Syllabus

CS 556 - Computer Security

Description

Computer and system security, authentication, access control, privacy.

Overview

CS 556 introduces the principles of computer security. Information is an important strategic and operational corporate asset. These days computers and computer networks, are increasingly being used for storing and retrieving information. Some of these information may be of a sensitive nature. Consequently they need to have adequate security measures that can safeguard sensitive information. In this course, we will begin by investigating some of the security measures that can be employed to safeguard information. For the most part we will look into the theory that goes into designing these measures rather than studying security tools and techniques. This is because there are too many of those tools out there and they are changing frequently. The course examines how system designs, network protocols, and software engineering practices can result in vulnerabilities. The course explores how to better design and implement future systems in order to mitigate vulnerabilities. In addition, the course explores how to detect and mitigate vulnerabilities in existing systems.

Understanding security requires understanding system concepts such as memory and network access models, stacks, and buffers. Although the official pre-requisite for this course is CS 451 or an equivalent undergraduate course in Operating Systems, this being an graduate level computer science course, students are expected to have broad understanding of different aspects of how computer systems work. It is strongly recommended that the student have a working knowledge in computer networks. The student should also feel comfortable with algorithmic concepts and modular arithmetic. If they do not, they are strongly encouraged to refresh their skills in these areas. Experimentation through programming exercises in C/C++ and scripting languages is one of the activities of the course. Students should be ready with these skills.

Prerequisites

CS 451 - Operating Systems or equivalent or permission of instructor (strictly enforced)
Knowledge of programming language C/C++ and (shell) scripting language (expected)
Students are expected to have broad understanding of different aspects of how computer systems work.
It is strongly recommended that the student have a working knowledge in computer networks.
The students should also feel comfortable with algorithmic concepts and modular arithmetic.

Course Objectives

By the end of the course, students should be able to:

Understand the fundamental principles of access control models and techniques, authentication and secure system design
Have a strong understanding of different cryptographic protocols and techniques and be able to use them
Apply methods for authentication, access control, intrusion detection and prevention
Indentify and mitigate software security vulnerabilities in existing systems.

Audience

The course is geared toward graduate students and seniors in computer science, math, and information technology students who already have exposure to system design principles.

Textbook

There is no required text for this course as the materials covered are too broad to be covered by a single text book. Lecture notes will be made available at this site. Two recommended references are:

Charles P. Pfleeger, "Security in Computing", Prentice Hall.
William Stallings, "Cryptography and Network Security: Principles and Practice.", Prentice-Hall.

Charlie Pfleeger's book contains sections for a major portion of the topics that we will cover. William Stallings book does a good job for cryptography.
Other reference books that you may want to have a look at, are:

William R. Cheswick and Steven M. Bellovin, "Firewalls and Internet Security: Repelling the Wily Hacker", Addison-Wesley.
Charlie Kaufman, Radia Perlman and Mike Spencer, "Network Security: Private Communication in a Public World", Prentice Hall.
Marshall D. Adams, Sushil Jajodia and Harold J. Podell, eds., "Information Security: An Integrated Collection of Essays". IEEE Computer Society Press.
Edward Amoroso, "Fundamentals of Computer Security Technology", Prentice-Hall.
Dorothy E. Denning, "Cryptography and Data Security", Addison-Wesley.
Peter J. Denning, "Computers under Attack", Addison-Wesley.
Douglas R. Stinson, "Cryptography: Theory and Practice", CRC Press.
Morrie Gasser, "Building a Secure Computer System", Van Nostrand Reinhold
D. Brent Chapman and Elizabeth D. Zwicky, "Building Internet Firewalls", O'Reilly and Associates

CS 556 Web Page: http://www.cs.colostate.edu/~cs556/

Where & When

Lecture Time and Location:

Tuesdays and Thursdays, 2:00 pm - 3:15pm, COMSC 325.

Lectures will be a combination of slide presentations, whiteboard presentations, and discussions of students' questions.

Schedule

Following is tentative schedule for this class. Note that as the term progresses we are most likely to digress quite a bit. However, dates for term paper/project and exams are fixed and will not change.

Week 1 - Introduction, security concepts, threats, risks and security services
Week 2 - Access control models: Discretionary access control
Week 3 - Access control models: Mandatory access control
Week 4 - Access control models: Covert channels and Chinese Wall
Week 5 - Access control models: Commercial security and RBAC
Week 6 - Software Security
Week 7 - Software Security. Intrusion Detection
Week 7 - Introduction to cryptography, Secret key cryptosystems
Week 8 - Key escrow
Week 9 - Modular Arithmetic and Public key cryptosystems
Week 10 - Public key cryptosystems
Week 11 - Diffie-Hellman and RSA
Week 11 - Other public key cryptosystems (continued)
Week 11 - Message digests, digital signatures
Week 12 - Identification and authentication, Passwords, Biometrics
Week 12 - One-time passwords and challenge response schemes, Kerberos
Week 13 - Kerberos, SSL, SSH
Week 14- Privacy

Important Deadlines

Please familiarize yourself with the following deadlines related to exams and term paper/project submission. These are firm deadlines. Due dates for project submissions will be announced as and when the projects will be assigned.

August 21, Tuesday	First day of class
September 4, Tuesday	Term paper / project topic identification
September 25, Tuesday	Term paper / project abstract due
October 9, Tuesday	Midterm Examination
October 15, Monday	Last day for drop with "W"
November 6, Tuesday	Term paper / project update due
November 17, Saturday	Thanksgiving break begins
November 25, Sunday	Thanksgiving break ends
December 4, Tuesday	Term papers / project due
December 13, Thursday	Final examination (2:00 - 4:00 pm)

Grading Policy

The final grade for this course will be computed as follows: 1 midterm examination (25%), 1 final examination (25%), online quizzes (10%), several hands on security projects (20%), and a term paper / project (20%).

Midterm Examination	25%
Final Examination	25%
Quizzes	10%
Hands on Projects	20%
Term Paper / Project	20%

The final letter grades for the course are based on your final class average. Grades will be assigned according to the following table:

96 and up	A+	82 to 88	B	60 to 70	D
92 to 96	A	80 to 82	B-	below 60	F
90 to 92	A-	78 to 80	C+
88 to 90	B+	70 to 78	C

Programming Projects

There will be several hands-on security projects. Some of these projects will require programming. These need to be done (preferably) on the department's workstations. Other projects in this class will use DETER. Quoting directly from the DETER website, "The DETERlab testbed is a general-purpose experimental infrastructure that supports research and development on next-generation cyber security technologies. The testbed allows repeatable medium-scale Internet emulation experiments for a broad range of network security projects, including experiments with malicious code." DETER is ideal for our purposes as we want to experiment wtih network security, malicious code, and other hands on security education activities.

The projects used in this course are being jointly developed by the University of Southern California Information Sciences Institute (Dr. Mirkovic - lead PI), the University of California at Los Angeles (Dr. Reiher), Lehigh University (Dr. Chuah), the University of North Carolina at Charlotte (Dr. Kang) and of course Colorado State University (Dr. Massey and Dr. Ray).

No late projects will be accepted. If you have not completed the project by the due date, be sure to submit whatever results you have for partial credit. If you submit nothing by the due date, you will receive no credit for the project.

Exams

Periodic quizzes will be given in class throughout the semester. In addition, there will be a midterm exam and a final exam.

Midterm Exam: will be given in class on October 9 (no exception).

Comprehenisive Final Exam: will be given on the CSU assigned final exam date & time (December 13, 2:00 pm - 4:00 pm).

No make-up exams will be given. It is unfair to the rest of the class if some students take the quizzes, midterm, or final exams at a different time, take substitute exams, or take an exam more than once. Plan to attend the exam or expect to receive a zero on the exam.

Other Policies

Policies on cheating, plagiarism, incomplete grades, attendance, discrimination, sexual harassment, and student grievances are described in the Student Information Guide ( http://www.CS.ColoState.EDU/advising/student-info.html). All other matters follow the policies set in the current Colorado State University General Catalog. Students are responsible for all the information in these documents.