 I'll sit down, go okay again. Okay, I know the class hasn't technically started yet, but I'm here early. Some of you are here early. I'm recording this. If you have a sign-in question, we'll talk about them now in the next 10 minutes. Otherwise, you can go on the board. There's office hours today. I will be hosting office hours today at 5. And then Max has office hours on Wednesday. And then I have office hours on Thursday. I have the Max. And we'll have office hours on Friday. Is there anything you can tell us about the term test case? Yeah, it's not complicated, I don't know. I feel like you're all over complicated. We're all over complicated. The other thing I'd recommend is to always have your own test cases. You can totally feel free to share test cases on Piazza. Don't be like, this is whatever. As long as it's not like, this is exactly what I did. And then this passed the, I did like this. And then I passed the test case. We're trying to keep some semblance of secrecy there. But otherwise, I just gave the test case the right thing to do. So yeah, so I think that's super helpful. To like make test cases, share it online and be like, what does everyone else think this should be? Yeah. Would that be secure? It's a smart lock system, right? So how smart is it? Would it be smart for somebody else to be able to turn a key that somebody else put into the lock? So, what do you mean there is no key? I feel like this is a philosophical argument. But for the same reasons, the very first command in the program is turn key. Okay. Or the next instrument key. And that would like, what is it? So it's like a failure to turn a key. Oh. So you get to take a big key here. Yeah. I'm fairly certain that never happens. I think either way you choose is fine. To just say error, or say, whatever this failure to turn a key and have it be blank. Any other questions or people who came up? Yeah. So we're saying that it's a smart lock system, so it knows who initially concerned that he didn't want a lock and the other is showing a problem and he's like, he doesn't want a lock system. Correct. The question was, it's a smart lock system? I guess maybe I'll really have to you, right? Well, you could this, but if we assume it's a smart age system, it's got to figure out whatever the secret key stuff. If a, like what should happen if a, whatever, what would you do that turns the key is not the same user that inserted a key? I'm looking at Max, too, to double check me on everything I'm saying, right? Sure. Yes. That would be, they should not be able to do it because they're not the person that put in the key. Our name and then use firefighter key. Yeah. So what is it? So then I, it'd be annoying. So the question is about the firefighter key. So what does the suspect here say? A firefighter is going to enter with the secret key of a literal string firefighter secret key. So does it have any constraints about the name of the person can be? No. So yeah. And this is where you can see, so actually a lot of buildings and places are like this where there's like a master skeleton key and if you have access to it, you have access to all of, actually there's a great story. I think it was somewhere in New York. They posted a picture on the newspaper of the master key of one of the things and it was actually with enough detail that you could go create your own master skeleton key to get access to things. So yeah, it's one of those things like a traditional key. If you know this secret then you, you get access regardless of anything. Yeah. That story was the TSA master key. Was it the TSA master key? Someone created it and started signing up. There we go. Oh, okay yeah. So this is a different story that I was thinking. So these are the TSA, you know, anybody have a TSA lock on their luggage? No. Nobody has luggage or knows what luggage is. Okay, well if you have that lock right, the whole point is that TSA can open it when you can. So these people actually, group pictures were able to create the TSA locks to be able to open TSA locks. Well, anyway, Simon. Any other assignment one questions? Yeah, in the back. Yeah, shout. The class hasn't technically started yet, so it's okay. Okay. If you turn the key, the lock is now unlocked, right? You can take out the key and unlock it. Think at that point you would still enter the house, right? So there's like the lock hasn't been changed, but the lock is now unlocked and then when you go in it locks. Give it a few more minutes to formulate. Anything else? No, it's a very safe and secure system. So as soon as it's, like this light, see this makes it more complicated. It's not that complicated. So the door needs to be, it's a smart lock system, so it needs to be unlocked. Like if there's a certain key, turn it, go in, and then it locks automatically behind you. So the next process would be the same process. What is the next process in the center? I guess it doesn't matter. How many people will leave the house? Like as they ask who's in the house, right? You can leave at any point, or you should be able to leave the house at any point when I was going outside. And you think that the state of the system is still leaving me, right? Yeah. Can I enter the house if I didn't turn the key? Should you be able to? The door will lock, yes. The door is always locked. So who else is concerned? So who else turns? The lock is very smart, and does that mean that the person who is concerned will lock the key or turn it? Very smart system. So you insert or turn the key? Correct. They should keep me outside the house to be able to do that. Some people, they can't be in two places at once. And we'll say people leaving the house have no effect on the state of the lock system. So they're just like very smartly less than that without letting anyone else in. And it goes right back to the state of the lock system. Yeah. I know I'm not saying one, but user names aren't unique. So if you have Steve inside the house, you can have another Steve. Correct. Well, I wouldn't say that user names are not unique. I'd say a name uniquely identified a person, and people cannot be in two places at once. So you only have one person to see a person that has ever made a Steve. Okay. So maybe it's a case or whatever, because I'm going to get a case that's in the frame. Is there a question here? Well, it's actually kind of the same question. You aren't supposed to, should we try it for big bearings? Well, like once one person made a Steve, should we try it in between band and real bearing of the main piece, the capital S, or something like that? Is there any reason to not have it? I mean, everything's case-insensitive, right? So just like a file system that's case-insensitive, we can create a file named capital S-C, or create a file named lowercase c. Those two files can coexist in the same frame. They don't belong to each other or anything right there. Two completely distinct things. Yeah. Well, the inputs always be in the same way, which I don't expect to be in certain terms here today. It's a bit like something that some people say because they can't get an S in site. There's no limitation on how much work things can necessarily happen, right? So you should be able to respond to any statement I think. Like there's only an insurance level. You have to type it out yourself. Yeah. So all the authorized users, those two bills like the time in front of you are looking at separate text files and techniques that authorized users to come in. There you go. So people don't want to access through. It's like you're going to type in the program starts and you should have a separate text file that says these and these and these files. So essentially, we're going to be able to link this and say, when you're two lives here, yes, you should be ready. So if you have input that moves inside, you should be able to say who's exactly inside the house. So we need to keep track of the inside of the program, right? We're going to start class. Let's give it 30 seconds. Anybody have one more question who's getting in to answer? Passive questions? Yeah. Should be denied, right? I don't know. You can look through all the test cases. So as I mentioned, 10 minutes ago, we started if you're just getting in. Don't worry, all of that discussion was recorded. If you want additional and please take advantage of our time here to help you through this assignment, it shouldn't be. So it's not intended to be something insanely difficult. So we can help you think through things. It is supposed to be slightly ambiguous, but we'll talk about it in a second as to why. And so please come to our office hours. We have office hours actually at every day of the week. If you cannot attend our office hours, let us know and we will work with you to find a time that works. Cool. So what are policies and what are mechanisms? Thinking about things. Policies are like rules and mechanisms are maybe physical or technical things that we do. So what? So in our own example, what's the example of a policy and what's the example of a mechanism? Yeah. The policy is like if you're not in the house, you're going to be able to take the lock. Okay, there you go. So the policy could be if you're not in the house, you're not in there, you can't take the lock. So that's good. What would be a mechanism? Yeah. Sorry. I was just going to get the door on the wall. So the door on the lock is supposed to be like this smart lock mechanism that we're using. So how do you know these policies about this house? This smart lock house. Just come to you from the air. You woke up one morning and you knew everything about this house. Documentation. Was it? Documentation? So what was that? What was that documentation? How was that presented to you? TPS. Where'd you get a TPS? Wait a second. Specifically for the assignment. Are you on your website? Yeah, on the website. In what? How did you download into a file into your brain? I had to read it. You had to read it with your eyeballs? Yeah. Or read the screen reader? And so, I mean, so how was that policy expressed to you? Poorly, yeah. But why? Or how? Why is it poor? It's in English. It's in English. It's in a natural language, right? Where I'm trying to describe in English the security policy of this house. And as you'll notice, there are things that maybe are under specified. Has anybody ever read like a protocol documentation? Like a request for comments or something? Yeah. And it can be when you get to networking, you'll probably hopefully like to do that. And you'll get to there and say like it should do this, it may do this, it must do this. There can be surprising corner cases, even in official documentation for things like IPv4 or TCP, all these things, right? So this is one way we can define policies. Is it the only way? Is natural language the only way we can define policies? I heard somebody over here. There's got to be a formal language, a formal specification. So formal language, so what kind of, so can you give me, like, what would an example be? A very generous big one, okay. So I need a grammar, I need an alphabet, I need semantics of those rules, like exactly what those rules mean. So how would I express that? I was going to say illustration. Illustration, so that may be, I don't know, is that not just natural language? I mean it's not a language, I guess, I understand what you're saying. But at the core you're expressing ideas. How is that different? So let's think about, so let's think about, like, a formal, what would be the most formal way of specifying something? Math, reading one plus one equals two. Yes, you see some headlines from math majors. I didn't take enough math to back up that statement or not. So what's the difference between math, or let's say formal notation, we could say, and natural language. Does math have syntax and semantics, like we were talking about? I'm sure you're 100% confident in bolting up math so you can realize that. Maybe you didn't know what to call it, syntax and semantics, but now you do, you're a scientist. So like procedural, there's a lot of rules. Could you express, like could I express what I wanted from this house in mathematical forms in a formal way? Sure, but it's not going to be particularly legible to a human. So that's your main flaw here, is that while you get much more accuracy, it becomes exponentially difficult for a normal human to just look at it and go all this way with one. Yeah, so maybe I can express them the policy very precisely of exactly what I mean, and what are the things you can do with a formalism? How do we know that one plus one equals two under some domain of numbers or something? A proof. Would you want to do that on a security policy? No? You never want to prove something about a security policy? A screen proof. Like what kind of things would you want to prove about a security policy? Like you prove your policies in terms of just like a discrete proof of it, like if this is open then these are false, this proves that my policy is affecting the people who are closed. There you go, so you could prove maybe something about the policy, right, a high level intention of whatever. You could prove that this policy says nobody but the owner can change the locks. Or you could prove that only somebody who had access to a key or was a firefighter could get access inside the house. Right, and you could prove that formally based on a specification. Do you take in 355 yet? Some of you? Does proving things easy? Does anybody remember trigonometry? I don't, but there's a lot of proofs there, right? Are they easy? You just like look at it and you're like yep, I know that this thing is correct. Also, so when you're thinking about proving things, how do I specify that high level property I want out of this policy? How do I specify that nobody who does not have access to a key and who is not a firefighter or who doesn't know the firefighter's secret key can access the house? How do I specify that? What did I just specify that in? Yeah, sorry. I have to do the formalism to describe the properties that I want and then I have to use the mathematical formalism I have to describe the policy and then I have to derive that this property follows from some set of mathematical formalisms. That seemed super awesome. Could you do that for this homework? I think you could definitely make a good stab at it. Would you want to do that for something as complicated as the policy like ASU's computer use policy? Is that any of you ever will fit that? I will change that to this last one. So why? What's the difference between the two? Complexity. Complexity? Yeah, so complexity, scale, all these kinds of things, right? How do you represent a mathematical notation that every year you have basically a quarter of your network moves in who's never been on a whatever. But in most corporations, you don't have to turn over a quarter a year. You have students graduating all that time, new freshmen coming in who are now on your network that you have to make it secure. People who are delivering security calls are not exactly computer experts. Yeah, so like who? You want to give me an example? I'm not like a specific person. Like me. So yeah, maybe a student worker that's hired in whatever IT department, they're like, well great, here's our computer use policy. If you have a massive jumble of Greek letters and symbols, figure out what it means and figure out if it's correct or something, right? So like expressing that to somebody else would it be easier to describe what the policy is or means in English? Also do you want maybe end users to actually follow your policy correctly? If it's only a written formalization, will they understand what's expected of them? What's better? Natural language? Really? Sound like somebody who's either done with the signing loan or has started it yet? It's not a right answer, by the way. Yeah, okay, you can state your... I would say neither, because you could just write a reference implementation through it out there and it's not your problem anymore. Okay, so that would be another thing, but can you write a reference implementation of a security policy for an organization? Not quickly. Not quickly. Okay, so that would be a third option that we don't have on here, but you could actually say, I mean, create a program that implements your security policy like what you're all doing and then say whatever that program does is the security policy of this house. So if you have any questions, you just run a new simulation against that system. This happens a lot in... Isn't Ruby done this way? Yeah, so Ruby the language doesn't... It must have some specification. No? Nothing at all? Okay, so they just have the Ruby interpreter that maps, is it? The guy who wrote and whatever that does is what Ruby does and anything else is incorrect. So if you want to make a competing Ruby implementation, you better do it exactly the way the actual Ruby interpreter works. Whereas other languages like C++, Java have specifications for how they should work and there's a lot of similarities here between what we're talking about here with security policies and computer languages. Is there a middle ground? Middle ground sounds great. So design it for me. What does it look like? Okay, so maybe like a combination of some English with some formalisms. Maybe we can borrow a camera who said it but somebody mentioned set notation. We can maybe borrow symbols from there. We can do first forward logic, types of things. And then we can create essentially our own language. So we can create a policy language to express security policies in and then what benefits does that have for us? It's gotten us out of our trap. The one way to think of this is do we inherit the best of both worlds or the worst of both worlds? Worst of both worlds how? Because if you're using the same thing, you could have used one or any of the other problems but then that's the case. Maybe that one doesn't work the other way. Yeah, okay. Maybe there's something interesting here. We've added formalism to natural language, right? So now it's more difficult for people to express in what they actually want from their security policy. So we've added some formalism in this specific language. So now we need to learn this language. There actually exists a language called the XACML, which is like an access control list and an access control specified in XML. So XML is like a data format language that has all the things you can think about ands, ors, whatever various conditions, all this kind of stuff built into this policy language. So this is thinking about how to define security policies and then we go to this question of well how do we tell if a security policy is correct? So we kind of at the start of this discussion talked a little bit about well we just say that we mathematically prove that it's correct. I mean is that easy? What are other ways and other things? How do we go about proving that a security policy is correct? Yeah. Try to break it. We can try to break it so we can prove that it's incorrect, right? So similar actually to mathematical proof of proof by actually I can't remember what it's called a contradiction. There we go, yeah. So in that sense where we can if we can show one counter example where the system or the policy is not secure then that would be a way to show that. What if we can't come up with a counter example? Does that mean that it's secure? Not necessarily. Not necessarily? Why? If you wanted to prove security you need to show that for any case it would still be good. Yeah so just because maybe we're not smart enough to prove the right the fact that we can't find it doesn't actually prove necessarily anything. So this could be a good way to just prove something. Yeah, somebody else is going to answer. A fairly simple system would it exhaust all possible ways to interrupt this system? Yeah, so it's a simple system. We could maybe try to exhaust all possibilities maybe essentially brute force the security and prove the security. What kind of assumptions do we make? So do we care about assumptions here? So like even thinking about the assignment what kind of assumptions are being made? We made no assumptions? The person who has the right to be that is scared to be into the or should be allowed to enter the house. Yeah so we're assuming some parts of like the people check there's somebody else back there. Yeah? We want firefighters to be able to assume we don't have to be so we have firefighters so we assume that the let's say I'd say maybe another way to put that, we assume that the policy is complete in what our intentions are. Right? So maybe the person who wrote this security policy had some intention of making this secure but maybe they forgot about policemen. So yeah, at least people. Yeah? Yeah, or maybe trying a bunch of keys until somebody gets one and just magically guesses it correctly, right? So you could, like what force, what if the key is just food? You could easily guess that or if the key was password or something. Right? Yeah. We assume the person making the policy is trustworthy. We assume the person making the policy is trustworthy. Yeah, that's very exciting. In this case you can assume they're definitely not trustworthy. So we assume, right in the this is what we're talking about, we assume the policy is correct. Right? So we assume that the policy correctly expresses the intentions of the person developing it, right? And we talk about threat modeling, we talk about all those cases. What else do we assume? So we talk to actually touch on it a little bit. We assume, at least in this house, there's no windows that somebody could break in and get into the house. So a good assumption when we talk about that a little bit. Yeah. Yeah, we're assuming that there's a magic device that prevents people from two people from going out of a door at one time. An insanely smart door but still, right? And all of these actually are ways where we're putting our trust and we're assuming that the mechanism is correctly implementing the policy, right? We're also assuming that this smart lock system we didn't get from somebody and it has a hard coded key in it. Why would somebody do that? Or why would a manufacturer do that, let's say? Maybe they have their own thing, so maybe they have a key that they favor the law enforcement. Yeah. What else? Yeah, in the back. Initial setup. Say again? Initial setup. Initial setup, right? When you first install your lock, it's a super smart lock and you just turn it on and it just auto locks. Right? Does this ever happen in health at home? Anybody ever set up a life IRR? What happens when you first set it up? Yeah, usually newer ones are slightly better but it used to be, it was just like admin or you look up a list of what are the standard username passwords of Wi-Fi routers. So you plug it in the Wi-Fi network turns on, you connect to it and you just log into this device with a hard coded username password. So that's clearly for ease of use, for you starting up using that device right now. There's also cases where people have found inside the firmware of the device that routers have hard coded username passwords that you can't change and they want those for the same reasons that we just talked about. Actually one thing is remote administration. So they can actually go in and maybe fix problems with the router when you call them for tech support help. So this is, so these are things to help you think about even if you whatever, mathematically proven you've gone through all the use cases you've used a theorem prover whatever you've proved that this is security policy correctly invokes your safety policies or whatever or matches your safety requirements. You still have to deal with these facts of is the policy itself even correct and do the mechanisms actually correctly implement this policy. These are constantly things that you're thinking about. It really brings back the trust. So who do you trust? The firefighters? Yeah, there's inherent, why is understanding who you trust in this scenario important? Yeah? Yeah, so you're trusting that you've given the fire, your local fire department that key, you're trusting that nobody there has made a duplicate of that key, that nobody there is secretly a criminal and is going to use that key to break into your house when you're not home, right? So there's trust there and why is it important to think about these avenues of trust? Yeah, so this is where the policies fail, right? We have a perfect policy but here we've trusted this human element and if you don't even realize that we're trusting that the firefighters aren't going to share this key, right, then we could completely that could completely undermine the security of our system but at least if we're aware of it, right, what kind of things can we do to increase our trust in that process or that aspect of the system? You can know and write down exactly who in the fire department you gave it to so that in case anything happens you have somebody to go to for remorse, yeah, plus you can do their badge number that way if you give it up to someone else when they're entering the key, they also have to enter their badge number so you know who the culprit was that gave out the information. Great, so maybe then we change our policy rather than having a hard coded key, we have a key with the prefix of that key and the suffix of their badge number so that we have some maybe some audit or some logs that can point to who actually used that. Yeah. It would also be nice to see the security of the fire station. Maybe we want to audit the fire department, right, and say, okay, before I give you this key and trust you with my key what safeguards do you have in place, right, you can look at their security policy, you can look at their security mechanisms, right, which could all increase your assurance and your trustworthiness of how you think about this aspect. So then you can say, okay I know I have this element where I'm trusting the fire department in here but I've gone through all these steps and I've increased my level of assurance that this is an acceptable risk to the system. This is cool. I can't believe we're picking on fire people, but it's an important thing to think about. Cool. Okay, so what kind of mechanisms have we been talking about here? So we're talking about mechanisms, right? Mechanisms are used to kind of actually be the things that enforce the policy let's say, or maybe one way of phrasing it. So what types of mechanisms do you draw from? Yeah, so maybe like a physical like a physical device that has like a key card access or a sensor. Yeah, what else? I'm thinking broadly beyond this normal one. Yeah, it's fun though. Yeah? So like if you have a security protocol to help fire idols or fire fighters are inside well, any mechanism or a policy if it's like a system of place we call you a repairer or a fire pilot. It would be a mechanism of that. So the idea would be if there's some protocol so let's say your smart lock system has a way to connect back to the fire department system so they can, maybe before they leave to go to your house they can call on or something that says yes, we're going to use this key maybe in the next 30 minutes or something and so your lock has a way to ask that so yeah that that mechanism that, or that yes that protocol and everything would be a mechanism the policy aspect would be like before you leave you have to hit this button that says you're going to use this key in the next 30 minutes or something and then you may need override mechanisms so you may need all kinds of other aspects. So we have very roughly right so what do we want out of a security mechanism? So what makes a security mechanism effective? So think about, let's say securing a door of the things we've been talking about right? Are they all locks considered equal? Oh, maybe. No, they're all locks are not created equal. Why? Yeah. Maybe it depends on the door, right? I mean it depends if you can maybe slide a credit card in to open the thing depending on how which way the lock actually goes. It also depends on if it's a deadbolt versus just a regular, right? So a deadbolt is a lock that actually slides into place I don't even know what the other kind is called but the other type of just door lock that depending on what side of the door you're on you can actually open the door lock depending on what side of the door you're on depending on what side of the door you're on depending on what side of the door you're on you could maybe pop open with a credit card even. What are other types of, I don't know, door locks that are more secure? Pin codes? Yeah, so maybe a pin number that's Ah, sorry, sorry, a pin's like in the tumbler of the lock or whatever. Yeah, different types of locks like if you look, I mean I won't show you close enough so you can take a picture but if you look at like my home lock looks very not as complicated as like a door lock in ASU like I don't know actually have no idea the difference, I'm also not a lock expert so don't quote me on all this stuff the mailbox to my my home mailbox has like much less complexity to it than the other ones, right? So these all increase the difficulty of either picking the lock or trying to make a counterfeit or make a bump or a key or do any of these other kinds of crazy stuff, right? That's not to say we didn't even talk about pin code locks so a lock that you actually don't have a key to but you know some numeric digit that you type in we didn't talk about let's say the locks on a prison are quite different than the locks on your home Do you agree? I hope so for all of your things So yeah, so what's the difference between all these things like what when you think about the effectiveness of a security mechanism so we talked a little bit about like in some sense so we talked about pins and how many pins there are in a lock, right? That could affect the effectiveness of the lock mechanism based on how easy it is to break back but then what's the difference between that and let's say cutting a lock on a bike Yeah, so do you agree with me? I was just going to state the risk of what happens to the information or the value of the security mechanism Okay, so yeah, so in both cases we're talking about in one way we're talking about how easy is it to bypass this mechanism, right? If let's say those two doors in the back there if one was open and the other one was locked and I had a super fancy lock on one door but not on the other it would be a very ineffective security mechanism because it could be easily bypassed similarly on a bike lock if it's easy to just cut through with some fire cutters? No, what are those called? Bolt cutters, there we go Yeah, if it's easy to cut through whatever the lock chain itself that's a big problem. If it's easy to cut through the lock itself that way, that's another problem right? So we want to think about how secure are these and that's maybe a poor choice of words but in some sense this mechanism, right? How easily bypassable is it? How effective is it at implementing what we want it to do? Another thing we want to think about is so another thing to think about is would it be, let's say my security policy is we'll talk about the room because I'm thinking about doors now but let's say I hauled in a giant rock that was the size of those doors and put it in front of the doors and it says I'm now implementing a policy where you can basically like a lock on the door does that prevent people from coming in? Yes, yeah Is it like a round rock? Like if you push it will it start moving? I'll say it's so big, it's like bigger than that door so there's no possibility it's on the outside so, yeah Is it only on that side of the doors or is it on every side? It's on every side, it's blocked all doors, yeah Yeah, so in that case you would say maybe that the security mechanism is not very precise in what it allows or disallows so it maybe matches one set of my security policy, right? It's saying that okay, people can't access it but it doesn't actually allow a way for people to not get access so you can think about it security mechanisms in terms of how precise it is how broad is that security mechanism is it easily bypassable these are all great things that you're all thinking about so don't use rocks when the locks will do it Cool, so assurance so this is one of the words in the title of this course so is this an important concept or not an unimportant concept just here to get grades so what does assurance mean? I've used it a few times which is kind of difficult so we're still not able to review ooh, guarantee address can you ever guarantee trust in something or someone? not 100% proof, what if I prove it in something yeah so maybe I give you this proof that this thing is trustworthy, secure, correct one area that's come up in is they made progress on doing formally verified actually an entire operating system do you remember the name of it? something Linux not SE Linux but anyways there's a an operating system that they have verified satisfies certain security properties so they have to model all the functions and they have ways to analyze the code and use theorem provers to actually prove it so it fits out this proof that says yes this system is secure the question though is again should you trust that system 100% you're shaking your head no, it's easy to say no yeah so who wrote the specifications so you have to prove something is correct against the specification so who wrote that specification? were the specifications correct? how do you prove that the operating system matches the specification but a human had to write the specifications so how do you prove that the human's intention of what should be secure is exactly what that specification says building on the technology like computers are getting faster obviously every year so the proof like do you have a proof for a password or something? it might not be as valid today as it might have been like 10 years ago yeah so proof let's say that's good so let's say technology improves so attackers' capabilities get better what if they attack a part of the system that was outside of your model so anybody heard of specter meltdown? yeah so most operating systems give you a very clean separation let's say between a process or one process can't read another process's memory space which is great because otherwise you'd have your apps and each other's using passwords all that kind of stuff essentially at a high level specter meltdown broke down some of this and used at a very low level to shift the branch prediction ability of the actual hardware device to leak data through like a time inside channel from one process to another and so you could you could use it to leak the entire memory pages of it's insane but the point remains for a lot of applications and secure applications this was outside of that threat model they didn't never consider this possibility so you could have had a system that was proven 100% correct but now they've changed fundamentally something that you didn't model in your system and so how could you ever think that that was 100% secure so it's very easy to think that but so then the alternative is give up so I just hopefully convince you that you can't ever 100% trust things so does that mean that you should never trust anything you have to trust things or else you'll just live your life with full of insecurities but you'll have to admit that it might get broken at some point and just meant to deal with that I guess yeah so maybe like you don't think to rephrase right you don't think necessarily that anything is 100% secure but assume think that thing you still get compromised yeah trust will verify trust will verify so do you do that with your operating system nope right so when can you do that let's say that so the many eyes argument yeah so you may be saying well this was an open source whatever Linux I'm sure people have looked at this there must not be any security problems so you can at least verify that it hasn't been tampered right but can you verify that it's secure like you trust it if for example you make an API call you can verify the data you get back before you use it even if it says it's perfect so yeah you can do depending on your app or something you can do more validation layers on top of things I guess with a lot of companies of organizations that make software they're really precious software to that company it's a very proprietary they don't release their code so a lot of times you can't actually verify what you're using to secure this handling information so that's part of it I think all of these are different it's not a yes or no binary you trust it or don't trust it you may say on one hand you'd say well whatever Microsoft Windows you know Microsoft is a huge team that's dedicating to security and if I regularly patch maybe I'll stay moderately up to date you could then also think well maybe Linux has tens or hundreds of open source developers I'm sure they're not making any problems I always could look at the code even though I don't check the vulnerabilities you could try to find vulnerabilities yourself in the system so I could be part of the verify which you can do even if you don't have the source code I assume that you have to trust it at all just don't trust it and only trust it with what you're willing to put at risk so assume that there is risk and then only trust it with things you're willing to put at risk so that maybe what we're missing here is that this notion of let's say risk or trustworthiness in some sense if you could quantify it in some sense to say well I trust this I have data that's this level sensitive and I trust this system that's more than that so I'll put that out on my system otherwise so you can think of companies have this now if they don't allow you to put company data on your own personal smart phone or you're not supposed to especially as a company owned and controlled device so that way they have some level of insurance in that device yeah so actually this brings up great points so can we quantify it can we come up with these numbers and all this especially with data we control that's a lot easier maybe to quantify a risk in some sense how sensitive is this data how important is this data what about on the other side on the securing systems side can you say that we can test the system for this amount of like attempted entries what is the success like the system is able to continue to secure just as many so maybe there are and there are some ways you can do this right so there's let's say what's the name of the SSL testing stuff do you know so there's HTTPS all uses secure and cryptic communication but there's a negotiated process of what protocols are used and some protocols have known weaknesses so there's a site SSL something that looks at a bunch of sites and grades them based on how well and what crypto properties their cypress suites allow so if you look at me I'm trying to convince people to upgrade the security of those from like an F rating to an A rating so that could be one way to quantify that but you know when you think about well how do I quantify in that way the operating system I could run all the tests I want I mean if I find something that crashes the Mac kernel or something then I would be very very very happy but I would likely I would find that but is that still the one how do I quantify that how do I say and how much of my assurance and trust in that system just because I couldn't find anything to justify right now it's going to be a worse challenge but how do you rank those you could try to make that determination but then you had the key problem with a lot of these things that windows still have an 80% market share something crazy so our attackers really like that guy is focusing their kind of effort on windows and opposed to Mac it also gets into his friend modeling how worried are you that somebody is targeting you and your organization so it doesn't actually matter which one you choose they will find something in there versus how you just worried about being one of the general people that's hit by the next thing yeah so you know there are but we'll get into crypto there are subtle ways that crypto can fail that looks correct but on closer inspection is actually just bogus and wrong which may be difficult to know from the outside right or from just a cursory point cool this is a great so yeah I pose this not as a question of telling you it can or it can't I think this is all important things to think about I mean if you could and this is actually the biggest problem right now in security in the sense of if you come up with some product to be able to take a system and quantify trust in it you could I'm sure you've mentioned a lot of businesses to give you a lot of money assuming it actually works the problem is actually creating that number right because you have companies that say that try to answer this question well how much I have sensitive data what do I put it on how much effort do I put into like so you're a chief information security officer you go to the CEO and you say we need 10 million dollars in order to secure whatever our new data center or new product and they go great how much more secure is that going to get us than if I give you zero dollars and you go more whereas in other areas of business right if you go to marketing they can say well you give us 5 million dollars and we'll be able to empirically show you that we'll be able to create sales up to here right I can calculate the return on investment you'll get from giving me that 5 million dollars or that 10 million dollars where in security we just say well it's going to be more secure hopefully I mean you're not going to say it's going to be less secure cool so what does assurance depend on we've been hitting a lot of different things that it can depend on what other things we're talking about maybe good access to the source or not yeah complexity or even existence of test cases right so you can say well what kind of test cases do you have what's your testing procedure like so we could maybe talk with if we're a big customer that actually could maybe get us pretty far can you say it a little louder right so in what way can you say it a little louder yeah so you can use maybe your own knowledge and power in order to try to help verify that right and you can use what's publicly known right so we went into quantification a little bit of like public exploits you can see like whatever you're going to buy a new bike lock you can look at YouTube this bike lock like bypass you can see things where they just stick a thick pen in the side of a bike lock and it pops the bike lock open right so you can say maybe this is not an effective way to spend my money because it's trivially bypassable right I have zero insurance in this system or maybe you'd look at what was the last incident that happened to this company and how did they respond right were they very hostile and hiding details or were they very open and transparent about exactly what went on right yeah please sometimes even the speed yeah so that's that's great yeah and that's all about thinking about your front models right and thinking through well I mean I don't know if everybody's getting this wrong and there's not like you can do about it right but yeah that's definitely a risk and something you need to think about that can impact your assurance of the system how long do we get it 150 miles sorry it's been a long time it's been like a whole week since I was at your teaching so and one of the things we can look at with assurance is so let's say let's put ourselves in the mindset of now we're developing we'll keep it in software because that's what I know best but we're developing some piece of software we want we do we want it to be secure no maybe I don't know who cares maybe yeah so we want it to be secure so it should be just develop everything and at the end ask the question of is this piece of software secure no how long does it take to develop a piece of software how long can it years yeah it can make years to develop this piece of software right so do you want to wait two years before you figure out that actually this design you did was fundamentally flawed and you need to go back to the drawing board and start all over what happens at that point yeah people say like just put whatever bangers you can do on it and ship it because we've spent too much money on this anyways right so this is what's important to think about the entire software development life cycle and this is again we'll talk about very high levels there's whatever you can get pretty depth in this there's a lot of waterfall agile different types but at each point you need some notion of the first step which is like the specifications but at a high level what does the specification mean it's not tricky it doesn't have to be you know we're not talking necessarily specification documentation but if you're developing some piece of software you must have some notion of what it should do right otherwise you're just sitting there just typing random things which could be fun but it's alright but assuming you are asking the question of what is the software supposed to do so how do we define that or how is the specification can it be defined so you could have a fancy like a UML diagram that I would say that it's actually maybe fits in more to the next part because I mean a UML diagram can get into that a little bit but it's more on the how to construct all the pieces but they properly talk to each other right but it's less about the what should it do so how do you define what to do it could just or it could be an email or it could be whatever you can get whatever Trello board agile has like user stories all this kind of stuff right so there's different ways of specifying the specification could you like mathematically model and define exactly what you want your program to do yeah you could do that I think that's simple you can do that so what should we thinking about here at the specification stage in order to increase our assurance on a system should we or should we wait just like maybe say what part of that spec does it only do what you say it's supposed to do or can it do other things yeah so what kind of things okay so yes we do want to do this right because actually fix the thing that exists is either in our mind or in the Word document is it easier to change a Word document than a program yes you've all written papers written programs and have bugs in those programs is it easier to change a sentence in a paper than it is to change a program from whatever an array of linked lists the day before that one right so changing here can be a lot easier and a lot cheaper in terms of business right so what kind of things do we want to think about then for this specification yes we may need to think through this is where we can kind of bring in the notion of security policy right and all the things we talked about of what what is it actually we can ask the question what does it actually mean for the system to be secure right so at this point we kind of have a notion of what the system should do and how can we make sure that it's actually secure or what does secure mean in this context right and then we can start drilling down to access who should be accessing what what type of information is sensitive here if we say well we'll just have whatever a list of all of our employees names and social security numbers on our public website at that moment you can maybe stop and say hey whoa that's sensitive information we should maybe think about securing that what else the environment that's going to be in so we can start thinking forward to being this is the specification where's it going to live how are we going to test that environment how are we going to make sure that what we've actually deployed is what is so we can be thinking through planning at this stage that's a great example yeah is it just a terminal right yeah so thinking through attack service like we talked about right as far as threat modeling so you can go through threat modeling here to say what are all the threats against this where is this located is it a terminal in a secure facility or is it a website that's accessible from literally anyone on earth right so all of those impact the security of the system and how we need to think about it great so what's next so we have a specification now what are we doing design what's the difference between design and implementation so I need some high level am I okay with that yeah these are kind of roughly again it's um this is kind of the a tragedy of underground computer science indication is the assignments you work on are not really big enough that you need to do these as part of separate steps but even then while you're writing code and this can be intertwined in some sense because oftentimes you don't actually know what the design should be until you've tried it out in one way and failed completely but here we can design and what kind of things can we design hexagonal in one sense yeah so we can design the code we can make sure that the structure is clean we can make sure that it's easily sensible in the future um yeah what else so with like diagrams topologies yeah we can look at this where the UML comes in maybe we kind of structure our and model our code so that it can be a little more clean any other things yeah say that yeah so we maybe want to design what our system is we may want to design okay what are the different pieces how do they talk to each other the network how are they going to live we may think at this stage about UI what's the interface look like is it a command line application is it a website is it an app um all these different things and so now what's the key question so now can we do any security analysis here can we do anything to increase our assurance that we'll get something secure at the end good so we can look ahead and we can see okay well we're writing this in C buffer overflow is the most common vulnerability and here's a list of other vulnerabilities so maybe we can implement good coding practices to before we ever start actually writing code so that way we can prevent these types of things uh yeah it's a good uh good option what else would you consider test-driven development design or more implementation yeah that's true um I don't know some things don't fit cleanly into these models I think kind of depends I guess on exactly where you're doing you could say test-driven development is like a way to implement um but you could decide to use that in this design stage maybe could you say we can have security tests right as part of our test-driven development um so that would be good this is happening I think of uh I was talking with I think it was a guy from Allstate who was thinking about how to do like secure include development as part of the developer sorry the how to add security to the development process through things like that through automated security test cases uh these kind of things so yeah you could definitely think about those things here and you could say what do these things do to increase our assurance that the system will be secure yeah so we're looking at places where the specification is being transferred right so we can look at like okay what type of things do we need at different points in the system um how does this relate to the specification are we just in a completely new territory area now so your specification should go to handle this vulnerability hmm interesting okay so yeah yeah or even think about it in the reverse way right we want to make sure that the design actually matches the specification right so we did some analysis of the specification we said okay here's the assumptions here's the threats that we're facing but if the specification says you need like an app and the design says we're going to make a website I mean that's a clear example of something is not matching up right could we prove that the design satisfies the specification say based on certain part of the specification if I do that inside my design or I carry out some method it should do what specification is specifying cool so what would you need to do that go on so what would you need to do that so you maybe could do that if you have a way to match specification to design yeah so okay so yeah we need maybe and to maybe get there right we need some kind of formalism in the specification formalism in the design a way to map them back and forth maybe some cool stuff where you take the specification you do natural language processing to kind of try to extract some high level rules that you then use to compare against the design maybe in the form of a UML diagram so you can kind of see what those things would be so then we go to everyone's favorite part so implementation so what's the implementation part like getting something to do what your design says it should do what the specification says it should do right this is like what y'all have been working on for the last couple years of how to actually do this so how do we actually implement the design I mean everyone implements differently but following the design in a particular amount in one of the classes and how they relate yeah so implementing it right in code is that the only way to do it not necessarily there's some like tools that you can try yeah so maybe you could actually like auto generate the implementation or some version of it based on the design which would be pretty cool so yeah I mean taking through these kind of things and then from a security question right we want to ask does the implementation satisfy the design how do we tell that test cases yeah maybe we create test cases right so I will caution us unless the test cases are so in general what are test cases for what is testing usually test unit testing so it's testing maybe like a function but what's the high level thing that it is testing behavior is a program behavior is a program what about the behavior programs behave right like don't you have a potential flaw in the program a potential flaw in what in the program logic in the behavior right so you're looking for is the program functionally correct in some sense right are you actually testing that it's secure what's the difference between the two so the analogy was syntax and semantic so maybe you've written correctly but it doesn't do what it's supposed to do right so this is actually one of the key things about security is that I mean a bug is just a bug until it summarizes the security of an application in which case now we're talking about vulnerability in the application so most testing is done in the sense of correctness does this match the specification or the design so you need to go that extra step to actually test like is this securing the face of a certain kind of vulnerability which may be a completely different way of thinking about testing there's an important thing if you do mine like if I told you I had 100% test code coverage of an application that doesn't necessarily mean that it's secure it may mean it's functionally correct but given the malicious input if I never tested on that it couldn't have massive consequences cool what are the things do we do to increase our insurance that the implementation is secure you could be putting the malicious input to see how it responds to that yeah so I may be depending on the exact language and the bugs and classes I'm worried about I may put in test cases is actually a really good way of finding security bugs and kind of like incorporating them into your development and testing life cycle by creating test cases that are made really deliberately insane now this doesn't mean that it's secure again but it can increase your assurance that it's somewhat resilient cool and could we prove then that the implementation satisfies the design do we want to? do we care to? could prove by showing that the code you have formed a function that aligns with specification yeah yeah so then yeah you could just like we talked about right you have a model of your programming language you could maybe your design you could maybe extract what things should do what or what we talked about UML like the UML diagram you can actually verify that it does this correctly so let's say we've done some of the things we talked about here are we good secure we can go home I don't have 15 yet but what else? yeah hasn't been tested we're going to get all the way like you've been testing it and you've also been using a program and developed it to give to somebody else the most and see what happens so maybe we have blind spots because we developed it this ever happened to you where you wrote some code you're looking at it you have no idea what the problem is and then of course this is not a class project but you ask somebody else to look at it and they point out immediately that you have a problem on this line that you never saw because you wrote the code yeah so that's a great aspect the other aspect is did we ever actually test it of how it's really going to run right at this point what about deployment, configuration operation right how is this system configured how is it deployed if we're running this on whatever AWS are our AWS buckets open to the world and we're leaking customer data this is actually how what company got hacked by that what was it Apple? yes there you go thank you sorry that goes as well yeah Table 1 got hacked because they have a bunch of user account information leaked through AWS buckets that were set to are they hacked into that? I can't remember but and again we want to ask the question like how is the implementation deployed so even if we've whatever you could say theoretically proven that the implementation is secure you can still take that and deploy it in an environment that is not secure right so we still want to think through how is the implementation deployed configured operated and again kind of how to prove this is a key problem so I want to kind of shift gears a little bit so I was kind of thinking through how we're going to apply this idea of threat modeling assurance at through the software genre lifecycle I want to talk a little bit because we're going to talk about all the different like aspects of security so you know this is something we've touched on a little bit but are security measures worth the cost are they why are they not are they always worth the same right so contacts become very important to answer this question from a business perspective if we lose this information are we going to get $200 million or whatever it is it's pretty big incentive to do things what else if you have your employees have like 10 factor authentication or something crazy and whenever they want to change their code it's a big mess it's going to be a lot of factors I think you've run out of factors at a certain point yeah a lot of thoughts maybe depend on the person for these reasons I mean think about personal security personal mechanisms you want to think through all those things but yeah so these are really amazing and this is actually one of the key things that why we talk about business and business contacts because these types of questions come up you want to implement some new things two factor authentication great what's the cost benefit analysis what's going to cost us to do that in terms of both monetary dollars to actually do this plus what's going to cost our employees when they get locked out of their account because they forgot their phone at home or something these are all important things okay so risk analysis should we protect things seems like a silly question the answer should always be yes security class is that true depends, depends on what it's like the answer to most things in this class so you have to actually back up with reasoning how much resources you can or just spend on for attending events again cost benefit analysis right so what's the risk of this system what actually budget do we have to fix those that's a great example so yeah you may if the defense mechanism cost you more money than the asset itself is worth so you have a $20 bike would you buy a $50 bike lock to defend that bike I don't know it's up to you depends on how far you travel same ladder sorry the reputation of the company that's a great example likelihood of death likelihood right so the risk all these things actually you may not let's say don't buy a lock if you're able to keep your bike in your house whatever in a classroom or something well don't keep your bikes in a classroom but if you can always keep them in a secure place maybe they'll need a lot cool what threats does it face what are the consequences if it's attacked this is an interesting point does risk remain constant no why not value changes over time do we talk about corporate profit numbers does anybody know like companies quarterly release public companies release their quarterly profit numbers is that information valuable that's why it's a shot what is it those numbers right so the stock will likely rise or fall based on how the actual numbers do against expectations and whether you know it's going to rise or fall you can bet that way and make a lot of money so think about the server that has a company's quarterly report earnings the day before those numbers are to be released is the value of that system very high what about the day after the numbers are released nothing changed about that server nothing changed about any data to that system it's the exact same system not really right because that data is literally public at this point so actually I don't care if you get access to it assuming everything's equal so the how the value to an attacker of that asset actually fluctuates over time right and so of course and maybe we throw that machine away and get a new one or something right there's a lot of things up there first thing I want to ask I want to ask you would you put a microchip in your skin sure what does it do, thank you if somebody asks a good question some of your classmates have started yelling out yes or no so this is a really interesting news story if you go check it out it talks about so instead of key cards which you can lose, which sucks the company will let you will not let anybody forces you to put a microchip in your finger so that you can like bag in and out of the buildings and then pay for food and stuff in the company's store what do you think, are you on board with this we'll leave it open source only if it's open source so thanks if anybody wants to give a microchip if you want to see it as a code there you go why don't you like it in case of a privacy why I don't want to lose a finger to somebody losing a finger so if somebody wants to get in the building they'll chop out your finger let's continue this on Thursday come with your microchips thank you