COMP 5407W / CSI 5116 (Winter 2015): Authentication and Software
Security [A, S]
Last updated: Apr.6, 2015.
Send comments to: paulv (insert @ here) scs.carleton.ca.
Calendar course description:
Specialized topics in security including
those selected from:
advanced authentication techniques,
user interface aspects,
electronic and digital signatures,
security infrastructures and protocols,
software vulnerabilities affecting security,
untrusted software and hosts,
protecting software and digital content.
Essential Course Details
- Class times: 1:05-2:25, Tues+Thurs (Jan.6 to Apr.7, 2015)
- Location: ME3356 (Mackenzie Bldg), Carleton University
- Instructor: Professor P. Van Oorschot
- Office hours: Tuesday 2:30-3:30pm, Thursday 12:00noon-1:00pm
- Prerequisites: COMP 4108 (computer systems security) + COMP 3000 (operating systems), or equivalents. Otherwise requires instructor permission.
- Course Text: None.
- Course Outline (preliminary): click here for outline, and see also Detailed Topics below.
- Marking Scheme (dates are firm - please plan in advance):
  30% Project 1 (Software Vulnerability Tracking; click here for more details) --- Start immediately (first day of class), due Tues. Feb.10 in class.
  30% Midterm test: Tues. Mar.3 (in class); covers all material up to test date.
  40% Project 2 and participation (Research Paper; click here for more details) = (10% in-class presentation + 5% participation/attendance of other presentations + 25% written report due in class Tues. Apr.7)
References and Sources.
Lectures will largely be drawn from research papers (generally available online), and
supplementary material given in class; students are thus expected to attend all classes.
For those wishing to brush up on background reading, recommendations include
Stallings and Brown (2014) and Gollmann (2006) among others found on
this list.
No specific access to computing labs should be required,
but labs in the Herzberg Building require a
Carleton University Campus Card,
with access based on the courses you are registered in
and the School's Lab Access Schedule.
University Policies.
See the
course outline page
for university policies related to:
academic accommodation (Pregnancy Obligation, Religious Obligation, Students with Disabilities);
Medical Certificates necessary for deferral of midterms, exams, projects and assignments;
and
Academic Integrity, Plagiarism, and Unauthorized Co-operation or Collaboration.
This course has the following additional
Course Policy on Unethical Behaviour:
Any student submitting work including portions originating from someone else,
without crediting the original source, is subject to a mark
of minus 100% (-100%) on the entire work item. For example, if a project
is worth 20%, the 20% is lost plus an additional 20% penalty, making the
best possible course mark 60%. If the infraction involves copying
from another student, then both students may be penalized.
You may, and often should, discuss work with others,
but each student must write up submitted work individually.
In the event of a Pandemic Flu Outbreak, we may need to modify the
planned course delivery and/or deadlines and/or assignments; specific
details will be provided if/as necessary.
Detailed Topics.
Topics are updated each year. A preliminary plan for this year's
course follows (these are representative and subject to change).
Notation for background references: "HAC ssN" denotes section N in
Handbook of Applied Cryptography, which is available free online;
tbd = to be determined.
Class 1 (Jan.6): Security metrics for guessing passwords.
Testing Metrics for
Password Creation Policies, Weir et al. (ACM CCS 2010 - also
here);
and
Metrics for guessing difficulty, Bonneau (Ch.3 in: Guessing
Human-chosen Secrets, PhD thesis, Cambridge, 2012).
Begin Project 1 immediately.
Advanced reading:
The science of guessing: analyzing an anonymized corpus of 70 million
passwords, Bonneau (Oakland 2012).
Class 2 (Jan.8): Strong Password-Protocols.
EKE: Password-Based Protocols Secure Against Dictionary
Attack, Bellovin and Merritt
(IEEE S&P 1992).
Optional/supplementary (attacks on EKE; alternatives SPEKE, SRP):
Number Theoretic Attacks on Secure Password Schemes,
S. Patel (IEEE S&P 1997);
Strong Password-Only Authenticated Key Exchange, D. Jablon
(ACM Computer Communications Review, October 1996);
Extended Password Key Exchange Protocols Immune to Dictionary Attack,
D. Jablon (WET-ICE 1997);
The Secure Remote Password Protocol, T. Wu (NDSS 1998).
Class 3 (Jan.13): Off-line dictionary attacks and verifiable text.
Protecting Poorly Chosen Secrets from Guessing Attacks,
Gong et al. (IEEE JSAC vol.11 no.5 June 1993).
Background review: passwords (HAC ss10.2.1-10.2.2),
time variant parameters (HAC ss10.3.1).
Class 4 (Jan.15): Password Aging.
The
Security of Modern Password Expiration, Zhang et al. (ACM CCS, 2010).
Optional/supplementary:
Quantifying the
Security Advantage of Password Expiration Policies,
Chiasson and van Oorschot (Designs, Codes and Cryptography, 2015).
Classes 5 & 6 (Jan.20, 22): Defending password attacks; on-line vs. offline attacks.
An Administrator's Guide to Internet Password Research, Florencio et al. (USENIX LISA, 2014).
Classes 7 & 8 (Jan.27, 29): Evaluating alternatives for web user authentication.
The Quest to Replace Passwords, Bonneau et al. (IEEE Oakland, 2012).
Class 9 (Feb.3):
Phishing (web-spoofing).
Client-Side Defense Against Web-Based Identity Theft,
Chou et al. (NDSS'04).
Additional reading (optional):
The Phishing Guide, Gunter Ollmann (white paper, 2007);
on malicious javascript/keylogging:
Stronger Password Authentication Using Browser Extensions,
Ross et al. (USENIX Security 2005).
Class 10 (Feb.5): Pharming and DNS-based exploits (motivating DNSSEC).
Class notes plus:
The Pharming Guide, Gunter Ollmann (white paper, July 2005).
Classes 11 & 12 (Feb.10, 12): SSL browser trust model and
certificate/CA infrastructure issues; MITM.
Project 1 is due in class (hard copy) Feb.10.
The
Inconvenient Truth about Web Certificates, Vratonjic et al. (WEIS 2011);
SSL and HTTPS: Revisiting past challenges and evaluating certificate
trust model enhancements
(omit section III), Clark et al. (IEEE Oakland, 2013); and
Upgrading HTTPS in Mid-Air (sections I-III), Kranch & Bonneau (NDSS2015).
Background review (optional): certificate infrastructure and trust models (HAC, pp.559-560; 572-581)
and implementation issues, RSA signatures (pp.433-434).
Supplementary (optional):
Convergence Project and issues with SSL infrastructure
- 48-minute video:
SSL and the Future of Authenticity, Marlinspike (BlackHat USA 2011);
An Empirical Evaluation of Security Indicators in Mobile Web Browsers, Amrutkar et al. (IEEE Trans. Mobile Computing, 2015);
HCI challenges in digital signatures
-
All Sail, No Anchor II: Acceptable High-End PKI,
Blakley and Blakley (Int. J. Info. Security 2(2):66-77, 2004)
Feb.16-20: No classes (winter reading week).
Classes 13 & 14 (Feb.24, 26): Trusted computing and mandatory access control.
Project 2 (see above) topic proposal due: Feb.26.
Bootstrapping Trust in Commodity Computers,
Parno et al. (IEEE Oakland 2010; optionally see also
extended
book version).
SELinux:
Integrating
Flexible Support for Security Policies into the Linux Operating
System, Loscocco & Smalley (FREENIX/USENIX Annual, 2001;
62-page extended version also available).
Supplementary (optional): papers cited in
System
Security, Platform Security and Usability
(extended abstract, van Oorschot, ACM STC'10).
Class 15 (Mar.3): Test (in class).
Class 16 (Mar.5): Drive-by downloads and browser security.
The
Ghost in the Browser (Provos et al., USENIX HotBots'07) and
All Your iFRAMEs Point to Us (Provos et al., USENIX Security 2008).
Further reading:
Cybercrime 2.0: When the Cloud Turns Dark (Provos et al., C.ACM 52(4):42-47, 2009).
Supplementary (same-origin policy, XSS attacks):
Cross-site Scripting Worms and Viruses,
Grossman (white paper, updated June 2007);
Browser security
handbook, Michal Zalewski (2008, 2009 online resource);
Same-Origin Mutual Approval: Mutual Approval for Included Content in Web Pages,
Oda et al. (ACM CCS 2008).
Classes 17 & 18 (Mar.10, 12): Computer worms, malware networks, rootkits.
The History and Evolution of Computer Viruses
(Mikko Hypponen, 49min, DEFCON 2011 talk).
The Internet Worm (Spafford, C.ACM 1989 32(6):678-687, pdf available online).
W32.Stuxnet Dossier
(v1.4, Feb.2011, Symantec report by N. Falliere, Liam O Murchu, E. Chien).
Optional/supplementary:
Countering Unauthorized Code Execution on Commodity Kernels: A Survey
of Common Interfaces Allowing Kernel Code Modification,
Jaeger et al. (Computers & Security, 2011).
Rootkits: Subverting the Windows Kernel
(Hoglund and Butler, Addison-Wesley, 2005).
Designing BSD Rootkits: An Introduction to Kernel Hacking
(Kong, No Starch Press, 2007).
The Spread of the Sapphire/Slammer Worm (Feb.2003), Moore et al.
(or
version in S&P magazine);
With Microscope and Tweezers: The Worm from MIT's Perspective
(Rochlis and Eichin, C.ACM 1989 32(6):689-698).
Classes 19-23 (Mar.17-31): student presentations related to Project
2, about 30 minutes each.
See details above. It is strongly recommended that topics selected are based on
2012-2014 papers presented at the big-four security conferences
(NDSS, IEEE Symp. Security & Privacy, USENIX Security, ACM CCS).
Mar.17:
developer use of static code analysis tools (Hala Assal);
human management of passwords (Leah Zhang-Kennedy)
Mar.19:
web authentication: empirical studies (Rebecca Cooper);
IDS: behaviour models of humans and malware (Andrew Hoo)
Mar.24:
trusted paths (Peter Simonyi);
smartphones: behavioural biometric authentication (Sameer Salahudeen);
Mar.26:
forged SSL certification (Qixiang [Sherlock] Chen);
automated malware analysis (Danil Kirillov)
Mar.31:
drive-by download protection (Vatsal Chavda);
malware attack protection (Mohammad Afzal Ansari)
Apr.2:
smartphones: privacy and security (Xiabei Zhong)
Classes 24 & 25 (Apr.2, 7): Smartphone software security and
architectures - iOS, Google Android.
iOS Security (Apple whitepaper, updated Oct.2014).
Smartphone security models:
Secure
Software Installation on Smartphones (Barrera, IEEE S&P Magazine May-June 2011).
Android application security:
Defending Users Against Smartphone Apps: Techniques and Future Directions (W. Enck, ICISS 2011).
Miscellaneous background on malware: classic introductory papers.
Classifying malware (worms, viruses, Trojan horses).
McIlroy,
Virology 101 (Computing Systems, Spring 1989).
Thompson,
Reflections on Trusting Trust (Comm. ACM, Aug.1984).
Computer Virus-Antivirus Coevolution,
Nachenberg (Comm. ACM, Jan. 1997; pdf available online).