Schedule and Readings

Introduction and Overview

• Overview of Computer Security (Lecture Notes: pdf)

Vulnerabilities in General Software

• Unix Security Basics (Lecture Notes: pdf)
  • Users and Groups.
  • File Permissions: access control, umask, chmod, chown, chgrp, Set-UID.
• Set-UID Programs and Vulnerabilities (Lecture Notes: pdf)
  • Required Reading: Bishop: How to Write a Setuid Program
  • Reading: Checklist for Security of Setuid Programs (a local copy)
• Vulnerabilities
  Lecture Notes: Buffer_Overflow.pdf   Race_Condition.pdf  
                 Input_Validation.pdf  Format_String.pdf  
  • Buffer Overflow:
    • Required Reading: Memory layout and stack
    • Stack Buffer Overflow: Smashing The Stack For Fun And Profit (Aleph One)
    • Heap Overflow: w00w00 on Heap Overflows (by Matt Conover)
  • Format String
    • Required Reading: Exploiting Format Strng Vulnerabilities (scut / team teso)
  • Race Condition:
    • Required Reading: Secure programmer: Prevent race conditions (by David Wheeler)
  • Integer Overflow
    • Basic Integer Overflows (A local copy)
  • Input Validation
    • Required Reading: Chapter 5: Secure Programming for Linux and Unix HOWTO (by David Wheeler)
  • David Wheeler's book: Secure Programming for Linux and Unix HOWTO -- Creating Secure Software

Vulnerabilities in Web Applications (Lecture Notes: pdf)

• Basics of Web Security
  • Session ID and Cookies
  • DOM objects
  • Same Origin Policy (SOP)
• Vulnerabilities
  • Cross-Site Scripting (XSS) Attacks
    • Required Reading: Cross-site Scripting from Wikipedia
    • Required Reading: Cross-Site Scripting Worms and Virses
    • News: Cross-Site Scripting Worm Floods MySpace
    • Technical Details of the Samy Worm
  • Cross-Site Request Forgery (CSRF) Attacks
    • Required Reading: Cross-Site Request Forgeries: Exploitation and Prevention (A local copy)
  • SQL Injection Attacks
    • Required Reading: Steve Friedl's Unixwiz.net Tech Tips: SQL Injection Attacks by Example
    • SQL Injection Comic
    • OWASP's Top-10 List in 2010: The 10 Most Critical Web Application Security Vulnerabilities.
  • Web Tracking and Privacy
    • Required Reading: The Web's New Gold Mine: Your Secrets (The Wall Street Journal, July 30, 2010).
    • Firesheep Highlights Web Privacy Problem (The Wall Street Journal, August 25, 2010).
    • Facebook in Privacy Breach: Top-Ranked Applications Transmit Personal IDs, a Journal Investigation Finds (The Wall Street Journal, October 18, 2010).
    • A Web Pioneer Profiles Users by Name (The Wall Street Journal, October 25, 2010).
• Access Control Case Study: Redesign the Web's Access Control ( Presentation at Microsoft Research, July 2011)
  • Required Reading: Why Are There So Many Vulnerabilities in Web Applications?
  • Required Reading: Escudo: A Fine-grained Protection Model for Web Browsers.
  • Required Reading: Scuta: A Server-Side Access Control System for Web Applications.

System Security (General Concepts)

• Access Control
  
  • Basic concepts (Lecture Notes: pdf)
    • Access Control Matrix
    • Access Control List (ACL)
    • DAC: Descretionary Access Control
    • MAC: Mandatory Access Control
    • Reference Monitor
    • Design Principles
    • Required Reading: Saltzer and Schroeder. The Protection of Information in Computer Systems (read Section I.A)
  • Capabilities (Lecture Notes: pdf)
    • Required Reading: Henry M. Levy, Capability-Based Computer Systems. (read chapter 1).
    • (Case Study) White Paper: Trusted Solaris 8 Operating Environment.
  • Role Based Access Control (RBAC) (Lecture Notes: pdf)
    • Required Reading (First 5 pages): R. S. Sandhu, E.J. Coyne, H.L. Feinstein, C.E. Youman, Role-Based Access Control Models, IEEE Computer 29(2): 38-47, IEEE Press, 1996. - original paper on RBAC framework.
    • Required Reading: NIST. An introduction to Role Based Access Control
    • (Case Study) Solaris RBAC Implementation: White Paper: RBAC in the Solaris Operating Environment.
    • (Case Study) The sudo (superuser do) program.
  • Mandatory Access Control (MAC) and security policy (Lecture Notes: pdf)

• Authentication and Password (Lecture Notes: pdf  doc)
  • The process of login.
  • Password, /etc/passwd, shadow password.
  • Pluggable Authentication Modules (PAM)
    • Red Hat Linux 9 Reference Guide (Chapter 7)
    • Samar and Lai. Making Login Services Independent of Authentication Technologies
  • Dictionary attacks, Login spoofing attacks.
  • Key logger.
    • Reversing and exploiting an Apple firmware update

• Sandboxing Techniques (Lecture Notes: pdf )
  • The chroot Sandbox
    • Required Reading: Steve Friedl, Best Practices for UNIX chroot() Operations.
    • Required Reading (Sections 1 - 6): (Case Study: The FreeBSD Jail Sandbox) Kamp and Watson, Jails: Confining the Omnipotent Root.
  • Virtual Machines.

• Intel x86 Protection Mode (Lecture Notes: pdf )
  • Intel 80386 Reference Programmer's Manual (Chapter 5.1, 6.3, and 8.3).
  • Intel Architecture Software Developer's Guide (Chapter 4).