University of Maryland, Baltimore County

REQUIRED TEXTBOOK

• Security in Computing , Charles P. Pfleeger, Shari Lawrence Pfleeger, 3rd ed., Prentice Hall, 2003, ISBN: 0130355488. Note: The 4th Edition of this book has recently book published, but is NOT used in our course.

Optional Supplements

• Security Engineering, by Ross Anderson, Wiley, 2001, Online Book Chapters (Free!).
• Introduction to Computer Security, Matt Bishop, ISBN 0-321-24744-2, Addison Wesley Professional, 2005.
• Cryptography and Network Security: Principles and Practice, Third Edition, William Stallings, ISBN 0130914290, Prentice Hall, 2003.

COURSE INFORMATION

• Syllabus and Grading Information.

• Lecture Notes (Does not cover all lectures):
  1. Powerpoint Notes on: Basics of Cryptography - Compiled from William Stallings book on Network Security (see above) and PPT files from that book's website.
  2. Powerpoint Notes on: Mr. Oehler's presentation on Sep 27, 2006 on Access Control and Security Policies; and on Oct 4, 2006 on SELinux.
  3. Documents related to: Mr. Brian Snow's presentation on Oct. 16 2006 on Assurance and Evaluation: Assurance-Overview; Orange Book Summary; Talk at Oakland Conference Summary;
  4. Powerpoint Notes on: Presentation on Oct 23, 2006 on Common Criteria Overview.
  5. Powerpoint Notes on: Secure Coding - covers lecture materials till Nov 6.

• Reference Materials for Additional Information on some of the topics covered in class:
  1. Kerberos: An Authentication Service for Computer Networks , by B. Clifford Neuman and Theodore Ts'o, in IEEE Communications Magazine, Volume 32, Number 9, pages 33-38, September 1994.
  2. A One-Time Password System, by N. Haller, et. al., IETF RFC 2289, Feb. 1998.
  3. Security Enhanced Linux.
  4. Carl E. Landwehr, Formal Models for Computer Security, ACM Computing Surveys (CSUR), Volume 13 , Issue 3 (September 1981), pp. 247 - 278.
  5. M. Bishop, Hierarchical Take-Grant Protection systems, ACM Symposium on Operating Systems Principles, (Pacific Grove, CA), Pages: 109 - 122, 1981.
  6. Secure Programming Related Websites:
     1. http://www.cert.org/secure-coding/ - CERT's Secure Coding Website. In particular, the following links are useful:
        1. Top 10 Secure Coding Practices
        2. Coding Standards for C and C++
     2. Secure Coding in C and C++, by Robert Seacord, Addison-Wesley, 2005. Two sample chapters are at: Encrypted TGZ File; Algorithm: aes-128-cbc; Password: Given out in class.
     3. 8 Simple Rules For Developing More Secure Code, from MSDN's website.
     4. http://projects.cerias.purdue.edu/secprog/ - Purdue CERIAS website
     5. http://www.zork.org/safestr/ - SafeStr Library for Unix.
     6. http://www.mibsoftware.com/libmib/astring/ - Libmib Allocated String Functions (Old - around 1998).
     7. http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO.pdf - Wheeler's free book on Secure Programming.
     8. http://www.secureprogramming.com/ - Secure Programming website.
     9. http://www.securecoding.org/companion/links.php - Several interesting links from authors of "Secure Coding: Principles and Practice" book.
     10. https://buildsecurityin.us-cert.gov/daisy/bsi/home.html - DHS Software Security Site.
     11. Java Security
         • http://java.sun.com/developer/technicalArticles/Security/whitepaper/JS_White_Paper.pdf, SUN's white paper titled "Java Security Overview".
         • http://www.phptr.com/articles/printerfriendly.asp?p=433382&rl=1, Sample Chapter from Java 2 Platform Security, 2006, Ramesh Nagappan, Ray Lai, Christopher Steel. Sample Chapter is provided courtesy of Prentice Hall PTR.
         • http://www.dwheeler.com/javasec/javasec.pdf , David Wheeler's talk on Java Security.
         • http://www.cigital.com/javasecurity/complete.html, a listing of books, articles, on Java Security.
         • http://www.cs.arizona.edu/projects/sumatra/hallofshame/ : a List of weaknesses in Java's Security design/implementation.
         • "Software Vulnerabilities in Java", Fred Long, Technical Note CMU/SEI-2005-TN-044, 2005.
     12. Ethics
         • ACM Code of Ethics.
         • IEEE Code of Ethics.
         • ACM/IEEE-CS Software Engineering Code of Ethics and Professional Practice
         • Ten Commandments Of Computer Ethics, Created by the Computer Ethics Institute. http://onlineethics.org/com/cases.html: For Case Studies on Ethics and Computers.

• Homeworks and Quizzes:
  1. Homework 1: Due: Oct 4, 2006, in class.
  2. Homework 2: Due: Nov. 12, 2006, 11.50pm, online submit.
  3. Quiz 1: Held Oct 4, 2006, in class; Solution.
  4. Quiz 2: Held Nov 13, 2006, in class;

• Tests/Exams:
  1. Midterm 1: Oct 11, Wednesday, 1.00 - 2.15pm; Midterm 1 Syllabus.
  2. Midterm 2: Nov. 15, Wednesday, 1.00 - 2.15pm; Midterm 2 Syllabus.
  3. Final Exam: Dec. 15, Friday, 1.00 - 2.30 pm, ACIV 013.; Final Exam Syllabus; There will also be a take-home component that will be assigned on Dec 14th and due on Dec 17th, 11pm (Online Submit).

• Projects:
  1. Programming PROJECT 1 Description Due: Oct 26, THURSDAY, 11pm; Those who finish by the due date of Oct 22, Sunday, 11pm will be given a 15% extra credit for Project 1, providing that they obtain at least 75% of the total graded points. OpenSSL Sample Code.
     Clarifications and other Information for Project 1:
     1. Additional Openssl information:
        1. OpenSSL home page
        2. Book: Network Security with OpenSSL: Cryptography for Secure Communications, by John Viega, Matt Messier, and Pravir Chandra, O'Reilly, 2002.

     2. Added Sep 25, 2006:
        Formats for the groups file and acls file are as follows:
        • Under each user's home directory, the file groups will be created (unencrypted and no specific access control). The groups file will contain, one line per group for the given user, where each line will have the format:
          groupname user1 user2 ... usern There is no particular sorting order for the file. When groups are deleted, the file entry will be deleted.
        • Under each user's home directory, the file acls will be created (unencrypted and no specific access control). The acls file will contain, one line per directory for which a setal command has been issued for the given user, where each line will have the format:
          dirname groupname permission There is no particular sorting order for the file. When acls are deleted, the file entry will be deleted. Oct 20, 06: Since it is possible to have multiple groups with same permission for a given directory, EITHER one line for each dirname, groupname combination OR one line for each dirname with ALL groupnames included is allowed (as in dirname groupname1 groupname2 groupnameN permission.)

     3. Added Oct 10, 2006: Implementation of the 'cd dirname' command is OPTIONAL.

     4. Added Oct 20, 06: For files encrypted under FORMYEYESONLY directory, you can (optionally) generate a random 128-bit key and 128-bit IV (which will be stored in the encrypted KEYS file) for each file. If you have already implemented this differently, then continue with that implementation and document the fact in your README file.

     5. Added Oct 20, 06: For RSA keys, 1024-bit key size is recommended.

     ---

  2. Term Project for CMSC 626 Students:
     • One-page Abstract Due on Oct 9, 2006, in class.
       
       This will contain the team member(s) name(s), title, and a 200-300 word abstract that describes in reasonable the problem that will be studied: what is new in this work that you plan to do? is this related to or based on some existing published work (include fill citation)? how do you plan to implement this idea? what do you plan to analyze once the implementation is complete? On GL machines, Submit using: submit cs426 tp_abstract filename. Only one of the team members needs to submit the file. The file MUST be in PDF format.

     • Interim Report and Code Due on Nov. 22, 2006, 11pm.
       
       On GL machines, Submit using:
       submit cs426 tp_interim filename. Only one of the team members needs to submit the file.
       
       The written report MUST be in PDF format and will conform to the guidelines described in Term project Interim Report Requirements document.

     • Final Report and Code Due on Dec. 13, 2006, 11pm.
       
       On GL machines, Submit using:
       submit cs426 tp_final filename.tgz; Only one of the team members needs to submit the file.
       
       The tgz file will contain the final report and source code/data. The written report MUST be in PDF format and will conform to the guidelines described in Term project Final Report Requirements document.
       
       The schedule of presentations for CMSC 626 Final Projects is available in this Schedule. Note that this will be done during lecture times on Dec 4, 6, 11. All students are required to attend these lectures and fill out a feedback sheet for each presentation.
       
       CMSC 626 students will also present a demo of their software to Dr. Sivalingam and the TA. The demo slots are listed in the Demo Slots.

     • Conferences and other venues related to Security:
       1. CSI Annual Computer Security Conference (2006).
       2. ACM Conference on Computer and Communications Security (CCS 2006).
       3. IEEE Symposium on Security and Privacy.
       4. Second International Conference on Security and Privacy in Communication Networks
       5. Annual Computer Security Applications Conference.
       6. IEEE Security and Privacy Magazine.
       7. IEEE Computer Society's Technical Committee on Security and Privacy.

     ---

  3. Programming PROJECT 2: CMSC 426 Students are required to complete this project. CMSC 626 students are required to follow coding practices as described in Task 1 of the project description. Clarification added based on Dec 4th discussion in class: run-time system checks are NOT needed.
     • Safestr Library and Example Code
     • https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices - Top 10 Coding Practices.
     • Coding Standards for C and C++