List of important topics for the CS442 final exam.
--------------------------------------------------

Several people have expressed concern at the vast amount of material to learn for the final exam (and the weightage given to the final), and have requested a list of important topics to study. Here are my tips on the topics that you should focus on as you prepare for the final exam.

1. Cryptography. Focus on understanding modular arithmetic well and on understanding how RSA works. You need to understand the proofs and how to apply the theorems, not just their statements.

2. Digital signatures, MACs, hash functions, etc. Understand exactly what scenario each of these is applicable in, and exactly what each of them achieves and does not achieve (e.g., is a digital signature as powerful as a MAC in all scenarios?).

3. Protocols. You need to understand all the protocols (Needham-Schroeder and its modifications, Kerberos) that we covered in class. In particular, you should be aware of attacks on these protocols (as discussed in your text), and of how to fix them.

4. Security policies. Understand Bell-LaPadula and Biba well. Clark-Wilson and Chinese Wall are also important.

5. Memory errors. You need to have a thorough and detailed understanding of how buffer overflow attacks (specifically stack smashing attacks) and format string attacks work. Specifically, you should completely understand both the Aleph One and the Team Teso papers. You should also be aware of the defense techniques for memory errors, but I will not ask you detailed questions on the specifics of the defense techniques used in the papers assigned for reading in class. (E.g., no details of the StackGuard, PointGuard or the Effectiveness of ASLR papers will be asked.)

6. Virtual machines. You need to understand how virtual machines work and why they provide isolation and a basis for implementing security mechanisms.

7. Web security. You need to have a thorough and detailed understanding of how XSS, XSRF and SQL injection attacks work. Also focus on understanding the defense techniques that we discussed in class for each of these attacks.

8. Information flow. You must thoroughly understand Chapter 15 in your textbook. Details of both the compiler-based technique and the execution monitoring technique are important.

9. Anonymity. You should be familiar with Chaum's paper and onion routing.

Review all the questions on the homework and the midterm as you prepare for the final exam. Solving the exercise questions in the textbook as you review the material will also greatly help.

Focus on understanding basic concepts well rather than memorizing material. For example, if you understand modular arithmetic well, you will be able to reconstruct all the proofs of how RSA works on your own without having to memorize anything. Similarly, if you just remember that Bell-LaPadula is a confidentiality policy and that Biba is an integrity policy, you will be able to reconstruct the simple and star security properties without having to memorize them. As yet another example, if you find yourself memorizing the information flow security rules for different language constructs presented in Chapter 15, that indicates that you might not have really understood the material in that chapter.

Good luck!

Vinod
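As an added illustration of the "reconstruct rather than memorize" point for Bell-LaPadula and Biba (example code written for this note, not part of the original announcement): both policies follow from a single rule about the direction in which information may flow, so the simple and star properties need not be memorized separately. The level lattice and the sample levels below are constructed for the example.

```python
"""Reconstructing Bell-LaPadula and Biba from one information-flow rule.

Added illustration, not part of the course announcement.  Security levels
are modelled as (rank, set of categories) pairs, so that one level
dominates another when its rank is at least as high and its categories
are a superset; this lattice is a constructed example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    rank: int               # e.g. 0 = Unclassified ... 3 = Top Secret
    categories: frozenset   # compartments such as {"NUC", "EUR"}

    def dominates(self, other: "Level") -> bool:
        """self >= other in the lattice."""
        return self.rank >= other.rank and self.categories >= other.categories


def _flow(op: str, subject: Level, obj: Level):
    """A read moves information object -> subject; a write moves it subject -> object."""
    return (obj, subject) if op == "read" else (subject, obj)


def blp_allows(op: str, subject: Level, obj: Level) -> bool:
    """Bell-LaPadula (confidentiality): information may only flow upward, so the
    destination must dominate the source.  Reads yield the simple security
    property (no read up); writes yield the *-property (no write down)."""
    src, dst = _flow(op, subject, obj)
    return dst.dominates(src)


def biba_allows(op: str, subject: Level, obj: Level) -> bool:
    """Biba (integrity): information may only flow downward, so the source must
    dominate the destination.  Reads yield 'no read down', writes 'no write up':
    exactly the dual of Bell-LaPadula."""
    src, dst = _flow(op, subject, obj)
    return src.dominates(dst)


if __name__ == "__main__":
    # Constructed check: a Secret/NUC subject against a Top Secret/NUC,EUR object.
    secret_nuc = Level(2, frozenset({"NUC"}))
    top_secret = Level(3, frozenset({"NUC", "EUR"}))
    print(blp_allows("read", secret_nuc, top_secret))    # False: no read up
    print(blp_allows("write", secret_nuc, top_secret))   # True: writing up is allowed
    print(biba_allows("read", secret_nuc, top_secret))   # True: reading higher integrity
    print(biba_allows("write", secret_nuc, top_secret))  # False: no write up
```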