CIS 551 / TCOM 401 - Computing and Network Security

CIS 551 / TCOM 401 - Computer and Network Security
Spring 2012

Topics Reading Projects Grading Lectures Policies

Time: Mon. & Weds. 1:30 - 3:00
Room: Towne 311

Instructor:

Steve Zdancewic
e-mail: cis551 (AT) seas.upenn.edu
office hours: Tues. 11:00am-noon (and by appointment) Levine 511

Teaching Assistants:

John Sonchack
office hours: Mon. 3:00-4:00pm (Moore Lab)

Sumanth Sathyanarayana
office hours: Tues. 3:00-4:00pm (Moore 207)

Course contact information:

Class mailing list: CIS551-401-12A (AT) lists.upenn.edu (open to all members of the class)
Piazza Discussion Group

Topics:

System Security: hacker behavior, intrusion & anomaly detection, hacker and admin tools
Networks & Infrastructure: TCP/IP, Denial of Service, IPSEC, TLS/SSL
Basic Cryptography: Shared key crypto (AES/DES), Public Key Crypto (RSA), hashes
Crypto software: Open SSL library, applications (authentication, digital signatures)
Trust & Configuration management
Malicious code: buffer overflows, viruses, worms, protection mechanisms
Covert Channels

Reading

The following books contain useful course material, and much of the lecture content is derived from them (and other sources). Copies of these books are on reserve in the Penn Engineering Library.

Security in Computing (3rd edition) by Pfleeger and Pfleeger
Computer Networks: A Systems Approach (3rd edition) by Larry L. Peterson and Bruce S. Davie
Applied Cryptography (2nd edition) by Bruce Schneier

In addition, the following papers and web sites provide supplementary material. Reading selections from these sources will be announced in class.

Security Engineering, Ross Anderson's textbook
The Protection of Information in Computer Systems, Saltzer & Schroeder (1975)
Smashing the Stack for Fun and Profit, Aleph One (1996)
Cyclic Redundancy Check (CRC) on Wikipedia
The Internet Worm Program: An Analysis, Gene Spafford (1988)
Kerberos: An Authentication Service for Open Network Systems, Steiner, Neuman, Schiller (1988)
Kerberos FAQ
Introduction to the Internet Protocols, Charles L. Hedrick (Rutgers). This 1987 tutorial is surprisingly up to date, and is a very concise introduction to the basics of the Internet protocols.
Open SSL web page. The OpenSSL library is installed on eniac-l.
"A look Back at 'Security Problems in the TCP/IP Protocol Suite'". S. M. Bellovin. 20th Computer Security Applications Conference. December 2004.
"Advanced 4.4BSD Interprocess Communication Tutorial." Lefler, et al.
Why Cryptosystems Fail, Ross Anderson (1993)
Inside the Slammer Worm, Moore et al. (2003).
How to 0wn the Internet in Your Spare Time , Staniford, Paxson, and Weaver (2002).
Top Speed of Internet Flash Worms, Staniford, Moore, Paxson, and Weaver (2004).
Internet Quarantine: Requirements for Containing Self-propagating Code, Moore et al. (2003)
Automated Worm Fingerprinting, Singh et al. (2004)
Corrupted DNS Resolution Paths: The rise of a malicious resolution authority, Dagon et al. (2008)
Bro Intrusion Detection System
Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson. (1998)
NSA Central Security Service
TCSEC
CERT
National Information Assurance Training and Information Center
Infranet: Circumventing Web Censorship and Surveillance, Feamster et. al (2002).
Why Phishing Works by Dhamija, Tygar, and Hearst
Protecting Browser State from Web Privacy Attacks, Jackson et al.
Dos and Don'ts of Client Authentication on the Web, Kevin Fu et al.
SQL Injection attacks, Chris Anley
Cross site scripting explained, Amit Klein
Terra: A Virtual Machine-Based Platform for Trusted Computing, Garfinkel, et al.
Nexus, Sirer, et al.
Analysis of an Electronic Voting System, Kohno, et al.
Followup and rebuttals from the Diebold voting machine analysis
Civitas: Toward a Secure Voting System (Michael Clarkson, Stephen Chong, Andrew Myers)
Technical Trends in Phishing Attacks (Milletary)
The Emperor's New Security Indicators (Schechter et al. 2007)
The Battle Against Phishing: Dynamic Security Skins (Dhamija and Tygar) 2005

Projects

Project 1:

Buffer Overflows (Two parts, due: Feb. 8th and Feb. 17th)
badbuf.c
Virtual Machine

Project 2:

Intrusion Detection Systems (due: March 14)

Project 3:

Secure Distributed Banking (due: April 4)

Project 4:

Web Security (due: April 24)
box2.tar.gz

Grading Criteria

27% Midterm - Feb. 29 in class. (Solutions)
30% Final exam - April 30th noon-2:00
40% Course projects (group projects)
03% Course participation

Example exams from previous instances of 551

(Note that the order of the course content may have differed):

Lecture Slides and Notes

Schedule
Date	Topic	Notes
1/9
1/11	Introduction & Course Overview	First Day of Class Reading: The Protection of Information in Computer Systems, Saltzer & Schroeder (1975)
1/16	MLK	No Classes
1/18	Malware and Buffer Overflows	Reading: Smashing the Stack for Fun and Profit, Aleph One (1996)
1/23	Mitigating Buffer Overflows	Reading: HardBound and SoftBound
1/25	Impact of Malware / Software Security	Reading: Top Speed of Internet Flash Worms
1/30	Reacting to Worms	Reading: Internet Quarantine: Requirements for Containing Self-propagating Code
2/1	Review of Networks I: Ethernet
2/6	Review of Networks II: IP, UDP, TCP
2/8	Firewalls, Content Filtering, Intrusion Detection
2/13	Automated Worm Fingerprinting	Automated Worm Fingerprinting Fingerprinting by Random Polynomials" Michael Rabin
2/15	Access Control	Protection in Operating Systems Harrison, Ruzzo, Ullman
2/20	Access Control II: Capabilities, Stack Inpsection
2/22	Information Flow and Covert Channels
2/27*		NO CLASS
2/29*	Midterm Exam	Solutions
3/5	Spring Break	No Class
3/7	Spring Break	No Class
3/12	Covert Channels / Intro to Cryptography
3/14	DES and AES
3/19	Hashes, Diffie-Hellmann and Public Key Cryptography
3/21	Public Key Cryptography
3/26	Authentication Protocols
3/28	Key Exchange/Distribution, SSH, Kerberos
4/2	Public Key Infrastructure, Human Authentication
4/4	Web Security I
4/9	Web Security II / Anonymity
4/11	Onion Routing / Electronic Voting I	Civitas: Toward a Secure Voting System
4/16	Zero Knowledge Proofs & Secret Sharing
4/18	Analysis of an Electronic Voting System
4/23	TPM and TCB / Course Wrap-up	Last Class
4/25	Reading Days	No Class
4/30	FINAL EXAM: Monday, April 30th noon-2:00, Berger Auditorium
*indicates dates when Prof. Zdancewic will be away.

Course Policies

Individual homework assignments will be available on the web pages. They are to be completed independently and turned in at the beginning of class on the due date.
Late homework will not be accepted without prior permission of the instructor unless there are emergency circumstances.
Teams for group projects will consist of two or three students. Students are not permitted to work individually on the team projects.

Regrade Policy

Regrade requests should be sent to the TA. Only reasonable requests will be considered. The entire homework or exam will be regraded. Note that this means that the score on a regraded homework might decrease.

Academic Integrity

This course will abide by the University's Code of Academic Integrity. In particular, for individual projects and group projects, the following guidelines should be followed:

For individual projects, you must type in and edit your own code, documentation, and any other materials submitted for grading.
- Copying someone else's file is not allowed.
- Allowing someone else to copy a file of yours, either explicitly or implicitly by leaving your code unprotected, is not allowed.
- Editing each other's files is not allowed
Regarding the ethics of what you may or may not discuss with others:
- "High level" discussions are fine.
  For example, discussions about the problem statement.
- "Low level" discussions are fine.
  For example, discussions about C syntax or using gdb, understanding compiler error messages, understanding the mechanics of the tools and libraries used for the projects.
- "Mid level" discussions require discretion. In this CIS course, discussions at this level must be limited. Unless explicitly stated otherwise, you may not collaborate significantly with classmates (except group project members) at this level. If you have minor discussions with others at this level or get help from outside resources (tutors, web sites, etc), you must cite at the top of the submitted projects the names of the people or websites who helped you and how they did. For example:
```
      /**
       * Chris Brown
       * Project 1
       * 5/6/2008
       * I received tips from Jo Johnson on the i/o and example.com/mem.htm on memory
       */
        
```
If there is any doubt about the use of external sources or collabortation, please ask for clarification by the course staff.

CIS 551 / TCOM 401 - Computer and Network Security Spring 2012

Time: Mon. & Weds. 1:30 - 3:00 Room: Towne 311