CIS 433/533

Computer and network security

Logistics

Instructor: Kevin Butler (butler at cs.uoregon.edu)
Location: 200 Deschutes
Time: Tues/Thurs, 10-11:20 AM (unless otherwise noted)
Credits: 4
Office Hours: Wed 1-2 PM and by appointment with Prof. Butler

Course Description

Computer security is one of the most exciting and challenging areas in all of computer science. Many of the world's largest technology companies have unreservedly made security their largest concern, and many of the fundamental issues in securing systems and networks that have vexed us for many years continue to do so or have become even more problematic.

This course provides an introduction to computer and network security. Students successfully completing this class will be able to evaluate works in academic and commercial security, and will have rudimentary skills in security research. The course begins by covering the basic elements of cryptography, cryptanalysis, and systems security, and continues by considering applications of these concepts in real-world practice. At the graduate level, selected seminal and current papers in the field will also aid in providing context and further understanding of the area.

Topics covered include network security, authentication, security protocol design and analysis, security modeling, trusted computing, key management, program safety, intrusion detection, DDoS detection and mitigation, architecture/operating systems security, security policy, group systems, biometrics, web security, and other emerging topics. A detailed lecture-by-lecture list of contents, assignments, and due dates (subject to change as the term evolves) will be available on the course schedule.

We will make extensive use of the textbook required for the course:

Course material will also be drawn from influential papers in the field.

Please contact the instructor if you have questions regarding the material or concerns about whether your background is suitable for the course.

Course Expectations

The expectations for the course are that students will attend every class, do the readings assigned for class, and actively and constructively participate in class discussions. For the graduate component of this class, readings of papers will be required, and some additional readings may also be required of the undergraduate students. The graduate component will include a research project in security, with the chief product being a conference-style paper. Project topics will be discussed in class and may be proposed through email or during meetings outside of class with Prof. Butler. Do not delay: quarters are very short, and in order to be able to perform any interesting work, the sooner a topic is chosen, the better the end result will be. While time is constrained, there should be real thought and effort exhibited by the work. The project grade will be based on novelty, correctness, depth of understanding, clarity of presentation, and effort. More information about the project will be given during class.

The undergraduate component will focus more heavily on the core material, with mastery demonstrated through examination. At the discretion of the instructor, highly motivated undergraduates may consider pursuing a research project. This option will be discussed further in the first class.

The tentative grading policy is as follows:

20% Quizzes & Assignments (30% for undergrad)

10% Participation

15% Midterm Exam (25% for undergrad)

30% Project (graduate and project option)

25% Final Exam (35% for undergrad)

Quizzes will be assigned sporadically throughout the term and test comprehension of the reading material as well as the previous day's class. Being late for or missing a quiz without an extremely sound reason will result in a zero for it.

Class participation will be a measure of contributing to the discourse both in class, through discussion and questions, and outside of class through contributing and responding to the mailing list. I have little interest in having people spam the class or the list with content-free statements in the hopes of sounding like they are participating; this will be more a measure of engagement with the material. The ability to comprehend the material and the papers read will be essential to passing the course.

Academic Integrity Policy

Students are required to follow the university guidelines on academic conduct at all times. Students failing to meet these standards will automatically receive an 'F' grade for the course. The instructor carefully monitors for instances of offenses such as plagiarism and illegal collaboration, so it is very important that students use their best possible judgement in meeting this policy. The instructor will not entertain any discussion on the discovery of an offense, and will assign the 'F' grade and refer the student to the appropriate University bodies for possible further action.

Note that students are explicitly forbidden to copy anything off the Internet (e.g., source code, text) for the purposes of completing an assignment or the final project. Also, students are forbidden from discussing or collaborating on any assignment except where explicitly allowed in writing by the instructor.

Ethics Statement

This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measures for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class and possibly more severe academic and legal sanctions.

When in doubt, please contact the course professor for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from Professor Butler.

Tentative Syllabus/Schedule

Date / Topic / Class Readings/Notes / Slides

01/04/2011  Introduction
    Readings: Stallings, Chapter 1
    Slides: Intro

01/06/2011  Research Methods
    Readings: Reflections on Trusting Trust, Ken Thompson
              Efficient Reading in Science and Engineering, Michael J. Hanson
    Slides: Research

01/11/2011  Cryptography
    Readings: Stallings, Chapter 2
    Slides: Crypto

01/13/2011  Cryptography
    Readings: Stallings, Chapter 19

01/18/2011  Crypto Protocols
    Readings: Stallings, Chapter 20
    Slides: Protocols

01/20/2010  Crypto Protocols
    Readings: Using Encryption for Authentication in Large Networks of Computers, Roger Needham and Michael Schroeder
              An Attack on the Needham-Schroeder Public-Key Authentication Protocol, Gavin Lowe
              Why Cryptosystems Fail, Ross Anderson

01/25/2010  Authentication
    Readings: Stallings, Chapter 3
    Slides: Auth.

01/27/2010  Dist. Auth / PKI
    Readings: Stallings, Chapter 22
              Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure, Carl Ellison and Bruce Schneier

02/01/2010  Access Control
    Readings: Stallings, Chapter 4
    Slides: Access

02/03/2011  Access Control
    Readings: Stallings, Chapter 10
    Optional: A Note on the Confinement Problem, Butler Lampson
              Protection, Butler Lampson

02/08/2011  Midterm (in-class)

02/10/2011  OS Security
    Readings: Stallings, Chapter 23
    Slides: OS

02/15/2011  OS Security
    Readings: Stallings, Chapter 24
              Multics Security Evaluation: Vulnerability Analysis, Karger and Schell
              Thirty Years Later: Lessons from the Multics Security Evaluation, Karger and Schell
    OUT: Assignment 2

02/17/2011  Software Security
    Readings: Stallings, Chapter 11
              Smashing the Stack for Fun and Profit, Aleph One
    Slides: SW

02/22/2011  Exam Takeup
    DUE: Assignment 2 (4:59 PM PST on Wednesday 2/23/2011)

02/24/2011  Network Security
    Readings: Stallings, 21.2
              Security Vulnerabilities in the TCP/IP Protocol Suite, Steven Bellovin
    Optional: A Look Back at "Security Vulnerabilities in the TCP/IP Protocol Suite", Steven Bellovin
              End-to-End Arguments in System Design, Jerome Saltzer, David Reed, and David Clark
    Slides: Netsec

03/01/2011  Firewalls
    Readings: Stallings, Chapter 9
    Slides: Firewalls

03/03/2011  Intrusion Detection
    Readings: Stallings, Chapter 6
    Slides: IDS

03/08/2011  Malware/DDoS/Web
    Readings: Stallings, Chapter 7
    Slides: Worms/DoS

03/10/2011  XSS/Project/Wrapup
    Readings: Stallings, Chapter 12
    Slides: Wrapup