Software Security
CompSci 725 FC 01
Clark Thomborson
Handout 1: General Information
Lecturer
Prof Clark Thomborson (Supervisor). Email: <cthombor@cs.auckland.ac.nz>
Published prerequisites
(CompSci 330 Language Implementation or CompSci 333 Functional
Programming & Language Implementation) and CompSci 320 Algorithmics.
Acceptable prerequisites
Any two of the following: CompSci 330 Language Implementation, CompSci
333 Functional Programming & Language Implementation, CompSci 320
Algorithmics, CompSci 313 Computer Organisation, CompSci 314 Data
Communications Fundamentals, CompSci 340 Operating Systems, CompSci
335 Distributed Objects and Algorithms, CompSci 350 Mathematical
Foundations of Computer Science.
Scheduled Lecture Times
First semester 2001, City campus, Math/Phys/CS room 246, TWF 9-10.
Required Reading
You will read approximately 40 technical articles during the
first eight weeks of this paper. These will be the basis of our
in-class discussions. Some of these articles are available online,
and I will hand out the others in hardcopy. Your term paper will be
based on your reading and interpretation of at least two additional
articles of your choice.
Description
Software security is taking on new importance as e-commerce moves
from hype to reality. Software systems are susceptible to a variety
of attacks including eavesdropping, playback, denial of service, and
unauthorised use. In this paper we will survey the field of software
security, with a particular focus on technical and legal means for
protection against unauthorised use.
Content
Denial of service, privacy violations, primary and collateral
damage. Eavesdropping, playback, binary tampering during delivery,
introduction of hostile code, malicious hosts. Unauthorised use
by copying, dongle mimicry, decompilation and recompilation, reverse
engineering. Software patents, copyrights, trade secrets. Sandbox,
blackbox, and cryptographic security. Steganography. Obfuscation,
robust and fragile watermarks, fingerprints.
All students in this paper will prepare and deliver an oral presentation
based on a published article in this field. Each student will write a
10-page term paper on some related topic.
Assessment
60% exam, 25% project, 15% seminar.
Tentative Schedule
- Week 1 (27 February - 2 March).
- Tuesday 27 February. First day of lectures. Collect student
information sheets (handout 2). Distribute the first set of
readings (handout 3, available in hardcopy only).
- Wednesday 28 February. Discuss C. Pfleeger, "Is there a security
problem in computing?", Chapter 1 of Security in Computing, 2nd
edition, Prentice Hall, 1997. Also discuss Department
of Computer Science Computer System Regulations and University
of Auckland Computer System Regulations.
- Friday 2 March. Discuss: "Patent Law Basics", Office of
Technology Transfer, University of Arizona, 14 December 1998
(available: http://vpr2.admin.arizona.edu/ott/Guidebook/patbasic.htm,
February 2001); K. Nichols, "The Age of Software Patents", IEEE
Computer, April 1999; Letters to the editor, by Gimlan, Page and
Hayden in response to Nichols' article, IEEE Computer, June
1999; P. Samuelson, "Encoding the Law into Digital Libraries",
Comm. ACM, April 1998.
- Week 2 (6 - 9 March).
Select papers and dates for student oral presentations in Weeks 3-9.
Discuss how to prepare an oral presentation. Discuss term project
requirements. Select class representative.
- Week 3 (13 - 16 March). Ethical issues in security.
Watermarking, tamper-proofing and obfuscation: tools for software
protection.
- Weeks 4 - 5 (20 - 30 March). Student oral presentations: two per
day; each presentation will be 10 minutes long, followed by a
10-minute discussion period.
- Week 6 (3 - 6 April). Selection of topic for your term papers.
How to write a title, synopsis and abstract. Choices of form.
- Weeks 7 - 9 (23 April - 11 May). Student oral presentations.
Jay Garden of the GCSB will be our guest speaker on 24 April.
Sample final exam (an ungraded midterm test).
- Week 10 (15 - 18 May). A step-by-step method for writing a first
draft of your term paper. Student oral presentations. Term paper
title and abstract due.
- Weeks 11 - 12 (22 - 31 May). A step-by-step method for writing
a final draft of your term paper. Student oral presentations. Discussion
of student answers to sample final exam. Course overview.
Warning
We will discuss vulnerabilities in widely-deployed computer
systems. This is not an invitation for you to exploit these
vulnerabilities! Instead you are expected to behave responsibly.
Don't break into computer systems that are not your own. Don't
attempt to subvert any security system in any other way, for example
by taking over someone else's "digital identity".
See Department
of Computer Science Computer System Regulations and University
of Auckland Computer System Regulations.
Updated 23 February 2001 by CDT.