CIS 751, Fall 2007
Computer and Information Security
Course Goals
This course aims to provide a comprehensive understanding of computer and information security. The course materials cover basic cryptography, access control, authentication, authorization, network security, software security, and social aspects of security. Not only will mechanisms for enhancing security be taught; a great deal of the course is also devoted to discussing when and where things can go wrong and how design flaws in a system can be exploited to compromise security. Common attack techniques will be introduced, and students will have the opportunity to work on course projects that cover both the defense and offense aspects of cyberspace. The goal of the course is to provide a solid theoretical foundation for computer and information security, and hands-on experience in applying the theory to practice. Interesting research topics can also be derived from course projects.
Course Schedule
- Aug 20, Lecture 1: Introduction and a small example.
Slides.
The source code getscore.c .
The sample score file score.txt .
- Aug 24, Lecture 2: Setuid program and buffer overflow attacks.
Slides.
Reading Assignment 1:
Setuid Demystified.
- Aug 27, Lecture 3: More on code injection attacks.
Slides.
Supplemental readings:
Non-execute bit.
Mitigating buffer overflows by operating system randomization.
Install-time vaccination of windows executables to defend against stack smashing attacks .
Non-control-data attacks are realistic threats.
- Aug 31, Lecture 4: Basic Cryptographic Primitives
Slides.
- Sept 7, Lecture 5: Programming Assignment: Remote buffer overflow attack.
- Sept 10, Lecture 6: Authentication protocols.
Slides.
- Sept 14: Homework 1. Due Monday Oct 1, before class.
- Sept 17, Lecture 8: Authentication protocols.
Slides.
Reading Assignment 2:
Kerberos: An Authentication Service for Computer Networks
The Evolution of the Kerberos Authentication System.
- Sept 21, Lecture 9: The Kerberos authentication protocol.
Slides.
- Sept 24, Lecture 10: Public-key based authentication.
Slides.
Reading Assignment 3:
Chapter 2: Protocols, in Security Engineering, by Ross Anderson.
- Sept 28, Lecture 11: X.509 Public-Key Infrastructure
Slides.
Reading Assignment 4:
Peter Gutmann's article on X.509 and his slides.
Solutions to quiz 1.
- Oct 5, Lecture 12: Discussion on homework 1.
Solutions.
Homework 2. Due Monday Oct 22, before class.
Final-report topics from last year.
- Oct 8, Lecture 13: Logic-based authentication
Slides.
Handout.
Reading Assignment 5:
Binder, a Logic-Based Security Language.
- Oct 15, Lecture 14: Logic-based authorization
Slides.
Programming Assignment 2:
Use the Binder security language to encode the X.509 example we discussed in class,
and implement it in XSB.
Use cis751_submit to submit this assignment before midnight Oct 29.
- Oct 19, Lecture 15: Programming Assignment 3:
A repository manager with logic-based authorization
Due: Nov 9, 11:59pm CST.
The client code.
Client's private key file.
Sample client credential.
Sample server policy.
Server's transcript.
Client's transcript.
- Oct 22, Lecture 16:
Solution to quiz 2.
Solution to homework 2.
- Oct 26, Lecture 17: Network Security.
Slides.
Supplemental reading:
ARP Poisoning Attack.
DNS Cache Poisoning Attack.
IP Spoofing Attack.
Using the Domain Name System for System Break-Ins.
- Oct 29. Midterm, in class.
- Nov 2, Lecture 18: Discussion on the midterm exam.
Binder program from Problem 3.
- Nov 5, Lecture 19: DNSSEC
Slides.
- Nov 9, Lecture 20: Cryptographic Hash Functions
Slides.
Supplemental reading:
Hash functions: Theory, attacks, and applications
Indigestion: Assessing the impact of known and future hash function attacks.
- Nov 16, Lecture 21: Message Authentication Code.
Slides.
Supplemental reading: The HMAC papers
- Nov 19, Lecture 22: Secure channel.
Slides.
- Nov 26, Lecture 23: Enterprise network defense.
Slides.
Midterm Solutions.
Supplemental readings:
Security problems caused by FTP PORT and PASV commands.
US-CERT Vulnerability Note VU#328867
Problems With The FTP PORT Command
Fang: A firewall analysis engine.
MulVAL: A logic-based network security analyzer.
- Nov 30, Lecture 24: Security on the Web.
Slides.
Supplemental readings:
Cross-site Scripting Vulnerability.
Risks of the Passport Single Signon Protocol.
- Dec 7, Lecture 25: Summary of the course.
Slides.
Instructor and course meeting times
- Instructor: Xinming (Simon) Ou.
- Meeting time: Monday 3:30-5:10 and Friday 3:30-4:20, at Nichols 127
- Office hours: Fri, 2-3, Nichols 316B
Prerequisites
Basic understanding of computer systems, including operating systems, networks, compilers, etc.
This is a course that primarily targets graduate students and junior/senior-level undergraduate students in
computer science and computer engineering.
Grading
You will complete several assignments during the semester. An assignment could be a written homework,
a programming project, or a reading task. You have two weeks to finish each assignment. At the end of the semester,
you must also turn in a final report that focuses on a particular problem in the field of security. Topics
for the report will be given out throughout the course. You are also welcome to come up with your own
idea on what to write about in the report, but please discuss it with the instructor before you start working on
it. There is also a mid-term exam and possibly in-class quizzes. The purpose of the exam and quizzes is
to make sure you understand the material presented in the lectures and in the reading tasks. The breakdown
of the final score for the course is:
- Assignments (including quizzes): 40%
- Mid-term: 20%
- Final report: 40%
Contact
Questions can be emailed to xou (put some stuff here) ksu (a little dot) edu.