Advanced Topics in Computer Systems: Advanced Computer and Network Security


Professor Bill Arbaugh
TA TBD
Time MW 9:30 - 10:45
Place AVW 1112
Office hours MW 11:00 - 12:00
Text Computer Security: Art and Science by Matt Bishop (NOTE: We will be using draft chapters as the book is currently awaiting publishing.) 

The text will also be supplemented with additional papers which you can find links to on this page.


 
 
Prerequisites
CMSC 412 or equivalent

 
 
Course Description
Until recently, information systems security has been a focus only of the military and the financial communities. With the recent explosive growth and merging of telecommunications and computing, security has become an integral element of any reliable and robust information systems environment. Unfortunately, most current commercial products ignore security in favor of a user-friendly environment and performance. The side effects of this decision are now well documented in the press.

This class will cover information systems security at the graduate level. Students should have a basic understanding of cryptography, networking, operating systems, and information systems security prior to attending the class. The course will begin by covering the various types of flaws that exist in current systems, e.g. buffer overruns, race conditions, and covert channels. The course will then move on to how to design and build systems without these problems, and how to detect and prevent these problems in current systems by examining current research.

Note: The course will include a significant systems project. The course will also count towards the Ph.D. coursework requirement. Finally, check this page often as the instructor reserves the right to change the syllabus.


 
 
Course Work
There will be a mid-term examination and a significant term project.

 
 
Grading Policy
Mid Term:                40%
Term Project:           50% (Term projects are due no later than noon on 12/20/00.)

Class Participation: 10%


 
 
Schedule of Classes
No. Date Topic and Reading Assignment
1 Aug 30 Introduction; Trust 

Reflections on trusting trust, Thompson. 

Risk Management is Where the Money Is, Daniel Geer. 

Why Cryptosystems Fail, Ross Anderson.

  Sep 4 Labor day (Campus closed)
2 Sep 6 Project discussions
3 Sep 11
Introduction; Vulnerability Taxonomy

Security Introduction, Matt Bishop

Testing for Software Vulnerability Using Environment Perturbation, Wenliang Du and Aditya P. Mathur

A Taxonomy of Computer Program Security Flaws, Carl Landwehr et al.

4 Sep 13 Lab Day - No class
5 Sep 18
Vulnerability Taxonomy and Prevention (Buffer Overflows)

Attack Class: Buffer Overflows, Evan Thomas 

Automatic Detection and Prevention of Buffer-Overflow Attacks, Crispin Cowan et al.

6 Sep 20
Vulnerability Taxonomy and Prevention (Race Conditions)

Secure UNIX Programming, FAQ, Thamer Al-Herbish 

Project Proposals Due

7 Sep 25
Vulnerability Taxonomy and Prevention (Covert Channels) 

A Short Note on the Confinement Problem, Butler Lampson.

NCSC-TG-030 A Guide to Understanding Covert Channel Analysis of Trusted Systems, Virgil Gligor. Note: You are responsible for Chapters 2, 3, and 5 of NCSC-TG-030.

8 Sep 27 Lab Day - In Lab AVW 3221 
9 Oct 2
Vulnerability Taxonomy and Prevention (Denial of Service), and Covert Channels Continued

10 Oct 4
Integrity
11 Oct 9
Integrity
12 Oct 11
Confidentiality
13 Oct 16
Confidentiality
14 Oct 18 Identity

Identity Policies, M. Bishop

15 Oct 23
Access Control
16 Oct 25
Policies and Models
17 Oct 30
Java Security

Chapter 2 and Chapter 3 of Securing Java, Gary McGraw and Ed Felten.

18 Nov 1 Lab Day - No class
19 Nov 6
Java Security

Chapter 4 of Securing Java, Gary McGraw and Ed Felten.

20 Nov 8 Java Security Continued
21 Nov 13 Mid-Term
22 Nov 15 Lab Day - no class
23 Nov 20 Project status reviews in class
24 Nov 22 Project Status reviews continued.
25 Nov 27 Trust Management
The Key-Note Trust-Management System, Matt Blaze et al.
26 Nov 29
TCP/IP Security
27 Dec 4 Intrusion Detection and Secure Network Design: Problems, Pitfalls, and other assorted fun. (No reading)
28 Dec 6 SSL and Digital Cash
Security without Identification: Transactions to make Big Brother Obsolete, David Chaum
29 Dec 11 Lab Day - be sure and schedule project reviews