COMP 4108 (Winter 2014): Computer Systems Security
Preliminary course outline, subject to change;
last updated March 25, 2014.
Course website (for updates):
http://people.scs.carleton.ca/~paulv/4108jan2014.html
Course description
(from
official calendar):
Introduction to information security in computer and communications
systems, including network, operating systems, web and software
security. Passwords, authentication applications, privacy, data
integrity, anonymity, secure email, IP security, security
infrastructures, firewalls, viruses, intrusion detection, network
attacks.
Lectures three hours a week.
Prerequisites:
one of
COMP 3203 (Principles of Computer Networks)
or
SYSC 4602 (Computer Communications);
and one of
COMP 3000 (Operating Systems),
SYSC 3001 (Operating Systems and Databases),
SYSC 4001 (Operating Systems).
Otherwise requires written instructor permission.
Instructor:
P. Van Oorschot
(Office Hrs: Tues 3-4, Wed 1-2, 5173HP)
TA:
Adam Skillen
(Office Hrs: Tues 11:30-12:30, Wed 10-11, 1170HP)
Lectures
4:00-5:30pm Tues+Thurs, 501SA (Southam Hall, Carleton).
Jan.7-Apr.8, 2014 excluding Feb.17-21 (winter break).
Textbook:
Stallings and Brown, Computer
Security: Principles and Practice, 2/e (blue cover, 2011);
see also
companion web
site for additional online resources.
You are strongly advised to get
access to a physical or electronic copy before the first class.
Students seeking resources supplementary to the official
textbook may consider Gollman (2011) and other books on
this list.
Evaluation:
30%: Test 1 (Feb.4, in class).
30%: Test 2 (Mar.18, in class).
30%: Hands-on assignments (Labs 1-4 = 5% each; Lab 5 = 10%, due Apr.8).
Students should regularly check the
COMP4108
lab page
for details and due dates for these programming-based assignments.
Lab 1 available Jan.14, due Jan.28. Please email your student
number to the course TA, askillen(at)ccsl.carleton.ca,
to get your individual lab account userid/password
(some of the lab page content is password-protected;
the userid+password for that will be provided in class).
10%: Reading Responses (3) - see explanation below.
Bonus marks available: see below (under week 13).
Lab Access:
Access to computing labs in Herzberg (HP) requires a
Carleton University Campus
Card, and is based on the courses you are registered in and the School's
lab policy/lab schedule.
We expect that lab assignments should also be possible by remote
access using generic computing equipment.
Explanation of Reading Responses.
For each specified research
paper, a one-page, hard-copy critique must be handed in at the start
of the specified class, followed by class discussion of the paper.
The response is to include a 2-3 sentence overview of the paper
rephrased in your own words, plus three brief criticisms of the reading
(perceived shortcomings, points you disagree with, or suggestions for
improvement). Support your criticisms as best possible within the
available space.
Course objectives:
to understand fundamental principles of computer security;
to become aware of factors enabling computer
systems to be exploited by attackers, and corresponding
protection techniques and mechanisms;
to understand practical threats and carry out simple
security analysis useful in software and system development; to gain
familiarity with basic concepts in systems security, with
emphasis on authentication and operating systems security.
Attendance and Additional Information.
Topics covered will be largely based on chapters in the course textbook,
occasionally supplemented by
additional material
from the instructor as presented during individual classes;
reading responses also require participation in the class.
Students are thus expected to attend all classes, and are
responsible for all items discussed in class.
=== University Policies (start) ===
Student Academic Integrity Policy.
Every student should be familiar with the Carleton University student
academic integrity policy. A student found in violation of academic
integrity standards may be awarded penalties which range from a
reprimand to receiving a grade of F in the course or even being expelled
from the program or University. Some examples of offences are:
plagiarism and unauthorized co-operation or collaboration. Information
on this policy may be found in the Undergraduate Calendar.
Plagiarism.
As defined by Senate, "plagiarism is presenting, whether
intentional or not, the ideas, expression of ideas or work of others as
one's own". Reported offences will be reviewed by the office of the Dean
of Science.
Unauthorized Co-operation or Collaboration.
Senate policy states that "to
ensure fairness and equity in assessment of term work, students shall
not co-operate or collaborate in the completion of an academic
assignment, in whole or in part, when the instructor has indicated that
the assignment is to be completed on an individual basis". Please refer
to the course outline statement or the instructor concerning this issue.
COMP 4108 addendum:
Beyond any other standard university policies,
any student submitting work that includes uncited portions originating
from someone else is subject to a mark of negative 100%
on the entire work item. For example, if an assignment
is worth 10%, the 10% is lost plus an additional 10% penalty, making the
best possible course mark 80%.
Both students may be penalized if the infraction involves copying
from another student.
Each student must write up submitted work individually
unless explicitly allowed otherwise per official instructions
(e.g., in group-based assignments).
Academic Accommodations for Students with Disabilities.
The Paul Menton Centre
for Students with Disabilities (PMC) provides services to
students with Learning Disabilities (LD), psychiatric/mental health
disabilities, Attention Deficit Hyperactivity Disorder (ADHD), Autism
Spectrum Disorders (ASD), chronic medical conditions, and impairments in
mobility, hearing, and vision. If you have a disability requiring
academic accommodations in this course, please contact PMC at
613-520-6608 or pmc@carleton.ca for a formal evaluation. If you are
already registered with the PMC, contact your PMC coordinator to send
your course instructor
your Letter of Accommodation at the beginning of the term, and no later
than two weeks before the first in-class scheduled test or exam
requiring accommodation (if applicable). After requesting accommodation
from PMC, meet with your course instructor to ensure accommodation arrangements are made.
Please consult the PMC website for the deadline to request
accommodations for the formally-scheduled exam (if applicable) at
http://www2.carleton.ca/pmc/new-and-current-students/dates-and-deadlines
Religious Obligation:
Write to the course instructor
with any requests for academic accommodation during the first two
weeks of class, or as soon as possible after the need for accommodation
is known to exist. For more details visit the
Equity Services website: http://www2.carleton.ca/equity/
Pregnancy Obligation:
Write to the course instructor
with any requests for academic accommodation during the
first two weeks of class, or as soon as possible after the need for
accommodation is known to exist. For more details visit the
Equity Services website: http://www2.carleton.ca/equity/
Medical Certificate:
The official medical certificate (form) accepted by Carleton
University for the deferral of final examinations or assignments in
undergraduate
courses can be accessed from:
http://www.carleton.ca/registrar/forms
=== University Policies (end) ===
Topics Outline.
Topics studied are drawn from those in the course description
and textbook, supplemented as noted above.
Details will be noted on the course website as the term progresses,
updated on an ongoing basis.
Outline of topics:
-
Weeks 1-2 (Basics, Principles, Tools):
security policy and analysis, threat models, risk, attack trees,
security design principles
(source: Ch.1 & 14 + class notes and pdf).
Building Blocks: review of crypto tools, certificates
(source: Ch.2 + class slides).
Optional: why security is hard,
evolution of threat landscape, measuring security,
relationship to physical security.
-
Week 3 (Access Control):
access control models, filesystem permissions and setuid,
role-based access control
(source: Ch.4 + class discussion).
-
Week 4 (Software Security):
handling program input,
data interpretation,
interactions with OS, libraries, other apps,
race conditions, program output
(source: Ch.11 + class discussion).
Optional: boot sequence security, process monitoring,
attacks on servers.
-
Week 5 (Test 1 + Memory Exploits): exploiting management of
stack, heap, and buffers (Ch.10 + class discussion).
-
Week 6 (Malicious Software):
viruses, worms & worm propagation, rootkits
(Source: Ch.6 + class notes).
Optional: botnets, Stuxnet case study,
The History and Evolution of Computer Viruses (see link further below).
-
---Feb.17-21---: no classes (winter break)
-
Week 7: Secure Software Installation, Firewalls (class slides; Ch.9).
Optional: DNS and security.
-
Week 8 (more Network Security):
SSH, tunneling/VPNs/IPsec (class slides; Ch.22.5);
network threats and intrusion detection (class slides; Ch.8).
-
Week 9 (Web Security):
SSL & https (Ch. 22.3-22.4), certificates (again),
active content, DOM, HTTP cookies, same-origin policy,
malicious HTML tags/scripts + XSS + CSRF (class slides; Ch. 11.2).
-
Week 10 (Test 2 + Usable Security).
Security and usable security principles;
password managers and threat models.
Optional: secure email, (more on) certificate authorities & trust models.
-
Week 11 (User Authentication):
User authentication, password security, biometrics (Ch.3).
Reading response #1 (due Mar.27; see instructions
above):
So long, and no thanks for the externalities: the rational rejection of
security advice by users (Herley, NSPW 2009).
-
Week 12 (comparing password alternatives:
The
Quest to Replace Passwords, Bonneau et al., Oakland 2012).
Reading response #2 (due Apr.1):
Security
and Privacy Considerations in Digital Death (Locasto et al., NSPW 2011).
Reading response #3 (due Apr.3):
Digital Objects as Passwords (Mannan et al., HotSec'08).
-
Week 13: Lab#5 due (Tues. Apr.8).
Why
You Shouldn't Study Security (Tuomas Aura) IEEE S&P 4(3):74-76 (May/June 2006).
(Restricted access).
-
Bonus marks (4% x 2 = 8% maximum):
by April 6 2014, email to the instructor your PDF-formatted
research-quality summary report of at most
5 typeset pages including abstract and references,
of the following video(s):
1) The History and Evolution of Computer Viruses
(Mikko Hypponen, 49min, DEFCON 2011 talk).
2) SSL and the Future of Authenticity
(Moxie Marlinspike, 48min,
BlackHat USA 2011 talk).
Send comments to: paulv (insert @ here) scs.carleton.ca.