Instructor: Ninghui Li
Please contact the instructor if there is any question about prerequisites.
This course is aimed towards
graduate students in Computer Science and ECE. Undergraduate students
interested in taking the course should contact
instructor. In addition to covering
established results in this area, we will also investigate the state of art of
access control theory and techniques both in research literature and in
Give students a systematic and deep understanding of access control theory and techniques. The focus of this course is not on giving an listing of the various models and techniques developed for access control, but rather on understanding the effectiveness and limitation of these models and techniques. While examining research results, we ask the following questions: What are the problems this piece of work tries to solve? To what extent does it solve the problems? Are these the right problems to solve? How could this result be used in practice? What other problems can be asked? While examining existing systems, we ask similar questions about the access control features in these systems.
Give students (especially beginning graduate students) some exposure to research activities such as literature research, independent thinking and analysis, interacting with the instructor and peer students, and organizing and presenting materials and results.
Help interested students to develop long term research interests in this area.
This course will be divided into three parts.
Topics to be covered (tentative) include:
Students will have a semester-long medium-size project that will be related to the above topics and that will have a research flavor. A list of project topics will be provided in class. Students are also welcome to come up with project ideas.
A typical project involves
Jerome H. Saltzer and Michael D. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9):1278-1308, 1975.
Part IA is required reading. The rest is recommended, especially for those interested in operating system security.
Carl E. Landwehr, Formal Models for Computer Security. ACM Computing Surveys, 13(3):247--278, 1981.
David D. Clark and David R. Wilson, A Comparison of Commercial and Military Computer Security Policies, in Proceedings of the 1987 IEEE Symposium on Security and Privacy, pp. 184--194, IEEE Computer Society Press, Los Alamitos, CA, 1987.
Robert W. Baldwin. Naming and grouping privileges to simplify security management in large databases. In Proc. IEEE Symposium on Research in Security and Privacy, pages 116-132, 1990.
John McLean. Security Models. In J. Marciniak, editor, Encyclopedia of Software Engineering. Wiley & Sons, 1994.
Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, February 1996.
Although no textbook is require, the following books are helpful references. The first three are popular textbooks; and they overlap to a certain degree. Reading the chapters related to access control in some of the following books could be helpful:
Computer Security: Art and Science by Matt Bishop
Computer Security by Dieter Gollmann
Security in Computing, Third Edition by Charles P. Pfleeger, Shari Lawrence Pfleeger, and Willis H. Ware.
Security Engineering by Ross A. Anderson
This book is not very related to this course; however, it is a very good book on practical aspects of security, highly recommended for anyone interested in security.
Cryptography and Data Security by Dorothy Denning
This cryptography part of this book is a bit out of date; however, the discussion of access control is nevertheless still very good.
Role-Based Access Control by David F. Ferraiolo, D. Richard Kuhn, Ramaswamy Chandramouli
This book provides a fairly comprehensive survey of researches in RBAC. It is a very good source of information for those interested in doing research related to RBAC.