Learning Objectives

In this course, student will systematically study the fundamental principles of computer system security, including authentication, access control, capability, security policies, sandbox, software vulnerabilities, and web security. Most of these principles will be studied within the scope of concrete systems, such as Linux and Windows. The course emphasizes "learning by doing", and requires students to conduct a series of lab exercises. Through these labs, students can enhance their understanding of the principles, and be able to apply those principles to solve real problems. After completion of the course, students should be able to possess the following skills:

  • be able to explain security principles,
  • be able to explain how various security mechanisms work, and correlate these security mechanisms with security principles,
  • be able to compare various security mechanisms, and articulate their advantages and limitations,
  • be able to apply security principles to solve problems,
  • be able to analyze and evaluate software systems for its security properties,
  • be able to evaluate risks faced by computer systems,
  • be able to explain how various attacks work,
  • be able to detect common vulnerabilities in software,
  • be able to design and implement basic security mechanisms to protect computer systems,
  • be able to describe and generalize various software vulnerabilities.

Instructor

Professor: Wenliang (Kevin) Du
Office: SciTech Building, Room 4-285
Phone: 443-9180
Email address: wedu@syr.edu

Texts

Wenliang Du. Computer Security: A Hands-on Approach

Grading (subject to change)

  • Labs and Projects: 40% (Late-homework policy: 10% penality per day)
  • Final Exam and Quizzes: 60%
  • Note: students who do very poorly on the final exam (e.g., getting less than 30 points), they will receive F automatically, regardless of how well they did on the labs. This is because the final exam has questions that directly come from the labs. Getting less than 30 means that they even fail on those questions. That indicates that they either didn't do the labs themselves, or have no idea what they were doing, so their grades on the labs will be ignored. They can challenge this decision by demonstrating all the labs to the professor within 30 days after the grade is posted, i.e., their labs will be re-graded.

Topics

  • Introduction and Basics
    • Class Introduction (syllabus, policies, and projects)
    • An Overview of Computer Security
    • Course projects (labs)
    • Unix Security Basics

  • Software Security: Vulnerabilities, Attacks, and Countermeasures
    • Privileged programs (Set-UID programs) and vulnerabilities
    • Buffer Overflow vulnerability and attack
    • Return-to-libc attack
    • Race Condition vulnerability and attack
    • Format String vulnerability and attack
    • Input validation

  • Web Security: Vulnerabilities, Attacks, and Coutermeasures
    • Same Origin Policy
    • Cross-Site Scripting Attack
    • Cross-Site Request Forgerty Attack
    • SQL-Injection Attack
    • Click-Jacking Attack
    • Web Tracking

  • Smartphone Security
    • Access control in Android operating system
    • Rooting Android devices
    • Repackaging attacks
    • Attacks on apps
    • Whole-disk encryption
    • Hardware protection: TrustZone

  • Acess Control and Authentication
    • Authentication and Password
    • Access Control Concept
    • ACL: Access Control List
    • Capability
    • DAC: Discretionary Access Control
    • MAC: Mandatory Access Control
    • Sandboxing
    • 80x86 Protection Mode (access control in hardware)