Lecture 9, April 19

Discussion Problem. Wired today reported:

All of those questions, messages, and stern commands that people have been whispering to Siri are stored on Apple servers for up to two years, Wired can now report. [ … ] Here’s what happens. Whenever you speak into Apple’s voice activated personal digital assistant, it ships it off to Apple’s data farm for analysis. Apple generates a random numbers to represent the user and it associates the voice files with that number. This number — not your Apple user ID or email address — represents you as far as Siri’s back-end voice analysis system is concerned. Once the voice recording is six months old, Apple “disassociates” your user number from the clip, deleting the number from the voice file. But it keeps these disassociated files for up to 18 more months for testing and product improvement purposes.

Robert McMillan, “Apple Finally Reveals How Long Siri Keeps Your Data,” Wired (Apr. 19, 2013); available at http://www.wired.com/wiredenterprise/2013/04/siri-two-years/

Lecture outline.

1. Aslam
   1. Goal: Treat vulnerabilities as faults
   2. Coding faults: introduced during software development
      1. Synchronization errors
      2. Validation errors
   3. Emergent faults: introduced by incorrect initialization, use, or application
      1. Configuration errors
      2. Environment faults
   4. Introduced decision procedure to classify vulnerabilities in exactly one category
2. Models of Attacks
   1. Example attack: rsh and synflooding (“the wily hacker”)
   2. Capabilities and requires/provides models
   3. Attack trees
3. Access Control Matrix
   1. Subjects, objects, and rights
   2. Primitive commands: create subject/object, enter right, delete right, destroy subject/object