Courses/Computer Science/CPSC 525.W2016
Contents
Words from the Instructor
This course was taught by Robin E. Gonzalez V. (http://pages.cpsc.ucalgary.ca/~gonzalre) in Winter 2016 (January - April 2016). Assignments and course material can be found on this wiki's sub-sites. If you have any questions about the material or syllabus do not hesitate to contact the instructor at gonzalreATucalgary.ca, only people with proper permissions are allowed to modify this site.
Principles of Computer Security (Winter 2016)
The course overview page is located at: http://pages.cpsc.ucalgary.ca/~gonzalre/CPSC525
The university calendar entry for CPSC525 describes the course as: Security policies and protection mechanisms for a computing system, including such topics as design principles of protection systems, authentication and authorization, reference monitors, security architecture of popular platforms, formal modeling of protection systems, discretionary access control, safety analysis, information flow control, integrity, role-based access control. Legal and ethical considerations will be introduced.
What we study in this class
This is mainly a lecture-style course with some hands-on projects and assignments. It also includes an occasional tutorial component to provide some background technical skills. This course is largely a guided reading course that aims at helping the student achieve the security mindset and the terminology and vocabulary of the information security field to go on to further study in specific areas: systems security, network security, applied cryptography, HCI security and usability, etc.
Security is a cross-cutting concern; its problems and challenges crop up in many different areas of computer science, and effective security solutions often involve elements that cross layers of abstraction and areas of expertise. This course can be thought of as an archeological exploration of the brief history of the computer security field's principal ideas. We will try to see why the major themes and concepts arose, how approaches were wrought and how they persist into modern computer systems.
This class is driven by asking simple questions that have complex answers such as:
- What is security?
- Why do we care about security?
- Can we measure security?
- What does the term "hacking" mean?
- What subjects are involved in security?
- What are the weak links in security?
Subsequently, the same questions are asked for the term privacy.
Security has often emerged as a bolt-on afterthought subject to many different types of pressure. Risk assessment involves trying to answer simple value questions. Our aim is to try to understand this landscape by following our natural curiosity -- allowing this kind of inquisitive skill to flourish is a key element of developing a security mindset. This course relies on underlying principles for thinking about how systems can be made to fail, and its central aim is to help students understand the following abstract concepts.
Reading Material
- Computer Security by Dieter Gollmann (3rd Edition)
- The Craft of System Security by Sean Smith and John Marchesini
- Understanding the Linux Kernel by Bovet (3rd Edition)
- The C Programming Language by Kernighan and Ritchie
Syllabus Topics
Introduction to security
- security mindset
- security professionals
- example security architectures
- legal and ethical considerations
- security evaluation
- attack vs defense
OS and software security
- dynamic instrumentation
- reverse engineering
- intrusion detection
- history of attacks
- programming languages security issues
Formal security
- protection mechanisms
- design principles of protection mechanisms
- security policies and security models
- formal models of protection systems
- integrity models
- information flow control models
- MAC/MLS, DAC
- authentication
- authorization
- RBAC
- LangSec
Privacy
- usable studies
- social engineering
- automated attacks
- the importance of data
Lecture Schedule
Please see the University Academic Calendar for important add/drop dates, holidays, etc.
Courses/Computer_Science/CPSC_525.W2016/Lecture Notes
This section contains the class session notes.
Tutorial Schedule
Please see the University Academic Calendar for important add/drop dates, holidays, etc.
Courses/Computer_Science/CPSC_525.W2016/Tutorial Notes
This section contains the tutorial session notes.
Midterm Examination
- Definitions of attacks in security and privacy (history of attacks pt 1 + 2)
- Identification of vulnerable code (e.g., integer overflow, buffer overflow)
- Identification of undefined behavior (https://www.securecoding.cert.org/confluence/display/c/2+Rules)
- Issues with Access Control (e.g., The Deputy Attack, issues with DAC and MAC)
- Discretionary Access Control
- Access Control Structures (Gollman's chapter 5)
- Role-Based Access Control (Gollman's chapter 5)
- Bell-LaPadula Model (Gollman's chapter 11)
- Intrusion Detection Model
- DWARF + ELF analysis and construction
- Access Control in Unix
Undergraduate Assignments
Assignment 1 [1] - About ethics, Stuxnet, and code injection/reverse engineering... (Due on February 12th, 2016)
Winners best context-aware attacks:
- 1st Place (+5 points): Albert Luu, Andrew Heng, Pauline Telan - Attack Twitter hashtags with fake Ticketmaster events.
- 2nd Place (+3 points): Jun Ooi, Jason Law - Location based attack with common friend.
- 3rd Place (+2 points): Anthony Mak - Community based attack with hosted events.
- Honorable mention (+1 point): Anthony Chen, Christian Daniel - High school reunion attack.
Assignment 2 [2] - About Confidentiality, and Integrity
Assignment 3 [3] - About Social Engineering, Privacy, and Passwords
Please include references when required.
Papers for Q1:
- Social Phishing - http://markus-jakobsson.com/papers/jakobsson-commacm07.pdf
- Modeling and Preventing Phishing Attacks - https://pdfs.semanticscholar.org/e051/dc2df2f8b2a0ce403eaa5ddef17797a796fa.pdf