Course Syllabus

Spring 2009


Lecture 1: 3/31/09 (mit)	Course overview [pdf, ppt] Reading: Reflections on Trusting Trust, Ken Thompson Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress (Congressional Research Services report)

Part 1: Basics

Lecture 2: 4/ 2/09 (mit)	Secure system design, access control, and protection [pdf, ppt] Reading: The Confused Deputy, Norm Hardy Preventing privilege escalation, Provos et al. 2003

Lecture 3: 4/ 7/09 (bon)	Control hijacking attacks: exploits and defenses [pdf, ppt] Reading: Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Crispin Cowan, et al. Smashing The Stack For Fun And Profit, Aleph One Basic Integer Overflows, blexim Optional: Bypassing Browser Memory Protections, A. Sotirov (a detailed analysis of Windows memory protection)

Lecture 4: 4/ 9/09 (inv)	Testing for security via fuzzing [pdf, ppt] Reading: How hackers look for bugs by Dave Aitel Real world fuzzing, by Charlie Miller Effective Bug Discovery, vf.

Lecture 5: 4/14/09 (inv)	Tools for writing robust application code [pdf, ppt] Reading: KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, by C. Cadar, D. Dunbar, D. Engler Finding Security Vulnerabilities in Java Applications with Static Analysis, by B. Livshits and M. Lam

Lecture 6: 4/16/09 (bon)	Dealing with bad (legacy) application code: sandboxing and isolation [pdf, ppt] Reading: Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools, T. Garfinkel Efficient Software-Based Fault Isolation, Robert Wahbe, et al. A note on the confinement problem, Butler Lampson

Lecture 7: 4/21/09 (mit)	Use of cryptography in computer security [ppt] Reading: Five-minute university Why cryptosystems fail, Ross Anderson

Part 2: Network security

Lecture 8: 4/23/09 (bon)	Security problems in network protocols: TCP, DNS, SMTP, and routing [pdf, ppt] Reading: A look back at Security Problems in the TCP/IP Protocol Suite, S. Bellovin, ACSAC 2004. A survey of BGP security, 2005. DNS cache poisoning, Steve Friedl

Lecture 9: 4/28/09 (mit)	Network defense tools: Firewalls, VPNs, Intrusion Detection, and filters [pdf, ppt] Reading: DNSSEC - The Theory , G. Huston Network Firewalls, S.M. Bellovin and W.R. Cheswick Bro: A System for Detecting Network Intruders in Real-Time, V. Paxon

Lecture 10: 4/30/09 (bur)	Malware: Computer viruses, Spyware, and key-loggers [pdf, ppt] Reading: Hunting for metamorphic, Szor, P. Ferrie

Lecture 11: 5/ 5/09 (bur)	bot-nets: attacks and defenses [pdf, ppt] Reading: Inside the slammer worm, S. Savage An Analysis of Conficker's Logic and Rendezvous Points Know Your Enemy: Fast-Flux Service Networks, Honeynet

Lecture 12: 5/ 7/09 (bon)	Unwanted traffic: denial of service attacks and spam email [pdf, ppt] Reading: Practical network support for IP Traceback, S. Savage, et al. A DoS-Limiting Network Architecture, Yang, Wetherall, and Anderson A detailed DDoS extortion story

Lecture 13: 5/12/09 (bur)	Network security testing [pdf, ppt] Reading: The Art of Port Scanning , Fyodor pOf 2: Dr. Jekyll had something to Hyde, Zalewski

Part 3: Web Security

Lecture 14: 5/14/09 (bur)	Basic web security model [pdf, ppt] Reading: Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell The Security Architecture of the Chromium Browser. Adam Barth, Collin Jackson, Charles Reis, and the Google Chrome Team

Lecture 15: 5/19/09 (mit)	User authentication and session management [pdf, ppt] Reading: Secure Session Management With Cookies for Web Applications. Chris Palmer Designing and Conducting Phishing Experiments, Finn and Jakobsson, 2007 Threat Metrix, Device Fingerprinting and Fraud Protection Whitepaper Iovation, Solving Online Credit Fraud Using Device Identification and Reputation

Lecture 16: 5/21/09 (bon)	HTTPS: goals and pitfalls [pdf, ppt]

Lecture 17: 5/26/09 (mit)	Web site security [pdf, ppt] Reading: Cross site scripting explained, Amit Klein SQL Injection attacks, Chris Anley Robust Defenses for Cross-Site Request Forgery. Adam Barth, Collin Jackson, and John C. Mitchell

Part 5: Final topics

Lecture 18: 5/28/09 (bon)	Digital Rights Management [ppt] Reading: Hardware-assisted circumvention of self-hashing software tamper resistance, Oorschot et al.

Lecture 19: 6/ 2/09 (inv)	Final lecture

CS155 Computer and Network Security

Course Syllabus

Spring 2009