Computer and system security, authentication, access control, privacy.

CS 556 introduces the principles of computer security. Information is an important strategic and operational corporate asset. These days computers and computer networks, are increasingly being used for storing and retrieving information. Some of these information may be of a sensitive nature. Consequently they need to have adequate security measures that can safeguard sensitive information.  In this course, we will begin by investigating some of the security measures that can be employed to safeguard information. For the most part we will look into the theory that goes into designing these measures rather than studying security tools and techniques. This is because there are too many of those tools out there and they are changing frequently. The course examines how system designs, network protocols, and software engineering practices can result in vulnerabilities. The course explores how to better design and implement future systems in order to mitigate vulnerabilities. In addition, the course explores how to detect and mitigate vulnerabilities in existing systems.

Understanding security requires understanding system concepts such as memory and network access models, stacks, and buffers. Although the official pre-requisite for this course is CS 451 or an equivalent undergraduate course in Operating Systems, this being an graduate level computer science course, students are expected to have broad understanding of different aspects of how computer systems work. It is strongly recommended that the student have a working knowledge in computer networks. The student should also feel comfortable with algorithmic concepts and modular arithmetic. If they do not, they are strongly encouraged to refresh their skills in these areas. Experimentation through programming exercises in C/C++ and scripting languages is one of the activities of the course. Students should be ready with these skills.

1. CS 451 - Operating Systems or equivalent or permission of instructor (strictly enforced)
2. Knowledge of programming language C/C++ and (shell) scripting language (expected)
   
3. Students are expected to have broad understanding of different aspects of how computer systems work.
   
4. It is strongly recommended that the student have a working knowledge in computer networks.
5. The students should also feel comfortable with algorithmic concepts and modular arithmetic.
   

By the end of the course, students should be able to:

• Understand the fundamental principles of access control models and techniques, authentication and secure system design
  
• Have a strong understanding of different cryptographic protocols and techniques and be able to use them
  
• Apply methods for authentication, access control, intrusion detection and prevention
• Indentify and mitigate software security vulnerabilities in existing systems.

The course is geared toward graduate students and seniors in computer science, math, and information technology students who already have exposure to system design principles.

There is no required text for this course as the materials covered are too broad to be covered by a single  text book. Lecture notes will be made available at this site. Two recommended references are:

1. Charles P. Pfleeger, "Security in Computing", Prentice Hall.
2. William Stallings, "Cryptography and Network Security: Principles and Practice.", Prentice-Hall.

Charlie Pfleeger's book contains sections for a major portion of the topics that we will cover. William Stallings book does a good job for cryptography.
Other reference books that you may want to have a look at, are:

1. William R. Cheswick and Steven M. Bellovin, "Firewalls and Internet Security: Repelling the Wily Hacker", Addison-Wesley.
2. Charlie Kaufman, Radia Perlman and Mike Spencer, "Network Security: Private Communication in a Public World", Prentice Hall.
3. Marshall D. Adams, Sushil Jajodia and Harold J. Podell, eds., "Information Security: An Integrated Collection of Essays". IEEE Computer Society Press.
4. Edward Amoroso, "Fundamentals of Computer Security Technology", Prentice-Hall.
5. Dorothy E. Denning, "Cryptography and Data Security", Addison-Wesley.
6. Peter J. Denning, "Computers under Attack", Addison-Wesley.
7. Douglas R. Stinson, "Cryptography: Theory and Practice", CRC Press.
8. Morrie Gasser, "Building a Secure Computer System", Van Nostrand Reinhold
9. D. Brent Chapman and Elizabeth D. Zwicky, "Building Internet Firewalls", O'Reilly and Associates

CS 556 Web Page: http://www.cs.colostate.edu/~cs556/

Lectures will be a combination of slide presentations, whiteboard presentations, and discussions of students' questions.

Schedule

Following is tentative schedule for this class. Note that as the term progresses we are most likely to digress quite a bit. However, dates for term paper/project and exams are fixed and will not change.

Week 1 - Introduction, security concepts, threats, risks and security services
Week 2 - Access control models: Discretionary access control
Week 3 - Access control models: Mandatory access control
Week 4 - Access control models: Covert channels and Chinese Wall
Week 5 - Access control models: Commercial security and RBAC
Week 6 - Software Security
Week 7 - Software Security. Intrusion Detection
Week 7 - Introduction to cryptography, Secret key cryptosystems
Week 8 - Key escrow
Week 9 - Modular Arithmetic and Public key cryptosystems
Week 10 - Public key cryptosystems
Week 11 - Diffie-Hellman and RSA
Week 11 - Other public key cryptosystems (continued)
Week 11 - Message digests, digital signatures
Week 12 - Identification and authentication, Passwords, Biometrics
Week 12 - One-time passwords and challenge response schemes, Kerberos
Week 13 - Kerberos, SSL, SSH
Week 14- Privacy

Important Deadlines

Please familiarize yourself with the following deadlines related to exams and term paper/project submission. These are firm deadlines. Due dates for project submissions will be announced as and when the projects will be assigned.

Grading Policy

The final letter grades for the course are based on your final class average. Grades will be assigned according to the table below. Note that while I will not be cutting higher for these grade ranges, I reserve the right to cut lower. (In other words, while I will not make an A to be 94 - 98 for example, I can make it 88 - 94.)

There will be 4 hands-on security projects. Some of these projects will require programming. These need to be done (preferably) on the department's workstations. Other projects in this class will use DETER. Quoting directly from the DETER website, "The DETERlab testbed is a general-purpose experimental infrastructure that supports research and development on next-generation cyber security technologies. The testbed allows repeatable medium-scale Internet emulation experiments for a broad range of network security projects, including experiments with malicious code." DETER is ideal for our purposes as we want to experiment wtih network security, malicious code, and other hands on security education activities.

The projects used in this course are being jointly developed by the University of Southern California Information Sciences Institute (Dr. Mirkovic - lead PI), the University of California at Los Angeles (Dr. Reiher), Lehigh University (Dr. Chuah), the University of North Carolina at Charlotte (Dr. Kang) and of course Colorado State University (Dr. Massey and Dr. Ray).

No late projects will be accepted. If you have not completed the project by the due date, be sure to submit whatever results you have for partial credit. If you submit nothing by the due date, you will receive no credit for the project.

There will be a midterm exam and a final exam.

Midterm Exam: will be given in class on October 15 (no exception).

Comprehenisive Final Exam: will be given on the CSU assigned final exam date & time (December 16, 9:40 am - 11:40 am).

No make-up exams will be given. It is unfair to the rest of the class if some students take the  midterm, or final exams at a different time, take substitute exams, or take an exam more than once. Plan to attend the exam or expect to receive a zero on the exam.

Policies on cheating, plagiarism, incomplete grades, attendance, discrimination, sexual harassment, and student grievances are described in the Student Information Guide ( http://www.CS.ColoState.EDU/advising/student-info.html). All other matters follow the policies set in the current Colorado State University General Catalog. Students are responsible for all the information in these documents.