Course Overview

Course Documentation

Term Project

 

Background

This course is intended to provide an overview of computer security principles, from cryptography to network security, to operating systems and software security. The course will guide you in learning the principles and practices of computer security in various computing and networking environments. The goal is to enable you to analyze, understand and evaluate the security of computer systems.

Current Malware Threat Map (requires Java)

Session Topic List

NOTE: The list of topics and/or their ordering may be modified during the course of the semester.
  • Introduction to Computer Security
    • Basic concepts: vulnerabilities, threat models, adversaries, security goals
    • Risk analysis: exposure hazards and cost of countermeasures
  • Cryptography
    • Information security goals: confidentiality, integrity, authentication
    • Basic primitives: hash functions, one-way functions
    • Symmetric primitives: encryption, message authentication codes
    • Public-key primitives: asymmetric encryption, digital signatures
    • Cryptographic protocols: key exchange, key distribution, authentication
  • Network Security
    • Networking background
    • Network security threats: viruses, worms, spoofing, snooping, denial of service
    • Network security defenses: crypto (SSL/TLS, SSH), firewalls, intrusion detection systems
  • Operating System Security
    • Resource separation and memory protection
    • Access control, authentication and authorization
    • Audit logs and accountability
  • Software Security
    • Buffer overflow and other implementation flaws
    • Isolation and sandboxing techniques
    • Software engineering best practices: defensive programming, fail-safe defaults, least-privilege and privilege-separation principles
  • Additional Topics (as time permits)
    • Digital rights management and copy protection, anonymity and privacy, security and the law, ethics, e-voting, e-cash, e-commerce

All lecture notes and other related materials will be posted to the class web site shortly after the session they appeared in (usually by the next day).

Required Text

The main textbook you will be using for this course is:

pfleeger



Security in Computing, 4th Edition (2006)
by Charles P. Pfleeger & Shari Lawrence Pfleeger
Publisher: Prentice Hall
ISBN-13: 978-0132390774




Other useful texts on computer and information security can be found here.

Class Logistics

There are 13 weekly sessions in CS446 starting on 9/8/08 and ending on 12/8/08. Classes are held on Tuesday nights from 6:00pm to 9:05pm in Buckman Hall Rm. 226. There will be no session on 11/24/08 due to the Thanksgiving Day holiday. (NOTE: Timing and content may very well change as the course progresses, so please attend class diligently and check this web site and especially the update notices regularly for any recent changes.)

SESSION DATE
#109/08/09
#209/15/09
#309/22/09
#409/29/09
#510/06/09
SESSION DATE
#610/13/09
#710/20/09
#810/27/09
#911/03/09
#1011/10/09
SESSION DATE
#1111/17/09
HOLIDAY11/24/09
#1212/01/09
#1312/08/09
------

The sessions will include a lecture component, perhaps some videos or demos, and possibly some hands-on exercises requiring the use of a computer and an Internet connection.

During the last two sessions [#12 (after final exam) & #13] students will each give a 10 minute in-class presentation of their Term Project to the assembled class. See the Term Project section below for more information on what's expected as part of the Term Project.

Assignments

Homework will be assigned most weeks and should be posted by noon of the day following the class session (i.e., noon on Wednesdays) in the class assignments section. Besides a few required readings and other written responses to some questions, it may well include tasks that ask for some proof (such as a log file, the contents of an e-mail message, or some other system output) to show that you accomplished them. You can use any reasonable format for the files containing your homework, however I prefer non-proprietary file formats (plaintext, PDF, RTF, OpenOffice oowriter, HTML, etc.) whenever possible.

Following instructions carefully is important, as is keeping up with the work. All of the assigned work will help you master the subject matter over time; none of it is optional. All of the course work must be successfully completed in a timely way in order to earn a grade (other than W or F) in the course.

Please let me know as soon as possible if you think there is an error or some ambiguity in the instructions or if you are experiencing difficulties with the assignments. I will post any corrections on the website and send an e-mail to notify everyone about them.

Every week (unless stated otherwise) every student should find a recent article on the web or in print concerning a security topic we've discussed previously. At the start of each class a few students will be chosen at random to deliver a short "elevator speech" summary of it and we will discuss it. No written submissions are required; you can bring your own notes to class however.

Written homework assignments are due by the start of the next class session. They must be submitted in electronic form and normally uploaded to the class FTP server (or they can be e-mailed in a pinch to cs446@unh-ececs.net, if you cannot do the upload for some reason). You will be using the FTP host, 'ftp://ftp.unh-ececs.net' as a repository for all your work. Students will be assigned an FTP account expressly for that purpose at the beginning of the course and you are expected to upload your work prior to the beginning of the next class. Their will be a subdirectory in your ftp account for each numbered assignment (e.g., "assignment-1"). Please place your respective homework files into the appropriate subdirectory when uploading the file(s). A separate subdirectory will be created for all files related to your 'termproject'.

If you need an ftp client for your system, try one of the following:

  • FireFTP add-on for Firefox

  • MS Windows has an ftp client included that can be accessed as 'ftp' from a DOS console window

  • Linux systems likewise have an 'ftp' command that's accessible from a shell command window

  • FileZilla is a nice open source ftp client (and Windows ftp server) for Windows, Linux and Mac OS X that you can download and install on your own machine

Late submissions of work will be downgraded appropriately (see Grading below for further details). The list of all weekly assignments can be found here.

Exams

There will be two, half-session, in-class exams: a mid-term given during Session #7 and a final exam during the next to last session (#12). The final exam ***may*** also have a separate take-home component, which would be handed out at the end of Session 11 and due back at the beginning of Session 12. See the section on Grading for details on how much exams count toward your final grade.

Term Project

Probably the most important part of the course is the Term Project which must be completed by the end of the semester. Each student (or pair of students; see below) will select a topic of his/her own choice related to computer security, complete a project based on that topic, write it up in a formal document, and, finally, make a 10-minute presentation to the class describing their work. Students who are comfortable with programming can choose to develop a security-oriented application of some sort. These projects will also entail a 10-minute stand-up presentation, but the written part of the deliverables will be shorter (about 1/2 the length of the standard research project) and will focus more on the application's design and other issues involved in building the application. Naturally, a graduate student will be expected to choose a more challenging project than an undergraduate. More details on the Term Project and a list of potential topic areas for research can be found on this page.

While I expect that most students will be doing their Term Project work individually, pairs of students may team up and officially collaborate on a joint topic. Naturally, the output product must reflect that more than one set of hands went into its creation. Both members of the pair will be required to do a portion of the final, in-class presentation.

Term Project Vision Statement

An interim deliverable for the Term Project should be submitted by Session #5. This will consist of a 1 page, single-spaced "Vision Statement" which describes the goals you are trying to achieve with your research, what tools and techniques you expect to be using, and a preliminary, high-level outline of what you expect to deliver at the end. Before you plunge into any serious research however, I will first need to review and sign off on your Vision Statement by the beginning of Session #6.

Term Project Deliverables

The final deliverables for the Term Project include:

  1. A 10-minute stand-up presentation outlining the project and the experience of creating it
  2. A written narrative on the project of at least 8 single-spaced pages
  3. If applicable: Some other deliverable (e.g., a set of working computer programs with security-related features included in them) related to the field of computer security

Attendance

Regular attendance for lectures is very important. Not everything discussed in class may be covered in the weekly assignments or readings, however you will still be responsible for the material come exam time. Of course, there may well be times when you cannot be in class for completely understandable and legitimate reasons and I'll do what I can to accomodate these cases, but you should let me know as soon as possible BEFORE you expect to be missing and why. I need to monitor weekly attendance using sign-in sheets for purely bureaucratic reasons, but keeping track of who attends class and participates actively is also a good indicator of how serious a student is about the course and a definite factor in determining a final grade.

Grading

All grades will be assigned on a curve, which will be guided by past experience and the best performance in the class. The outcome for any student always depends on the effort, motivation, intellectual honesty, and responibility he or she invests in learning. The approximate weights used to compute final grades are:
  • 30% - Quantity and quality of class participation and all homework tasks
  • 30% - Quality, interest, difficulty, and style of your Term Project's content and its final presentation
  • 40% - Mid-term and final exams 50/50

Naturally, given their "elevated" status graduate students will be expected to produce project work of higher quality and/or quantity than undergrads.

IMPORTANT NOTE: Homework which is turned in more than 5 days after it was due will not be reviewed by me, will be considered as not completed, and graded with an F.

Systems & Software

There will be exercises throughout the term that require you to perform various tasks on a computer. This will often include work that can be done with a standard web browser like Firefox or Internet Explorer. All the software required for the course should run equally well on Linux or Windows. The details of what other special software may be required will be discussed during the course of the term.

Policies & Procedures

Class Communications

All homework assignments, lecture notes, error corrections, announcements, suggestions, and other useful information will be posted on the course website. Please check for new postings at least twice each week. These updates will be accessible by clicking on the Updates & Notices choice in the 'Course Documentation' section of the site menu. Any especially time-critical information will also be sent via e-mail to the class distribution list.

With regards to course-related questions and other normal communications please try to contact me first via e-mail using the address: cs446@unh-ececs.net. I will answer them as soon as I can, but I can't promise a specific turnaround time for answers. I can also usually be reached via telephone in my office at 203-655-2400 or on my cell phone at 203-984-6565 in the case of an emergency. Please leave a detailed message explaining your situation and provide a phone # where I can return your call.

One-on-one meeting times can be arranged on an as-needed basis.

And most importantly, communications-wise...

PLEASE LET ME KNOW ASAP WHEN YOU ARE EXPERIENCING SERIOUS DIFFICULTIES!

Simply put, if I don't know that something is broken, then I can do nothing to help fix it and may wind up assuming you are not up to the course or just not trying hard enough. Without on-going interaction and early intervention, I'm afraid I'll have to assume the latter.

Late Work

I can be somewhat flexible about deadlines (assuming the privilege is not abused, of course), but only if I know you are trying hard and have shown yourself to be responsible. Believe me, I can tell the difference between someone who is really working, but having honest difficulty, from someone who is simply goofing off and just trying to get by. Just as in the "real" world, deadlines in this course may be somewhat flexible, but reality is not. The biggest penalty for lateness is that late work will be graded when I get around to it and you may not have it back in time for the next class or the next exam. Also, since each assignment builds on prior assignments, one late program, some missed exercises, or a few skipped readings may cause everything after that to be late too. Work which is consistently turned in late will be graded—lower, that is—accordingly.

Makeup Exams

In general there will be no makeup or late exams given. Any deviation from this policy will require an amazingly good reason IN ADVANCE from the student in question.

Course Ethics & Academic Honesty Policy

REALLY IMPORTANT NOTE:

Aside from the standard reminders about plagiarism, etc., which you must acknowledge and adhere to (see below), the techniques you learn during this course and the security tools that you will use deserve special, separate attention by everyone involved. You will be learning about both sides of the Computer Security equation, that is, both how systems are attacked as well as defended. Some of the tools you will be studying and handling can be used for malicious purposes and even their inadvertant use can possibly be construed as unethical or illegal behavior, so please use them wisely and not against any unsuspecting and/or unwilling targets within the university or elsewhere. Failure to adhere to this policy can make you liable to severe penalties from the university or even criminal prosecution leading to deportation or incarceration.

Your homework assignments and lab assignments are to be done by you and you alone; please, no "sharing" of work with other students unless your collaboration has been sanctioned by me.

It is unacceptable to work so closely with another student that your work output is essentially the same. This kind of "help" will certainly not help you to master the material. The only way to pass the exams is to struggle with the weekly work yourself. If you need serious assistance, don't hesitate to ask me for it. Of course, it's fine for one student to aid another one who doesn't understand some particular abstract concept and asks for that level of assistance, but that is very different from essentially doing their work for them.

Plagiarism (i.e., copying someone else's work) is a serious offense in industry and also in our department. Employees are sometimes fired for it. Any willful plagiarism or any other sort of cheating which is discovered will make the student liable for immediate failure in the course and potential dismissal. Please keep in mind that plagiarism is easier to detect than most folks think. Copying another's work shows a lack of respect for yourself, for the teacher, for the university, and also for the student whose work you copy. Also, copying work is simply very foolish; there is no way to pass the exams without doing the work yourself. Note: In our classes, the "knowing" giver and the borrower are considered equally guilty.

To avoid accidental participation in someone else's offense, do not loan your work to another student at any time for any reason. Do not leave it in the lab, and do not leave copies of your files in publicly-accessible directories.

Lastly, you are expected to read, understand, and follow the UNH policy on academic honesty.

Acknowledgements

Many thanks for the ideas and materials contained in these lectures which have been derived from the work of these and other authors, researchers, and computer security educators:
  • Matt Bishop
  • Chuck Pfleeger
  • Robert C. Newman
  • Nelly Fazio, CCNY
  • David Eggert, U. of New Haven
  • Ross Anderson, U. of Cambridge
  • Markus Kuhn, U. of Cambridge
  • John Fiore, Temple U.
  • James Walden, U. of Toledo
  • Jeff King, Georgia Tech
  • Paul Wagner, U. of Wisconsin, Eau Claire
  • Yoshi Kohno, U. of Washington
  • Fenlieng Lee, U. of Guam

This file last modified Tuesday December 29, 2009 at 12:32PM