Principles and practice of computer system security: Operating system security, Authentication and access control, Capabilities, Information flow, Program security, Database security, Cryptographic key management, Auditing, Assurance, Vulnerability analysis and intrusion detection.

CSE 306 or 376, or ESE 333

• An understanding of fundamental concepts in security such as authentication, access control and information flow.
• An understanding of the mechanism and means by which these concepts are implemented in operating systems, databases and other application software.
• An ability to develop software that implements sample security mechanisms and services chosen by the instructor.
• An ability to identify security vulnerabilities in existing systems and develop means to mitigate these vulnerabilities.

• Introduction: What is security ? What isn't security ? Security by obscurity
• Cryptographic Primitives (1): single-key encryption, DES.
• Cryptographic Primitives (2): two/multi-key crypto (RSA), crypto-hashes.
• Ciphers (1): overview, types, (also: project discussion)
• Communication Security: layers: PEM/SSL/IPSec
• Key Management: PKIs, storage for secrets (disk, memory).
• Catch-up Session: continue with Kerberos, do overview of previous lectures
• Access Control (1): AC matrix, undecidability of security
• Access Control (2): ACLs, capabilities.
• Policies (1): overview, confidentiality, trust, Bell-LaPadula model
• Policies (2): integrity, Biba, Clark-Wilson.
• Policies (3): Chinese Wall, other hybrids.
• Midterm Review
• Midterm: on Friday,in class.
• Authentication: definition, passwords, biometrics, location.
• Information Flow: compiler, runtime mechanisms
• Sandboxing: confinement, isolation, covert channels.
• Audits: mechanisms, implementations.
• Intrusion Detection: models, reponse.
• Advanced Topics: Proof-Carrying Code.

Not Applicable