CEG5105

Cybersecurity for Computer

Systems
Introduction

1
Why Cybersecurity?
• Can a USB stick bring down a nuclear program?
• Stuxnet: Iran’s nuclear program
• Can a malware cause hours of blackout in a large city?
• Crashoverride: Ukraine’s power grid
• Can an Internet worm kill 10% of all computers
connected to Internet?
• Morris worm (1988): infected 6,000 of 60,000 UNIX machines
connected to Internet

2
Empowerment Promise
• Understand the challenges in securing systems.
• E.g., PC, network of computers, smartphone, email, ATM, car,
smart grid, wireless link, medical device
• Learn the fundamentals of cryptography and how to use
it to secure systems.
• Security relates to a “security objective” or “security policy”:
what is being prevented? What activities or events should be
prevented/detected?
• To be able to identify security gaps, threats and propose
defense mechanisms.

3
Course Instructors

Utku TEFEK
Adjunct Senior Lecturer @NUS
Senior Research Scientist @Illinois ARCS
E-mail: utefek@nus.edu.sg
Website: www.utkutefek.com

4
Course Instructors

Biplab SIKDAR
Professor
Head of Department
Department of Electrical & Computer
Engineering
Phone: 6516-2291
E-mail: bsikdar@nus.edu.sg

5
Administrative Issues
• Time: Tuesdays 6:05 pm – 9:00 pm
• Venue: LT7A
• Lectures will be webcasted
• Slides will be uploaded to Canvas
• No mandatory textbook, only optional textbooks
• Assignments and submission links to be published on
Canvas

6
Grading
• 2 Homework assignments (15% each)
• Problem questions or mini programing
assignments
• 1 Course Project (30%)
• Open-ended assignment
• Final Exam (40%)

7
Prerequisites
• No hard prerequisites
• Basic knowledge of computer networks
• Elementary probability and modular arithmetic is
helpful
• Knowledge of a general-purpose programming language
is helpful for the course project (no programming in the
exam)

8
Supplementary Resources
“Introduction to Modern Cryptography”
by Jonathan Katz and Yehuda Lindell

“Network Security: Private

Communication in a Public World” by
Kaufman, Perlman, and Speciner

9
Syllabus (tentative)
• Course Intro, Introduction to Cryptography, Secure
Communication basics (0.5)
• What do we mean by “secure”?
• Encryption (1.5)
• History of ciphers
• Perfectly secret encryption: Vernam’s cipher
• Computationally Secure Encryption
• Block ciphers, AES
• Secret sharing

10
Syllabus (tentative)
• Authentication and Integrity (2)
• Cryptographic hash functions, Pseudorandom functions
• Message authentication codes
• PKI Security, Digital signatures
• Authenticated data structures
• Privacy (1)
• Zero-knowledge proofs
• Homomorphic encryption

11
Syllabus (tentative)
• Web Security (2)
• TLS
• DoS attacks
• DNS security
• Routing security
• Security in ICS and IoT Environments (2)
• History of attacks, unique challenges
• Secure design principles, regulatory standards
• Software Security (1)
• Principles of secure coding and design
• Common vulnerabilities and exploits
12
Syllabus (tentative)
• Emerging Topics in Security (2)
• Privacy, anonymity, and online identity
• Differential privacy
• Onion routing: Tor
• Censorship
• Blockchain

13
Secure communication basics
• Understand principals of cybersecurity
• Principals in security:
• Confidentiality
• Integrity
• Availability
• Basics of cryptography and its uses beyond
confidentiality

14
What do we mean by secure?

Alice Bob
channel data, control
messages

data secure secure data

sender receiver

Eve

15
Secrecy, Confidentiality, Privacy,
Anonymity
• Often considered synonymous, but are slightly different
• Secrecy
• Keep data hidden from unintended receivers
• “Alice and Bob use encrypted communication links to achieve secrecy”
• Confidentiality
• Keep someone else’s data secret
• “Alice encrypts all user information to keep their client’s information
confidential in case of a file server compromise”
• Privacy
• Keep data about a person secret
• “To protect Alice’s privacy, company XYZ did not disclose any personal
information”
• Anonymity
• Keep identity of a protocol participant secret
• “To hide her identity to the web server, Alice uses The Onion Router (TOR) to
communicate”
 Integrity, Authentication
• Sometimes used interchangeably, but they have different
connotations
• Data integrity
• Ensure data is “correct” (i.e., unchanged)
• Prevents unauthorized or improper changes
• “Alice always verifies the integrity of her database after restoring a
backup, to ensure that no incorrect records exist”
• Endpoint authentication
• Verify the identity and liveliness of an entity
• “Alice authenticates Bob each time they establish a secure connection”
• Message/data authentication
• Ensure that data originates from claimed sender and is not tampered with
en route
• “For every message Alice sends, Bob authenticates it to ensure that it
originates from Alice”
Integrity, Authentication (2)

• Integrity can be a property of local or stored data

• E.g., Alice ensures integrity of a software, or her data on a
cloud server
• Integrity emphasizes that data has not been tampered
• Authentication is used in network context
• Two communicating hosts want to achieve message
authentication to ensure their messages/data were not
changed by the network (or someone sitting on the network)
• Message authentication emphasizes that data was
created by a specific sender
• Implies integrity of data
• Implies that identity of sender is verified
Other principles

• Non-repudiation
• Sender cannot deny/refute having sent the data.
• Availability
• Resources are available
• But which resources?
• E.g., Defense against Denial-of-Service (DoS) attacks
What can the
attacker/adversary do?
A lot!
• Eavesdrop: intercept messages
• Access secret stored data
• Insert messages into network
• Tamper with stored data or messages in a network
• Impersonation: can fake (spoof) source address in
packet (or any field in packet)
• Hijacking: “take over” ongoing connection by removing
sender or receiver, inserting himself in place
• Denial of service: prevent service from being used by
others (e.g., by overloading resources)
Cryptography: definition
• Oxford dictionary: The art of writing or solving codes.
• Modern definition (Katz and Lindell): The scientific study
of the techniques for securing digital information.
• Historically by military and intelligence organizations.
• Today,
• Web browsing
• E-mail
• Messaging
• Payments, banking
• Cloud applications
• DNS