Tentative Syllabus

These topics are tentative and subject to change without warning. In particular, if I don’t discuss something you’re interested in, ask about it! I may very well add it or modify what I’m covering to include it.

lec.	date	topic	reading	due

1.	Mon Mar 30	Introduction to computer security	text, §1
dis 1.		no discussion section today
2.	Wed Apr 1	Assurance; principles of secure design	text, §13, 18, [Bel07,Mei06,VE06]
3.	Fri Apr 3	Robust programming, part 1	[Bis11]

4.	Mon Apr 6	Robust programming, part 2	text, §29; [VBKM00,CCS06]
dis 2.		Case study; Buffer overflow, ROP	[Ale96, Sha07]
5.	Wed Apr 8	Common vulnerabilities	[Chr11,OWA13]
6.	Fri Apr 10	Flaw hypothesis methodology, part 1	text, §23.1–23.2, [Bis07a]	homework #1

7.	Mon Apr 13	FHM part 2; vulnerability models	text, §23.3–23.4, [PTE12]
dis 3.		Using a source code analyzer
8.	Wed Apr 15	Vulnerability models, part 2	text, §23.1–23.4
9.	Fri Apr 17	Access control matrix, HRU result	text, §2, 3.1–3.2

10.	Mon Apr 20	Policies	text, §4.1–4.4, [War70]
dis 4.v		Some security tools; nmap, metasploit
11.	Wed Apr 22	Policy languages	text, §4.5
12.	Fri Apr 24	Confidentiality: Bell-LaPadula model	text, §5	homework #2

13.	Mon Apr 27	to be arranged
dis 5.		Review for midterm examination
14.	Wed Apr 29	Midterm (in class)
15.	Fri May 2	Integrity: Biba model	text, §6 (not 6.3)

16.	Mon May 4	Integrity: Clark-Wilson model	text, §6.4
dis 6.		Web security
17.	Wed May 6	Classical cryptography	text, §9.1–9.2
18.	Fri May 8	Classical, public key cryptography	text, §9.3

19.	Mon May 11	Public key cryptography	text, §9.3–9.4	homework #3
dis 7.		Breaking a Vigenère Cipher
20.	Wed May 13	Key management, digital signatures	text, §10.1–10.4, 10.6
21.	Fri May 15	Cryptographic protocols, authentication	text, §11.3, 11.4.1, 12

22.	Mon May 18	Authentication	text, §12
dis 8.		Race conditions
23.	Wed May 20	Authentication	text, §12
24.	Fri May 22	Access control mechanisms	text, §15	homework #4

—.	Mon May 25	Holiday: Memorial Day
25.	Wed May 27	Malware	text, §22 (not 22.6), [Nac97]
26.	Fri May 29	Malware, network security	text, §11.4, 22 (not 22.6), [Nac97]

27.	Mon Jun 1	to be arranged
dis 9.		Review for Final Examination
28.	Wed Jun 3	Electronic voting	[BBG07, Bis07b,BW07,RAB04]	homework #5

—.	Wed Jun 10	Final examination (at 6:00pm)

References

[Ale96]: AlephOne, “Smashing the Stack for Fun and Profit,” Phrack 7(49) (1996).
[BBG07]: E. Barr, M. Bishop, and M. Gondree, “Fixing Federal E-Voting Standards,” Communications of the ACM 50(3) pp. 19–24 (Mar. 2007).
[Bel07]: S. Bellovin, “DRM, Complexity, and Correctness,” IEEE Security and Privacy 5(1) p. 80 (Jan. 2007).
[Bis07a]: M. Bishop, “About Penetration Testing,” IEEE Security and Privacy 5(6) pp. 84–87 (Nov. 2007).
[Bis07b]: M. Bishop, “Overview of Red Team Reports,” Technical Report, Office of the Secretary of State of California, Sacramento, CA (July 2007).
[Bis11]: M. Bishop, “Robust Programming,” Handout for ECS 153, Computer Security, (Mar. 2011).
[BW07]: M. Bishop and D. Wagner, “Risks of E-Voting,” Communications of the ACM 50(11) p. 120(Nov. 2007).
[CCS06]: P. Chandra, B. Chess, and J. Steven, “Putting the Tools to Work: How to Succeed with Source Code Analysis,” IEEE Security and Privacy 4(3) pp. 80–83 (May 2006).
[Chr11]: S. Christey, “2011 CWE/SANS Top 25 Most Dangerous Software Errors,” (Sep. 13, 2011). Available at http://cwe.mitre.org/top25/.
[Mei06]: J. Meier, “Web Application Security Engineering,” IEEE Security and Privacy 4(4) pp. 16–24 (July 2006).
[Nac97]: C. Nachenberg, “Computer Virus-Antivirus Coevolution,” Communications of the ACM 40(1) pp. 46–51 (Jan. 1997).
[OWA13]: OWASP, “Top 10—2013 rc1: The Ten Most Critical Web Application Security Risks,” Technical Report, The Open Web Application Security Project (2013).
[PTE12]: Penetration Testing Execution Standard (Jan. 2012). Available at http://www.pentest-standard.org/index.php/Main_Page.
[RAB04]: RABA Innovative Solution Cell, “Trusted Agent Report Diebold AccuVote-TS Voting System,” Technical Report, RABA Technologies LLC, Columbia, MD (Jan. 2004).
[Sha07]: H. Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-Libc Without Function Calls (on the x86),” Proceedings of the 14th ACM Conference on Computer and Communications Security pp. 552–561 (2007).
[VBKM00]: J. Viega, J. Bloch, Y. Kohno, and G. McGraw, “ITS4: A Static Vulnerability Scanner for C and C++ Code,” Proceedings of the 16th Annual Computer Security Applications Conference pp. 257–267 (Dec. 2000).
[VE06]: J. Viega and J. Epstein, “Why Applying Standards to Web Services Is Not Enough,” IEEE Security and Privacy 4(4) pp. 25–31 (July 2006).
[War70]: W. Ware, “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security,” Technical Report R609-1, Rand Corporation, Santa Monica, CA (Feb. 1970).

You can also obtain a PDF version of this.

Version of March 29, 2015 at 10:35PM