CS 261, Fall 2007
Computer Security
Instructor:
David Wagner
(daw@cs, 629 Soda Hall,
642-2758)
Lectures:
Tu-Th, 5:00-6:30, 310 Soda
Office Hours:
Wagner: Tu 1-2pm in 629 Soda.
Announcements
- Homework 2 Solution is now available (see below). Sorry for the delay.
- Homework 3 is now available (see below).
- Homework 1 Solution is now available (see below).
- The project proposal is due Monday October 15th.
- Class on Thursday October 11th is cancelled.
- The projects page is now available (see below).
- Homework 2 is now available (see below).
- Homework 1 is now available (see below).
Course Description
CS261: Security in Computer Systems. Prerequisite: CS162.
Graduate survey of modern topics in computer security,
including: protection, access control, distributed access
control, Unix security, applied cryptography, network
security, firewalls, secure coding practices, safe
languages, mobile code, and case studies from real-world
systems. May also cover cryptographic protocols, privacy
and anonymity, and/or other topics as time permits.
Term paper or project required. Three hours of lecture
per week. (3 units)
Prerequisites: CS 162 or equivalent.
Familiarity with basic concepts in operating systems and networking.
Course topics
An approximate list of course topics
(subject to change; as time permits):
- Basic concepts
- Trust, trusted computing base, trusted path, transitive trust.
Reference monitors. Policy vs. mechanism. Assurance.
Lessons from the Orange Book.
- Access control
- Authorization, policy, access matrix. Subjects and objects.
ACLs, capabilities. Rings, lattices. Revocation. Groups.
The role of crypto. Distributed access control.
Mandatory vs. discretionary access control,
compartmentalization, covert channels.
- Protection
- Traditional OS centralized protection: address spaces,
uids, resource management. The Unix security model:
file permissions, the super-user, setuid programs,
system calls, password security.
How networks change the problem space.
- Secure coding
- Design principles: code structure, least privilege,
small security kernels, small interfaces.
Tools: language support, type-safe languages,
static checking.
Common vulnerabilities: buffer overruns, setuid programs,
the confused deputy, race conditions, improper canonicalization.
- Cryptography
- Symmetric key, public key, certificates. Choosing
an algorithm. Protocols.
Integrity, authenticity confidentiality, availability.
Non-repudiation.
- Network security
- TCP/IP. Attacks on network protocols: address spoofing,
hijacking, source routing, SYN floods, smurfing, etc.
DNS attacks, routing vulnerabilities. Attacks on network
daemons. The Internet Worm. TCP wrappers. Intrusion detection
.
- Firewalls
- Philosophy, benefits. Styles: packet filter, application
proxying, stateful inspection. Performance, scalability.
Fail-safety, assurance. Techniques. Do's and don'ts.
- Confining untrusted code
- Motivation: the mobile code problem, implementing least privilege.
Mechanisms:
signed code, interpreted code,
software fault isolation, proof-carrying code,
virtualization, extensible reference monitors.
Practical experience: ActiveX, Java, Javascript.
- Case studies
- Kerberos. PGP and the web of trust.
SSL and centralized certification authorities.
SSH. IPSEC. Cellphones. Therac-25.
Practical issues: risk management, key management, smartcards,
copy protection systems, social engineering.
- Extra topics
- Privacy: Anonymity and traffic analysis;
remailers and rewebbers; practical experience.
Cryptographic protocols: protocol failures, design principles;
logics of authentication; Formal methods.
Others as time permits and according to student interest.
Grading
Class project: 40%
Problem sets: 40%
Scribe notes: 10%
Paper summaries and class discussion: 10%
Projects
There will be a term project.
You will do independent research
in small groups (e.g., teams of 2--3).
Projects may cover any topic of interest in systems security,
interpreted broadly (it need not be a topic discussed in class);
ties with current research are encouraged.
A conference-style report on your results
will be due (date to be determined).
Information on projects is now available.
The project proposal is due October 15th.
The poster session will be held Dec 5th, 4-6pm, in the Woz lounge.
The final reports will be due Monday, Dec 17th, at 9am.
The list of project groups is available.
You are encouraged to start thinking of topics of interest early.
Be ambitious! I expect that the best papers will probably lead to publication
(with some extra work).
Problem Sets
There will be approximately two to four homework assignments throughout
the semester, to appear on the course webpage as they are assigned.
Turn in your homeworks on paper at the beginning
of class on the day they are due. Due dates will be enforced strictly.
Late homeworks will not be accepted.
Work on your own when doing homeworks.
You may use any source you like (including other papers or textbooks),
but if you use any source not discussed in class,
you must cite it.
Scribe notes
You will be expected to write scribe notes for one lecture.
Email me an PDF file with your scribe notes
within one week after the lecture you are assigned to scribe.
Readings
There is no required textbook.
All reading will be from papers.
Whenever possible, handouts and papers will be placed online
on the web page; papers not available online will be handed out
in class.
A schedule of assigned readings is available below.
You will be required to write a brief summary
of each paper you read.
Submit your summary, on paper, before the beginning of the
class when the reading is due.
Your summary should list:
(i) the two or three most significant new insights you took away from
the paper, and (ii) its two or three most significant flaws or weaknesses
or how the paper could be improved.
Your summary does not need to be formal (you may use bullet lists,
incomplete sentences, etc.), and it may be brief, but you should give
it some thought.
Warning
From time to time, we may discuss vulnerabilities in widely-deployed
computer systems. This is not intended as an invitation to
go exploit those vulnerabilities.
It is important that we be able to discuss real-world experience
candidly; students are expected to behave responsibly.
Berkeley's policy (and my policy) on this should be clear: you may not
break into machines that are not your own; you may not attempt to attack
or subvert system security. Breaking into other people's systems is
inappropriate, and the existence of a security hole is no excuse.
Lectures
The following schedule is highly tentative and subject to change.
|
Topic |
Readings |
Notes |
8/28
| Overview; intro; threat models
| (none) [handout]
| Igor Ganichev,
Peter Lau
|
8/30 |
Principles of secure design
| (none) [slides]
|
|
9/4 |
Access control, protection
| (none)
| Colleen Lewis,
Steve Hanna
|
9/6 |
Software vulnerabilities
| Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Pincus, Baker.
Exploiting Format String Vulnerabilities.
Basic Integer Overflows.
| DK Moon
|
9/11 |
Runtime defenses
| A Practical Dynamic Buffer Overflow Detector, Ruwase, Lam.
Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks, Xu, Bhatkar, Sekar.
| Ashima Atul
|
9/13 |
Static analysis
| MECA: an Extensible, Expressive System and Language for Statically Checking Security Properties, Yang, Kremenek, Xie, Engler.
Finding Security Vulnerabilities in Java Applications Using Static Analysis, Livshits, Lam.
| Man-Kit Leung
|
9/18 |
Inline reference monitors
| Evaluating SFI for a CISC Architecture, McCamant, Morrisett.
| Udam Saini
|
9/20 |
Sandboxing
|
A secure environment for untrusted helper applications: confining the wily hacker, Goldberg, Wagner, Thomas, Brewer.
| Barret Rhoden
|
9/25 |
Sandboxing
| Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools, Garfinkel.
| Yu (David) Zhu
|
9/27 |
Privilege separation
| Preventing Privilege Escalation, Provos, Friedl, Honeyman.
Shifting the odds: Writing (more) secure software, Bellovin.
|
|
10/2 |
Privilege management
| Extensible security architectures for Java, Wallach, Balfanz, Dean, Felten.
| Shoaib Kamil
|
10/4 |
Capabilities
| The Confused Deputy, Hardy.
The Oz-E Project: Design Guidelines for A Secure Multiparadigm Programming Language, Spiessens, Van Roy (skip Section 5).
| Cynthia Sturton
|
10/9 |
Network security
| A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin.
| Yanpei Chen
|
10/11 |
| (No class)
|
|
10/16 |
Firewalls
| Firewall Gateways,
Chapter 3 of Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick and Bellovin (1st ed).
| Steve Houston
|
10/18 |
Application-level firewalls
| (no readings)
|
|
10/23 |
DNS security
| Using the Domain Name System for System Break-Ins, Bellovin.
| Karen Hsu
|
10/25 |
Intrusion detection
| Bro: A System for Detecting Network Intruders in Real-Time, Paxson.
| Bor-Yiing (Brian) Su
|
10/30 |
Attacks
| Inside the Slammer Worm, Moore, Paxson, Savage, Shannon, Staniford, Weaver.
A Multifaceted Approach to Understanding the Botnet Phenomenon, Rajab, Zarfoss, Monrose, Terzis.
| Erika Chin
|
11/1 |
Usable security
| Why Johnny Can't Encrypt, Whitten, Tygar
| Florent Robineau
|
11/6 |
Web security
| The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies, Schechter, Dhamija, Ozment, Fischer
Security for GWT Applications, Google
|
|
11/8 |
Mobile code, Cryptography
| (none)
|
11/13 |
Cryptography
| Why Cryptosystems Fail, Anderson.
| Gunho Lee
|
11/15 |
Kerberos
| Designing an Authentication System: a Dialogue in Four Scenes, Bryant.
| John Bethencourt
|
11/20 |
Cryptographic protocols
| Prudent engineering practice for cryptographic protocols, Abadi, Needham.
| Thomas Kho;
slides
|
11/22
|
| No class! (Thanksgiving holiday)
|
|
11/27 |
E-voting
| Security Analysis of the Diebold AccuVote-TS Voting Machine, Feldman, Halderman, Felten
| Armando Solar-Lezama
|
11/29 |
Privacy
| Privacy, economics, and price discrimination on the internet, Odlyzko
| Vahab Pournaghshband
|
12/4 |
Untrusted platforms
| How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It, Pritchard
|
|
12/6 |
Economics, wrap-up
| Why Information Security is Hard - An Economic Perspective, Anderson
|
|
Feedback
I always welcome any feedback on what I could be doing better.
If you would like to send anonymous comments or criticisms,
please feel free to use an anonymous remailer to send me email
without revealing your identity, like
this one
or this one.
David Wagner,
daw@cs.berkeley.edu,
http://www.cs.berkeley.edu/~daw/.