Computer Science | Grinnell College

Most CS Tables for the spring semester will meet in JRC 224B, though a small number will be in an alternate dining room, so watch each week for the location.

This week we will return to a classic: Ken Thompson’s Turing Award lecture, “Reflections on Trusting Trust.” In this lecture, Thompson reveals a security vulnerability he implemented for UNIX. This thought-provoking lecture raises questions about what it takes to build secure software. We’ll follow that reading up with Bruce Schneier’s summary of Thompson’s work and one attempt to counter this type of attack. You can find both readings below, or in the clear folder on the door to room 3827.

• Ken Thompson. Reflections on Trusting Trust. Communications of the ACM (August 1984).
• Bruce Schneier. Countering “Trusting Trust”. Schneier on Security (January 2006).

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00–12:50pm inside the Marketplace. Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department (sign in at the Marketplace front desk).

This week's discussion topic was suggested by an alumna, who writes:

Recently an NPM package author handed over control of his open source project to a stranger who promised to maintain the package for future users. The stranger added malicious code to the package, which was then downloaded by millions of users. This raises questions about responsibility in the open source world. What responsibilities does the owner of an open source project hold? What responsibilities are up to the user? What can developers do to utilize open source projects in a safe and secure manner?

There are two recommended readings for the CS Table discussion; the first is an account of the recent event we’ll discuss, and the second is a perspective on security and open source from Bruce Schneier, written in 1999.

• Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib. Thomas Claburn. The Register. 26 Nov 2018.
• Open Source and Security. Bruce Schneier. Counterplane Security and schneier.com. 15 Sept 1999.

You may also find these resources helpful or informative as you prepare for our discussion:

• Core Infrastructure Initiative. The Linux Foundation.
• What is NPM and why do I need it? Stack Overflow thread.
• The GitHub issue for the exploit that was discovered.

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00–12:50pm in JRC 224C (inside the Marketplace). Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department (sign in at the Marketplace front desk).

We will discuss a recent report from Bloomberg about a security breach in the hardware supply chain for servers used by almost 30 major US-based companies. Bloomberg’s reporting suggests that a group within the Chinese government’s intelligence agency were able to add a small chip to motherboards manufactured for SuperMicro, a major server hardware supplier in the US. These chips apparently inject malicious code into the server’s operating system, allowing hackers to remotely access compromised servers and bypass security controls within the operating system. We will discuss the mechanisms used to carry out these attacks, the differences between hardware- and software-based exploits, consider the impacts of such an attack, and discuss possible ways to mitigate attacks like this one in the future.

Readings include Bloomberg's original reporting (The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies, J. Robertson and M. Riley, Bloomberg Businessweek, 4 Oct 2018) and two articles providing some additional perspective on this story, which has not yet been independently confirmed (The China SuperMicro Hack: About That Bloomberg Report, N. Weaver, Lawfare, 4 Oct 2018, and Decoding the Chinese SuperMicro super spy-chip scandal: What do we know – and who is telling the truth? K. McCarthy, The Register, 4 Oct 2018.)

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00–12:45pm in JRC 224C (inside the Marketplace). Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department (sign in at the Marketplace front desk).

Thursday, September 27, 2018
4:15 p.m. in Science 3821
Refreshments at 4:00 p.m. in the Computer Science Commons (Science 3817)

Antonio Bianchi, Assistant Professor of Computer Science at The University of Iowa, presents this Thursday Extra.

Mobile application markets, such as the Google's Play Store and the Apple's App Store, receive thousands of new applications every day. Ideally, all these apps should be properly vetted to find both security-relevant programming mistakes. Unfortunately, the sheer amount of the submitted code rules out the possibility of using human experts to analyze it. Consequently, researchers have proposed and implemented different techniques to analyze automatically mobile applications.

In this talk, Bianchi will talk about his research using automated analysis techniques to detect security issues in existing Android applications. In particular, he will present his work in detecting Android applications implementing vulnerable authentication schemas. He will also discuss some of the currently open problems in the field and future research directions.

At the January 30 CS Table we will discuss the recently-announced Spectre and Meltdown security vulnerabilities. These are complex security vulnerabilities that rely on two important features of modern processors: speculation and out-of-order execution. In addition to a technical discussion of these specific vulnerabilities, we’ll discuss the ways in which vulnerabilities are disclosed and fixed.

There are two assigned readings for Tuesday. The first gives a non-technical analogy for both vulnerabilities, and should be helpful for getting a handle on how these vulnerabilities work. The second looks at the implications for end users and the tech industry.

• Hubert, Bert. "Spectre & Meltdown: Tapping into the CPU's Subconscious Thoughts." ds9a.nl. January 06, 2018.
• Timberg, Craig, Elizabeth Dwoskin, and Hamza Shaban. "Huge Security Flaws Revealed – and Tech Companies Can Barely Keep Up.” The Washington Post. January 06, 2018.

If you are feeling adventurous, you may want to read the original Spectre and Meltdown papers at https://meltdownattack.com/. These are relatively accessible and include a quite a bit of background information.

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00–1:00pm in JRC 224A (inside the Marketplace). Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department (sign in at the JRC front desk).

Thursday, October 12, 2017
4:15 p.m. in Science 3821
Refreshments at 4:00 p.m. in the Computer Science Commons (Science 3817)

Improving the reliability and security of software with formal methods and automated reasoning is presented by Cesare Tinelli from The University of Iowa.

Producing robust, reliable software, which performs its intended function and is less prone to errors and security vulnerabilities, is becoming more and more important as software comes to control increasingly large and critical aspects of modern society. This talk makes a case for using mathematically rigorous approaches based on formal logic to specify the behavior of safety-critical software and verify its correctness. These methods can reduce automatically large classes of program analysis problems to constraint satisfaction problems in some formal logic, and then solve them with the aid of automatic reasoners for that logic. The talk will give a brief overview of this approach and discuss its recent successes and applications in industry, focusing on research done at the University of Iowa in this area.

The Electronic Frontier Foundation (EFF) has put together a detailed guide of a number of recommended practices used to maintain privacy and security at https://ssd.eff.org/, which we will rely on for this week's discussion. Please complete the following readings before Tuesday:

1. An Introduction to Threat Modeling. EFF Surveillance Self-Defense Guide.
2. Seven Steps to Digital Security. EFF Surveillance Self-Defense Guide.
3. At least one other overview, topic, or briefing from the SSD guide.

If you have specific practices that you use and would be willing to share, please come prepared to demonstrate or describe them. When you choose additional readings, you are encouraged to look for guides that you think are relevant to your own use of technology.

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00-1:00pm in JRC 224B. Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department.

At this CS Table we will discuss a recent turn of events in the presidential election: election security experts are calling for recounts in several critical states. Why are they doing this, and why do we need to recount or audit our elections?

Read these three recent articles building up to this recent call:

• Bruce Schneider. Election Security. In Schneier on Security. Posted on 11/15/2016.
• Ron Rivest and Phillip Stark. Still time for an election audit: Column. Posted on 11/18/2016.
• J. Alex Halderman. Want to Know if the Election was Hacked? Look at the Ballots. In medium.com. Posted 11/23/2016.

In addition, to give you more background on the perils of voting and technology, read this paper by researchers at the University of Michigan, Ann Arbor about breaking into Internet voting systems:

• (PDF) Scott Wolchok, Eric Wustrow, Drawn Isabel, J. Alex Halderman. Attacking the Washington, D.C. Internet Voting System. In Financial Crytography and Data Security. Volume 7397, pp 114–128. Springer-Verlag, 2012.

Printed readings are available at Noyce 3827.

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00-1:00pm in JRC 224B. Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department.

This Friday at CS Table, we discuss a recent security failure in Unix, GNU/Linux, and Mac OS X operating systems: the Shellshock bug. Our reading is:

• Wheeler, David A. “Shellshock.” October 20, 2014. http://www.dwheeler.com/essays/shellshock.html

Computer Science Table is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. We meet on Fridays from 12:10 to 12:50 in Rosenfield 224A (the Day PDR). Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Students not on meal plans can charge their meals to the department.

Contact John Stone for a copy of this week's reading.

On Friday, 13 September 2013, the readings for CS Table will be two papers on trust.

The first is a classic paper, written as a Turing Award Speech

Ken Thompson. 1984. Reflections on trusting trust. Commun. ACM 27, 8 (August 1984), 761-763. DOI=10.1145/358198.358210 http://doi.acm.org/10.1145/358198.358210

The second is a recent article from The New York Times

Nicole Perlroth, Jeff Larson, and Scott Shane. September 5, 2013. N.S.A. Able to Foil Basic Safeguards of Privacy on Web. The New York Times. http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html

---

Computer science table is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Fridays at noon in the Day PDR. Contact Sam Rebelsky (rebelsky@grinnell.edu) for the weekly reading. Students on meal plans, faculty, and staff are expected to pay the cost of their meals. Students not on meal plans can charge their meals to the department.