Software Security

CompSci 725 S1C 03
Handout 1: General Information

Lecturers

Prof Clark Thomborson (Supervisor), <cthombor@cs.auckland.ac.nz>

Prof Jim Goodman, <jgoo052@cs.auckland.ac.nz>

Published prerequisites

(CompSci 330 Language Implementation) and (CompSci 320 Algorithmics or CompSci 340 Operating Systems)

Acceptable prerequisites

Subject to an enrolment limit of 30 students, the instructor is willing to accept postgraduate students who have aatained a "B" or better grade in any two of the following: CompSci 330 Language Implementation, CompSci 333 Functional Programming & Language Implementation, CompSci 320 Algorithmics, CompSci 313 Computer Organisation, CompSci 314 Data Communications Fundamentals, CompSci 340 Operating Systems, CompSci 335 Distributed Objects and Algorithms, CompSci 350 Mathematical Foundations of Computer Science, CompSci 702 Topics in Software Engineering, CompSci 720 Advanced Design and Analysis of Algorithms, CompSci 735 Object-Oriented Systems, CompSci 742 Data Communications and Networks.

Scheduled Lecture and Tutorial Times

Lectures: Computer Science Seminar room 303.279, TuWeFr 9-10.

Tutorials: 17 March through 28 May in Computer Science Tutorial room 303.110, Mo 9-10 and We 10-11.

Required Reading

You will read approximately 40 technical articles during the first eight weeks of this paper. These will be the basis of our in-class discussions. Some of these articles are available online, and we will hand out the others in hardcopy.

Description

Software security is taking on new importance as e-commerce moves from hype to reality. Software systems are susceptible to a variety of attacks including eavesdropping, playback, denial of service, and unauthorised use. In this paper we will survey the field of software security, with a particular focus on technical and legal means for protection against unauthorised use.

Content

Denial of service, privacy violations, primary and collateral damage. Eavesdropping, playback, binary tampering during delivery, introduction of hostile code, malicious hosts. Unauthorised use by copying, dongle mimicry, decompilation and recompilation, reverse engineering. Software patents, copyrights, trade secrets. Sandbox, blackbox, and cryptographic security. Steganography. Obfuscation, robust and fragile watermarks, fingerprints.

Each student will prepare and deliver an oral presentation based on a published article chosen from a reading list provided by the instructors in the first week of lectures.  There will be two or three different oral presentations (from different students) on each article in the reading list; every student in class is expected to have read the article before the lecture period in which these oral presentations are delivered.  Each student will present a draft of their oral presentation in a tutorial session one week before their scheduled presentation to the class; the instructors will offer constructive comments and suggestions for revision after this draft presentation.

Each student will write a 10-page term paper, which may be based either on additional reading or on practical work undertaken during the term.

Policies on Plagiarism, Direct Quotation, Paraphrase, Academic Writing, and Collaboration

We follow departmental and University policies on academic honesty.  Please see Section 5.6 of the 2003 Undergraduate Handbook for Computer Science (http://www.cs.auckland.ac.nz/handbook/CS-2003-PG-handbook.pdf): "... Plagiarism is the inclusion in your assignment [term paper, project report, or seminar presentation] of material copied or closely paraphrased from someone else's writings (including textbooks and assignments by other students[, and commentary found on the world-wide web]) without an explicit indication of the source of the material.  It is considered to be cheating....  Departmental penalties for plagiarism extend from a zero grade on the assignment to an overall coursework grade of zero.  Formal disciplinary proceedings may also be instituted through the University Disciplinary Committee, which may lead to cancellation of paper credits, suspension or expulsion from the University.  [If you explicitly indicate the source of your direct quotations or close paraphrases, you cannot be accused of plagiarism.  However] submitting someone else's work or ideas is not evidence of your own understanding of the material and cannot earn you marks."

We will discuss plagiarism, quotation, and paraphrase in class lecture, both in the theoretical context of intellectual property and also in the practical context of academic writing for our class assignments.  We will give some general advice on the appropriate use of direct quotation and paraphrase.  We also teach a few other "tricks of the trade" in technical writing, because in prior years we have found that few of our entering students are highly skilled in academic writing.  Students may earn an "A+" in our course, even if they turn in work that has grammatical errors.  We are less lenient on spelling errors, as we expect students to use a spell-checker on their oral presentation slides and term reports.  We will not give a passing grade to a student who shows no ability to use technical terms with precision, spelling these carefully and using them in a way that clearly demonstrates their understanding of software security technology.

We encourage our students to discuss class readings and lecture notes freely with each other, for we believe that any person who asks a carefully-considered question about a technical topic is worthy of respect and assistance.  Any person who forms a careful response to a carefully-considered question is likely to find that they gain a clarity of understanding that they lacked before they formed their response.  Accordingly, we encourage our students to practice their oral presentations with each other, and to give each other feedback freely on what they think is (or isn't) understandable, interesting, relevant or well-structured.  We encourage students to read each other's draft term papers, and offer constructive comments and gentle criticism.  However this feedback must not be so extensive as to deny anyone the chance to "do their own work".  We insist that each student come to their own conclusions about the material they read for this class, and to communicate these conclusions to us in their oral and written work, for this is the basis on which we form our assessment of each student's accomplishment in our course.

Assessment

60% exam, 25% written project, 15% oral presentation. The questions on the exam will be based on the material in the class readings, with emphasis on the topics and discussions in lecture by instructors and by students.  If you write a term paper for your "project", it must demonstrate your critical and appreciative understanding of at least three professional publications. If you write a project report, it must demonstrate your competence and creativity in practical work. Your oral presentation must be a coherent explanation of an advanced topic in software security, demonstrating a critical and appreciative reading and understanding of one professional publication.

Tentative Schedule

Warning

We will discuss vulnerabilities in widely-deployed computer systems. This is not an invitation for you to exploit these vulnerabilities! Instead you are expected to behave responsibly. Don't break into computer systems that are not your own. Don't attempt to subvert any security system in any other way, for example by taking over someone else's "digital identity". See Department of Computer Science Computer System Regulations and University of Auckland Computer System Regulations.