CSE509 Spring 2006. System Security

Lecturer: Rob Johnson
Location: Library N4000
Time: TuTh 11:20am-12:40pm
Office Hours: Th 1-3pm, 2313D Computer Science Building
Home page: http://www.cs.sunysb.edu/~rob/teaching/cse509-sp06

News

Overview

This class will cover the major concepts in computer security. We will focus primarily on securing a single host, although network security issues will be covered whenever they are relevant. The course material will be loosely organized around the central idea that new security mechanisms are developed to support finer-grained sharing.

Topics

Requirements and Grading

Subject to tweaks throughout the semester.

Class Notes

If you would like to earn extra credit, say, to make up for missing paper reviews, you may volunteer to write up notes for a lecture. I will count one day's notes as equivalent to one paper review. Only two people can submit notes for any given day, so check with me in advance. Notes should be submitted in text, HTML, PostScript, or PDF format. I will post the notes on the course web page.

Note: If you have a physical, psychological, medical or learning disability that may impact on your ability to carry out assigned course work, please contact the staff in the Disabled Student Services office (DSS), Room 133, Humanities, 632-6748v/TDD. DSS will review your concerns and determine with you what accommodations are necessary and appropriate. All information and documentation of disability are confidential.

Reading Assignments

Note: the reading list may change throughout the semester.
Date Topic/Reading assignment
1/24 Security basics: goals, threat models
Notes, Beili Wang.
1/26 Trust, open design, principles of secure system design
Reflections on trusting trust, Thompson
Rudimentary treatise on the construction of locks, Tomlinson
Notes, Beili Wang.
1/31 Confinement, virtual machines
No reading
Notes, Gabriel Sanchez.
Notes, Samir Shah.
2/2 Access Control
Protection, Butler Lampson.
Notes, Fatima Zarinni.
2/7 Access Control: HRU, Bell-LaPadula
The Confused Deputy, Hardy.
Notes, Paul Roddin
2/9 Access Control: Biba, Capabilities, Revocation
No reading
Notes, Ravi Muthunoori
Notes, Vaibhav Chopda
2/14 Authentication
No reading
Notes, Wenbin Zhang
Notes, Ravi Muthunoori
2/16 Cryptography: Symmetric key crypto
No reading
Notes, Fatima Zarinni
2/21 Cryptography: Hashes, MACs, number theory
No reading
Notes, Faisal Islam
2/23 Public key crypto: RSA
Combining cryptography with biometrics effectively, Hao, Anderson, Daugman
Notes, Siddharth Bhatt.
2/28 Diffie-Hellman, signatures
No reading
Notes, Ravi Muthunoori
3/2 Authentication, continued: token cards, biometrics
No reading
Notes, Sadler Divers
3/7 Authentication, continued: token cards, biometrics
Software security: format string bugs
No reading
Notes, Sumeet Bajaj
3/9 Static analysis: type qualifier inference
Detecting Format String Vulnerabilities With Type Qualifiers, Shankar, Talwar, Foster, Wagner.
3/14 Static analysis: MECA
Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions, Engler, Chelf, Chou, Hallem.
Notes, Shibiao Lin
Notes, Samir Shah
3/16 Static analysis: CCured
CCured: Type-Safe Retrofitting of Legacy Code, George Necula, Scott McPeak, Westley Weimer
Notes, Wenbin Zhang
Notes, Fatima Zarinni
3/21 Secure software design
Privtrans: Automatically Partitioning Programs for Privilege Separation, Brumley, Song
Notes, Harry Papaxenopoulos
Notes, Vaibhav Chopda
3/23 Privilege Separation, continued
Notes, Paul Talamo
Notes, Manish Nair
3/28 Midterm
3/30 Buffer overflows: the systems solution
On the Effectiveness of Address-Space Randomization, Shacham, Page, Pfaff, Goh, Modadugu, Boneh
OPTIONAL: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, Cowan, Pu, Maier, Walpole, Bakke, Beattie, Grier, Wagle, Zhang
OPTIONAL: PointGuard: Protecting Pointers from Buffer Overflow Vulnerabilities, Cowan, Beattie, Johansen, Wagle
Notes, Shibiao Lin
Notes, Pramod Adiddam
4/4 Untrusted code
Inline reference monitors: Efficient Software-Based Fault Isolation, Wahbe, Lucco, Anderson, Graham
System call interposition: Ostia: A Delegating Architecture for Secure System Call Interposition, Garfinkel, Pfaff, Rosenblum
Notes, Beili Wang
Notes, Fatima Zarinni
4/6 No reading
Notes, Vaibhav Chopda
Notes, Siddharth Bhatt
4/11 Spring Break
4/13 Spring Break
4/18 Intrusion detection
Intrusion Detection via Static Analysis, Wagner, Dean.
4/20 DOS
Using Client Puzzles to Protect TLS, Dean, Stubblefield
Notes, Manish Nair
4/25 DOS: No reading
Notes, Beili Wang
4/27 Trusted computing
Terra: A Virtual Machine-Based Platform for Trusted Computing, Garfinkel, Pfaff, Chow, Rosenblum, Boneh
Notes, Sadler Divers
Notes, Pramod Adiddam
5/2 Side channel attacks
TIMING: Remote Timing Attacks are Practical, Brumley, Boneh
OPTIONAL: TEMPEST: Optical Time-Domain Eavesdropping Risks of CRT Displays, Kuhn
OPTIONAL: SOUND: Keyboard Acoustic Emanations, Asonov, Agrawal
Notes, Manish Nair
5/4 Fun stuff
Humans: Telling Humans and Computers Apart Automatically, von Ahn, Blum, and Langford
Money: Why Information Security is Hard - An Economic Perspective, Anderson
Notes, Gabe Sanchez
5/11
Final Exam
11am-1:30pm