Jim Hook CS 4/591

Winter 2007

Class Mechanics:

Class meets on Tuesdays and Thursdays, 6:00 -- 7:50pm, in Cramer Hall 283.

Office Hours: Mondays, 1:00 -- 3:00pm, FAB 120-05.

Texts:

• Matt Bishop, Introduction to Computer Security. Addison-Wesley. 2004.
• Ross Anderson, Security Engineering. John Wiley and Sons. 2001. On line at http://www.cl.cam.ac.uk/~rja14/book.html

Prerequisites: CS 333 (operating systems), CS 350 (algorithms).

Grading:

• Midterm: 100 points
• Final: 100 points
• Term Paper: 100 points
• Assignments, Quizzes, Discussion and Class participation: 50 points
• Annotated Bibliography: 50 points

Class Mailing List

There is a class mailing list, infosec at cecs dot pdx dot edu. The web interface is:
https://mailhost.cecs.pdx.edu/mailman/listinfo/infosec

Please sign up on the list. Critical announcements about class will be made on this list.

Students Requiring Accommodation:
If you are a student with a disability in need of academic accommodations, you should register with Disability Services for Students and notify the instructor immediately to arrange for support services.

Term Paper Assignment

A term paper is due at the beginning of the last lecture. A title, abstract, annotated bibliography, and outline are due the day of the midterm. Assignment details here.

Calendar (with reading assignments): [Revised 1/22/07]

Lecture 1 (1/9): Introduction and Overview ppt pdf slides pdf handouts

• Read: Bishop Chapter 1
• Read: Feldman, Halderman, and Felten, Security Analysis of the Diebold AccuVote-TS Voting Machine, September 2006. link

Lecture 2 (1/11): Access Control ppt pdf slides pdf handouts

• Read: Bishop Chapters 2 and 3
• Read: Anderson Chapter 1

Lecture 3 (1/16): Canceled due to inclement weather.

Lecture 4 (1/18): Guest lecture on BotNets by Jim Binkley

Lecture 5 (1/23): Policy ppt pdf slides pdf handouts

• Read: Bishop Chapter 4
• Scan: Voluntary Voting System Guidelines: http://www.eac.gov/vvsg_intro.htm
• Reference: SANS Institute model policies http://www.sans.org/resources/policies/

Lecture 6 (1/25): Bell-La Padula ppt pdf slides pdf handouts (Download Bishop's slides for Chapter 5)

• Read Bishop Chapter 5
• Read: Anderson Chapter 7
• Read: David Elliott Bell, Looking Back at the Bell-La Padula Model, http://www.acsac.org/2005/papers/Bell.pdf

Lecture 7 (1/30) [Guest lecture by Professor Jim Binkley]: Cryptography

• Read: Bishop Chapters 8 and 9
• Read: Anderson Chapter 2

Lecture 8 (2/1): Integrity Models ppt pdf slides pdf handouts (Download Bishop's slides for Chapters 6 and 7)

• Read: Bishop Chapters 6 and 7
• Read: Anderson Chapter 8
• Suggested: Anderson Chapter 9
• Supplemental: Brewer and Nash, The Chinese Wall Security Policy, IEEE Symposium on Research in Security and Privacy, May 1989. [This is the original paper; it contains more motivation than the text.]
  

Lecture 9 (2/6): Cryptography ppt pdf

• Read: Bishop Chapter 10
• Read: Anderson Chapter 5

Lecture 10 (2/8): Cryptography ppt pdf

Lecture 11 (2/13): Midterm exam. In class. Closed book. Blue book exam.

Hand in annotated bibliography for term paper.

Past study questions and exams are provided below.

• Fall 2006 exam pdf. (For Spring 2007 questions 1 and 2 are out of scope.)
• Fall 2006 exam presentation ppt pdf.
• Some new Study Questions for Fall 2006. Some of these questions still need to be refined. (Question 4 is out of scope for Spring 2007)
• Spring 2006 Study Questions for midterm (question 3 is out of scope for Spring 2007).
• Spring 2006 midterm and grading notes pdf pdf handouts. For Spring 2007 questions 5, 9 and 10 are out of scope.
• Fall 2005 midterm and grading notes ppt pdf handouts. For Spring 2007 question 7 is out of scope.
• Please bring a "blue book" (available from the bookstore) to the exam
• Please come to the PSU campus location to take the exam.

Lecture 12 (2/15): Authentication and Design Principles

• Read: Bishop Chapters 11 and 12
• Read: Anderson Chapter 3
• An excellent original source on Design Principles is the 1975 paper by Saltzer and Schroeder. A web version is available here.

Lecture 13 (2/20): Identity, Public Policy, Data mining, Privacy

• Read: Bishop Chapter 12 and 13
• Read: Anderson Chapter 17 and 21
• Gary M. Weiss (2005). Data Mining in Telecommunications. In O. Maimon and L. Rokach (eds.), Data Mining and Knowledge Discovery Handbook: A Complete Guide for Practitioners and Researchers, Kluwer Academic Publishers, 1189-1201. http://storm.cis.fordham.edu/~gweiss/papers/kluwer04-telecom.pdf
• Corinna Cortes, Daryl Pregibon and Chris Volinsky, "Communities of Interest'', The Fourth International Symposium of Intelligent Data Analysis (IDA 2001), 2001. http://homepage.mac.com/corinnacortes/papers/portugal.ps
  

Lecture 14 (2/22): Access control and Information flow. Download Bishop's slides for Chapter 15
Note: there are a few extra }'s and one slide is repeated.

• Read: Bishop Chapters 14 and 15
• Read: Anderson Chapter 4

Supplementary material:

1. Denning and Denning, 1977, available from ACM portal.
2. Vincent Simonet, Flow Caml in a Nutshell.
3. Flow Caml home page (I got the windows executable to work, but was not successful building the source distribution).
4. A file derived from the flowcaml tutorial presented in class.

Lecture 15 (2/27): Information Flow follow up ppt pdf slides pdf handouts.

• Andrei Sabelfeld and Andrew C. Myers, Language-based Information-Flow Security, http://www.cs.cornell.edu/andru/papers/jsac/sm-jsac03.pdf. Pay particular attention to Section III (Basics of Language-based information flow). Figures 2 and 3 were presented in lecture.
• A file illustrating some issues discussed in class in flowcaml.

Lecture 16 (3/1): Confinement and Virtualization

• Hook slides ppt pdf pdf handouts
• Corrected version of Bishop Chapter 16 slides (one update from errata, one revision) ppt pdf pdf handouts
• Read: Lampson, 1973, CACM article, available from ACM portal as http://doi.acm.org/10.1145/362375.362389 and in html.
• Read: Bishop Chapters 16 and 29
• Read: Intel May 2005 IEEE Computer article on virtualization: ftp://download.intel.com/technology/computing/vptech/vt-ieee-computer-final.pdf

Lecture 17 (3/6): Assurance ppt pdf slides pdf handouts (Download Bishop's slides for Chapter 17) and Evaluation ppt pdf slides pdf handouts (Download Bishop's slides for Chapter 18)

• Read: Bishop Chapters 17 and 18
• Read: Anderson Chapter 23

Lecture 18 (3/8): Malicious Logic

• Read: Bishop Chapter 19
• Read: Anderson Chapter 18

Lecture 19 (3/13): Intrusion Detection

• Read: Bishop Chapter 22

Lecture 20 (3/15): Network Security

• Read: Bishop Chapter 23
• Read: Anderson Chapter 6 [move this earlier?]
• NB: Term paper due at start of lecture

Final Exam: Tuesday, March 20, 7:30 - 9:20pm.

Additional web resources:

National Information Assurance Training and Education Center

Bishop's slides by chapter