CS 361: Fall, 2012
Introduction to Computer Security
Instructor: Dr. Bill Young
Unique number: 53050
Class time: F 10-11am; Location: RLM 6.104
Office: MAIN 2012; Office Hours: MW 10-noon and by appointment
Office Phone: 471-9782; Email: byoung@cs.utexas.edu
TA: Xue Chen; Email: cxzizou@gmail.com
TA Office Hours: Monday 3-5pm, Desk 1
TA: Kai-yang Chiang; Email: kychiang@cs.utexas.edu
TA Office Hours: Thursday 3:30-4:30pm
This website: www.cs.utexas.edu/users/byoung/cs361/syllabus361.html
Important Class Announcements:
Breaking news important to the class will be posted here. Consult this spot often.
The exam location is ETC 2.108, not 2.106 as I previously posted.
The final will be Saturday, December 15 from 9am to noon in ETC 2.108. Here is a review sheet for the final: Final Review. A sample final is here: Sample Final. The vocabulary list is here: Vocabulary List. I will distribute the vocabulary at test time.
Here are the three quizzes we took this semester: Quiz 1, Quiz 2, Quiz 3.
If you do better on the final (percentage-wise) than you did on the midterm, I will drop the midterm grade and count the final twice. If you did poorly on the midterm, use this as an opportunity. A lot is riding on that grade, so study hard.
Some Interesting Links:
Preventing Cyber Pearl Harbor
Cyberjobs Hot
Covert Channel between VMs
Anti-Virus Failures
Info on AES mixColumns
Peter Neumann
Experts needed
Govt wants hackers
Women, minorities in Security
This site contains a nice animation of AES-128: AES
Cute cartoon about Feistel ciphers
Encryption for the masses
Fully Secure OS?
iPad as Secure Device
protecting passwords
DoD Money for Hackerspaces
Cities with Most CS Jobs
Have Hackers Won?
Malware Pre-installed
Smother Cyber Attacks
Sale of Zero-day exploits
Algorithms rule the world
Hotel locks hacked
Cyberwar
Cyber attacks
Flaw in AES
Zodiac Message
One Time Pad
Cyber Camp
Hot Skills for 2011
Cyber attack threat
Course Description:
CS 361 is an introduction to topics in computer security, one of the "hottest" and most relevant areas of computing today. The student will develop an intuition about what computer security means, both in the abstract and in the context of real systems; be able to recognize potential threats to confidentiality, integrity and availability; be aware of some of the underlying formalisms and technologies that attempt to address these challenges; and be conversant with current security-related issues in the field.
Very important: This course has a new, blended format as of Fall, 2011. "Blended" means that a large portion of the course content is delivered on-line. Videotaped mini-lectures will be made available on-line via UT's Quest system: Quest system. You will view these prior to coming to class and answer a series of questions on-line. The class will meet only once a week, and then only to discuss the material and assignments, and possibly to take a short quiz to ensure that you've viewed the lectures and done the required preparation. This is not a self-paced course. A chart of the material for each week is here: Log of lectures. You must view the mini-lectures and do the on-line portions as they are assigned, and you must attend class on the days we meet. You will have around 6 programming assignments over the course of the semester. If you don't have the self-discipline to keep up, you shouldn't take this course. A paper that describes the blended course is available here: Blended class
Topics to be covered will include:
- Scope of the security problem;
- Various views of computer security;
- Security policies;
- Formalizing security properties;
- Elementary information theory;
- Elementary cryptography;
- Cryptographic protocols;
- Authentication;
- Risk assessment;
- Malicious logic;
- System evaluation and certification.
Using Piazza: This term we will be using Piazza for class discussion. The system is highly catered to getting you help fast and efficiently from classmates, the TA, and myself. Rather than emailing questions to the teaching staff, I encourage you to post your questions on Piazza. If you have any problems or feedback for the developers, email team@piazza.com. The Piazza class page will be posted shortly.
InfoSec Certification: Notice that CS students at UT have the option of completing a number of security-related courses and receiving a government-sanctioned certification in security. See the following link for information: Security certification.
Prerequisites:
You are expected to have taken and passed the following courses (or equivalent) with a grade of at least C-: Computer Science 310 or 310H, 429 or 429H; 336 or 336H; and Mathematics 408D, 408M, or 427L. If you don't have the prerequisites, be sure to clear it with the CS department.
Text:
There is no textbook. If you would like a book for reference purposes, ask me and I can suggest one. All of the lectures, slides, and supplementary materials are on-line. Note that there is a required $22 semester fee for the use of the Quest system. This is very cheap compared to the cost of a textbook.
Fee for Quest System:
This course makes use of the web-based Quest content delivery maintained by the College of Natural Sciences. This service requires a $22 charge per student for its use, which goes toward the maintenance and operation of the resource. Please go to http://quest.cns.utexas.edu to log in to the Quest system for this class. At some point during the semester, when you log into Quest you will be required to pay via credit card on a secure payment site. You may have the option to wait some time to pay while still continuing to use Quest for your assignments. If you are taking more than one course using Quest, you will not be charged more than $50 per semester. Quest provides mandatory instructional material for this course. For payment questions, email quest.fees@cns.utexas.edu.
Class Notes:
All of the class slides will be available on-line. They will be made available as we cover new material, and you are welcome to print them out or view them on-line. Slides will be available in 4-up PostScript (PS) or in PDF format (full size and in 4-ups). The PostScript files can be viewed with Ghostview or printed on any PostScript-compatible printer. The PDF files can be viewed with Acroread. A chart of the material for each week is here: Log of lectures.
Week 1: Module 1:
Lecture 1: Introduction PS-4up PDF-4up PDF
Lecture 2: Why Security is Hard PS-4up PDF-4up PDF
Lecture 3: Security as Risk Management PS-4up PDF-4up PDF
Lecture 4: Aspects of Security PS-4up PDF-4up PDF
Week 2: Module 2:
Lecture 5: Policies and Metapolicies PS-4up PDF-4up PDF
Lecture 6: A Policy Example: MLS PS-4up PDF-4up PDF
Lecture 7: MLS Example: Part II PS-4up PDF-4up PDF
Lecture 8: MLS Example: Part III PS-4up PDF-4up PDF
Lecture 9: MLS Example: Part IV PS-4up PDF-4up PDF
Lecture 10: Tranquility and BLP PS-4up PDF-4up PDF
Week 3: Module 3:
Lecture 11: Access Control Policies PS-4up PDF-4up PDF
Lecture 12: Lattice Based Security PS-4up PDF-4up PDF
Lecture 13: Covert Channels I PS-4up PDF-4up PDF
Lecture 14: Covert Channels II PS-4up PDF-4up PDF
Lecture 15: Covert Channels III PS-4up PDF-4up PDF
Lecture 16: Detecting Covert Channels PS-4up PDF-4up PDF
Week 4: Module 4:
Lecture 17: Non-Interference PS-4up PDF-4up PDF
Lecture 18: Non-Interference II PS-4up PDF-4up PDF
Week 4: Module 5:
Lecture 19: What is Integrity? PS-4up PDF-4up PDF
Lecture 20: Modeling Integrity PS-4up PDF-4up PDF
Lecture 21: Modeling Integrity: Biba PS-4up PDF-4up PDF
Lecture 22: Biba's Other Models PS-4up PDF-4up PDF
Week 5: Module 6:
Lecture 23: Lipner's Model PS-4up PDF-4up PDF
Lecture 24: The Clark-Wilson Model PS-4up PDF-4up PDF
Lecture 25: The Chinese Wall Policy PS-4up PDF-4up PDF
Lecture 26: Role-Based Access Control PS-4up PDF-4up PDF
Lecture 27: Storing the ACM PS-4up PDF-4up PDF
Week 6: Module 7:
Lecture 28: Information Theory PS-4up PDF-4up PDF
Lecture 29: Information Content PS-4up PDF-4up PDF
Lecture 30: Exploring Encodings PS-4up PDF-4up PDF
Lecture 31: Languages and Encodings PS-4up PDF-4up PDF
Lecture 32: Entropy PS-4up PDF-4up PDF
Lecture 33: Entropy II PS-4up PDF-4up PDF
Week 7: Module 8:
Lecture 34: Fundamental Theorems PS-4up PDF-4up PDF
Lecture 35: Entropy of English PS-4up PDF-4up PDF
Lecture 36: Entropy Odds and Ends PS-4up PDF-4up PDF
Week 7: Module 9:
Lecture 37: Cryptography PS-4up PDF-4up PDF
Lecture 38: Cryptography II PS-4up PDF-4up PDF
Lecture 39: Properties of Ciphers PS-4up PDF-4up PDF
Week 8: Module 10:
Lecture 40: Substitution Ciphers PS-4up PDF-4up PDF
Lecture 41: Using Information PS-4up PDF-4up PDF
Lecture 42: A Perfect Cipher PS-4up PDF-4up PDF
Lecture 43: Transposition Ciphers PS-4up PDF-4up PDF
Lecture 44: Symmetric vs. Asymmetric Encryption PS-4up PDF-4up PDF
Lecture 45: Stream and Block Encryption PS-4up PDF-4up PDF
Week 9: Module 11:
Lecture 46: Advanced Encryption Standard PS-4up PDF-4up PDF
Lecture 47: Modes of Usage PS-4up PDF-4up PDF
Lecture 48: Public Key Encryption PS-4up PDF-4up PDF
Lecture 49: Public Key Encryption II PS-4up PDF-4up PDF
Lecture 50: Cryptographic Hash Functions PS-4up PDF-4up PDF
Lecture 51: Key Exchange PS-4up PDF-4up PDF
Lecture 52: Diffie-Hellman Key Exchange PS-4up PDF-4up PDF
Week 10: Module 12:
Lecture 53: Digital Signatures PS-4up PDF-4up PDF
Lecture 54: Certificates PS-4up PDF-4up PDF
Lecture 55: Certificates II PS-4up PDF-4up PDF
Week 10: Module 13:
Lecture 56: Cryptographic Protocols PS-4up PDF-4up PDF
Lecture 57: Cryptographic Protocols II PS-4up PDF-4up PDF
Lecture 58: Cryptographic Protocols Abstractly PS-4up PDF-4up PDF
Week 11: Module 14:
Lecture 59: Attacks on Cryptographic Protocols PS-4up PDF-4up PDF
Lecture 60: The Needham-Schroeder Protocol PS-4up PDF-4up PDF
Lecture 61: Attacks on Needham-Schroeder PS-4up PDF-4up PDF
Lecture 62: The Otway-Rees Protocol PS-4up PDF-4up PDF
Lecture 63: Protocol Verification PS-4up PDF-4up PDF
Lecture 64: The BAN Logic PS-4up PDF-4up PDF
Lecture 65: The BAN Logic: Needham-Schroeder PS-4up PDF-4up PDF
Week 12: Module 15:
Lecture 66: PGP PS-4up PDF-4up PDF
Lecture 67: PGP Services PS-4up PDF-4up PDF
Lecture 68: PGP Services II PS-4up PDF-4up PDF
Lecture 69: PGP Key Management PS-4up PDF-4up PDF
Lecture 70: PGP Key Management II PS-4up PDF-4up PDF
Week 13: Module 16:
Lecture 71: Availability PS-4up PDF-4up PDF
Lecture 72: Availability II PS-4up PDF-4up PDF
Lecture 73: Intrusion Detection PS-4up PDF-4up PDF
Lecture 74: Anatomy of an Attack: CodeRed PS-4up PDF-4up PDF
Lecture 75: CodeRedII PS-4up PDF-4up PDF
Week 14: Module 17:
Lecture 76: Certification PS-4up PDF-4up PDF
Lecture 77: The Common Criteria PS-4up PDF-4up PDF
Lecture 78: Protection Profile Example PS-4up PDF-4up PDF
Lecture 79: Security Target Example PS-4up PDF-4up PDF
Lecture 80: CC Evaluations PS-4up PDF-4up PDF
That's all, folks!
Assignments:
There will also be around 6 programming assignments over the course of the semester. They should be done in the Java programming language. If you don't know Java, discuss it with me and I can make other arrangements. Each student may work on programming assignments in collaboration with one other student. Make sure that all submissions clearly identify which students contributed to the project.
You have another standing assignment: For each video you view, there are several short essay questions to be answered. Collectively, these questions are counted as equal to two programming assignments. They are linked below. The questions are typically due at 5pm on the Friday of the week they are assigned. You are strongly encouraged to attempt them before you come to class on Friday so you can ask any questions you may have.
Programs will be graded on a 10 point scale, and will be accepted up to two days late with a deduction of one point per day late. The number of days late is purely a function of the timestamp recorded when you submit the assignment. The TAs may also allocate a number of "slip days" that you can use at your discretion over the course of the semester. The TAs may turn off the turnin program after the due date, and accept late assignments by email. Please coordinate with the TAs regarding late submissions, or if you desire to re-submit an assignment following the due date.
After an assignment has been graded, it is your responsibility to check Blackboard to see that your assignment grades have been posted correctly. It's not OK to complain at the end of the semester that some grades weren't posted or were posted incorrectly.
Instructions for turnin: Programs and question assignments will be submitted via the turnin program. For every assignment, please submit your homework using the turnin command on CS lab machines. You can read the instructions by typing "man turnin". For example, type "turnin --submit username_ta hw# <file1> <file2>" to submit file1,file2 to TA as homework. You can submit several files or a complete directory with one turnin command, but please do not compress them and only submit necessary files. Note that each assignment will tell you which TA's username to specify (Xue's username is xchen, Kai's username is kychiang). You can use "turnin --verify username_ta hw#" to check your submission.
Xue is going to be grading all of the weekly question assignments. You can submit all of those with "turnin --submit xchen hw# hw#.pdf" where # refers to the week number.
Links to the assignments will appear below. Check this page often and be sure to check that any particular assignment or due date has not been changed. Each week expect one programming assignment and one set of questions on the lectures.
Questions Week 1: Week 1: Due Friday, August 31 by 5pm.
Questions Week 2: Week 2: Due Friday, September 7 by 5pm.
Questions Week 3: Week 3: Due Friday, September 14 by 5pm.
Assignment 1: Due Friday, 9/14/12
Questions Week 4: Week 4: Due Friday, September 21 by 5pm.
Assignment 2: Due Wednesday, 9/26/12
Questions Week 5: Week 5: Due Friday, September 28 by 5pm.
Questions Week 6: Week 6: Due Friday, October 5 by 5pm.
Assignment 3: Due Wednesday, 10/10/12
Questions Week 7: Week 7: Due Friday, October 12 by 5pm.
Assignment 4: Due Friday, 10/26/12
Questions Week 8: Week 8: Due Monday, October 22 by 5pm.
Questions Week 9: Week 9: Due Friday, October 26 by 5pm.
Assignment 5: Due Friday, 11/9/12
Questions Week 10: Week 10: Due Friday, November 2 by 5pm.
Questions Week 11: Week 11: Due Friday, November 9 by 5pm.
Questions Week 12: Week 12: Due Friday, November 16 by 5pm.
Questions Week 13: Week 13: Due Wednesday, November 21 by 5pm.
Assignment 6: Due Friday, 12/7/12
Questions Week 14: Week 14: Due Friday, November 30 by 5pm.
Quizzes:
Short in-class quizzes may be given at any time. These will cover material previously covered or material in the mini-lectures you were expected to view. Material for a week is fair game for a Friday quiz. The goal of quizzes is to test your understanding of the material and to give you an idea of the types of questions that will appear on tests. There will be no makeups for quizzes you miss, but any single quiz is only a small proportion of your final grade.
Tests:
There will be two major tests during the semester: a midterm and a final. Tests are closed-book, closed-notes tests, except that you may bring a single handwritten 3 x 5 inch index card of notes (both sides). Your best study strategy is to review the class notes and ensure that you understand thoroughly the topics we have covered. Sample tests and vocabulary lists will be posted.
The midterm will be held in class on Friday, October 19. It will cover the material from weeks 1-7. The final exam will be held on Saturday, December 15 from 9am to noon in ETC 2.108. Don't make travel plans that conflict with that date. A sample midterm and sample final will be posted.
A sample midterm is here: Sample Midterm. A vocabulary list is here: Vocabulary List. You will be handed a copy of the vocabulary list at test time.
The final will be Saturday, December 15 from 9am to noon. A sample final is here: Sample Final. The vocabulary list is here: Vocabulary List
No laptops:
Students should not have laptops or other electronic devices open during class discussions. Copies of all slides are provided. Please just listen, participate and absorb the material.
Grading policies:
Class attendance is mandatory on the days we meet, and will be checked. Excessive unexcused absences will result in a reduced grade. If you don't plan to come to class regularly, please don't register for this class. Signing in for another student not present will be considered cheating by both students.
Grades are averaged using the weighting below:
Component: Percent
Attendance, Quizzes and Participation: 10%
Assignments: 30%
Midterm Exam: 30%
Final Exam: 30%
If you do better on the final (percentage-wise) than you did on the midterm, I will drop the midterm grade and count the final twice. If you did poorly on the midterm, use this as an opportunity. A lot is riding on that grade.
Course grades are assigned on the scale: A = 90-100; B = 80-90; etc. (I don't grade on the +/- grading system.) However, I reserve the right to be more generous than these ranges indicate. That is, I may enlarge any of these ranges; I will not shrink any range.
Scholastic Dishonesty:
Academic dishonesty will not be tolerated. See http://www.cs.utexas.edu/academics/conduct for an excellent summary of expectations of a student in a CS class.
All work must be the student's own effort (with the exception of group effort on programs). Work by students in previous semesters is not your own effort. Don't even think about turning in such work as your own, or even using it as a basis for your work. We have very sophisticated tools to find such cheating and we use them routinely. Several students didn't heed this warning in past semesters and paid a heavy price. Also, if you turn in homework done by a student in an earlier semester, I will assume that they collaborated with you and will reserve the right to change retroactively their grade in the class to an F. If they've graduated, this means that their degree could be invalidated. Don't risk your future and your friends' futures. It's far better to get a 0 on an assignment than to cheat.
No deviation from the standards of scholastic honesty or professional integrity will be tolerated. Scholastic dishonesty is a serious violation of UT policy, and will likely result in an automatic F in the course and may result in further penalties imposed by the department or by the university. Don't do it. If you are caught, you will regret it. And if you're not caught, you're still a cheater.
Students with Disabilities:
Students with disabilities may request appropriate academic accommodations from the Division of Diversity and Community Engagement, Services for Students with Disabilities, 471-6259, http://www.utexas.edu/diversity/ddce/ssd.