Courses/Computer Science/CPSC 525.F2014

From wiki.ucalgary.ca
Revision as of 19:46, 8 September 2014 by Locasto (talk | contribs) (Undergraduate)

Principles of Computer Security (Fall 2014)

The university calendar entry for CPSC525 describes the course as: Security policies and protection mechanisms for a computing system, including such topics as design principles of protection systems, authentication and authorization, reference monitors, security architecture of popular platforms, formal modeling of protection systems, discretionary access control, safety analysis, information flow control, integrity, role-based access control. Legal and ethical considerations will be introduced.

How This Class is Taught

This is mainly a lecture-style course with some hands-on projects and assignments. It also includes an occasional tutorial component to provide some background technical skills.

This course is largely a guided reading course. It aims to help students acquire the security mindset, along with the terminology and vocabulary of the information security field, so that they can go on to further study in specific areas: systems security, network security, applied cryptography, HCI security and usability, etc.

Security is a cross-cutting concern; its problems and challenges crop up in many different areas of computer science, and effective security solutions often involve elements that cross layers of abstraction and areas of expertise. This course can be thought of as an archeological exploration of the brief history of the computer security field's principal ideas. We will try to see why the major themes and concepts arose, how approaches were wrought and how they persist into modern computer systems.

This class is driven by asking simple questions that have complex answers. Security has often emerged as a bolt-on afterthought subject to many different types of pressure. Risk assessment involves trying to answer simple value questions. Our aim is to try to understand this landscape by following our natural curiosity -- allowing this kind of inquisitive skill to flourish is a key element of developing a security mindset. This course relies on underlying principles for thinking about how systems can be made to fail, and its central aim is to help students understand the following abstract concepts:

  • cross-layer interactions -- root of trust; hardware supporting software security
  • composition and trust -- how these concepts affect system assurance
  • execution analysis -- how to analyze programs by reversing or removing abstraction, encapsulation, and other system organization principles
  • flaws as programming models -- understanding vulnerabilities and exploits as de facto primitives of an unintended programming environment
  • countermeasure efficacy -- understanding the context and relative merits of protection measures

Syllabus Topics

  • protection mechanisms
  • design principles of protection mechanisms
  • security policies and security models
  • formal models of protection systems
  • integrity models
  • information flow control models
  • MAC/MLS, DAC
  • authentication
  • authorization
  • RBAC
  • reference monitors
  • example security architectures
  • legal and ethical considerations
  • security mindset
  • LangSec
  • security professionals
  • security evaluation

Announcements, Policies, and Metadata

Textbook: The Craft of System Security by Smith and Marchesini

Assignments

This section enumerates the project and homework assignments.

Undergraduate

  1. Homework 1 - 200 points
  2. Homework 2 - 200 points
  3. Homework 3 - 200 points
  4. Project - 300 points
  5. Essay - 100 points

Project entails one of:

  • security bug report: find and report one significant security bug
  • testing AV combination: evaluate a specific "defense in depth" scenario

Essay entails:

  • technical review of hacker con talk
  • technical evaluation of an academic paper
  • objective evaluation of a security product
  • comparative review of a security textbook (posted online)

Graduate

  • Project Proposal due TBD
  • Project Deliverable due TBD
  • Project Article due TBD

Courses/Computer Science/CPSC 625 Suggested Projects

Lecture Schedule

Please see the University Academic Calendar for important add/drop dates, holidays, etc.

Courses/Computer_Science/CPSC_525.W2013/Lecture Notes

This section contains the class session notes.

Tutorial Schedule


Links & Miscellaneous Resources

Langsec Links

Misc:

Focus Questions

This is a list of questions meant to focus our studies on the main themes of information security.

How do you protect things?

  • protection
    • access control
    • authentication
    • authorization
  • isolation
    • virtualization
    • namespace rewriting
    • containers
    • reference monitors

Why do vulnerabilities exist?

  • langsec
  • complexity
  • composition

What do traditional security models mean?

  • translation
  • primitives
  • e-prime as a lens

What is a security mindset?

  • see associated readings

What is assurance?

  • B. Snow

What are realistic incentives for keeping things secure?

  • usability
  • economics

Things We (Probably) Won't Cover

  • intrusion detection
  • reverse engineering
  • malware creation
  • network security
  • advanced or theoretical access control
  • mathematics of cryptography
  • many applied cryptography problems
  • privacy
  • information-theoretic security
  • secure multiparty computation