Lecture: 3 hours

Project: 1 hour

Prerequisite: Course ECS 235A; ECS 120 and ECS 150 recommended

Grading: Letter; homework (50%), project (50%)

Catalog Description:
Theoretical foundations of methods used to protect data in computer and communication systems. Access control matrix and undecidability of security; policies; Bell-LaPadula, Biba, Chinese Wall models; non-interference and non-deducibility; information flow and the confinement problem. Not open for credit to students who have taken course 235.

Introduce definitions of security and the relationship of security to policy; foundations; confidentiality, integrity, and hybrid models; leaking of information in multilevel models; prevention of inference and deduction; confining information flow; non-lattice policies of information flow; theory of Trojan horses, computer viruses, and computer worms.

Expanded Course Description:

  1. Introduction: what is security, policies, risk analysis, humans and procedural/operational security; principles of secure design
  2. Foundations: access control matrix, Harrison-Ruzzo-Ullman result, Take-Grant Protection Model, other models
  3. Policies and precision; policy languages
  4. Confidentiality policies: Bell-LaPadula, System Z
  5. Integrity policies: Biba, Lipner’s access control matrix model, Clark-Wilson
  6. Hybrid policies: Chinese Wall, Clinical Information Systems Security, Role-based access control
  7. Non-interference and non-deducibility
  8. Information flow and the confinement problem
  9. Theory of malicious logic: computer viruses, computer worms
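As an added illustration of the models named in items 2, 4, 5 and 6 above, the following Python is example code written for this page; it is not from the course, its lectures, or Bishop's textbook. It encodes security labels as a lattice (a linearly ordered level plus a set of compartments), enforces the Bell-LaPadula simple security and *-properties on confidentiality labels, enforces Biba strict integrity as their dual, combines the two in one access check, and tracks the history-dependent read rule of the Chinese Wall model. The level names, compartments, company datasets, conflict-of-interest classes and subject names are constructed for the example, and only the read (simple security) rule of the Chinese Wall model is implemented, not its write rule.

```python
"""Lattice-based access checks for Bell-LaPadula, Biba and Chinese Wall.

Illustrative code added for this page, not material from the course or
from Bishop's textbook.  All level names, compartments, datasets and
subjects below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Linear orderings of levels (constructed): one for confidentiality,
# one for integrity.  Only the rank matters to the checks below.
CONF = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEG = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    """A security label: a rank in a linear ordering plus a compartment set.
    Labels form a lattice under 'dominates'; two labels may be incomparable."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level and a superset of compartments."""
        return self.level >= other.level and other.compartments <= self.compartments


# --- Bell-LaPadula (confidentiality) -----------------------------------
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up (subject must dominate object)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (object must dominate subject)."""
    return obj.dominates(subject)


# --- Biba strict integrity: the dual of Bell-LaPadula -------------------
def biba_can_read(subject: Label, obj: Label) -> bool:
    """No read down: the object's integrity must dominate the subject's."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """No write up: the subject's integrity must dominate the object's."""
    return subject.dominates(obj)


def access_allowed(subj_conf: Label, subj_int: Label,
                   obj_conf: Label, obj_int: Label, mode: str) -> bool:
    """Enforce both policies at once: an access must satisfy Bell-LaPadula on
    the confidentiality labels and Biba on the integrity labels."""
    if mode == "read":
        return blp_can_read(subj_conf, obj_conf) and biba_can_read(subj_int, obj_int)
    if mode == "write":
        return blp_can_write(subj_conf, obj_conf) and biba_can_write(subj_int, obj_int)
    raise ValueError(f"unknown access mode {mode!r}")


# --- Chinese Wall: a history-dependent hybrid policy --------------------
class ChineseWall:
    """Read rule of the Chinese Wall model: a subject may read an object in
    company dataset D only if it has never read an object of a *different*
    company in D's conflict-of-interest class.  Datasets with no conflict
    class (sanitized information) are always readable."""

    def __init__(self, coi: Dict[str, str]):
        self.coi = coi                         # dataset -> conflict-of-interest class
        self.history: Dict[str, Set[str]] = {}  # subject -> datasets already read

    def can_read(self, subject: str, dataset: str) -> bool:
        if dataset not in self.coi:
            return True                        # sanitized: no conflict class
        cls = self.coi[dataset]
        for seen in self.history.get(subject, set()):
            if seen != dataset and self.coi.get(seen) == cls:
                return False                   # would cross the wall
        return True

    def read(self, subject: str, dataset: str) -> bool:
        """Perform the read if permitted and record it; the decision for the
        next request depends on this history, unlike the lattice checks above."""
        ok = self.can_read(subject, dataset)
        if ok:
            self.history.setdefault(subject, set()).add(dataset)
        return ok


if __name__ == "__main__":
    s = Label(CONF["SECRET"], frozenset({"NUC"}))
    o = Label(CONF["CONFIDENTIAL"])
    print("read down:", blp_can_read(s, o), " write down:", blp_can_write(s, o))
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilCo": "oil"})
    print([wall.read("alice", d) for d in ("BankA", "OilCo", "BankB")])
```

Note that the two lattice models are stateless, so a check can be made per request, whereas the Chinese Wall decision for `BankB` depends on what `alice` read earlier; that history dependence is what makes it a hybrid policy rather than a pure lattice one.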

Textbook: M. Bishop, Computer Security: Art and Science, Addison-Wesley 2003; various papers

Paper/Project: Paper surveying a topic in computer security in depth (expected length 20 pages) or a project exploring some aspect of the foundations of computer security. These may be individual or group efforts.

Instructor: M. Bishop

Prepared by: M. Bishop (January 2006)

Overlap Statement:
This course does not overlap with any other course. ECS 153, which mentions one result and gives a very high-level view of some of the models, does not discuss the details of those results, their proofs, or the underlying principles presented in this course, and focuses instead on applications.