Software Security

CompSci 725 S2C 2012
Clark Thomborson
Giovanni Russello
Handout 1: General Information

Version 0.96 of 13 July 2012

Instructors

Clark Thomborson (Supervisor). Email: <cthombor@cs.auckland.ac.nz>

Giovanni Russello.  Email: <g.russello@auckland.ac.nz>

Recommended Preparation:

30 points from COMPSCI 313, 314, 320, 335, 340, 351, 702, 734, 742.  Prerequisite: departmental approval.

Scheduled Lecture Times

Second semester 2012: Mo 10-11 in 303.B11; Tu 12-1 in 301.407; We 1-2 in Eng3.406.

Tutorials

Tutorial sessions will be held during weeks 4 – 11: Mo 12-1 in 303.B11; Tu 10-11 in OGG 213; We 10-11 in Arts 206.213.

Students will be awarded 1 mark for rehearsing their oral presentation in a tutorial session in the week before they are scheduled to present it in the classroom.  The instructor will offer feedback and suggest improvements.

Required Reading

Students will read approximately 30 technical articles during the first eight weeks of this paper, and selected chapters from Mark Stamp, Information Security: Principles and Practice, John Wiley & Sons, Inc., 2011.  These readings will be the basis of our in-class discussions. All are available online, either “free” on the internet, or through the University of Auckland’s library system.

Informal Description

Computer security is increasingly important, now that e-commerce is commonplace and e-government is starting to come online.  Computer systems are susceptible to attacks including denial of service, unauthorised modifications, and unauthorised use. In this paper we will briefly survey the field of computer security.  We will then study some technical articles from the recent literature, on specific topics in computer security.  The emphasis in the 2012 offering is on Android security.

Prescription (Calendar copy)

Data security: confidentiality, integrity, availability.  System security: prohibitions, permissions, obligations, exemptions.  The gold standard of dynamic security: authentication, audit, authorisation.  Governance: specification, implementation, assurance.  Three-layer defence: prevention, detection, response.  Control modalities: architectural, economic, legal, normative.  System-centric analyses: attacks, threats, vulnerabilities, information flows.  Owner-centric analyses: functionality, security, trust, distrust.  Data-centric analyses.  Security techniques: encryption, obfuscation, tamper resistance.  System designs.

Assessment

60% exam, 25% term paper, 15% oral presentation.

Your oral presentation must be a coherent explanation of an advanced topic in software security, showing your careful reading and understanding of one professional publication.  Lecture slides from student oral presentations will be posted to the Assignments area of the class website.

Your term paper must demonstrate your critical and appreciative understanding of at least three professional publications, at least one of which must be a required reading for this course.  You must also cite and (at least briefly) discuss any other required class readings that are closely related to the topic of your term paper.

Learning Objectives

Anyone who passes this class is able to

1. give basic advice on software security, using standard terminology;

2. read technical literature on software security, demonstrating critical and appreciative comprehension; and

3. prepare and deliver an informative oral presentation on, and write knowledgeably about, an advanced topic in software security.

Policy on Plagiarism, Direct Quotation, Paraphrase, and Academic Writing

We follow University policies on academic honesty. 

The University of Auckland will not tolerate cheating, or assisting others to cheat, and views cheating in coursework as a serious academic offence. The work that a student submits for grading must be the student's own work, reflecting his or her learning. Where work from other sources is used, it must be properly acknowledged and referenced. This requirement also applies to sources on the world-wide web. A student's assessed work may be reviewed against electronic source material using computerised detection mechanisms. Upon reasonable request, students may be required to provide an electronic version of their work for computerised review.  The University cheating policy, and some discussion of quotation and paraphrase, is available at http://www.auckland.ac.nz/uoa/about/teaching/plagiarism/plagiarism.cfm.

In this class, we will discuss plagiarism, quotation, and paraphrase, both in the theoretical context of intellectual property, and also in the practical context of academic writing for our class assignments.  If you accurately cite the source of your direct quotations or close paraphrases, you are not plagiarising.  However, you will not earn marks by submitting someone else's work or ideas, for this is not evidence in favour of you having a strong understanding of the material -- instead it is evidence of you having a weak understanding of the material you have copied.

We will give some general advice on the appropriate use of direct quotation and paraphrase.  We also teach a few other "tricks of the trade" in technical writing, because in prior years we have found that few of our entering students are highly skilled in academic writing.

Students may earn an "A+" in our course, even if they turn in work with minor grammatical errors.  Major grammatical errors may cause us to misunderstand the author's intent, and we will assign low marks when we are not sure of a student's understanding of the material they are presenting in their paper.  Students should take special care with the spelling of technical terms, especially acronyms, for an incorrect spelling can cause great confusion in the mind of a reader who thinks the author is referring to some other technical term with a similar spelling!  Passing marks are given only when a student's work clearly demonstrates their understanding of the software security technologies, techniques, and analyses discussed in this course.

Additional Resources

The Library http://www.library.auckland.ac.nz/instruct/instruct.htm offers resources and tuition on searches and citations.

Our University offers some support in the use of the English language by non-native speakers; see http://www.auckland.ac.nz/uoa/cs-english-language-support.

The Student Learning Centre http://www.slc.auckland.ac.nz/ offers resources and workshops on writing and oral presentations.

Aegrotat / Compassionate Consideration information is available at http://www.auckland.ac.nz/uoa/for/currentstudents/academiclife/aegrotatinfo.cfm.

Warning

In this course, we will discuss vulnerabilities in widely-deployed computer systems. This is not an invitation for you to exploit these vulnerabilities! 

You are expected to behave responsibly, and you are subject to disciplinary action if you violate the laws of New Zealand or the regulations of our University.

We will discuss professional codes of ethics, and legal codes, in classroom lectures.