CSE 643: Computer Security

Syllabus

Objectives

In this course, students will systematically study the fundamental principles of computer system security, including authentication, access control, capability, security policies, sandbox, basic cryptography, and software vulnerabilities. Most of these principles will be studied within the scope of concrete systems, such as Linux, Solaris, Windows, and Minix. The course emphasize on "learning by doing". It requires students to conduct a series of lab exercises to enhance their understanding of principles, and also to provide students with oppurtunities to apply those principles.

Outcomes

After completion of the course, students should be able to possess the following skills:

• Explain security principles.
• Explain how various security mechanisms work.
• Compare various security mechanisms.
• Correlate various security mechanisms with security principles.
• Design and implement security mechanisms to protect computer systems.
• Apply security principles to solve problems.
• Describe and generalize various software vulnerabilities.
• Identify and analyze security problems in computer systems.

Instructor

Professor: Wenliang (Kevin) Du
Office: SciTech Building, Room 4-285
Phone: 443-9180
Email address: wedu@ecs.syr.edu

Texts

Required: A selected list of reading materails assigned in the class.

Suggested: Secure Programming for Linux and Unix HOWTO -- Creating Secure Software
by David Wheeler. This is a free book and can be downloaded from the author's web site.

Suggested: Security in Computing, Third Edition
by Charles P. Pfleeger and Shari Lawrence Pfleeger. ISBN: 0130355488, Prentice Hall PTR, 3rd edition (December 2, 2002).

Suggested: Operating Systems Design and Implementation (3rd Edition)
by Andrew S. Tanenbaum and Albert S. Woodhull. ISBN: 0131429388, Prentice Hall, 2006.
(For those who choose to work on Minix-related projects, this book is useful for understanding Minix).

Grading (subject to change)

• Final Exam: 40%
• Labs and Projects: 60%.
  • Late-homework policy: 10% penality per day
• Attendance Requirement: Class participation is important in this course, so you are required to attend the classes. 2 points will be deducted for each missed class. A student who misses more than five classes will be asked to withdraw from this course, receive an "incomplete" grade, or receive an "F" grade. If you have a legitimate reason to be excused from a class, you need to send me an email before the class. In this case, I will not deduct 2 points from you, but the missed class will still be counted toward the 5-class threshold. If you miss more than 5 classes due to health reasons or the reasons that are out of your control, you will receive an "incomplete" grade. We have to develop a plan for you to complete the course by doing extra work or retaking the course. Note: preparing for the exams or projects for another course is NOT a legitimate reason to miss a class.

Schedule

---

• Introduction and Basics
  • Class Introduction (syllabus, policies, and projects)
  • An Overview of Computer Security
  • Project Preparation

  ---

• Systems Security Mechanisms
  • Unix Security Basics
  • Authentication and Password
  • Access Control and Reference Monitor
  • Access Control List
  • Capability
  • Descretionary Access Control
  • Mandatory Access Control
  • Role-Based Access Control
  • Sandboxing
  • Security Engineering Principles
  • Hardware Archtecture for Protection: Intel x86 (IA-32) Protection Mode
  • Case Studies:
    • Security Enhanced Linux (Currently part of Fedora Linux kernel)
    • Windows Vista
    • Trusted Solaris

  ---

• Software Vulnerabilities and Malicious Logic
  • Buffer Overflow
  • Race Condition
  • Format String
  • Invalid Input
  • Cross-Site Scripting
  • Cross-Site Request Forgerty
  • SQL-Injection
  • Trojan Horses, Viruses, and Worms.
• Basic Cryptography

  ---