Computer and Network Security



Fall 2002




Instructor Bob Fourney (fourney@cs.umd.edu)
TAs Seong-Wook Joo: Office hours: W 10:00 - 12:00 in AVW 1151 (TA room) and by appointment
Hameed Badawy (absalam@eng.umd.edu) Office hours: TTh 11:00 - 12:00 in AVW 1151 (TA room) and by appointment
Class Times Section 0101 TuTh: 12:30 - 1:45
Section 0201 TuTh: 3:30 - 4:45
Class Location Section 0101 CSI 2117
Section 0201 CSI 3120
Office hours My scheduled office hours (in AVW 1430) are:
MW 2:00-4:00
TTh 5:00-6:00
I spend most of my time on campus in the Security Lab (AV Williams 1430). If I'm in, I can usually make time to talk to students. If you are coming from off campus, please contact me by phone or email to make an appointment and ensure that I will be available. Phone number: (301)-405-6750.
Please do not disturb me between the hours of 12:00-12:30 or from 2:00 to 2:30 on Tuesdays or Thursdays.
Text Preprint of Computer Security: Art and Science by Matthew A. Bishop to be published by Addison Wesley Longman, Inc.

The text is available only at Kinko's Copy Center in College Park, and includes substantial changes since last semester.

The text will also be supplemented with additional articles and papers, most of which will soon be linked below. The remainder will be linked from this page and/or handed out in class as they are assigned.

News group csd.cmsc414


Breaking News:

1. You should now have a homework 3 grade. For help interpreting your grade, look here.

2. Estimate your project grade based on your demo performance.

3. List of sections and outside material to concentrate on for the final exam.

4. What to expect during your demo, and several grading scenarios.

5. The test scenario that Hameed used to test your second homework is now here. If you feel you deserve more credit for the programming portion of Homework 2, please read and follow the directions.





Prerequisites
A grade of C or better in CMSC 311 and CMSC 330 and permission of the department. 

The material covered in this course is not very difficult, BUT there is a great deal of material and it covers a wide range of topics within the area of computer science. You do not want to fall behind in this class, and if you are unable to quickly grasp these varied concepts you will have difficulty. This is a Computer Science course, and the homeworks and project will involve programming. If you are not comfortable with programming, you will have difficulty in this class. If you fail to complete the final project you will fail this class.

Course Description
This class serves as an introduction to information systems security and covers security issues at an undergraduate level.

In the past, information systems security has been of legitimate concern only to the military, members of various financial communities, and a very small set of commercial systems. With the recent explosive growth and merging of telecommunications and computing, security has become an integral element of any reliable and robust information systems environment. Unfortunately, most current commercial products ignore security in favor of a user-friendly environment and performance. The side-effects of this decision are now well documented in the press. It therefore stands to reason that future computer science graduates will require a working knowledge of the basic security issues discussed in this class.

Course Work
There will be several homework assignments, each of which will require both written and programming exercises, as well as both a midterm and a final examination. A programming term project will also be required.

Unless otherwise specified, all work that you submit in this course must be your own; unauthorized collaboration is considered academic dishonesty. Please save us both a lot of trouble by realizing that I will pursue any such transgressions to the fullest extent possible.

Details for the submission of each assignment will be included in the assignment. All assignments MUST be turned in prior to the beginning of class on the date due. This may require handing in written results in the classroom prior to the start of class, or submitting them electronically as per the directions included with the assignment. As a rule, late assignments are not generally accepted (e.g., attempting to hand in an assignment after the start of class on the due date will result in a grade of 0 for that assignment).

Late assignments will only be accepted under exceptional circumstances AND with prior arrangement. A penalty may apply.

Grading Policy
Final grades will be determined via the following breakdown:

Homework: 15%
Midterm: 25%
Project: 20%
Final: 30%
Class Participation: 10%

Programming assignments and the course project will be graded on both correctness and documentation. A project that fails on the provided test cases (and those used in grading) will obviously not receive a favorable grade. A project that passes all tests, but does not contain reasonable documentation, will also not receive a favorable grade. Security is a subset of reliability: good design and documentation increase the reliability of your code and thus its security.

Your class participation grade will be determined by your on-time attendance in class, your participation in classroom discussions, and your scores on pop quizzes. Pop quizzes, when given, will cover material previously covered in class, previous reading assignments, and simple questions on the current day's reading assignment.
 

Please read Making the Grade by Kurt Wiesenfeld and keep his views (which I share) in mind when deciding how much effort to invest in your coursework.

Schedule of Upcoming Classes
No. Date Topic and Reading Assignment
1 Sep 3
Introduction and Motivation 

Chapter 1

Reflections on trusting trust, Thompson. 
Risk Management is Where the Money Is, Daniel Geer. 

Homework 1 handed out in class

2 Sep 5 Foundations: Basic Encryption and Decryption

Chapter 9 through section 9.2.2

The example on breaking Vigenere Ciphers (via Kasiski's method) discussed in class.

More information on Vigenere and index of coincidence.

Vigenere encoder/decoder

3 Sep 10

Foundations: Symmetric Encryption

Sections 9.2.3 and 9.2.4
 

4 Sep 12

Foundations: Asymmetric Encryption and Cryptographic Hashes

Sections 9.3 and 9.4

Why Cryptosystems Fail, Ross Anderson. 

Remedial information on modular arithmetic. You are not responsible for ring or group theory, but should be able to add, subtract, multiply, and raise numbers to an exponent (mod whatever), as well as explain when and why you may not be able to find multiplicative inverses.
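As an added worked example (not part of the course page or the assigned reading), the skills listed above in Python: modular add, subtract, multiply and exponentiate, plus the extended Euclidean algorithm, which shows exactly when an inverse mod n exists (gcd(a, n) = 1) and why it cannot exist otherwise.

```python
# Added example: the modular-arithmetic toolkit described above.
# Every function is self-contained; the modulus 26 used in the demo is
# just the alphabet size familiar from the classical ciphers in Chapter 9.

def egcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g (Bezout)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_add(a, b, n): return (a + b) % n
def mod_sub(a, b, n): return (a - b) % n      # Python's % is never negative
def mod_mul(a, b, n): return (a * b) % n

def mod_pow(base, exp, n):
    """Square-and-multiply: base**exp mod n, reducing at every step so
    the intermediates never grow beyond n*n."""
    result, base = 1, base % n
    while exp > 0:
        if exp & 1:
            result = (result * base) % n
        base = (base * base) % n
        exp >>= 1
    return result

def mod_inverse(a, n):
    """Return x with a*x = 1 (mod n), or None when no inverse exists.
    From a*x + n*y = gcd(a, n), reducing mod n removes the n*y term, so
    a*x = gcd(a, n) (mod n). That is 1 only when gcd(a, n) == 1: if a and
    n share a factor d > 1, every multiple of a is also a multiple of d
    mod n, and 1 is not, so no x can work."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        return None
    return x % n

if __name__ == "__main__":
    n = 26
    print(mod_inverse(3, n))     # 9: 3*9 = 27 = 1 (mod 26)
    print(mod_inverse(4, n))     # None: gcd(4, 26) = 2
    print(mod_pow(7, 100, 13))   # 9: 7^12 = 1 (mod 13), so 7^100 = 7^4 = 2401 = 9
```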
5 Sep 17 Foundations: Access Control

Chapter 2

Making the Grade by Kurt Wiesenfeld. Please keep his views (which I share) in mind when deciding how much effort to invest in your coursework.

6 Sep 19 Key Management

Chapter 10

Use the following procedures to hand in Homework 1. Due at NOON today.

Do not bring your homework to class. It will be late, and will not be accepted.

Homework 1 Point breakdown
Homework 1 Solutions

Homework 2 (hardcopy handed out in class)

Expected formats for homework 2

Sun's Sockets tutorial

7 Sep 24 Kerberos

Kerberos: An Authentication Service for Computer Networks

Complete Chapter 10

8 Sep 26 Security Policies

Chapter 4

9 Oct 1 Confidentiality and Integrity

Chapter 5 through 5.2.2.2
and 5.3 to 5.3.1

Chapter 6 through 6.3

10 Oct 3 Authentication

Chapter 12

Look at: Ten Windows Password Myths by Mark Burnett. (You won't be tested on anything specific to Windows, but this reading provides some different examples of some of the issues we discuss in Chapter 12)

Homework 2 Due date extended. Now due at 10:00 pm tonight

Homework 2 Point breakdown

Get a head-start on Homework 3 and the accompanying (preliminary) format instructions. These will be discussed, and hardcopy will be handed out in class on Tuesday.

Also look at the Homework 3 FAQ

11 Oct 8 Discussed Homework 3, completed Chapter 12 (Authentication)
12 Oct 10 Design Principles (Chapter 13) and intro/justification for Cipher Techniques (Sections 11.1-11.3)
13 Oct 15

Complete Chapter 11 (Cipher Techniques)
Section 11.4 (example protocols)
(I will probably not go into great detail on Section 11.4.1 (Privacy Enhanced Mail) but will instead concentrate on the other two examples in 11.4)

14 Oct 17 Representing Identity (Chapter 14)
15 Oct 22 Homework 3 Due

In Class Midterm Review

16 Oct 24 Topic TBD, but material covered today is fair game for Tuesday's midterm

Evening Review Session CSIC 2117 at 6 PM. Bring questions, I do not intend to lecture.

17 Oct 29 Midterm Exam
18 Oct 31 Access Control, chapter 15
19 Nov 5 Confinement problem

Chapter 17

No evening office hours. Tests will probably be available by Wednesday office hours. I would rather bring them to class on Thursday (they are not sorted). Unless you have some emergency, please wait until Thursday.
20 Nov 7 Malicious Logic

Chapter 22

21 Nov 12 Project Discussion
22 Nov 14 Vulnerability Analysis

Chapter 23

23 Nov 19 Mobile Code and Java Security
Chapters 2 and 3 of Securing Java
by Gary McGraw and Ed Felten,
published by John Wiley & Sons, Inc.

(you may also want to look at Chapter 1, which mainly provides background and motivation which you should have already soaked up by this point in the course.)

24 Nov 21 Mobile Code and Java Security, Continued: Malicious and Attack Applets
Chapter 4 and 5 through section 5.4 of Securing Java
by Gary McGraw and Ed Felten,
published by John Wiley & Sons, Inc.
25 Nov 26 Auditing

Chapter 24

none Nov 28 No Class (University Closed: (U.S.) Thanksgiving Holiday)
26 Dec 3 Intrusion Detection

Chapter 25

27 Dec 5 Class cancelled. Snow
28 Dec 10 Complete Chapters 24 and 25 to the level discussed in class

and discuss Buffer Overflows:

Smashing the Stack for Fun and Profit by Aleph One.

29 Dec 12 Project Documentation is due in class today.

Since this is the last scheduled class, I'd like to have an in class review (for the Final Exam), but need to cover some more material (due to the snow day) so today's topic is still up in the air.

. . . Dec 13 Project Due at 12:00 Noon. Use "submit 7" and include everything you need to do your demo (such as files needed to pre-load the published scenarios).
Demos start at 2:00 this afternoon. If you have not signed up for a demo time by class time on Thursday, you will be assigned a time. Do NOT be late for your demo.
. . . Dec 18 Evening review session, CSIC 3117, 6:00 PM. Bring questions, I do not intend for this to be a lecture.
Final Exam Dec 20 1:30-3:30 pm in CSIC 2117 (Section 0101)
Final Exam Dec 21 10:30 am - 12:30 pm in CSIC 3120 (Section 0201)

If your religion prohibits you from taking an exam on a Saturday, please see me ASAP. Barring other University conflicts, I will ask you to take the exam on Friday with section 0101.