Tentative Syllabus

These topics are tentative and subject to change without warning. In particular, if I don’t discuss something you’re interested in, ask about it! I may very well add it or modify what I’m covering to include it.
| lec. | date | topic | reading | due |
|------|------|-------|---------|-----|
| 1 | Mon Mar 30 | Introduction to computer security | text, §1 | |
| dis 1 | | no discussion section today | | |
| 2 | Wed Apr 1 | Assurance; principles of secure design | text, §13, 18; [Bel07, Mei06, VE06] | |
| 3 | Fri Apr 3 | Robust programming, part 1 | [Bis11] | |
| 4 | Mon Apr 6 | Robust programming, part 2 | text, §29; [VBKM00, CCS06] | |
| dis 2 | | Case study: buffer overflow, ROP | [Ale96, Sha07] | |
| 5 | Wed Apr 8 | Common vulnerabilities | [Chr11, OWA13] | |
| 6 | Fri Apr 10 | Flaw hypothesis methodology, part 1 | text, §23.1–23.2; [Bis07a] | homework #1 |
| 7 | Mon Apr 13 | FHM, part 2; vulnerability models | text, §23.3–23.4; [PTE12] | |
| dis 3 | | Using a source code analyzer | | |
| 8 | Wed Apr 15 | Vulnerability models, part 2 | text, §23.1–23.4 | |
| 9 | Fri Apr 17 | Access control matrix, HRU result | text, §2, 3.1–3.2 | |
| 10 | Mon Apr 20 | Policies | text, §4.1–4.4; [War70] | |
| dis 4 | | Some security tools: nmap, metasploit | | |
| 11 | Wed Apr 22 | Policy languages | text, §4.5 | |
| 12 | Fri Apr 24 | Confidentiality: Bell-LaPadula model | text, §5 | homework #2 |
| 13 | Mon Apr 27 | to be arranged | | |
| dis 5 | | Review for midterm examination | | |
| 14 | Wed Apr 29 | Midterm (in class) | | |
| 15 | Fri May 2 | Integrity: Biba model | text, §6 (not 6.3) | |
| 16 | Mon May 4 | Integrity: Clark-Wilson model | text, §6.4 | |
| dis 6 | | Web security | | |
| 17 | Wed May 6 | Classical cryptography | text, §9.1–9.2 | |
| 18 | Fri May 8 | Classical, public key cryptography | text, §9.3 | |
| 19 | Mon May 11 | Public key cryptography | text, §9.3–9.4 | homework #3 |
| dis 7 | | Breaking a Vigenère cipher | | |
| 20 | Wed May 13 | Key management, digital signatures | text, §10.1–10.4, 10.6 | |
| 21 | Fri May 15 | Cryptographic protocols, authentication | text, §11.3, 11.4.1, 12 | |
| 22 | Mon May 18 | Authentication | text, §12 | |
| dis 8 | | Race conditions | | |
| 23 | Wed May 20 | Authentication | text, §12 | |
| 24 | Fri May 22 | Access control mechanisms | text, §15 | homework #4 |
| — | Mon May 25 | Holiday: Memorial Day | | |
| 25 | Wed May 27 | Malware | text, §22 (not 22.6); [Nac97] | |
| 26 | Fri May 29 | Malware, network security | text, §11.4, 22 (not 22.6); [Nac97] | |
| 27 | Mon Jun 1 | to be arranged | | |
| dis 9 | | Review for final examination | | |
| 28 | Wed Jun 3 | Electronic voting | [BBG07, Bis07b, BW07, RAB04] | homework #5 |
| — | Wed Jun 10 | Final examination (at 6:00pm) | | |

References

[Ale96]
Aleph One, “Smashing the Stack for Fun and Profit,” Phrack 7(49) (1996).
[BBG07]
E. Barr, M. Bishop, and M. Gondree, “Fixing Federal E-Voting Standards,” Communications of the ACM 50(3) pp. 19–24 (Mar. 2007).
[Bel07]
S. Bellovin, “DRM, Complexity, and Correctness,” IEEE Security and Privacy 5(1) p. 80 (Jan. 2007).
[Bis07a]
M. Bishop, “About Penetration Testing,” IEEE Security and Privacy 5(6) pp. 84–87 (Nov. 2007).
[Bis07b]
M. Bishop, “Overview of Red Team Reports,” Technical Report, Office of the Secretary of State of California, Sacramento, CA (July 2007).
[Bis11]
M. Bishop, “Robust Programming,” Handout for ECS 153, Computer Security, (Mar. 2011).
[BW07]
M. Bishop and D. Wagner, “Risks of E-Voting,” Communications of the ACM 50(11) p. 120 (Nov. 2007).
[CCS06]
P. Chandra, B. Chess, and J. Steven, “Putting the Tools to Work: How to Succeed with Source Code Analysis,” IEEE Security and Privacy 4(3) pp. 80–83 (May 2006).
[Chr11]
S. Christey, “2011 CWE/SANS Top 25 Most Dangerous Software Errors,” (Sep. 13, 2011). Available at http://cwe.mitre.org/top25/.
[Mei06]
J. Meier, “Web Application Security Engineering,” IEEE Security and Privacy 4(4) pp. 16–24 (July 2006).
[Nac97]
C. Nachenberg, “Computer Virus-Antivirus Coevolution,” Communications of the ACM 40(1) pp. 46–51 (Jan. 1997).
[OWA13]
OWASP, “Top 10—2013 rc1: The Ten Most Critical Web Application Security Risks,” Technical Report, The Open Web Application Security Project (2013).
[PTE12]
Penetration Testing Execution Standard (Jan. 2012). Available at http://www.pentest-standard.org/index.php/Main_Page.
[RAB04]
RABA Innovative Solution Cell, “Trusted Agent Report Diebold AccuVote-TS Voting System,” Technical Report, RABA Technologies LLC, Columbia, MD (Jan. 2004).
[Sha07]
H. Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-Libc Without Function Calls (on the x86),” Proceedings of the 14th ACM Conference on Computer and Communications Security pp. 552–561 (2007).
[VBKM00]
J. Viega, J. Bloch, Y. Kohno, and G. McGraw, “ITS4: A Static Vulnerability Scanner for C and C++ Code,” Proceedings of the 16th Annual Computer Security Applications Conference pp. 257–267 (Dec. 2000).
[VE06]
J. Viega and J. Epstein, “Why Applying Standards to Web Services Is Not Enough,” IEEE Security and Privacy 4(4) pp. 25–31 (July 2006).
[War70]
W. Ware, “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security,” Technical Report R609-1, Rand Corporation, Santa Monica, CA (Feb. 1970).

A PDF version of this syllabus is also available. Version of March 29, 2015 at 10:35PM.