CPSC 525/625

Principles of Computer Security

ZAIN RIZVI
BSC. MSC.

TUT 01 – TU/TH 12:00 – 12:50 ICT 517

TUT 02 – TU/TH 1:00 – 1:50 ICT 517
TUT 03 – MO/WE 4:00 – 4:50 MS 160
 Contact Info

 Email:
 szrrizvi@ucalgary.ca

 Office:
 ICT 625

 Website:
 pages.cpsc.ucalgary.ca/~szrrizvi

 Cell Phone:
 Please don’t call me!
 About Me!

 BSc – University of Calgary. 2009-2013.

 MSc – University of Calgary. 2013 – 2015.
 PhD – University of Calgary. 2015 – 2019*.

 Supervisor: Dr. Fong

 Working with Dr. Fong since summer 2011.

 Research Topic: Relationship-Based Access Control.

 Rules/Conventions

 Common courtesy!
 Avoid personal conversations (go outside if necessary).
 No food / drinks.
 Cell phones on silent or off.
 Let’s all be adults.

 24 hours response time for emails (normally).

 No set office hours. Available by appointment.
 Others?
 Tutorial Structure

 2 TAs: Zain Rizvi and Simpy Parveen.

 Zain: Weeks 2, 8 – 14.

 Simpy: Weeks 3 – 6.

 (No tutorials in Week 7, Reading Week).

 Tutorial Structure

• Book: “Threat Modeling: Designing for Security.”

Adam Shostack. Wiley, 2014.

• Available digitally from UCalgary library website.

• During the tutorial we will have discussions and

exercises based on the reading. This is not
(supposed to be) a lecture!

• You don’t have to do the readings before hand, but

you can if you want to.
• <<Pause for laughter>>

• Content possibly useful for project.

• I will do my best to make things interactive.

 Ch1. Dive in and Thread Model!

 What is a model?
 Abstract Details

 Look at bigger picture

 Find issues before you start building

 4 Questions for Threat Modeling

 What are you building?

 What can go wrong?

 What should you do about those things that can go wrong?

 Did you do a decent job of analysis?

 Threat Types: STRIDE

 Spoofing
 Pretending to be something/someone you’re not.
 Tampering
 Modifying something you’re not supposed to.
 Repudiation
 Claiming that you didn’t do something.
 Information Disclosure
 Exposing information to those who are not authorized.
 Denial of Service
 Attacks designed to prevent a system from providing service.
 Elevation of Privilege
 Ability to perform tasks you’re not supposed to be able.
 Identifying Threats

 Start with external entities.

 Don’t ignore a threat because it’s not what you’re

looking for right now.

 Focus on feasible threats.

 Addressing Threats

 1) Mitigate Threats.

 2) Eliminate Threats.

 3) Transfer Threats.

 4) Accept the Risk.

 Exercise

 Break off into groups of 3 or 4.

 Consistent teams throughout the semester.

 Revisiting previously explored subjects.

 Choose a system as your subject (website, program,

device).
 Think of possible threats for the system (use STRIDE).
 How would you address these threats?
 Mitigate, eliminate, transfer, or accept?