Computer Security (ECE 458)
W2013
This course is an
introduction to computer security. I will teach this course in 4
modules. Each module consists of 4-6 lectures. The modules are
described here.
STAFF (Office hours)
| Instructor: Dr. Vijay Ganesh |
Office: DC 2530 |
Date / Time: Tue - Thu / 2:30 - 3:30 PM |
| TA: Carlos Moreno |
Office: EIT 4103 |
Date / Time: Wed / 3:30 - 4:30 PM |
| TA: Frank Imeson |
Office: E5 4119 |
Date / Time: Fri / 1 - 2 PM |
| TA: Alireza Sharifi |
Office: DC 3576 |
Date / Time: Tue / 9 - 10 AM |
Lecture Schedule
| Date |
Lectures |
Assigned Reading (Books chapters, papers) |
| Jan 8, 2013 |
Lecture 1:
Introduction to computer security. basic concepts such as
confidentiality, integrity, availability, SYN cookies, policy and
mechanism, trust and assumptions. Material sourced from Matt Bishop's
book Introduction to Computer Security, and lecture slides by Professor
Bill Young of UT, Austin. |
|
| Jan 10, 2013 |
Lecture 2 (Slides 1-25) (With
permission and courtesy of Professor Dan Boneh of Stanford
University): Control hijack attacks. Buffer overflow vulnerabilities
and stack smashing attacks,
integer overflow vulnerabilities, string format vulnerabilities.
Attacks that combine different kinds of vulnerabilities. |
|
| Jan 15, 2013 |
Lecture 3
(Slides 26 - 58) (With permission and courtesy of Professor Dan Boneh
of Stanford University): Techniques to prevent, detect and recover from
control hijack attacks. Typesafe languages. Address space layout
randomization (ASLR). Stack canaries. Safe libraries (LibSafe).
Heap-spraying attacks. Techniques to protect against heap-spray
attacks. Project guidlines |
|
| Jan 17, 2013 |
Lecture 4:
Testing, analysis and verification for security. Automated testing
techniques, program analysis for security, fuzzing, whitebox fuzzing,
model-checking and advanced verification techniques. |
|
| Jan 22, 2013 |
Lecture 5: Malware, computer
viruses, worms, trojan horses, detailed description of the Stuxnet worm
and comparison with the Aurora worm. |
|
| Jan 24, 2013 |
Lecture 6: Malware analysis.
Static and dynamic techniques to detect malware. Signature-based
detection. Polymorphism and metamorphism. Semantic-aware detection.
Obfuscation. Dynamic information-flow tracking for runtime monitoring.
Explicit and implicit taint. |
|
| Jan 29, 2013 |
Lecture 7:
SAT solvers for software engineering and computer security. Why we need
SAT solvers. Concolic testing revisited. Basic DPLL SAT solver with
backjumping. |
|
| Jan 31, 2013 |
Lecture 8:
Basics of cryptography. One-time pad. Stream and block ciphers. MACs. Public-key cryptography. Uses of cryptography. |
|
| Feb 5, 2013 |
Lecture 9: Side-channel analysis and attacks. Timing, power, cache,... |
|
| Feb 12, 2013 |
Lecture 10: Motivation
for public-key cryptography, Basic number theory, Diffie-Hellman key
exchange protocol, RSA public-key encryption scheme, digital signatures |
|
| Feb 14, 2013 |
Lecture 11:
Cryptographic hash functions. Properties such as collision resistance
(weak and strong), inversion resistance. How hash functions work. |
|
| Feb 26, 2013 |
Lecture 12: (also available in pptx format): Browser security. How browsers work. Same-origin Policy. JavaScript and XSS attacks. |
|
| Feb 28, 2013 |
Lecture 13 (pptx format): CSRF (Cross-Site Request Forgery) attacks |
|
| Mar 5, 2013 |
Review of material covered so far in preparation for the mid-term |
|
| Mar 6, 2013 |
Mid-term |
|
| Mar 7, 2013 |
No class |
|
| Mar 12, 2013 |
Lecture 14: Click-jacking attacks (Excellent Talk by David Lin-shung Huang of CMU) ; Discussion of solutions to mid-term exam questions |
|
| Mar 14, 2013 |
Lecture 15: Security in control systems by Professor Shreyas Sundaram. Detailed analysis of the Stuxnet virus. |
|
| Mar 21, 2013 |
Lecture 16 (pptx format): Network security. Basics of TCP/IP and BGP. TCP Spoofing. BGP attacks. DNS cache poisoning attacks. |
|
| Mar 26, 2013 |
Lecture 17 (pptx format): The problem with formal verification (undecidable) and model-checking (PSPACE-complete). Principles
of secure design: Isolation, compartmentalization, principle of least
privilege, principle of safe defaults, access control (ACLs,
capabilities and role-based). |
|
| Mar 28, 2013 |
Lecture 18 (Overview of computer security concepts. Distributed Denial of Service attacks) |
|
| April 2, 2013 |
Lecture 19 (pptx format): Lecture by Dr. Glenn Wurster from Blackberry. Security in the real world. |
|
| April 4, 2013 |
Project demo starting 1 PM @ EIT 3142 |
|
| Apr 17, 2013 |
Final Exam from 9 AM - 11:30 AM in Rooms RCH 103, 105 |
ACKNOWLEDGEMENTS
I would like to acknowledge the following people who have been very kind in sharing with me the lecture materials, notes etc. from their respective courses, and given me permission to use them as I wish in this course.Professor Dan Boneh (Stanford)
Professor Matt Bishop (UC, Davis)
Professor David Brumley (CMU)
Professor Kevin Du (Syracuse)
Professor Mahesh Tripunitara (Waterloo)
Professor Koushik Sen (Berkeley)
Professor William D. Young (UT, Austin)
Professor Konstantin (Kosta) Beznosov (University of British Columbia)
Professor Cristian Cadar (Imperial College, London)