Discussion: 1 hour
Summary of Course Content:
- What is computer security: notion of an informal policy, formalization of policy
- Encryption: classical, public-key; implementation, problems; the UNIX file encryption mechanism and its cryptanalysis; the DES and RSA
- Authentication: model of authentication systems, traditional passwords, challenge/response, one-time passwords; cryptographic protocols, simple cryptosystems; the standard UNIX authentication system, its limits and alternate forms; implementations of other mechanisms
- Access control: controlling access to resources, access matrix model, undecidability result, access control lists and capability lists; mandatory controls, originator controls; variants; UNIX scheme and augmentations
- Integrity: cryptographic checksums, malicious logic, viruses, Trojan horses; defenses, prevention; UNIX integrity checking tools and how they work; malicious logic and UNIX
- Security-oriented programming: design principles, focusing on common problems; gates vs. privileged servers; environment, exception handling; writing secure servers and secure setuid/setgid programs in the UNIX environment
- Networks and security: Internet Security Architecture, analysis of Internet protocols, design and implementation considerations; firewalls; UNIX networking and security
- Penetration analysis: common types of flaws, examples, flaw hypothesis methodology, analysis of programs and systems; UNIX instances of problems, flaws, and how to fix them
- Secure systems: types, models, design, changes to non-secure systems; comparative analysis
The project deals with building a tool to analyze and/or improve the security of a computer or installation running the UNIX operating system, or using the Internet. The student will select the goal (the purpose of the software to be developed), determine how to measure success or failure, design the software, implement it under the UNIX operating system, and then analyze its effectiveness to see if the goal of the project was met.
M. Bishop, Computer Security: Art and Science, Addison-Wesley Professional, 2002
Potential Course Overlap
The content of this course overlaps somewhat with course 155 (Computer Security for Non-Majors). This course is designed for majors; it is more theoretical than 155 and has more technical depth.