two paragraphs in length. State the aspects of the technology that are relevant to your observations below. If you need to make assumptions about a product, then it is extremely important that you state what those assumptions are. To elaborate on the latter, if you end up making assumptions about a product like the Miracle Foo, then you are not studying the Miracle Foo but “something like the Miracle Foo,” and you need to make that extremely clear in your review.
  • State at least two assets and security goals. Please explain why the security goal is important. This should be around one or two sentences per asset/goal.
  • State at least two potential adversaries and threats. You should have around one or two sentences per adversary/threat.
  • State at least two potential weaknesses. Again, justify your answer using one or two sentences per weakness.
  • State potential defenses. Describe potential defenses that the system could use or might already be using to address your potential weaknesses above.
  • Evaluate the risks associated with the assets, threats, and potential weaknesses that you describe. Also discuss relevant “bigger picture” issues (ethics, likelihood that the technology will evolve, and so on). (Update on Jan 10, 2008: Being qualitative is fine; you don’t need to be “formal” in your risk analysis.)
  • Conclusions. Give some conclusions based on your discussions above. In your conclusions you should reflect thoughtfully on your results above.

Comments. You may also comment on the articles of others. Your comments should be thoughtful reflections on the original article and earlier comments. One- or two-liners are not sufficient. You might draw in other examples to support the original article’s thesis, and then explain why these are good examples. Or you might give several concrete counter examples, and explain why they are counter examples. You might also raise an issue that the original article didn’t fully address.

Anything else. You are, of course, welcome to submit other types of articles. As always, your articles must be thoughtful and well-written. If you’re trying to make an argument, make sure that your argument is clear and convincing.

Breaking up long articles. If your article is particularly long, then please use the “more” button at the top of the visual editor to break long posts into a short abstract followed by the full details of your article. Make sure your abstract summarizes all the key points. (E.g., for a security review, your abstract should briefly describe the technology, the risks, whether there exist natural mitigation mechanisms, and how likely it would be to get those mitigation mechanisms adopted.)

Modifications by course staff. The course staff reserves the right to modify postings, but we will try to do so rarely and will always make it clear that the post is modified. For example, if we notice an entry describing a zero-day exploit, then we may remove the discussion of that exploit first and then work with the article’s author to revise the post.

Filed under: Announcements

How to think like a security professional

By Tadayoshi Kohno at 2:13 pm on November 22, 2007 | 9 Comments

Why this blog. A computer security course should teach you many things. You should obviously learn the important technical material, including aspects of applied cryptography, programming language security, web security, and so on. We’ll cover many of these technical concepts in the lectures, homeworks, and projects.

But a key goal of my courses is to help you learn more than just the technical material. My goal is to help you cultivate the security mindset and to help you become mature security thinkers. This blog plays a critical role in achieving these goals.

The security mindset. If you’re new to security, you’re probably wondering what I mean by the security mindset. Let me give you a brief example. Suppose you see an advertisement for a brand new product — the Miracle Foo. Is your first reaction:

“Wow, the Miracle Foo is a cool product, I can’t wait to use it?”

Or is your first reaction:

“Wow, the Miracle Foo is neat, but I wonder if someone could subvert the security or privacy of the Miracle Foo by doing Blah?”

If your immediate reaction is the latter — and especially if you’ve filled in the blanks for “by doing Blah” — then you probably already have the security mindset, or at least the makings of that mindset. If not, don’t worry! This mindset is not natural for most people. It requires you to think like an adversary — to be constantly thinking about how a malicious party might circumvent the goals of a system or product. This blog will help you develop that mindset. Never again will you see a product advertisement and not wonder what mischievous things an adversary might be able to do.

Why cultivating the security mindset is important. You may someday find yourself working on the design, implementation, or evaluation of new computer software or hardware systems. If you have the security mindset, then you will be better able to identify potential security problems with the systems on which you are working. You may not be able to fix all of the security problems by yourself, but you’ll still know that the problems exist and will be able to get others to help you fix the problems. But if you don’t have the security mindset, you may never realize that your system might have security problems and, therefore, obviously can’t protect against those problems in a principled way.

Furthermore, technologies change very rapidly, which means that some of the technologies and topics that I cover in my courses will inevitably be out-of-date in 10 years. But if I can help you learn how to think about security issues and have an appreciation for adversaries, then you can take that security mindset with you for the rest of your life and apply it to new technologies as they evolve.

Broader perspective and becoming a mature security thinker. There are many other things to gain from this blog as well. As some of you may know, my personal research interacts broadly with policy, law, medicine, ethics, and so on. Given my experiences, I believe that it is critical for you to understand how technologies interact with the “bigger picture” and society at large. This blog will give you an opportunity to reflect on the “big picture” issues surrounding technology and society.

Filed under: Announcements

Welcome!

By Tadayoshi Kohno at 6:29 pm on November 20, 2007

Welcome to the UW Computer Security Course Blog! We’ll be using this blog for the upcoming UW CSE 484 undergraduate computer security course (Winter 2008), and many courses after that.

All of the students in these courses will be able to contribute stories and comments to this blog, and this blog will be readable by the public. Students will also be able to contribute to this blog after the courses finish and after they graduate.

I’ll spend the next couple of blog posts elaborating on the goals for this blog and the plans for this course.

In the meantime, if you’re interested in learning more about security and privacy research at the University of Washington, you might begin by following this link.

Filed under: Announcements