COMP 5407W (Winter 2017): Authentication and Software Security [A, S]
Last updated: Mar.21, 2017.
Send comments to: paulv (insert @ here) scs.carleton.ca.
Course web site for updates: http://people.scs.carleton.ca/~paulv/5407jan2017.html
Calendar course description:
Specialized topics in security including
those selected from:
advanced authentication techniques,
user interface aspects,
electronic and digital signatures,
security infrastructures and protocols,
software vulnerabilities affecting security,
untrusted software and hosts,
protecting software and digital content.
Essential Course Details
References and Sources.
Lectures will largely be drawn from research papers (generally available online), and
supplementary material given in class; students are thus expected to attend all classes.
For those wishing to brush up on background reading, recommendations include
Stallings and Brown (2014) and Gollman (2011) among others found on
No specific access to computing labs should be required,
but labs in the Herzberg Building require a
Carleton University Campus Card,
with access based on the courses you are registered in
and the School's Lab Access Schedule.
Class times: 2:35-3:55, Tues+Thurs (Jan.5 to Apr.6, 2017)
Location: UC 280 (University Centre), Carleton University
Instructor: Professor P. Van Oorschot
Office hours: Mon+Wed 3:00-4:00pm, 5173HP
COMP 4108 (computer systems security) + COMP 3000 (operating systems),
or equivalents. Otherwise requires instructor permission.
Course Outline (preliminary):
here for outline, and
see also Detailed Topics below.
(dates are firm - please plan in advance):
30% Project 1 (Software Vulnerability Tracking;
click here for more details)
--- Start immediately (first day of class), hard-copy due Thurs. Feb.9 in class.
30% Midterm test: Tues. Mar.7 (in class); covers all material up to test date.
40% Project 2 and participation (Research Paper;
click here for more details)
= (10% in-class presentation +
5% participation/attendance of other presentations +
25% written report, hard-copy due in class Thurs. Apr.6)
See the bottom of this page.
Topics are updated each year. A preliminary plan for this year is
below (these are representative and will be updated as the
term progresses ).
Notation for background references: "HAC ssN" denotes section N in
Handbook of Applied Cryptography, which is available free online;
tbd = to be determined.
Class 1 (Jan.5): Security metrics for password distributions.
Metrics for guessing difficulty, Bonneau (Ch.3 in: Guessing
Human-chosen Secrets, PhD thesis, Cambridge, 2012).
Begin Project 1 immediately.
The science of guessing: analyzing an anonymized corpus of 70 million
passwords, Bonneau (Oakland 2012).
Class 2 (Jan.10): Analyzing a leaked password distribution.
Testing Metrics for
Password Creation Policies, Weir et al. (ACM CCS 2010 - also
Class 3 (Jan.12): Strong Password-Protocols.
EKE: Password-Based Protocols Secure Against Dictionary
Attack, Bellovin and Merritt
(IEEE S&P 1992).
Optional/supplementary (attacks on EKE; alternatives SPEKE, SRP):
Number Theoretic Attacks on Secure Password Schemes,
S. Patel (IEEE S&P 1997);
Strong Password-Only Authenticated Key Exchange, D. Jablon
(ACM Computer Communcations Review, October 1996);
Extended Password Key Exchange Protocols Immune to Dictionary Attack,
D. Jablon (WET-ICE 1997);
The Secure Remote Password Protocol, T. Wu (NDSS 1998).
Class 4 (Jan.17): Off-line dictionary attacks and verifiable text.
Protecting Poorly Chosen Secrets from Guessing Attacks,
Gong et al. (IEEE JSAC vol.11 no.5 June 1993).
Background review: passwords (HAC ss10.2.1-10.2.2),
time variant parameters (HAC ss10.3.1).
Class 5 (Jan.19): Password Aging.
Security of Modern Password Expiration, Zhang et al. (ACM CCS, 2010).
Security Advantage of Password Expiration Policies,
Chiasson and van Oorschot (DCC 2015);
see these slides
with graphs not found in the paper.
Classes 6 & 7 (Jan.24, 26): Defending password attacks; on-line vs. offline attacks.
An Administrator's Guide to Internet Password Research, Florencio et al. (USENIX LISA, 2014).
Florencio et al. (CACM Nov.2016),
on string: The don't care region of password strength.
Classes 8 & 9 (Jan.31, Feb.2): Evaluating alternatives for web user authentication.
The Quest to Replace Passwords, Bonneau et al. (IEEE Oakland, 2012).
Classes 10-12 (Feb.7, 9, 14):
Web server certificates, server authentication/browser trust model, TLS infrastructure.
Project 1 is due in class Feb.9 (hard copy).
Inconvenient Truth about Web Certificates, Vratonjic et al. (WEIS
SSL and HTTPS:
Revisiting past challenges and evaluating certificate trust model enhancements
(omit section III), Clark et al. (IEEE Oakland, 2013).
Background review (supplementary): certificate infrastructure and trust models (HAC, pp.559-560; 572-581)
and implementation issues, RSA signatures (pp.433-434).
Class 13 (Feb.16): Enhancements to HTTPS.
Upgrading HTTPS in Mid-Air (sections I-III), Kranch & Bonneau (NDSS2015);
Transparency, Laurie (CACM Oct.2014) and
IETF RFC 6962
(Certificate Transparency); see also
transparency project site.
Supplementary (issues with SSL infrastructure):
SSL and the Future of Authenticity (Convergence Project), Marlinspike (BlackHat USA 2011).
Feb.20-24: No classes (winter reading week).
Project 2 (see above) topic proposal due: Feb.27.
Classes 14-15 (Feb.28, Mar.2): HTTPS and content delivery networks
and Analysis of Private Key Sharing in the HTTPS
Ecosystem, Cangialosi et al. (ACM CCS 2016)
and Bruce Maggs' related
talk on CDN's (USENIX Security 2016);
HTTPS meets CDN: A Case of Authentication in Delegated
Service, Liang et al. (IEEE Oakland 2014).
Class 16 (Mar.7): Test (in class).
Class 17 (Mar.9): Secure OSs, mandatory access control (MAC), trusted
The Inevitability of Failure: The
Flawed Assumption of Security in Modern Computing Environments,
Loscocco et al. (NISSC 1998).
Supplementary: the previous paper motivates SELinux and trusted computing.
Flask microkernel-based OS:
Flask Security Architecture: System Support for Diverse Security Policies,
Spencer et al. (USENIX Security 1999).
SELinux: Integrating Flexible Support for Security Policies into the Linux Operating System,
Loscocco & Smalley (FREENIX/USENIX Annual, 2001;
62-page extended version also available).
Linux Security Modules: General Security Support for the Linux Kernel, Wright et al. (USENIX Security 2002).
Bootstrapping Trust in Commodity Computers,
Parno et al. (IEEE Oakland 2010; optionally see also
Intel SGX (Software Guard Extensions).
Classes 18-23 (Mar.14-30): student presentations (Project 2, see
above). Plan 30 minutes each (40 minutes max).
It is strongly recommended that topics selected are based on
2014-2016 papers presented at the big-four security conferrences
(NDSS, IEEE Symp. Security & Privacy, USENIX Security, ACM CCS).
Class 18 (Mar.14):
Heng Sun Chao: password meters and the online-offline gap.
Sophie Le Page: federated ID systems/OpenID/OAuth 2.0.
Class 19 (Mar.16):
Srivastav Janapalli: password managers (evolution and our trust in them).
Michael Lutaaya: password managers (evaluation of latest proposals).
Class 20 (Mar.21):
Sana Maqsood: content security policy/web security and XSS/website code injection.
Ramandeep Kaur: web security.
Class 21 (Mar.23):
Jennifer Ubah: secure messaging (IM)/Signal Protocol (TextSecure).
Nelson Umunna: secure email.
Class 22 (Mar.28):
Janarthana Sivaraman: password mneumonics and memorability.
Nilofar Mansourzadeh: password vaults.
Class 23 (Mar.30):
Venkata Brundavanan: phishing.
Amandeep Kaur: big-data security.
Class 24 (Apr.4): Heartbleed TLS incident.
Matter of Heartbleed (Durumeric et al., IMC'14).
Class 25 (Apr.6): Device finger-printing, Internet geolocation, and authentication.
Supplementary background on malware: classic introductory papers.
Virology 101 (Computing Systems, Spring 1989).
Reflections on Trusting Trust (Comm. ACM, Aug.1984).
Computer Virus-Antivirus Coevolution,
Nachenberg (Comm. ACM, Jan. 1997; pdf available online).
The Internet Worm (Spafford, C.ACM 1989 32(6):678-687, pdf available online.
With Microscope and Tweezers: The Worm from MIT's Perspective
(Rochlis and Eichin, C.ACM 1989 32(6):689-698).
Supplementary background on drive-by downloads and browser security.
Ghost in the Browser (Provos et al., USENIX HotBots'07) and
All Your iFRAMEs Point to Us (Provos et al., USENIX Security 2008).
When the Cloud Turns Dark (Provos et al., C.ACM 52(4):42-47, 2009).
Supplementary background on SOP (same-origin policy), XSS attacks:
Cross-site Scripting Worms and Viruses,
Grossman (white paper, updated June 2007);
handbook, Michal Zalewski (2008, 2009 online resource);
Same-Origin Mutual Approval: Mutual Approval for Included Content in Web Pages,
Oda et al. (ACM CCS 2008).
Supplementary background on malware, malware networks, rootkits.
The History and Evolution of Computer Viruses
(Mikko Hypponen, 49min, DEFCON 2011 talk).
(v1.4, Feb.2011, Symantec report by N. Falliere, Liam O Murchu, E. Chien).
Spread of the Sapphire/Slammer Worm (Feb.2003), Moore et al.
version in S&P magazine);
Supplemental background on phishing (web-spoofing) and pharming
Client-Side Defense Against Web-Based Identity Theft, Chou et al. (NDSS'04).
The Phishing Guide, Gunter Ollmann (white paper, 2007);
Stronger Password Authentication Using Browser Extensions,
Ross et al. (USENIX Security 2005).
The Pharming Guide, Gunter Ollmann (white paper, July 2005).
=== University Policies (start) ===
Student Academic Integrity Policy.
Every student should be familiar with the Carleton University student
academic integrity policy. A student found in violation of academic
integrity standards may be awarded penalties which range from a
reprimand to receiving a grade of F in the course or even being expelled
from the program or University. Some examples of offences are:
plagiarism and unauthorized co-operation or collaboration. Information
on this policy may be found in the Undergraduate Calendar.
As defined by Senate, "plagiarism is presenting, whether
intentional or not, the ideas, expression of ideas or work of others as
one's own". Reported offences will be reviewed by the office of the Dean
Unauthorized Co-operation or Collaboration.
Senate policy states that "to
ensure fairness and equity in assessment of term work, students shall
not co-operate or collaborate in the completion of an academic
assignment, in whole or in part, when the instructor has indicated that
the assignment is to be completed on an individual basis". Please refer
to the course outline statement or the instructor concerning this issue.
COMP 4108 addendum:
Beyond any other standard university policies,
any student submitting work including uncited portions originating
from someone else, is subject to a mark of negative 100%
on the entire work item. For example, if an assignment
is worth 10%, the 10% is lost plus an additional 10% penalty, making the
best possible course mark 80%.
Both students may be penalized if the infraction involves copying
from another student.
Each student must write up submitted work individually
unless explicitly allowed otherwise per official instructions
(e.g., in group-based assignments).
Academic Accommodations for Students with Disabilities.
The Paul Menton Centre
for Students with Disabilities (PMC) provides services to
students with Learning Disabilities (LD), psychiatric/mental health
disabilities, Attention Deficit Hyperactivity Disorder (ADHD), Autism
Spectrum Disorders (ASD), chronic medical conditions, and impairments in
mobility, hearing, and vision. If you have a disability requiring
academic accommodations in this course, please contact PMC at
613-520-6608 or firstname.lastname@example.org for a formal evaluation. If you are
already registered with the PMC, contact your PMC coordinator to send
your course instructor
your Letter of Accommodation at the beginning of the term, and no later
than two weeks before the first in-class scheduled test or exam
requiring accommodation (if applicable). After requesting accommodation
from PMC, meet with your course instructor to ensure accommodation arrangements are made.
Please consult the PMC website for the deadline to request
accommodations for the formally-scheduled exam (if applicable) at
Write to the course instructor
with any requests for academic accommodation during the first two
weeks of class, or as soon as possible after the need for accommodation
is known to software and system developmest. For more details visit the
Equity Services website: http://www2.carleton.ca/equity/
Write to the course instructor
with any requests for academic accommodation during the
first two weeks of class, or as soon as possible after the need for
accommodation is known to exist. For more details visit the
Equity Services website: http://www2.carleton.ca/equity/
The official medical certificate (form) accepted by Carleton
University for the deferral of final examinations or assignments in
courses can be accessed from:
=== University Policies (end) ===