CSE 409 Fall 2011. System Security

Lecturer: Rob Johnson
Time: MoFr 12:50-2:10pm
Office Hours: Rob: Mo 2:30-3:30, Tu 4:00-5:00, 2313D Computer Science Building
Home page: http://www.cs.sunysb.edu/~rob/teaching/cse409-fa11

News

Overview

This class will cover the major concepts in computer security. We will focus primarily on securing a single host, although network security issues will be covered whenever they are relevant. The course material will be loosely organized around the central idea that new security mechanisms are developed to support finer-grained sharing.

Topics

Requirements and Grading

Subject to tweaks throughout the semester.

Class Notes

If you would like to earn extra credit, you may volunteer to write up notes for a lecture. I will count one day's notes as approximately 0.3 points added to your final grade. Notes should be submitted in PDF format. I will post the best notes on the course web page, and they will receive 0.5 points of extra credit.

References

There is no course textbook. You may review notes taken by students in previous years by visiting the course webpages linked from my home page. The following books may also serve as useful references:

Lecture Schedule

Note: the reading list may change throughout the semester.
You do not need to turn in a paper review for readings marked "OPTIONAL".
Warning: The notes below may contain errors. Use with caution.
Date
Topic/Reading assignment
8/29 No class: Hurricane
9/2 Security basics: goals, threat models, transitive trust
OPTIONAL READING: Reflections on trusting trust, Thompson

SELECTED NOTES: Alin Tomescu, Brijesh Joshi
9/5 No class: Labor Day
9/9 Hardware foundations: privileged mode, virtual memory

SELECTED NOTES: Luke Mladek, Brijesh Joshi, Alin Tomescu
9/12 OS security models: Unix, Windows

SELECTED NOTES: Alin Tomescu, Brijesh Joshi, Luke Mladek
9/16 Bell-Lapadula, Biba, RBAC, Chinese Wall

SELECTED NOTES: Alin Tomescu, Brijesh Joshi, Luke Mladek
9/19 The Android security model, capabilities

SELECTED NOTES: Brijesh Joshi, Luke Mladek, Alin Tomescu
9/23 Software security: buffer overflows and other memory safety bugs

SELECTED NOTES: Alin Tomescu, Luke Mladek
9/26 Software security: integer overflows, format string bugs

SELECTED NOTES: Alin Tomescu, Luke Mladek, Eric Kaggen
9/28 Note: CORRECTION DAY: Classes follow a Friday schedule
Demos of buffer overflow exploits
SELECTED NOTES: Alin Tomescu, Eric Kaggen
9/30 No class: Rosh Hashanah
10/3 Demos continued
SELECTED NOTES: Alin Tomescu, Eric Kaggen
10/7 Software security: race conditions, privilege management (e.g. setuid and friends)

SELECTED NOTES: Alin Tomescu, Luke Mladek
10/10 Web security model, SQL injection attacks, XSS attacks
SELECTED NOTES: Alin Tomescu, Luke Mladek, Eric Kaggen
10/14 XSS attacks, content sniffing attacks

SELECTED NOTES: Alin Tomescu, Eric Kaggen, Luke Mladek
10/17 CSRF attacks, path traversal attacks, force browsing, mashup issues, chroot jails

SELECTED NOTES: Alin Tomescu, Luke Mladek, Eric Kaggen
10/21 Mashups continued, HTML5 postMessage()

SELECTED NOTES: Alin Tomescu, Luke Mladek, Eric Kaggen
10/24 Principles of secure system design

SELECTED NOTES: Alin Tomescu, Luke Mladek
10/28 Principles of secure system design, continued, Sandboxing and IDS

SELECTED NOTES: Alin Tomescu, Eric Kaggen
10/31 Google Native Client

SELECTED NOTES: Alin Tomescu, Eric Kaggen
11/4 Model Checking, Fuzzing, Fault Injectiont

SELECTED NOTES: Alin Tomescu, Eric Kaggen
11/7 Type qualifiers for security, CCured
Guest Lecture: Jun Yuan

SELECTED NOTES: Alin Tomescu, Eric Kaggen
11/11 Compiler techniques for memory safety
Guest Lecture: Aseem Rastogi

SELECTED NOTES: Alin Tomescu, Matthew Cordaro, Eric Kaggen
11/14 Overview of design trade-offs in compiler defenses, Jones & Kelly, Run-time taint tracking

SELECTED NOTES: Alin Tomescu
11/18 Run-time taint tracking continued

SELECTED NOTES:
11/21 Authentication

SELECTED NOTES: Alin Tomescu, Eric Kaggen, Matthew Cordaro
11/25 No class: Thanksgiving break
11/28 Trustworthy computing

SELECTED NOTES: Alin Tomescu, Luke Mladek
12/2 Trustworthy computing, continued (sealed storage), usable security

SELECTED NOTES: Alin Tomescu, Luke Mladek
12/5 Usable security, continued: Phorcefiel, device pairing

SELECTED NOTES: Alin Tomescu, Luke Mladek
12/9 Incentives and security

SELECTED NOTES: Alin Tomescu, Luke Mladek
12/15 Final Exam: 2:15-4:45

Note: If you have a physical, psychological, medical or learning disability that may impact on your ability to carry out assigned course work, please contact the staff in the Disabled Student Services office (DSS), Room 133, Humanities, 632-6748v/TDD. DSS will review your concerns and determine with you what accommodations are necessary and appropriate. All information and documentation of disability are confidential.

Note: Each student must pursue his or her academic goals honestly and be personally accountable for all submitted work. Representing another person's work as your own is always wrong. Any suspected instance of academic dishonesty will be reported to the Academic Judiciary. For more comprehensive information on academic integrity, including categories of academic dishonesty, please refer to the academic judiciary website at http://www.stonybrook.edu/uaa/academicjudiciary/.