Homework. Homework 4 Solution.
Grading Statistics. I added some grading statistics on the cse394 home page.
Homework. Homework 3 Solution.
Homework. Homework 4.
Clarification. I made a comment near the end of today's class that incorrectly suggested I would not see you in class on thursday this week. wrong! sorry for the confusion. I will see you in class on thursday, nov 10.
Project. Please submit the project submission due on Nov 15 in two ways: as a printout in class (as specified in the project description) and by email to cse394 at cs dot sunysb dot edu (by midnight on Nov 15).
Reading. Open Digital Rights Language (ODRL) Specification 1.1, sections 1-3.
Reading. A good survey of digital rights management (DRM) is: William Ku and Chi-Hung Chi. Survey on the technological aspects of Digital Rights Management. In Proceedings of the 7th Information Security Conference (ISC 2004), pages 391-403. Springer-Verlag, volume 3225 of LNCS, 2004.
Reading. A good brief introduction to J2EE security is section 2 of: Gleb Naumovich and Paolina Centonze. Static analysis of role-based access control in J2EE applications. In Proceedings of the 2004 Workshop on Testing, Analysis and Verification of Web Services, July 2004. We did not cover the other sections of the paper.
Reading. The Java 1.5 Security page contains numerous links. A good introduction, which our discussion today is based on, is the link Security Architecture, written by Li Gong, one of the primary designers of the Java security architecture. That document does not describe some subsequent extensions, but it is shorter and the extensions are not significant for our purpose.
Reading. A good introduction to Security-Enhanced Linux is: Peter A. Loscocco and Stephen D. Smalley. Meeting Critical Security Objectives with Security-Enhanced Linux. In Proceedings of the 2001 Ottawa Linux Symposium. I used the slides that accompany this paper in our discussion of SELinux on Nov 1.
Project. This is just a reminder that project-related submissions are due on Nov 15, Nov 24, and Dec 9. See the Project Description (posted on Oct 18) for details. I do not plan to post any other reminders, so please mark these dates in your calendars.
Homework. Homework 3.
Happy Halloween!
Policy Development Projects. An important point, which I forgot to make in the initial project description, is that you should consider security policy administration (in other words, the policies and procedures for authorization of changes to the security policy) in your application domain.
Collected Links to Policies. Here is a page with Collected Links to Security Policies.
University Security Policy. Two comments about the "security policy for universities" project. (1) Try to consider security generally, not only privacy. (2) You do not need to reproduce exactly the policy of one specific university, but you should indicate, for each part of your policy, on which (if any) existing university's policy it is based. Here are links to some of Penn State's policies, in case you find them useful: Privacy Policy, University Policy on Confidentiality of Student Records, Use of Institutional Data.
Reading. After ARBAC, we will discuss: Richard Fernandez. Enterprise Dynamic Access Control (EDAC). US Navy, 2005
Grading. I added grading statistics for hw1 to the cse394 home page.
Reading. Here is the Extended API for Cassandra that we discussed today.
Project. A follow-up to yesterday's comment about XSB: You can use XSB's ordered set (ordset) library (see section 1.16.3 of volume 2 of the XSB manual) to manipulate and compare sets.
Project. A clarification regarding the possible use of XSB for evaluation of trust management policies. XSB supports constraints, but constraints are not needed for typical trust management policeis (including Becker's EHR policy), since the values (of the numbers or sets) being compared are known when the values are being compared. So, they can be compared using ordinary Prolog predicates (as opposed to constraints, which are used when one or more of the values is unknown at the time of the comparison). XSB has built-in arithmetic comparison predicates. You can represent sets as lists. One of XSB's standard libraries should contain a predicate that tests whether the elements of one list are a subset of the elements of another list.
Survey. Please fill out the Mid-Semester Survey for CSE394. Your participation would be appreciated.
Reading. Ravi Sandhu, Venkata Bhamidipati and Qamar Munawer. The ARBAC97 Model for Role-Based Administration of Roles, ACM Transactions on Information and Systems Security (TISSEC), Volume 2, Number 1, February 1999.
Reading. Becker's EHR policy. You don't need to read the whole thing. Please read sections 1 through 5.1, plus a sampling of rules and text from the rest of the document, to help reinforce your understanding of Cassandra's policy language and the EHR policy.
Project. 4:15pm. I updated the second and third paragraphs of section 2 of the Project Description, and changed the document's version number from 18oct2005 to 18oct2005a.
Project. Project Description is now available.
EHR Policy. Here is a plain text version of Becker's EHR Policy.
Homework. Homework 2 Solution.
University Privacy Policy. Here is information about SBU's privacy policy. It is related to one of the suggested projects (details coming soon).
Slides. I updated the slides about trust management available from the link under Oct 6. There are no major changes, just a number of minor improvements and corrections.
Notes. Here are Notes about requestCredential, which we discussed in class today. (The narrow format is for display with a large font in class.)
Slides. Here are Slides about Trust Management. We started at slide 13.
Homework. Homework 2.
Reading. Soon we will start to discuss trust management. Our primary reference for that topic is:
Reading. Ross Anderson's security policy for clinical information systems is described in chapter 7 of the handout on Blackboard. If you would like more detail, here is Ross Anderson's original article; this is optional reading.
Reading. The Dresdner Bank case study is described in
Office Hours. My office hours will be Mon and Wed, 10am-11am, and by appointment and chance (i.e., if I happen to be there). I think many people have classes all day on Tue and Thu, so I avoided those two days.
Homework. Homework 1.
Reading. The next reading, which we will cover after RBAC, is available in the Course Documents section on Blackboard.
Translab. Everyone registered for CSE394 should have an ccount in the Transaction Lab, in case you want to use the Translab for your homeworks and project. I posted the combo to the Translab in the CSE394 discussion group in Blackboard.
Lunch. From Prof. Stent: "The first biweekly CS lunch will be today from 12-1 in the SAC. These are lunches to which CS students are invited to join faculty for friendly, casual interaction. If you have announcements for your undergraduate class, please advertise -- they will be the 2nd and 4th Monday of each month." I will try to attend. I hope to see you there.
Reading. Today we will start to discuss Role-Based Access Control (RBAC). The presentation is based on
Reading. Next week we will discuss design principles for security. Some of that material is discussed in Section 1.A (this is just first few pages) of this classic paper:
Please use the Discussion Forum for CSE394 on Blackboard for questions that do not require privacy. If you can answer a question posted on Blackboard, please do so! This shows us that you know what's going on, and we will appreciate your help. I will usually post announcements in the Discussion Forum or on this page. I will send more urgent announcements by email using Blackboard's mailing list feature, so please set your Blackboard account to have your preferred email address.
Citigroup. A friend at Citigroup asked me to post this message: Citigroup is giving an on-campus presentation for the IT Analyst program for soon-to-be graduates, as well as the CAPP (Citigroup Advanced Placement) program for sophomores and juniors, on Monday September 26th from 5:30-7:00. We are not sure of the exact location yet, but it will most likely be held somewhere in the SAC. Please pass along the word, as this will be the only Citigroup presentation on campus until next year. Please also let people know that it is not necessary to bring a resume to the presentation- instead, they should submit their resume to two places: 1)The Citigroup.com career page 2)The Stony Brook on-campus recruiting site, between September 6th and September 26th.
Reading. Your assignment for the first week of classes is to read: