ECS 153. Computer Security. Winter 2009

ECS 153. Computer Security

Winter 2009	CRN: 30745
Lecture:	Monday, Wednesday, and Friday, 1000-1050, 184 Young.
Section:	Friday 0800-0850, 212 Wellman.
Instructor:	Hao Chen <`hchen` AT `cs.ucdavis.edu`> Office hours: Monday and Friday, 1100-1200, 3055 Kemper.
TA:	Benjamin Davis <`bendavis` AT `ucdavis.edu`> Office hours: Tuesday 1100-1200, 55 Kemper.
Mailing list:	`ecs153-w09@ucdavis.edu` Web interface (for announcements from instructional staff)
Newsgroup:	ucd.class.ecs153.d Web interface (for discussions)
Communication:	If you have a non-personal question, send it to the ucd.class.ecs153.d news group. If you have a personal question, send the instructor or a TA an email whose subject line starts with `ecs153w09`.

Announcements

Homework 2 is out. It is due in class on Wednesday, March 11.
Poster session is at 1000-1200, Monday, March 16 at 1131 Kemper. I will provide poster boards (each large enough to host 9 letter-size pages) and glue.
Project report is due by 2200 on Wednesday, March 18. Each team submits one report in the PDF format. I don't have a page requirement, but a reasonable report is typically between 8-10 pages. Submit your report using:
handin cs153 report /path/to/your/report

Homework

Buffer overflow attacks. Due 10:00pm, Sunday, Feb 1, 2009.
Handout: buflab-handout.tar
You can check the class's progress at the grading page, which is updated minutely. If the page is stale for more than 5 minutes, please notify me.
x86 assembly language references:
- Intel opcodes
- Informal Intel vs. AT&T syntax guide
Design secure systems. Due in class on Wednesday, March 11.

Goals

This course introduces principles, mechanisms, and implementations of computer security. You will learn how hackers attack systems, how to defend against the attacks, and how to design systems to withstand the attacks.

Topics

Security principles
Security Mechanisms
- Cryptography: symmetric key, public key, PKI, key management
- Authentication: password, challenge/response, cryptographic protocols
- Access control: access control list, capabilities, theories
- Network security: security mechanisms on the Internet, firewall, intrusion detection
- Confinement: isolation, covert channels
- Security policies
Practical security challenges
- Software vulnerabilities and secure programming.
- Malware: worms, viruses, spyware.
- Security usability
Other topics as time permits and according to student interest.

Prerequisites

ECS 150

Requirements and grading

Reading: we will use materials from the following textbook as well as selected papers. You must read the assigned reading before each class.
Textbook: M. Bishop, Computer Security: Art and Science, Addison-Wesley, Boston, MA. ©2003. ISBN 0-201-44099-7
Homework
Exam: The midterm exam is open print-materials. You may bring any printed books or notes. However, you shall not use any electronic device (including but not limited to computers, PDAs, cell phones) or share materials during the exams. There is no final exam.
Project
Grading: homework: 30%; exam: 30%; project: 30%; classroom participation: 10%

Lectures

Week	Date	Topic	Reading
1	Jan 5	Introduction
	Jan 7	Design principles	§1.1-1.3; §13;
	Jan 9	Buffer overflow	Smashing The Stack For Fun And Profit. Aleph One.
2	Jan 12	Buffer overflow	Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Cowan et al.
	Jan 14	Buffer overflow
	Jan 16
3	Jan 19	MLK Day. No class.
	Jan 21	Symmetric key cryptography	§9.1, §9.2.1, §9.2.2.2, §9.2.3
	Jan 23	Block ciphers	Notes
4	Jan 26	Guest lecture: Cross-site Scripting	Cross site scripting explained, Klein.
	Jan 28	Block ciphers
	Jan 30	Public key cryptography	§9.3
5	Feb 2	Public key cryptography	Notes
	Feb 4	Digital signatures; Public key infrastructure	§10.6, §10.4.2
	Feb 6	Authentication	§12.1-12.3
6	Feb 9	Guest lecture: Cross-site Request Forgery	Cross-Site Request Forgeries: Exploitation and Prevention, Zeller, Felten. Robust Defenses for Cross-Site Request Forgery, Barth, Jackson, Mitchell. (Optional)
	Feb 11	Midterm
	Feb 13	Message Authentication	§9.4
7	Feb 16	President's Day. No class.
	Feb 18	Kerberos	§10.2.2
	Feb 20	Protocol design	Slides PDF
8	Feb 23	Access control	§2.1; §2.4; §4.4; §15.1-15.2
	Feb 25	Confidentiality and integrity models	§5.1, 5.2.1, 6.1, 6.2
	Feb 27	Privilege management	Setuid Demystified. Chen, Wagner, Dean.
9	Mar 2	Privilege separation	Preventing Privilege Escalation. Provos, Friedl, Honeyman.
	Mar 4	Sandbox	A secure environment for untrusted helper applications:confining the wily hacker. Goldberg, Wagner, Thomas, and Brewer.
	Mar 6	Sandbox	Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools, Garfinkel.
10	Mar 9	Virtual machines	Whenvirtual is better than real. Chen and Noble.
	Mar 11	Virtual machines	When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments. Garfinkel and Rosenblum.
	Mar 13	Usability	Why Phishing Works. Dhamija, Tygar, and Hearst.
11	Mar 16	Poster Presentation

Warning

From time to time, we may discuss vulnerabilities in widely-deployed computer systems. This is not intended as an invitation to go exploit those vulnerabilities. It is important that we be able to discuss real-world experience candidly; students are expected to behave responsibly.

The campus's policy (and my policy) on this should be clear: you may not break into machines that are not your own; you may not attempt to attack or subvert system security. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.

Feedback

I always welcome any feedback on what I could be doing better. You are also welcome to send me feedback anonymously.

Hao Chen <hchenATcs.ucdavis.edu>
Last modified March 1, 2009.