Software Security
CompSci 725 SC 04
Clark Thomborson
Handout 1: General
Information
Version 1.5: 21 July 2004
Lecturer
Prof Clark
Thomborson (Supervisor). Email: <cthombor@cs.auckland.ac.nz>
Published prerequisites
(CompSci 330 Language Implementation) and (CompSci 320
Algorithmics or CompSci 340 Operating Systems)Acceptable prerequisites
Subject to an enrolment limit of 30 students, the instructor is willing to
accept postgraduate students who have attained a "B" or better grade in any two
of the following: CompSci 330 Language
Implementation, CompSci 333 Functional Programming & Language
Implementation, CompSci 320 Algorithmics, CompSci 313 Computer Organisation,
CompSci 314 Data Communications Fundamentals, CompSci 340 Operating Systems,
CompSci 335 Distributed Objects and Algorithms, CompSci 350 Mathematical
Foundations of Computer Science, CompSci 702 Topics in Software Engineering,
CompSci 720 Advanced Design and Analysis of Algorithms, CompSci 735
Object-Oriented Systems, CompSci 742 Data Communications and Networks.Scheduled Lecture Times
Second semester 2004 City campus, Monday 12-1pm, Wednesday 12-1pm, and Friday
2-3pm in Computer Science Seminar room 303.279.Tutorials
Tutorial sessions will be held during weeks 4 - 11; times and rooms will be
arranged in the second week of classes. Students are invited (but not
required) to rehearse their oral presentations during these tutorials. The
instructor will offer feedback and suggest improvements.
Required Reading
Students will read approximately 40 technical articles
during the first eight weeks of this paper. These will be the basis of our
in-class discussions. Most of these articles are available online; I will hand
out hardcopies of the other articles.Please note that the licenses of some of
our Library's online databases do not grant permission to make additional
copies, even for classroom use -- students will have to download these articles
through
http://www.library.auckland.ac.nz/.
Description
Software security is taking on new importance as e-commerce
moves from hype to reality. Software systems are susceptible to a variety of
attacks including eavesdropping, playback, denial of service, and unauthorised
use. In this paper we will survey the field of software security, with a
particular focus on technical and legal means for protection against
unauthorised use.
Content
Denial of service, privacy violations, primary and collateral
damage. Eavesdropping, playback, binary tampering during delivery, introduction
of hostile code, malicious hosts. Unauthorised use by copying, dongle mimicry,
decompilation and recompilation, reverse engineering. Software patents,
copyrights, trade secrets. Sandbox, blackbox, and cryptographic security.
Steganography. Obfuscation, robust and fragile watermarks, fingerprints.
Assessment
60% exam, 25% project, 15% seminar.
If you write a term paper for your "project", it must demonstrate your
critical and appreciative understanding of at least three professional
publications, at least one of which must be a required reading for this course.
You must also cite and (at least briefly) discuss any other required class
readings that are closely related to the topic of your term paper.
If you write a project report for your "project", it must demonstrate your
competence and creativity in practical work. You must cite and (at least
briefly) discuss at least two required class readings that are relevant to your
term project.
Your "seminar" must be a coherent explanation of an advanced topic in
software security, showing your careful reading and understanding of one
professional publication. Lecture slides from student oral presentations
will be posted to the Assignments area of the class website.
Policy on Plagiarism, Direct Quotation, Paraphrase,
and Academic Writing
We follow departmental and University policies on academic honesty.
The departmental cheating policy at
http://www.cs.auckland.ac.nz/CheatingPolicy.html is, in part: "... The Computer Science
Department uses many ways to check that the work students submit for marking is
their own and was not produced by, or copied from, someone else... Turnitin.com
may be used on essays and reports. This detects similarity to online material
and submitted works in its own database... All assignments deemed to be too
similar are automatically allocated a zero mark. All students who submitted
these assignments are entered in the duplicate assignment register. A standard
email (see below) is sent to these students. Repeat offenders may be referred to
the University Disciplinary Committee. ..."
The Postgraduate Handbook for Computer Science, at
http://www.cs.auckland.ac.nz/handbook/current/PostgraduateHandbook/generalInfo.html,
contains the following comments on plagiarism. "... Plagiarism is the
inclusion in your assignment of material copied or closely paraphrased from
someone else's writings (including textbooks and assignments by other students)
without an explicit indication of the source of the material. The University
takes a serious view of plagiarism..."
The University cheating policy, and some discussion of quotation and
paraphrase, is available at
http://www.auckland.ac.nz/cir_teaching/index.cfm?action=display_page&page_title=Plagiarism_Cheating.
We will discuss plagiarism, quotation, and paraphrase in class lecture, both
in the theoretical context of intellectual property, and also in the practical
context of academic writing for our class assignments. If you accurately
cite the source of your direct quotations or close paraphrases, you cannot be
accused of plagiarism. However submitting someone else's work or ideas is
not evidence of your own understanding of the material, and such submissions
will not earn you marks.
We will give some general advice on the appropriate use of direct quotation
and paraphrase. We also teach a few other "tricks of the trade" in
technical writing, because in prior years we have found that few of our entering
students are highly skilled in academic writing.
Students may earn an "A+" in our course, even if they turn in work with
minor grammatical errors. Major grammatical errors may cause us to
misunderstand the author's intent, and we will assign low marks when we are not
sure of a student's understanding of the material they are presenting in their
paper. Students should take special care with the spelling of technical
terms, especially acronyms, for an incorrect spelling can cause great confusion
in the mind of a reader who thinks the author is referring to some other
technical term with a similar spelling! Passing marks are given only when
a student's work clearly demonstrates their understanding of the software
security technologies, techniques, and analyses discussed in this course.
Additional Resources
The Library
http://www.library.auckland.ac.nz/instruct/instruct.htm offers resources and
tuition on searches and citations.
Our University offers some support in the use of the English language by
non-native speakers, see
https://www.delna.auckland.ac.nz/support.php.
The Student Learning Centre
http://www.slc.auckland.ac.nz/ offers resources and workshops on writing and
oral presentations.
Aegrotat / Compassionate Consideration information is available at http://www.auckland.ac.nz/exams.
Tentative Schedule
Note: the date listed for student presentation #x is the earliest possible
date on which this presentation may occur; later dates are possible if our
schedule slips. Students will be assigned numbers by a random process
during the first week of classes.
- Week 1:
- 19 July. First day of lectures. Discuss:
- 21 July - 23 July. Discuss:
- Handout 3, List of Suggested Articles for Oral Presentations (in
preparation)
- Handout 4, Randomly Assigned Student Numbers (in preparation)
- Handout 5, First set of Lecture Slides (in preparation)
- Handout 6, First set of Readings (R1 through R9), hardcopy distributed
21 July 04.
- [R1] B. Lampson, "Computer Security in the
Real World", IEEE Computer 37:6, 37-46, June 2004
- [R2] "Department of Computer Science Computer System Regulations", in
Undergraduate Computer Science Handbook, The University of Auckland,
2004 (available:
http://www.cs.auckland.ac.nz/handbook/ugrad/UG.DoCSCSR.html, July 2004)
- [R3] "IT Acceptable Use Policy", Version 1.3, The University of Auckland, 2004
(available:
http://www.auckland.ac.nz/security/ITAcceptableUsePolicy.htm, July 2004)
- Week 2 (26 July - 30 July). Select class representative. Select papers and dates for student oral
presentations in Weeks 5-13. Discuss how to prepare an oral presentation.
Discuss term project requirements.
- Week 3 (2 August - 6 August). Finalise
the selection of papers and dates for student oral presentations. Discuss:
- [R4] "What Are Patents, Trademarks, Servicemarks, and Copyrights?", US Patent and
Trademark Office, 13 May 2004 (available:
http://www.uspto.gov/web/offices/pac/doc/general/whatis.htm, July 2004)
- [R5] "Patent Law Basics", Office of Technology
Transfer, University of Arizona, 2001 (available:
http://www.ott.arizona.edu/patbasics.htm,
July 2004)
- [R6] "Copyright Basics", Office of Technology Transfer, University of
Arizona, 2001 (available:
http://www.ott.arizona.edu/copybas.htm, July 2004)
- [R7] "Copyright Protection in New Zealand", Ministry of Economic Development,
June 2004 (available:
http://www.med.govt.nz/buslt/int_prop/info-sheets/copyright-prot.html,
July 2004)
- [R8] K. Nichols, "The Age of Software Patents",
IEEE Computer 32:4, 25-31, April 1999
- [R9] P. Samuelson,
"Encoding the Law into Digital Libraries", Comm. ACM 41:4, 13-18,
April 1998
- Week 4 (9 August - 13 August). Tutorial sessions: Students #1
- #4 give practice oral presentations. Discuss:
- Pfleeger, "Ethical issues in computer security," section 11.5 of
Security in Computing, 2nd edition, Prentice Hall, 1997.
- IEEE Code of Ethics, 1990 (available:
http://www.ieee.org/portal/index.jsp?pageID=corp_level1&path=about/whatis&file=code.xml&xsl=generic.xsl,
July 2004)
- "The Ten Commandments of Computer Ethics", Computer Ethics Institute, 1992
(available:
http://www.brook.edu/its/cei/overview/Ten_Commanments_of_Computer_Ethics.htm,
July 2004)
- RSNZ Code of Ethics, 2003 (available:
http://www.rsnz.govt.nz/directory/code_ethics.php, July 2004)
- C. Mann, "Who will own your next good idea?", The Atlantic Monthly, 57-82,
September 1998 (available:
http://www.theatlantic.com/issues/98sep/copy.htm, July 2004)
- H. Rosner, "Steal this software," The.Standard.com, June 19, 2000
(available:
http://www.cnn.com/2000/TECH/computing/06/21/steal.software.idg/, July
2004)
- P. Radatti, "Cybersoft, Incorporated Moral Guidelines," Cybersoft, Inc,
1996 (available:
http://www.cybersoft.com/whitepapers/papers/locks.shtml, July 2004)
- Excerpts from F Woodford, Scientific Writing for Graduate Students,
Rockefeller University Press, 1968.
- A Eisenberg, Writing Well for the Technical Professions, Harper &
Row, 1989, pp. 39-40 and 46-51.
- Week 5 (16 August - 20 August). Student oral presentations #1 - #4: two
presentations
per day, each presentation will be 10 minutes in length, with an 8-minute
discussion period. Tutorial sessions: Students #5 - #10 give
practice oral presentations. Assignment 1 due (in class Friday 20
August): Term paper or project proposal
(one sentence).
- Week 6 (23 August - 27 August). Student oral presentations #5 - #10.
-
Term break (30 August - 12 September)
- Week 7 (13 September - 17 September).
Tutorial sessions: Students #11 - #14 give practice oral presentations. Assignment 2
due (in class Friday 17 September): for term paper: first draft of title, synopsis, and references. For
term project: first draft of title, goal statement, resources required
(software & hardware), and proposed methodology. Discuss:
- C. Collberg, C. Thomborson, "Watermarking, Tamper-Proofing, and
Obfuscation - Tools for Software Protection", IEEE Transactions on Software
Engineering 28:8, 735-746, August 2002.
- B. Schneier, "Foundations", Chapter 1 in Applied cryptography :
protocols, algorithms, and source code in C, 2nd edition, Wiley, 1996.
- E Papadakis, "Why and What for (Four): The Basis for Writing a Good
Introduction", Materials Evaluation 41, Jan 1983, pp. 20-21.
- Week 8 (20 September - 24 September). Student oral presentations #11
- #14. Tutorial sessions: Students #15 - #18 give practice oral
presentations.
- Week 9 (27 September - 1 October). Student oral presentations
#15 - #18. Tutorial sessions: Students #19 - #24 give practice oral
presentations. Friday: Sample final
exam (an ungraded midterm test). Assignment 3 due in class Friday 1
October): title and abstract,
for publication on class website; and a detailed outline of your term paper or
project report.
- Week 10 (4 October - 8 October). Student oral presentations #19 - #24.
Tutorial sessions: Students #25 - #30 give practice oral presentations.
- Week 11 (11 October - 15 October). Student oral presentations #25 - #30.
- Week 12 (18 October - 22 October). Discussion of student answers
to sample final exam. Course overview. Assignment 4 due in class Friday 22
October): final version
of your term paper.
Warning
We will discuss vulnerabilities in widely-deployed computer systems. This is
not an invitation for you to exploit these vulnerabilities! Instead you
are expected to behave responsibly. Don't break into computer systems that are
not your own. Don't attempt to subvert any security system in any other way, for
example by taking over someone else's "digital identity".