Software Security
CompSci 725 FC 02
Clark Thomborson
Handout 1: General Information
Lecturer
Prof Clark
Thomborson (Supervisor). Email: <cthombor@cs.auckland.ac.nz>
Published prerequisites
(CompSci 330 Language Implementation or CompSci 333 Functional
Programming & Language Implementation) and CompSci 320 Algorithmics.
Acceptable prerequisites
Any two of the following: CompSci 330 Language Implementation, CompSci
333 Functional Programming & Language Implementation, CompSci 320
Algorithmics, CompSci 313 Computer Organisation, CompSci 314 Data
Communications Fundamentals, CompSci 340 Operating Systems, CompSci
335 Distributed Objects and Algorithms, CompSci 350 Mathematical
Foundations of Computer Science, CompSci 702 Topics in Software
Engineering, CompSci 720 Advanced Design and Analysis of Algorithms,
CompSci 735 Object-Oriented Systems, CompSci 742 Data Communications
and Networks.
Scheduled Lecture Times
First semester 2002, City campus, Math/Phys/CS room 246, TWF 9-10.
Required Reading
You will read approximately 40 technical articles during the
first eight weeks of this paper. These will be the basis of our
in-class discussions. Some of these articles are available online,
and I will hand out the others in hardcopy.
Description
Software security is taking on new importance as e-commerce moves
from hype to reality. Software systems are susceptible to a variety
of attacks including eavesdropping, playback, denial of service, and
unauthorised use. In this paper we will survey the field of software
security, with a particular focus on technical and legal means for
protection against unauthorised use.
Content
Denial of service, privacy violations, primary and collateral
damage. Eavesdropping, playback, binary tampering during delivery,
introduction of hostile code, malicious hosts. Unauthorised use
by copying, dongle mimicry, decompilation and recompilation, reverse
engineering. Software patents, copyrights, trade secrets. Sandbox,
blackbox, and cryptographic security. Steganography. Obfuscation,
robust and fragile watermarks, fingerprints.
All students in this paper will prepare and deliver an oral
presentation based on a published article in this field. Each student
will write a 10-page term paper, which may be based either on
additional reading or on practical work undertaken during the term.
Assessment
60% exam, 25% project, 15% seminar. If you write
a term paper for your "project", it must demonstrate your critical and
appreciative understanding of at least three professional
publications. If you write a project report, it must demonstrate your
competence and creativity in practical work. Your seminar must
be a coherent explanation of an advanced topic in software security,
showing your careful reading and understanding of one professional
publication.
Tentative Schedule
- Week 1:
- Tuesday 5 March. First day of lectures. Collect student
information sheets (handout 2). Distribute
the first set of readings (handout 3, available in hardcopy only).
- Wednesday 6 March. Discuss C. Pfleeger, "Is there a security
problem in computing?", Chapter 1 of Security in Computing, 2nd
edition, Prentice Hall, 1997. Also discuss Department
of Computer Science Computer System Regulations and University
of Auckland Computer System Regulations.
- Friday 7 March. Discuss: "Patent Law Basics", Office of
Technology Transfer, University of Arizona, 14 December 1998
(available: http://www.ott.arizona.edu/patbasic.htm,
February 2001); K. Nichols, "The Age of Software Patents", IEEE
Computer, April 1999; IEEE Computer, June 1999;
P. Samuelson, "Encoding the Law into Digital Libraries",
Comm. ACM, April 1998.
- Week 2 (12 - 15 March).
Select papers and dates for student oral presentations in Weeks 3-9.
Discuss how to prepare an oral presentation. Discuss term project
requirements. Select class representative.
- Week 3 (19 - 22 March). Ethical issues in security.
Watermarking, tamper-proofing and obfuscation: tools for software
protection. On Wednesday, 10-page excerpts are due from students
presenting in week 4; these excerpts will be photocopied by the
instructor and handed out to the class on Friday. All students are
expected to read the excerpts before they are presented in
class by other students.
- Weeks 4 - 5 (26 - 28 March, 3 - 5 April). Student oral
presentations: two per day, each presentation will be 10 minutes in
length, with a 10-minute discussion period. Assignment 1 due: Term
paper or project proposal (one sentence).
- Week 6 (9 - 12 April). Selection of topic for your term papers.
How to write a title, synopsis and abstract. Choices of form.
- Week 7 (16 - 19 April). Student oral presentations. Assignment
2 due, for term paper: first draft of title, synopsis, and references.
For term project: first draft of title, goal statement, resources
required (software & hardware), and proposed methodology.
- Weeks 8 - 9 (30 April - 10 May). Student oral presentations. A
step-by-step method for writing a first draft of your term paper.
Sample final exam (an ungraded midterm test). Assignment 3 due: title
and abstract, for publication on class website; and a detailed outline
of your term paper or project report.
- Week 10 - 13 (14 - 17 May, 21 - 24 May, 28 - 31 May, 4 - 7 June).
Student oral presentations. Student oral presentations. Discussion
of student answers to sample final exam. Course overview. Assignment
4 due: final version of your term paper.
Warning
We will discuss vulnerabilities in widely-deployed computer
systems. This is not an invitation for you to exploit these
vulnerabilities! Instead you are expected to behave responsibly.
Don't break into computer systems that are not your own. Don't
attempt to subvert any security system in any other way, for example
by taking over someone else's "digital identity".
See Department
of Computer Science Computer System Regulations and University
of Auckland Computer System Regulations.
Updated 4 March 2002 by CDT.