Principles of Computer Security (Fall 2014)

The university calendar entry for CPSC525 describes the course as: Security policies and protection mechanisms for a computing system, including such topics as design principles of protection systems, authentication and authorization, reference monitors, security architecture of popular platforms, formal modeling of protection systems, discretionary access control, safety analysis, information flow control, integrity, role-based access control. Legal and ethical considerations will be introduced.

How This Class is Taught

This is mainly a lecture-style course with some hands-on projects and assignments. It also includes an occasional tutorial component to provide some background technical skills.

This course is largely a guided reading course that aims at helping the student achieve the security mindset and the terminology and vocabulary of the information security field to go on to further study in specific areas: systems security, network security, applied cryptography, HCI security and usability, etc.

Security is a cross-cutting concern; its problems and challenges crop up in many different areas of computer science, and effective security solutions often involve elements that cross layers of abstraction and areas of expertise. This course can be thought of as an archeological exploration of the brief history of the computer security field's principal ideas. We will try to see why the major themes and concepts arose, how approaches were wrought and how they persist into modern computer systems.

This class is driven by asking simple questions that have complex answers. Security has often emerged as a bolt-on afterthought subject to many different types of pressure. Risk assessment involves trying to answer simple value questions. Our aim is to try to understand this landscape by following our natural curiosity -- allowing this kind of inquisitive skill to flourish is a key element of developing a security mindset. This course relies on underlying principles for thinking about how systems can be made to fail, and its central aim is to help students understand the following abstract concepts:

• cross-layer interactions -- root of trust; hardware supporting software security
• composition and trust -- how these concepts affect system assurance
• execution analysis -- how to analyze programs by reversing or removing abstraction, encapsulation, and other system organization principles
• flaws as programming models -- understanding vulnerabilities and exploits as de facto primitives of an unintended programming environment
• countermeasure efficacy -- understanding the context and relative merits of protection measures

Syllabus Topics

• protection mechanisms
• design principles of protection mechanisms
• security policies and security models
• formal models of protection systems
• integrity models
• information flow control models
• MAC/MLS, DAC
• authentication
• authorization
• RBAC
• reference monitors
• example security architectures
• legal and ethical considerations
• security mindset
• LangSec
• security professionals
• security evaluation

Announcments, Policies, and Metadata

Textbook: The Craft of System Security by Smith and Marchesini

Assignments

This section enumerates the project and homework assignments.

Undergraduate

1. Homework 1 - 200 points
2. Homework 2 - 200 points
3. Homework 3 - 200 points
4. Project - 300 points
5. Essay - 100 points

The project entails using a basic static analysis tool (RATS) and looking for computational slack in protocol or file format descriptions.

The essay entails:

• technical review of hacker con talk
• technical evaluation of an academic paper
• objective evaluation of a security product
• comparative review of a security textbook (if suitable, Instructor will suggest posting online)

New: Essays should be attached as a PDF to private posts in Piazza. Essays should be no more than 2 pages of 10point font, single spaced. Only PDFs will be accepted. You may wish to use LaTeX. You should use the ACM proceedings format (LaTeX or word templates available here: http://www.acm.org/sigs/publications/proceedings-templates

Special Regulations affecting the Final Grade: Each item will be given a numerical score out of total points available for that assignment. The final percentage grade will be calculated by summing the total points you earn divided by 1000. This percentage will then be converted to a final letter grade for the University grading system. Percentage scores at or above 95% will receive an A+, while those at or above 90% will receive an A, and those at or above 85% will receive an A-. Percentage scores at or above 80% will receive a B+, while those at or above 75% will receive a B, and those at or above 70% will receive a B-. Percentage scores at or above 65% will receive a C+, while those at or above 60% will receive a C, and those at or above 55% will receive a C-. Among passing scores, those below 55% will receive a D. Percentage scores below 50% will receive an F.

Graduate

1. Project Proposal 40%
2. Literature Review 20%
3. Project Deliverable 30%
4. Final Report/Article 10%

Your papers will be evaluated in a peer-review fashion via a mock-PC process. Poor papers risk rejection and a poor grade.

Assignment Specification

It is your task to produce a research paper suitable for submission to a quality academic security conference. As much as possible, the paper should report on novel research work relevant to your particular research area. The paper should reflect your understanding and appropriate use of the concepts (protection, access control, security policies, history) covered in this course. The paper should demonstrate mastery of these basic concepts and show some value in applying them to your chosen field of specialty. The topic of the research paper is up to you. You may wish to report on novel research, a new security mechanism, an evaluation of a security problem, measurement of security-related phenomena, etc. Papers should generally related to the topic of "Principles of Computer Security" -- papers that are heavily theoretical or crypto-focused should demonstrate (not merely mention) some practical application of the work. Please note that a survey of related literature is one component of this assignment --- reports that are merely surveys of existing fields will receive a very poor grade.

This set of course assignments provides you an opportunity to develop your ability to do meaningful, independent computer security research.

Deadlines

• Project Proposal due Oct 10 (updated)
• Literature review due Oct 30 (updated)
• Project Deliverable due Dec 1 (updated)
• Project Article due Dec 5 (updated)

All project components should be submitted as a private post via Piazza with appropriate attachments (PDF files only). Each component should build on the previous: you are working toward writing one coherent research paper. Paper should be written using LaTeX and formatted in two-column USENIX or ACM format (your choice -- but other formats, e.g., LLNCS will not be accepted).

Further Clarifications

Any clarifications to the assignment will be posted here.

• ...
• ...

Lecture Schedule

Please see the University Academic Calendar for important add/drop dates, holidays, etc.

Courses/Computer_Science/CPSC_525.F2014/Lecture Notes

This section contains the class session notes.

Tutorial Schedule

[| Tutorial Schedule]

Links & Miscellaneous Resources

Langsec Links

• A course in language-based security: http://www.cse.chalmers.se/edu/year/2013/course/TDA602/
• http://www.darkreading.com/vulnerability/taming-bad-inputs-means-taking-aim-at-we/240152171
• http://programmingisterrible.com/post/42215715657/postels-principle-is-a-bad-idea
• Programming with Nothing: http://experthuman.com/programming-with-nothing
• Learning to classify vulns: http://dl.acm.org/citation.cfm?doid=1835804.1835821
• PHY layer hacking: http://2012.hackitoergosum.org/blog/schedule/talks#Strangeand
• Catastrophic backtracking in regular expressions add http to this URL: t.co/KWVDhLyI
• From Buffer Overflows to Weird Machines
• Cyberpatterns
• The Halting Problems of Network Stack Insecurity
• Security Applications of Formal Language Theory
• ELFBac: http://elfbac.org/
• Packets in Packets (Goodspeed)
• Vulnerable Compliance (Geer)
• IDS Evasion Attacks (Ptacek and Newsham)
• Traffic Normalization (Handley)
• Crandall CCS 2005
• http://www.isg.rhul.ac.uk/tls/
• travis goodspeed: "Remotely Exploiting the PHY Layer"
  • http://travisgoodspeed.blogspot.ca/2011/09/remotely-exploiting-phy-layer.html
  • WOOT 2011 paper: http://www.usenix.org/events/woot11/tech/final_files/Goodspeed.pdf
• https://www.usenix.org/conference/woot11/packets-packets-orson-welles-band-signaling-attacks-modern-radios
  • http://www.phrack.org/issues.html?issue=68&id=4&mode=txt (see 0x06, "How I misunderstood digital radio; or, "Weird machines" are in radio, too!" by M.Laphroaig pastor@phrack )
• filtrex: https://github.com/joewalnes/filtrex
• cryptol: http://cryptol.net/index.html

Misc:

• cybersecurity is hot: http://www.reuters.com/article/2014/07/16/us-deliveringalpha-cybersecurity-idUSKBN0FL28R20140716
• http://www.microsoft.com/typography/otspec/featuretags.htm
• evading AV: http://blog.endpoint.com/2013/01/evading-anti-virus-metasploit.html
• http://programmingisterrible.com/post/42432568185/how-to-parse-ruby
• packet of death: http://appliance.cloudshark.org/news/cloudshark-in-the-wild/intel-packet-of-death-capture/
• blocking content based on executable env: http://arstechnica.com/security/2013/01/firefox-to-block-content-based-on-java-reader-and-silverlight/
• recognize a dialup? i.imgur.com/Q3lKIr1.jpg
• http://www.johndcook.com/blog/2013/02/21/can-regular-expressions-parse-html-or-not/
• "evil" code: http://erratasec.blogspot.ca/2013/03/the-debate-over-evil-code.html
• http://www.getprepared.gc.ca/cnt/rsrcs/sfttps/tp201010-eng.aspx
• http://www.foxnews.com/tech/2014/09/03/expert-expect-hackers-to-increase-celeb-attacks/?intcmp=obnetwork
• backdoors in routers:
  • http://www.tomsguide.com/us/chinese-router-backdoor,news-19398.html
  • http://www.tomsguide.com/us/home-router-security,news-19245.html
• Software Copy Projection / DRM
  • http://arstechnica.com/information-technology/2014/07/how-to-implement-a-self-destruct-feature-into-free-trial-software/
• Risks of Cloud
  • http://arstechnica.com/security/2014/07/hackers-seed-amazon-cloud-with-potent-denial-of-service-bots/
• BadUSB
  • http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
• WSJ data for sale
  • http://arstechnica.com/security/2014/07/wsj-website-hacked-data-offered-for-sale-for-1-bitcoin/
• Security Incidents
  • Mozilla devs info exposed: http://arstechnica.com/security/2014/08/thousands-of-mozilla-developers-e-mail-addresses-password-hashes-exposed/
• Spaf on the general security problem and what's ailing the field:
  • https://www.cerias.purdue.edu/site/blog/post/why_we_dont_have_secure_systems_yet_introduction/
• PAGEEXEC: http://pax.grsecurity.net/docs/pageexec.txt
• opinion on systemd broken by design: http://ewontfix.com/14/
• The Monoculture Hype: http://ranum.com/security/computer_security/editorials/monoculture-hype/index.html
• Netflix open sources its Amazon cloud security enforcer http://www.networkworld.com/article/2449445/cloud-security/netflix-open-sources-its-amazon-cloud-security-enforcer.html
• http://www.itmanagerdaily.com/watch-out-defeated-malware-given-new-life/
• generic advice/password length: http://www.foxbusiness.com/personal-finance/2014/08/29/why-your-passwords-should-be-at-least-24-charcters-long/

Focus Questions

This is a list of questions meant to focus our studies on the main themes of information security.

How do you protect things?

• protection
  • access control
  • authentication
  • authorization
• isolation
  • virtualization
  • namespace rewriting
  • containers
  • reference monitors

Why do vulnerabilities exist?

• langsec
• complexity
• composition

What do traditional security models mean?

• translation
• primitives
• e-prime as a lens

What is a security mindset?

• see associated readings

What is assurance?

• B. Snow

What are realistic incentives for keeping things secure?

• usability
• economics

Things We (Probably) Won't Cover

• intrusion detection
• reverse engineering
• malware creation
• network security
• advanced or theoretical access control
• mathematics of cryptography
• many applied cryptography problems
• privacy
• information-theoretic security
• secure multiparty computation