CSE409


Course

CSE409

Title

Computer System Security

Credits

3

Course Coordinator

R. Sekar

Current Catalog Description

Principles and practice of computer system security: Operating system security, Authentication and access control, Capabilities, Information flow, Program security, Database security, Cryptographic key management, Auditing, Assurance, Vulnerability analysis and intrusion detection.

Prerequisite

CSE 306 or CSE 376 or equivalent

Course Goals

Learn to design, develop and administer secure software and computer systems.

Understand fundamental concepts in security such as authentication, access control and information flow.

Understand the mechanism and means by which these concepts are implemented in operating systems, databases and other application software.

Develop software that implements sample security mechanisms and services chosen by the instructor.

Be able to identify security vulnerabilities in existing systems and develop means to mitigate these vulnerabilities.

Textbook

Introduction to Computer Security by Matt Bishop

Computer Security: Art and Science

Major Topics Covered in Course

Introduction: What is security ? What isn't security ? Security by obscurity.

Cryptographic Primitives (1): single-key encryption, DES.

Cryptographic Primitives (2): two/multi-key crypto (RSA), crypto-hashes.
Ciphers (1): overview, types, (also: project discussion)

Communication Security: layers: PEM/SSL/IPSec
Key Management: PKIs, storage for secrets (disk, memory).

Catch-up Session: continue with Kerberos, do overview of previous lectures
Access Control (1): AC matrix, undecidability of security

Access Control (2): ACLs, capabilities.
Policies (1): overview, confidentiality, trust, Bell-LaPadula model

Policies (2): integrity, Biba, Clark-Wilson.
Policies (3): Chinese Wall, other hybrids.

Midterm Review
Midterm: on Friday,in class.

Authentication: definition, passwords, biometrics, location.
Information Flow: compiler, runtime mechanisms

Sandboxing: confinement, isolation, covert channels.

Audits: mechanisms, implementations.
Intrusion Detection: models, reponse.

Advanced Topics: Proof-Carrying Code.
Review for Final

Laboratory Projects

Not Applicable

Course Webpage

http://www.cs.sunysb.edu/~cse409