Software Security
CompSci 725 S2C 07
Clark Thomborson
Handout 1: General InformationVersion 1.0 of 15 July 2007
Prof Clark Thomborson (Supervisor). Email: <cthombor@cs.auckland.ac.nz>
(CompSci 330 Language Implementation) and (CompSci 320 Algorithmics or CompSci 340 Operating Systems)
Subject to an enrolment limit of 30 students, the instructor is willing to accept postgraduate students who have attained a "B" or better grade in any two of the following: CompSci 330 Language Implementation, CompSci 333 Functional Programming & Language Implementation, CompSci 320 Algorithmics, CompSci 313 Computer Organisation, CompSci 314 Data Communications Fundamentals, CompSci 340 Operating Systems, CompSci 335 Distributed Objects and Algorithms, CompSci 350 Mathematical Foundations of Computer Science, CompSci 702 Topics in Software Engineering, CompSci 720 Advanced Design and Analysis of Algorithms, CompSci 735 Object-Oriented Systems, CompSci 742 Data Communications and Networks.
Second semester 2006 City campus, Monday 12-1pm, Wednesday 4-5pm, and Friday 3-4pm in Computer Science Seminar room 303.279.
Tutorial sessions will be held during weeks 4 - 11; times and rooms will be arranged in the second week of classes. Students are invited (but not required) to rehearse their oral presentations during these tutorials. The instructor will offer feedback and suggest improvements.
Students will read approximately 30 technical articles during the first eight weeks of this paper, and selected chapters from Mark Stamp, Information Security: Principles and Practice, John Wiley & Sons, Inc., September 2005, ISBN: 0-471-73848-4. These readings will be the basis of our in-class discussions. Most of these articles are available online; I will hand out hardcopies of the other articles.
Please note that the licenses of some of our Library's online databases do not grant permission to make additional copies, even for classroom use -- students will have to download these articles through http://www.library.auckland.ac.nz/.
Software security is taking on new importance as e-commerce moves from hype to reality. Software systems are susceptible to a variety of attacks including eavesdropping, playback, denial of service, and unauthorised use. In this paper we will survey the field of software security, with a particular focus on technical and legal means for protection against unauthorised use.
Denial of service, privacy violations, primary and collateral damage. Eavesdropping, playback, binary tampering during delivery, introduction of hostile code, malicious hosts. Unauthorised use by copying, dongle mimicry, decompilation and recompilation, reverse engineering. Software patents, copyrights, trade secrets. Sandbox, blackbox, and cryptographic security. Steganography. Obfuscation, robust and fragile watermarks, fingerprints.
60% exam, 25% project, 15% seminar.
You have two options for your project: a term paper or a project report.
If you write a term paper, it must demonstrate your critical and appreciative understanding of at least three professional publications, at least one of which must be a required reading for this course. You must also cite and (at least briefly) discuss any other required class readings that are closely related to the topic of your term paper.
If you write a project report, it must demonstrate your competence and creativity in practical work. You must cite and (at least briefly) discuss at least two required class readings that are relevant to your term project.
Your seminar must be a coherent explanation of an advanced topic in software security, showing your careful reading and understanding of one professional publication. Lecture slides from student oral presentations will be posted to the Assignments area of the class website.
We follow departmental and University policies on academic honesty.
The
The departmental cheating policy is available at http://www.cs.auckland.ac.nz/CheatingPolicy.php. Students in CompSci 725 should take particular note of the following passages: "... The Computer Science Department uses many ways to check that the work students submit for marking is their own and was not produced by, or copied from, someone else... Turnitin.com may be used on essays and reports. This detects similarity to online material and submitted works in its own database... All assignments deemed to be too similar are automatically allocated a zero mark. All students who submitted these assignments are entered in the duplicate assignment register. [Students] ... may be referred to the University Disciplinary Committee. ..."
In this class, we will discuss plagiarism, quotation, and paraphrase, both in the theoretical context of intellectual property, and also in the practical context of academic writing for our class assignments. If you accurately cite the source of your direct quotations or close paraphrases, you cannot be accused of plagiarism. However submitting someone else's work or ideas is not evidence of your own understanding of the material, and such submissions will not earn you marks.
We will give some general advice on the appropriate use of direct quotation and paraphrase. We also teach a few other "tricks of the trade" in technical writing, because in prior years we have found that few of our entering students are highly skilled in academic writing.
Students may earn an "A+" in our course, even if they turn in work with minor grammatical errors. Major grammatical errors may cause us to misunderstand the author's intent, and we will assign low marks when we are not sure of a student's understanding of the material they are presenting in their paper. Students should take special care with the spelling of technical terms, especially acronyms, for an incorrect spelling can cause great confusion in the mind of a reader who thinks the author is referring to some other technical term with a similar spelling! Passing marks are given only when a student's work clearly demonstrates their understanding of the software security technologies, techniques, and analyses discussed in this course.
The Library http://www.library.auckland.ac.nz/instruct/instruct.htm offers resources and tuition on searches and citations.
Our University offers some support in the use of the English language by non-native speakers, see https://www.delna.auckland.ac.nz/support.php.
The Student Learning Centre http://www.slc.auckland.ac.nz/ offers resources and workshops on writing and oral presentations.
Aegrotat / Compassionate Consideration information is available at http://www.auckland.ac.nz/uoa/for/currentstudents/academiclife/aegrotatinfo.cfm.
We will discuss vulnerabilities in widely-deployed computer systems. This is not an invitation for you to exploit these vulnerabilities! Instead you are expected to behave responsibly. Don't break into computer systems that are not your own. Don't attempt to subvert any security system in any other way, for example by taking over someone else's "digital identity".