This course will cover both classic, foundational topics in computer security as well as recent developments. A key goal of the course will be to educate students to think both as an attacker and as a defender. The focus of the course will be security of computer systems, and will complement CS537, which focuses on distributed systems security.
Overview. basic principles of secure system design. Distinction between security policy and mechanism. Confidentiality, Integrity, Availability.
Core concepts. Authentication, Authorization. Isolation. Reference monitors. Intrusion Detection sysetems and firewalls. Sandboxes.
Attacks. Denial of service and defenses. Malware, including viruses, worms, botnets and spyware. Discussion of popular Viruses, worms, and bots such as Slammer, Code Red, and Storm. Malware detection and fingerprinting. Web-based attacks: Cross-site scripting and cross-site request forgery. Phishing
/defenses. Basic of static and dynamic program analysis. Memory errors and exploits. Analysis techniques to detect and fix vulnerbilities. Improving Web application and Web Browser security security. Vurtual machine introspection-based defenses.
Applications. Security of mobile devices. Security and privacy for cloud-based applications.
Computer Security: Art and Science, by Matt Bishop; Security in Computing, by Charles P Pfleeger and Shari L. Pfleeger; Applied Cryptography, by Bruce Schneier; Network Security and Cryptography 4/e, by William Stallings; Network Security: Private Communication in a Public World, by Charlie Kaufman, Radia Perlman and Mike Speciner.
Because this is a graduate-level course, the research project will constitute a large fraction of the grade in the course. The project will be a semester-long activity, and will proceed in several stages, including a formal project proposal, periodic checkpoints, a mini-symposium where students present their research results, and a final conference-paper style project report. Students will be graded on the novelty of their projects and the quality of their project reports and presentations.
The course will also have a homework assignment which will involve students in a hacking exercise, where they exploit vulnerable programs. The goal of this assignment is for the students to develop the skills to think like attackers.
Basic principles of secure system design. Distinction between security policy and mechanism. Confidentiality, Integrity, Availability.