Difference between revisions of "Courses/Computer Science/CPSC 525.F2014"

From wiki.ucalgary.ca

Revision as of 20:42, 8 September 2014

Principles of Computer Security (Fall 2014)

The university calendar entry for CPSC525 describes the course as: Security policies and protection mechanisms for a computing system, including such topics as design principles of protection systems, authentication and authorization, reference monitors, security architecture of popular platforms, formal modeling of protection systems, discretionary access control, safety analysis, information flow control, integrity, role-based access control. Legal and ethical considerations will be introduced.

How This Class is Taught

This is mainly a lecture-style course with some hands-on projects and assignments. It also includes an occasional tutorial component to provide some background technical skills.

This course is largely a guided reading course that aims at helping the student achieve the security mindset and the terminology and vocabulary of the information security field to go on to further study in specific areas: systems security, network security, applied cryptography, HCI security and usability, etc.

Security is a cross-cutting concern; its problems and challenges crop up in many different areas of computer science, and effective security solutions often involve elements that cross layers of abstraction and areas of expertise. This course can be thought of as an archeological exploration of the brief history of the computer security field's principal ideas. We will try to see why the major themes and concepts arose, how approaches were wrought and how they persist into modern computer systems.

This class is driven by asking simple questions that have complex answers. Security has often emerged as a bolt-on afterthought subject to many different types of pressure. Risk assessment involves trying to answer simple value questions. Our aim is to try to understand this landscape by following our natural curiosity -- allowing this kind of inquisitive skill to flourish is a key element of developing a security mindset. This course relies on underlying principles for thinking about how systems can be made to fail, and its central aim is to help students understand the following abstract concepts:

  • cross-layer interactions -- root of trust; hardware supporting software security
  • composition and trust -- how these concepts affect system assurance
  • execution analysis -- how to analyze programs by reversing or removing abstraction, encapsulation, and other system organization principles
  • flaws as programming models -- understanding vulnerabilities and exploits as de facto primitives of an unintended programming environment
  • countermeasure efficacy -- understanding the context and relative merits of protection measures

Syllabus Topics

  • protection mechanisms
  • design principles of protection mechanisms
  • security policies and security models
  • formal models of protection systems
  • integrity models
  • information flow control models
  • authentication
  • authorization
  • RBAC
  • reference monitors
  • example security architectures
  • legal and ethical considerations
  • security mindset
  • LangSec
  • security professionals
  • security evaluation

Announcements, Policies, and Metadata

Textbook: The Craft of System Security by Smith and Marchesini


Assignments

This section enumerates the project and homework assignments.


  1. Homework 1 - 200 points
  2. Homework 2 - 200 points
  3. Homework 3 - 200 points
  4. Project - 300 points
  5. Essay - 100 points

Project entails one of:

  • security bug report: find, analyze, and report one significant security bug
  • testing AV combination: evaluate a specific "defense in depth" scenario
  • something suitable for POC||GTFO
  • analysis of bug origin (see Prof.)
  • underhanded crypto entry (see Prof.)
  • EDURange dev (see Prof.)

Essay entails:

  • technical review of hacker con talk
  • technical evaluation of an academic paper
  • objective evaluation of a security product
  • comparative review of a security textbook (posted online)

Special Regulations affecting the Final Grade: Each item will be given a numerical score out of the total points available for that assignment. The final percentage grade will be calculated by summing the points you earn and dividing by 1000. This percentage will then be converted to a final letter grade for the University grading system. Percentage scores at or above 95% will receive an A+, while those at or above 90% will receive an A, and those at or above 85% will receive an A-. Percentage scores at or above 80% will receive a B+, while those at or above 75% will receive a B, and those at or above 70% will receive a B-. Percentage scores at or above 65% will receive a C+, while those at or above 60% will receive a C, and those at or above 55% will receive a C-. Among passing scores, those below 55% will receive a D. Percentage scores below 50% will receive an F.


  1. Literature Review 20%
  2. Project Proposal 40%
  3. Project Deliverable 30%
  4. Final Report 10%

Your papers will be evaluated in a peer-review fashion via a mock-PC process. Poor papers risk rejection and a poor grade.

  • Project Proposal due TBD
  • Project Deliverable due TBD
  • Project Article due TBD

Courses/Computer Science/CPSC 625 Suggested Projects

Lecture Schedule

Please see the University Academic Calendar for important add/drop dates, holidays, etc.

Courses/Computer_Science/CPSC_525.F2014/Lecture Notes

This section contains the class session notes.

Tutorial Schedule


Links & Miscellaneous Resources

Langsec Links


Focus Questions

This is a list of questions meant to focus our studies on the main themes of information security.

How do you protect things?

  • protection
    • access control
    • authentication
    • authorization
  • isolation
    • virtualization
    • namespace rewriting
    • containers
    • reference monitors

Why do vulnerabilities exist?

  • langsec
  • complexity
  • composition

What do traditional security models mean?

  • translation
  • primitives
  • e-prime as a lens

What is a security mindset?

  • see associated readings

What is assurance?

  • B. Snow

What are realistic incentives for keeping things secure?

  • usability
  • economics

Things We (Probably) Won't Cover

  • intrusion detection
  • reverse engineering
  • malware creation
  • network security
  • advanced or theoretical access control
  • mathematics of cryptography
  • many applied cryptography problems
  • privacy
  • information-theoretic security
  • secure multiparty computation