Security Is a Game Tiffany Bao

Presentation transcript:

Security Is a Game
Tiffany Bao, tiffanybao@cmu.edu, Carnegie Mellon University
Today I wanna talk about security as a game,

Me: Ph.D. Student for Computer Security
I am a PhD student, and my research is computer security. When I meet my normal friends, they ask me, hey Tiffany, how should I secure my computer? And when I meet my abnormal friends, a.k.a. the hacker friends, they ask me, how to find more vulnerabilities and hack more computers? Well, I am not gonna talk about my answer, especially for the second one. But I do want to show you that, see, different people have different perspectives, and computer security

is just a game with different people playing different roles and making different decisions. The players include individuals such as you and me, and also include parties such as companies or countries. We could defend, or attack, if that helps win the game. You might say, well, I am a good person, why would I wanna attack? Yeah, maybe you are, but it doesn’t mean that you are forbidden to attack. You just prefer defending to attacking because defending makes you feel better and it brings you more utility.

Do Techniques Help Us Win the Game? I Don’t Know.
Yet how to get more utility in the game? How to win the game? Does technology help us win the game? The truth is, I don’t know. But I can show you why answering this question is not that easy.

Do Techniques Help Us Win the Game?
Patches help defense. Patch generation techniques help defense. Patches may help generate exploits[1]. Patch generation techniques may not help in the game (as a player may not want to patch).
For example, we know that ... However, patches may actually help generate exploits, especially since we have the APEG technique. Therefore, techniques which quantitatively improve security don’t necessarily mean a qualitative change in the game.
[1] D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications. In Proceedings of the 2008 IEEE Symposium on Security and Privacy.

Do Techniques Help Us Win the Game for Now?
The attacker gets benefits from an attack. The attacking techniques help in the game. The victim may attack back to the attacker (due to the Ricochet attack[2]). The attacking techniques may not help in the game (as the players may not even want to attack[3]).
And sometimes, even though we are sure that a technique helps, it doesn’t mean that the technique will help you for good. When new techniques come out, the game may change, and the previous conclusion may expire. For example, we know that ... However, this year we published a paper showing that one can automatically generate an exploit by replacing the shellcode of an existing remote exploit. The occurrence of the technique implies that now the victim can take advantage of a received attack and retarget it back to the attacker, which we call the Ricochet attack. This can be a threat to the attacker, and the attacker may not want to attack. If a player does not want to attack, the attacking techniques, no matter how powerful they are, will not help him in the game. So when we ask if a technique helps us win the game, we should actually ask if the technique helps us for now.
[2] T. Bao, Y. Shoshitaishvili, R. Wang and D. Brumley. Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits, Proceedings of the IEEE Symposium on Security and Privacy, 2017.
[3] T. Bao, R. Wang, Y. Shoshitaishvili, C. Kruegel, G. Vigna and D. Brumley. How Shall We Play a Game? A Game-Theoretical Model for Cyber-warfare, Proceedings of the IEEE Computer Security Foundation, 2017.

My Confession: I Don’t Know.
Okay. Time for me to confess. I confess that although I have been working on security for a couple of years, I still don't know whether my research really helps us win the security game, let alone whether it makes the world more secure or more chaotic. Since I am so confused, I come here to give you this lightning talk, or perhaps, the perplexing talk. I would like to invite you to think about computer security from the game perspective. That means, we need to figure out what the game actually looks like and how techniques change the outcome of the computer security game.

My Plan: Game G, Technique X → Evaluation Framework → Technique X helps/does not help the players in Game G.
To answer the questions, I plan to work on a framework which takes a technique and a game as inputs, and outputs whether or not this technique helps the players in the game. I hope that this framework will ultimately help us understand how a technique impacts computer security --- the strategy game that we are playing live.

Lightning enough?
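
A toy version of the "game plus technique in, helps or not out" idea from the plan slide, as an added example that is not from the talk or the cited papers. It assumes a symmetric two-player attack/hold game with constructed payoffs; `make_game`, `pure_nash`, `technique_helps` and the `ricochet_prob` parameter are hypothetical names, and the technique is modelled only as a probability that a received attack can be turned back on its sender.

```python
from itertools import product

ACTIONS = ("attack", "hold")

def make_game(gain, loss, ricochet_prob):
    """Payoff table for a symmetric two-player game (constructed toy model).

    ricochet_prob is the assumed chance that a victim can turn a received
    attack back on its sender; 0.0 models the world without that technique.
    """
    def utility(mine, theirs):
        total = 0.0
        if mine == "attack":    # my attack pays off, but may be turned around
            total += gain - ricochet_prob * loss
        if theirs == "attack":  # I take the hit, but may reuse what hit me
            total += -loss + ricochet_prob * gain
        return total
    return {(a, b): (utility(a, b), utility(b, a))
            for a, b in product(ACTIONS, repeat=2)}

def pure_nash(game):
    """All pure-strategy Nash equilibria: no player gains by deviating alone."""
    equilibria = []
    for (a, b), (u1, u2) in game.items():
        best1 = all(u1 >= game[(x, b)][0] for x in ACTIONS)
        best2 = all(u2 >= game[(a, y)][1] for y in ACTIONS)
        if best1 and best2:
            equilibria.append((a, b))
    return equilibria

def technique_helps(before, after):
    """Per player: is the worst equilibrium payoff higher once the technique exists?"""
    def worst(game):
        eqs = pure_nash(game)
        if not eqs:  # only mixed equilibria exist; out of scope for this sketch
            raise ValueError("no pure-strategy equilibrium")
        return tuple(min(game[e][i] for e in eqs) for i in range(2))
    return tuple(x > y for x, y in zip(worst(after), worst(before)))

if __name__ == "__main__":
    base = make_game(gain=2, loss=3, ricochet_prob=0.0)  # constructed payoffs
    for r in (0.5, 0.8):
        game = make_game(gain=2, loss=3, ricochet_prob=r)
        print(r, pure_nash(base), "->", pure_nash(game), technique_helps(base, game))
```

With these constructed numbers, a ricochet probability of 0.5 leaves attacking dominant and both players worse off, while 0.8 moves the equilibrium to (hold, hold): the same technique changes the payoffs in one case and the outcome of the game in the other.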