CMPSCI 177: Computer Security and Privacy

CMPSCI 177: Computer Security and Privacy, Fall Quarter, 2009

Meeting Times

Lecture: Monday/Wednesday 2:00pm-3:15pm -- Girvetz 2128
Discussion: Friday 9:00am-9:50am -- Girvetz 2112

Instructor

Richard A. Kemmerer
2165 Harold Frank Hall
Phone: 893-4232
Email: kemm AT cs.ucsb.edu
Office Hours: Monday, Wednesday 3:30pm - 4:30pm. Other times by appointment

Teaching Assistant

Ali Zand
1413 Phelps
Email: ali.zand AT gmail.com
Office Hours: Monday 11am-Noon, Tuesday 3pm-4pm, Wednesday: 11am-Noon, Thursday: 3pm-4pm

Purpose

This course will analyze the technical difficulties of producing secure computer information systems that provide guaranteed controlled sharing. Emphasis will be on software models and design. Current systems and methods will be examined and critiqued. The possible certification of such systems will also be investigated

Prerequisites

The prerequisites for this course are some familiarity with programming languages and systems and the courage to read through some difficult-to-read technical papers. The course prerequisite is CMPSC170.

Required Text

Introduction to Computer Security by Matt Bishop
(or Computer Security: Art and Science by Matt Bishop)

Recommended Texts

Security in Computing by Charles P. Pfleeger and Shari Lawrence Pfleeger
Practical Unix and Internet Security by Garfinkel and Spafford.
In addition, a collection of articles from the literature and research papers to read and discuss in class will be available.

Seminar Topics

Threats: spoofing, browsing, leakage, confinement, covert channels (storage and timing), Trojan horse, virus, spyware, aggregation, denial of service, and statistical inference.

Security Mechanisms: capabilities, access control lists, discretionary and mandatory access control, authentication mechanisms, inference controls.

Techniques: penetration analysis, intrusion detection, risk analysis, and information flow analysis (Threat Trees, Shared Resource Matrix, and Covert Flow Trees).

Encryption: conventional and public key encryption, digital signatures, DES, Clipper chip.

Authentication techniques: passwords, challenge-response, and biometrics.

Secure Operating Systems and Databases: reference monitor, security kernel, Multics, PSOS, Data Secure Unix, KSOS, SCOMP, LOCK, and ASOS.

Network Security: cryptographic techniques, firewalls, sniffers, and network browsers.

Security Models: Bell-LaPadula, Clark-Wilson, Take-Grant model, integrity model, container model, simple security, and *-property.

Electronic voting machine security.

Accreditation: DoD Computer Security Center and the Trusted Computer System Evaluation Criteria (TCSEC), European efforts and criteria (ITSEC), The Common Criteria (CC), and formal verification.

Course Requirements

There will be homework assignments, a midterm, and a final exam.

Final Exam

Tuesday December 8, 2009, 4:00pm - 7:00pm, Girvetz 2128