ECS 153. Computer Security. Spring 2006

ECS 153. Computer Security

Winter 2007	CRN: 40983
Lecture:	Monday, Wednesday, and Friday, 1:10-2:00pm; 212 Wellman.
Instructor:	Hao Chen <`hchen`AT`cs.ucdavis.edu`> Office hours: Friday 2:00pm-4:00pm, 3055 Kemper.
Mailing list:	`ecs153-w07@ucdavis.edu` Web interface (for announcements from instructional staff)
Newsgroup:	ucd.class.ecs153.d Web interface (for discussions)

Announcements

Project has been assigned.
Class photos are available.

Goals

This course introduces principles, mechanisms, and implementations of computer security. You will learn how hackers attack systems, how to defend against the attacks, and how to design systems to withstand the attacks.

Topics

Security principles
Security Mechanisms
- Cryptography: symmetric key, public key, PKI, key management
- Authentication: password, challenge/response, cryptographic protocols
- Access control: access control list, capabilities, theories
- Network security: security mechanisms on the Internet, firewall, intrusion detection
- Confinement: isolation, covert channels
- Security policies
Practical security challenges
- Software vulnerabilities and secure programming.
- Malware: worms, viruses, spyware.
- Security usability
Other topics as time permits and according to student interest.

Prerequisites

ECS 150

Requirements and grading

Reading: we will use materials from the following textbook as well as selected papers. You must read the assigned reading before each class.
Textbook: M. Bishop, Computer Security: Art and Science, Addison-Wesley, Boston, MA. ©2003. ISBN 0-201-44099-7
Homework
Exam
Project
Grading: homework: 30%; exam: 30%; project: 30%; reviews and classroom participation: 10%

Homework

Buffer overflow attacks. Due 11:59pm, Sunday, January 21, 2006.
Handout: buflab-handout.tar
You can check the class's progress at the grading page, which is updated minutely. If the page is stale for more than 5 minutes, please notify me.
x86 assembly language references:
- Intel opcodes
- Informal Intel vs. AT&T syntax guide
Applied cryptography.

Lectures

Week	Date	Topic	Reading
1	Jan 3	Introduction
1	Jan 5	Design principles	§1.1-1.3; §13; Slides (Wagner)
2	Jan 8	Buffer overflow	Smashing The Stack For Fun And Profit Aleph One.
	Jan 10	Buffer overflow	StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks Cowan et al.
	Jan 12	Secure programming	Slides
3	Jan 15	Holiday.
	Jan 17	Symmetric key cryptography	§9.1, §9.2.1, §9.2.2.2, §9.2.3
	Jan 19	Block ciphers	Notes
4	Jan 22	Block ciphers
	Jan 24	Public key cryptography	§9.3
	Jan 26	Public key cryptography	Notes
5	Jan 29	Message authentication; Digital signatures	§9.4, §10.6
	Jan 31	Message authentication; Digital signatures	§9.4, §10.6
	Feb 2	Public key infrastructure	§10.4.2
6	Feb 5	Authentication	§12.1-12.3
	Feb 7	Protocol design	Slides PS PDF (Wagner)
	Feb 9	Kerberos	§10.2.2
7	Feb 12	Diffie-Hellman key establishment; Zero knowledge proof	§9.3.1; Notes (Wagner)
	Feb 14	Access control	§2.1; §2.4; §4.4; §15.1-15.2
	Feb 16	Access control	§2.1; §2.4; §4.4; §15.1-15.2
8	Feb 19	Holiday.
	Feb 21	Confidentiality and integrity models	§5.1, 5.2.1, 6.1, 6.2
	Feb 23	Isolation	Notes (Wagner)
9	Feb 26	Midterm
	Feb 28	Guest lecture
	Mar 2	Guest lecture
10	Mar 5
	Mar 7
	Mar 9
11	Mar 12
	Mar 14	Poster presentation.

Warning

From time to time, we may discuss vulnerabilities in widely-deployed computer systems. This is not intended as an invitation to go exploit those vulnerabilities. It is important that we be able to discuss real-world experience candidly; students are expected to behave responsibly.

The campus's policy (and my policy) on this should be clear: you may not break into machines that are not your own; you may not attempt to attack or subvert system security. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.

Feedback

I always welcome any feedback on what I could be doing better. You are also welcome to send me feedback anonymously.

Hao Chen <hchenATcs.ucdavis.edu>
Last modified January 4, 2006.