COMS W4187: Lectures
- Jan 16
- Introduction
- Jan 18
- Access control
- Jan 23
- Complex access control
Readings:
- Chapters 2 and 3 of Bishop (suggested)
- Jan 25
- Privileges
- Jan 30
- Introduction to Cryptography
Reading:
- Section 13.1 of Cheswick and Bellovin, Firewalls and Internet Security, first edition
- The Story of Alice and Bob
- Bishop, Chapters 8 and 9 (optional)
- New Directions in Cryptography, Whitfield Diffie and Martin E. Hellman, IEEE Transactions on Information Theory, vol. IT-22, number 6, pp. 644--654, November 1976.
- British invention of non-secret encryption (recommended)
- A method for obtaining digital signatures and public-key cryptosystems, R. L. Rivest, A. Shamir, L. Adleman, Communications of the ACM, Volume 21 Issue 2, February 1978. (recommended)
- Feb 1
- Authentication
- Feb 6
- Biometrics; authentication as a systems problem
Reading:
- Chapter 5 of Who Goes There? Authentication Through the Lens of Privacy.
- Feb 8
- Case Study: Access control
- Feb 13
- Secure programming
Reading:
- The emperor's old clothes, Charles Antony Richard Hoare, February 1981, Communications of the ACM, Volume 24 Issue 2
- Smashing The Stack For Fun And Profit, Aleph One, Phrack 49, Volume Seven, Issue Forty-Nine, File 14 of 16
- Exploiting Format String Vulnerabilities, scut / team teso, March 17, 2001, Version 1.0
- StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. Proceedings of the 7th USENIX Security Symposium, January 1998, San Antonio, TX.
- Building Secure Software, John Viega and Gary McGraw, Addison-Wesley, 2002. (Recommended)
- Secure Coding in C and C++, Robert C. Seacord, Addison-Wesley, 2006. (Recommended)
- Feb 15
- Secure programming
- Feb 20
- Protecting the Client
Reading:
- Reading Between the Lines: Lessons from the SDMI Challenge, Scott A. Craver, Min Wu, Bede Liu, Adam Stubblefield, Ben Swartzlander, Dan W. Wallach, Drew Dean, and Edward W. Felten. Proc. of 10th USENIX Security Symposium, August 2001.
- Viewpoint: the ACM declaration in Felten v. RIAA, Simons, B. 2001. Commun. ACM 44, 10 (Oct. 2001), 23-26.
- Java Card Security: How Smart Cards and Java Mix, from Securing Java: Getting Down to Business with Mobile Code, Gary McGraw and Ed Felten, John Wiley & Sons, 1999.
- MYK-78 CLIPPER CHIP: ENCRYPTION/DECRYPTION ON A CHIP (recommended)
- Using Memory Errors to Attack a Virtual Machine, A. Appel and S. Govindavajhala. In IEEE Symposium on Security and Privacy, 2003 ("Oakland Security Conference"). (recommended)
- Overview of Differential Power Analysis, an engineering overview of Differential Power Analysis by Paul Kocher, Joshua Jaffe, and Benjamin Jun. (recommended)
- Information Hiding: A Survey, Fabien A. P. Petitcolas, Ross J. Anderson and Markus G. Kuhn, Proceedings of the IEEE, special issue on protection of multimedia content, 87(7):1062--1078, July 1999. (recommended)
- Feb 22
- Permissive Action Links, Nuclear Weapons, and the Prehistory of Public Key Cryptography
- Feb 27
- Cryptographic Engineering
- Mar 1
- Architecture
- Mar 6
- Keys and Passwords
- Mar 8
- Confinement
Reading:
- A domain and type enforcement UNIX prototype, Lee Badger, Daniel F. Sterne, David L. Sherman, and Kenneth M. Walker. USENIX Computing Systems, 9(1):47--83, Winter 1996. (recommended)
- A Secure Environment for Untrusted Helper Applications, Ian Goldberg, David Wagner, Randi Thomas and Eric A. Brewer, Proc. Usenix Security Symposium, 1996. (recommended)
- Mar 13
- Spring Break
- Mar 15
- Spring Break
- Mar 20
- Review
- Mar 22
- Midterm
- Mar 27
- Viruses and Trojan Horses
Reading:
- Computer Viruses - Theory and Experiments, F. Cohen. DOD/NBS 7th Conference on Computer Security, originally appearing in IFIP-sec 84, also appearing as invited paper in IFIP-TC11, "Computers and Security", V6#1 (Jan. 1987), pp. 22-35
- Reflections on trusting trust, Ken Thompson, CACM 27:8, August 1984.
- Viral Attacks On UNIX System Security, Tom Duff, August 1987.
- The worm programs -- early experience with a distributed computation, John Shoch and Jon Hupp, Communications of the ACM 25:3 (March 1982).
- Tool turns unsuspecting surfers into hacking help, CNET, March 20, 2007.
- JavaScript opens doors to browser-based attacks, CNET, July 28, 2006.
- Mar 29
- Logging and Auditing
- Apr 3
- Program Structure
Please see the 4.3BSD FTP daemon source.
- Apr 5
- Program Structure
- Apr 10
- System Structure
A real billing system (used with permission)
- Apr 12
- Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks (Guest lecturer: Matt Blaze)
- Apr 17
- Security Analysis
Reading:
- The Art of Deception, Kevin Mitnick and William Simon, Wiley, 2002. (recommended) (Available as an EBook from the CU library)
- Silver Needle in the Skype, P. Biondi and F. Desclaux, BlackHat Europe, 2-3 March 2006.
- Apr 19
- Physical Security: The Good, the Bad and the Ugly (Guest lecturer: Mark Seiden)
- Apr 24
- Security Analysis
Reading:
- ITS4: A Static Vulnerability Scanner for C and C++ Code, John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw, Annual Computer Security Applications Conference, 2000.
- Checking for Race Conditions in File Accesses, M. Bishop and M. Dilger, Computing Systems 9:2, pp. 131-152 (Spring 1996)
- CGI/Perl Taint Mode FAQ
- Perl Advisor: Taint so Easy, Is It?, Randal L. Schwartz, Unix Review, August 2000.
- Static analysis and computer security: New techniques for software assurance. David Wagner. Ph.D. dissertation, Dec. 2000, University of California at Berkeley. (recommended)
- Using CQUAL for Static Analysis of Authorization Hook Placement, Xiaolan Zhang, Antony Edwards, and Trent Jaeger, Proc. Usenix Security, 2002. (recommended)
- Apr 26
- After an Attack
Reading:
- "The Taking of Clark", Chapter 17, Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second Edition, Addison-Wesley, 2003.
- "File System Analysis", Chapter 4, Forensic Discovery, Dan Farmer and Wietse Venema, Addison-Wesley 2004.
- Playing "Hide and Seek" with Stored Keys, Adi Shamir and Nicko van Someren, Proceedings of the Third International Conference on Financial Cryptography, 1999. (Recommended)
- May 8, 1:10-4:00
- Final