Software Security
415.725 SC 00
Clark Thomborson
Handout 1: General Information
Lecturer
Prof Clark Thomborson (Supervisor)
Published prerequisites
(415.330 Language Implementation or 415.333 Functional
Programming & Language Implementation) and 415.320 Algorithmics.
Acceptable prerequisites
Any two of the following:
415.330 Language Implementation, 415.333 Functional
Programming & Language Implementation, 415.320 Algorithmics,
415.313 Computer Organisation, 415.314 Data Communications Fundamentals,
415.340 Operating Systems, 415.335 Distributed Objects and Algorithms,
415.350 Mathematical Foundations of Computer Science.
Scheduled Lecture Times
Second semester 2000, City campus, Math/Phys/CS room 246, MWTh 10-11.
Required Reading
You will read approximately 24 technical articles during the
first eight weeks of this paper. These will be the basis of our
in-class discussions. Some of these articles are available online,
and I will hand out the others in hardcopy. Your term paper will be
based on your reading and interpretation of at least two additional
articles of your choice.
Description
Software security is taking on new importance as e-commerce moves
from hype to reality. Software systems are susceptible to a variety
of attacks including eavesdropping, playback, denial of service, and
unauthorised use. In this paper we will survey the field of software
security, with a particular focus on technical and legal means for
protection against unauthorised use.
Content
Denial of service, privacy violations, primary and collateral
damage. Eavesdropping, playback, binary tampering during delivery,
introduction of hostile code, malicious hosts. Unauthorised use
by copying, dongle mimicry, decompilation and recompilation, reverse
engineering. Software patents, copyrights, trade secrets. Sandbox,
blackbox, and cryptographic security. Steganography. Obfuscation,
robust and fragile watermarks, fingerprints.
All students in this paper will prepare and deliver a seminar: an oral
presentation based on a published article in this field. Each student
will also write a 10-page term paper on a related topic, and give a
second oral presentation, on this term project, to the class.
Assessment
60% exam, 25% project, 15% seminar.
Tentative Schedule
- Monday 17 July: First day of lectures. Distribute the first
set of readings. Collect "student information sheets".
- Wednesday 19 July. Discuss C. Pfleeger, "Is there a security
problem in computing?", Chapter 1 of Security in Computing, 2nd
edition, Prentice Hall, 1997. Also discuss Department
of Computer Science Computer System Regulations and University
of Auckland Computer System Regulations.
- Thursday 20 July. Discuss K. Nichols, "The Age of Software
Patents", IEEE Computer, April 1999, and the letters to the editor by
Gimlan, Page and Hayden in response to Nichols' article, IEEE
Computer, June 1999. Also discuss P. Samuelson, "Encoding the Law
into Digital Libraries", Comm. ACM, April 1998.
- Monday 24 July. Select papers and dates for student oral presentations
in Weeks 3-9.
- Wednesday 26 July. Discuss C. Pfleeger, "Ethical issues in computer
security", section 11.5 of Security in Computing, 2nd edition,
Prentice Hall, 1997. Also discuss C. Mann, "Who Will Own Your Next
Good Idea?", The Atlantic Monthly, September 1998; H. Rossner, "Steal
this Software", The Standard.com, 19 June 2000; and P. Radatti,
"CyberSoft, Incorporated Moral Guidelines",
www.cyber.com/papers/locks.html [link visited March 10, 1999], May 1995.
- Thursday 27 July. Discuss C. Collberg and C. Thomborson, "Watermarking,
Tamper-Proofing, and Obfuscation -- Tools for Software Protection,"
submitted to IEEE TSE, July 2000.
- Weeks 3-9 (Monday 31 July through Thursday 24 August, and Monday
11 September through Thursday 28 September): Student presentations and
guest speakers. Student presentations will be 10 minutes in length,
then we will discuss the article in class.
- Weeks 10-12: Oral presentations of term projects. Presentations
will be 10 minutes in length, with a brief period for discussion after
each.
Warning
We will discuss vulnerabilities in widely-deployed computer
systems. This is not an invitation for you to exploit these
vulnerabilities! Instead you are expected to behave responsibly.
Don't break into computer systems that are not your own. Don't
attempt to subvert any security system in any other way, for example
by taking over someone else's "digital identity".
See Department
of Computer Science Computer System Regulations and University
of Auckland Computer System Regulations.
Updated 7 July 2000 by CDT.