COMP 4108 (Fall 2012): Computer Systems Security
Office calendar course description
(from
here):
Introduction to information security in computer and communications
systems, including network, operating systems, web and software
security. Passwords, authentication applications, privacy, data
integrity, anonymity, secure email, IP security, security
infrastructures, firewalls, viruses, intrusion detection, network
attacks.
Lectures three hours a week.
Essential Course Details
-
Lecture Times:
11:30am-12:55pm, Mon+Wed (Sept.10-Dec.3, 2012)
-
Lecture Location:
101PA (Paterson Hall), Carleton University
-
Instructor:
P. Van Oorschot,
Office Hrs 3-4pm Mon+Wed (5173HP)
-
TA:
Daniel
McCarney,
TA Office Hrs 10am-12noon Thurs (1170HP)
-
Prerequisites:
one of
COMP 3203 (Principles of Computer Networks)
or
SYSC 4602 (Computer Communications);
and one of
COMP 3000 (Operating Systems),
SYSC 3001 (Operating Systems and Databases),
SYSC 4001 (Operating Systems).
Otherwise requires written instructor permission.
Precludes additional credit for COMP 4103 (no longer offered).
-
Lab Access:
Access to computing labs on Herzberg floors 4 and 5 requires a
Carleton University Campus
Card, and is based on the courses you are registered in and the School's
Lab Access Schedule.
Note: we expect that lab assignments should also be possible by remote
access using generic computing equipment.
-
Course Text:
Goodrich and Tamassia (first edition, 2010), Introduction to Computer Security.
You are strongly recommended to get
access to a physical or electronic copy before the first class.
Notice the companion website
including, among other resources, its
list of linked
references , and 2-slide-per-page set of
lecture
slides summarizing text chapters
(but beware: these are not the slides that we will use in
delivery of our course, as explained further below).
Marking Scheme:
(dates are firm; please plan in advance)
30%: Test 1 (Oct.10, in class). Includes Oct.3 lecture.
These slides may be of help in studying. Good luck!
30%: Test 2 (Nov.14, in class)
30%: Computer Assignments/Lab Modules (4 labs at 5% each = 20%) plus Final Lab Module (10%, due Dec.3).
Students are expected to regularly check the
COMP4108
lab/assignment site
for details and due dates for the computer assignments (lab modules).
Assignment lab#1 is available as of Sept.19 and is due Monday Oct.1.
10%: Reading Responses (3) - see explanation below.
Explanation of Reading Responses.
For each specified research
paper, a one-page, hard-copy critque must be handed it at the start
of the specified class, followed by class discussion of the paper.
The response is to include a 2-3 sentence abstract of the paper
rephrased in your own words, plus three brief criticisms of the reading
(perceived shortcomings, points you disagree with, or suggestions for
improvement). Support your criticisms as best possible within the
available space.
University Policies.
For information on university policies regarding
academic integrity/plagiarism, unauthorized collaboration,
academic accommodation related to disabilities,
religious obligation, preganancy obligation and medical certificates,
see the standard university template information as
found on
this course outline page.
In addition COMP 4108 has a
Course-specific addendum re: Unethical Behaviour
as follows.
Any student submitting work including uncited
portions originating from someone else,
is subject to a mark
of minus 100% (-100%) on the entire work item. For example, if an
assignment
is worth 10%, the 10% is lost plus an additional 10% penalty, making the
best possible course mark 80%. If the infraction involves copying
from another student, then both students may be penalized.
Each student must write up submitted work individually
unless explicitly allowed otherwise per official instructions, for
example in group-based assignments.
Harsher penalties following from
any standard university policies will be pursued where appropriate.
Additional Information and Class Attendance.
Students seeking optional textbooks supplementary to the offically specified
course text may consider looking at
Stallings and Brown (2007), Gollman (2006), and/or other books on
this list.
Topics covered will be largely based on chapters in the course textbook,
substantially supplemented by
additional material
from the instructor as presented during individual classes.
Reading responses require participation in the class.
Students are thus expected to attend all classes.
Topics Outline.
Topics studied are drawn from those in the course description
(see top of page) and course text, as noted under
"Additional Information".
Topics and corresponding textbook chapters
will be posted here as the term progresses,
adjusted and updated on an ongoing basis.
-
Week 1: Chapter 1 (overview, basic concepts,
security principles, attack trees,
threat models and risk analysis, evolution of threat landscape,
why security is hard). Optional: review
Chapter 2 for background material on physical security, threat models.
-
Week 2: Chapter 1 (network threats, measuring security,
access control models, cryptographic concepts).
-
Week 3: Chapter 3 (OS security: boot sequence, process monitoring,
password security, filesystem permissions & setuid).
-
Week 4:
Ch.3 (buffer overflows & memory exploits, TOCTOU),
Ch.4 (malware, to end of 4.3.2: computer worms).
-
Week 5: Holiday (Monday) + Test 1 (Wednesday).
-
Week 6: Ch.4 (worm propagation, rootkits, botnets, Stuxnet).
-
Week 7:
Ch.6 (DNS, firewalls, SSH, tunneling/VPNs/IPsec).
-
Week 8:
Ch.6 (IPsec, intrusion detection), start Ch.7 (SSL, certificate
authorities, trust models).
-
Week 9:
Ch.7 (active content, DOM, HTTP cookies, same-origin policy, malicious HTML tags/scripts).
-
Week 10:
Ch.7 (XSS, CSRF) + Test 2 (Wednesday)
-
Week 11:
Ch.7 (7.3: Attacks on Servers) + Reading response #1 (due Nov.21; see instructions
above):
So long, and no thanks for the externalities: the rational rejection of
security advice by users (Herley, NSPW 2009).
-
Week 12:
Reading response #2 (due Nov.26):
Popularity is everything: A new approach to protecting passwords from
statistical-guessing attacks (Schechter et al., HotSec2010).
Reading response #3 (due Nov.28):
Do strong web passwords accomplish anything?
(Florencio et al., HotSec2007).
-
Week 13: Monday Dec.3 (Lab#5 due today).
Why
You Shouldn't Study Security (Tuomas Aura) IEEE S&P 4(3):74-76 (May/June 2006).
(Restricted access).
Last updated: November 28, 2012.
Send comments to: paulv (insert @ here) scs.carleton.ca.