|
|
|
CSci 5271: Introduction to Computer & Network Security
3 Credits
TTh 11:15-12:30, ME 212
Fall 2008
Instructor:
Nick Hopper
EECS 4-211
hopper AT cs.umn.edu
TA:
Dan Feldman
office hours in EE/CS 2-209
feldman AT cs.umn.edu
Google Chat during office hours: csci5271ta
Office Hours:
Regular Office hours are:
|
M
|
T
|
W
|
Th
|
F
|
Nick
|
2-3pm
|
12:30-1:45pm
|
---
|
12:30-1:45pm
|
---
|
Dan
|
---
|
10-11am
|
---
|
4-5pm
|
---
|
If you want to meet with one of us but can't make it to regular office
hours, we will be happy to arrange appointments via email.
Course Overview:
This is an introductory graduate course on Computer Security. It will
cover a broad variety of elementary topics in security, focusing on the
scientific principles involved in various security technologies, rather
than the specifics of any particular technology. For example, we will
discuss firewalls in this course: after this course, you will probably
not know which commercial firewall to pick or the exact details of how
to configure it; but you will know what a firewall can do (in general)
to protect a computer system and what are the inherent limitations of
firewalls. The primary emphasis of this course is on preparing students
for research in security, and teaching how to apply security principles
to research in other CS fields. However, students interested in
practicing security will learn important principles that a more applied
course might not teach.
Goals and Objectives:
The most important aspect of working and doing research in computer
security is learning to "think like an adversary" and I hope you learn
a little about how to do that in this course. At the end of the course
you should be able to:
- Use a computer system in a secure manner.
- Recognize common vulnerabilities in protocols, designs, and
programs.
- Eliminate or minimize the impact of these vulnerabilities.
- Apply the principal security standards in use today to design and
build secure applications.
- Apply principles, concepts, and tools from security to your own
research.
Prerequisites:
The listed prerequisite for this course is an undergraduate course in
operating systems. At UMN, this course is CSci 4061. More generally,
however, we will expect
students to have the skills of someone who has (mostly) completed an
undergraduate computer science major. In particular, students should
be able to write and debug programs in C and Java by themselves - it
is not a proper use of the instructor or TA's time to help get your
code running. Students should also feel comfortable understanding and
modifying programs written in other languages, such as PERL, Unix
shells, and SQL. We expect students to put in time outside of
class to master the concepts presented in class; and we expect students
to be resourceful: if a topic
is mentioned in lecture along with a name, you can probably learn more
using, e.g. google.
Lecture Schedule:
The course website includes a schedule of lectures for this course.
The schedule includes the readings related to each class. Students
are responsible for reading the appropriate materials before the
lecture; we will not cover all of the reading material in the lecture
but it may appear on exams. Lecture slides will be linked from the
schedule within a week after the corresponding lecture.
Textbooks:
There is no required textbook for this course - all assigned readings
will be from documents accessible via the web (from a UMN IP address,
or through the U
of M library). Thus, it is quite possible that you can pass
this course without using a
textbook at all; in addition to the assigned readings, the web provides
a wealth of references on the subject
of computer security and we will provide links to many resources on the
class slides, web pages and discussion forum. Nonetheless, it is
sometimes
useful to have materials collected in one place; so we listed five
optional textbooks for this course:
General
References:
- By far the best book on computer security is Ross Anderson's "Security
Engineering", 2007, John Wiley and Sons. This book contains many
examples of how adversaries think
and is very well-written. The book is also available online; if you
find yourself referencing the book heavily, you should consider buying
a copy (it will be only a little more expensive than printing the whole
thing, and will look much nicer).
- The "required" textbook for past editions of this course was
Dieter Gollmann's "Computer
Security, 2nd edition", 2006, John Wiley and Sons. This book is not
perfect but has the advantage of being
(relatively) inexpensive, while covering most topics at about the right
depth for an introduction. You can read a little about almost
every
lecture topic in this book.
"Software
Security" References:
- A widely-respected source on many of the "software security"
problems and solution techniques we will discuss in the first six weeks
of class is Viega & McGraw's "Building
Secure Software: How to Avoid Security Problems the Right Way,"
2001, Addison-Wesley. In
general, students that have less background in C programming will find
this book very useful for the first four weeks of class, while students
comfortable with C, assembly, and debuggers may not find it very useful.
- A useful online source on software security is
David Wheeler's "Secure
Programming for Linux and Unix." (2003)
"Network
Security" References:
- One of the best references at combining some practical and
theoretical issues of network security is Cheswick, Bellovin, and
Rubin's "Firewalls
and Internet Security, 2nd edition," Addison-Wesley, 2003.
This book covers several of the
concepts we'll be discussing in the second "half" of the course - weeks
7-12. Students with no coursework or experience in networking may
want to purchase this book.
- A somewhat dated but still useful first edition of this book is
available online. If you plan to work in network security, do the
authors a favor and buy the updated edition; it's better anyways.
(For example, you might notice that the first edition mentions a new
invention called the "world wide web")
Cryptography References:
- A very good reference on designing cryptographic software for
common tasks is Schneier and Ferguson's "Practical
Cryptography," John Wiley and Sons.
- Students interested in learning more about cryptography are
encouraged to take CSci 5471. Professor Kim uses Manezes, Van
Oorschot, and Vanstone's "Handbook
of Applied Cryptography", which is also available online here, as the
textbook. Another good introductory reference to the applied
theory of cryptography is this set of
lecture notes by Goldwasser and Bellare.
Students interested in doing computer security work for industry or
government may be interested in Krause and Tipton's "Handbook of
Information Security Management."
A general resource for information security maintained by the
governement is the NIATEC web site.
Grading:
Grading for this course will be based on the following
components:
- Exercises: After every lecture, we
will post, on the class web page, an exercise that will ask you to
apply the concepts covered in class. Every Tuesday by the end
of lecture, you should
turn in one exercise,
written up in electronic form, to be graded. This does not mean you should only solve one exercise! Exam
questions will be of similar difficulty and content to the exercises,
so it is to your advantage to think about solutions to all exercises.
Students may work in pairs on the exercises, but be warned: you are responsible for the choice
of your partner. This means that if your partner "was supposed to
turn in the assignment" and didn't, or "didn't finish part c" of an
exercise, you will not receive any special consideration in grading.
Late submissions:
exercises turned in by 4pm on Wednesday are worth 50%, and after
that they are worth 0.
- Homeworks: There will be
one programming homework for each of the two "units" in the
class: software security and network security. Homeworks
and due dates will be posted to the class web site. Students may
work in pairs on the homeworks as well, with the same caveat about your
choice of partner; however, working
alone on the homeworks is highly discouraged. In order to
succeed on these homeworks you
will need some
understanding of C programming and UNIX shell programming.
Late submissions:
homeworks are worth
50% up to 24 hours after the submission deadline and 0 points after
that.
- Exams: An open-book,
open-notes midterm exam, on Tuesday,
October 7, and an open-book, open-notes final exam on Tuesday, December 16. Both exams
will include
multiple
choice and short answer questions. Please notice that the exam
dates are fixed and there will be no
makeup exams.
- Course Project. Course
projects should attempt to perform
original work related to computer security. Projects will be done in
groups, and will be graded based on a presentation (15%), first draft
(15%) and final
paper
(70%), along with mandatory progress meetings with the
instructor. More
information on
projects will be posted on the course website.
Final scores will be computed as a weighted average of the exercise
score (15%), homework score (15%), midterm score (15%), final
exam score (25%), and project
score (30%). Grades will be assigned strictly on the following scale:
Grade
|
Minimum Score
|
A
|
92.00
|
A-
|
88.00
|
B+
|
84.00
|
B
|
80.00
|
B-
|
76.00
|
C+
|
72.00
|
C
|
68.00
|
C-
|
64.00
|
D+
|
60.00
|
D
|
56.00
|
F
|
0
|
Academic Integrity Policy:
In the course of teaching how an adversary might think, we will often
discuss ways of compromising the security of certain computer
systems. IT IS VERY IMPORTANT THAT YOU NEVER APPLY THESE TECHNIQUES
TO A COMPUTER WITHOUT THE OWNER'S PERMISSION. If we learn that a
student has exploited a vulnerability discussed in class (without
permission of the computer's owner/operator) THAT STUDENT
WILL FAIL.
We will ocassionally encourage the use of online resources for
completing assignments in this course, and of course it is permitted
for students to discuss in general how
to solve problems. However, it
is never acceptable to use someone else's work without acknowledging
it. Every source you use or modify for an exercise,
homework or project must be explicitly acknowledged.
Failure to do so will be considered plagiarism.
The University Student Conduct Code defines scholastic dishonesty as:
submission of false records of academic achievement; cheating on
assignments or examinations; plagiarizing; altering, forging, or
misusing a University academic record; taking, acquiring, or using test
materials without faculty permission; acting alone or in cooperation
with another to falsify records or to obtain dishonestly grades,
honors, awards, or professional endorsement. In this course, a student
responsible for scholastic dishonesty will be assigned a penalty of an
"F" or "N" for the course. If you have any questions regarding the
expectations for a specific assignment or
exam, ask.
|
|
