COMP 5407F / CSI 5116 (Fall 2007): Authentication and Software Security

Calendar course description: Specialized topics in security including those selected from: advanced authentication techniques, user interface aspects, electronic and digital signatures, security infrastructures and protocols, software vulnerabilities affecting security, untrusted software and hosts, protecting software and digital content.
Essential Course Details. Office Hours: 11:30-12:30pm, Monday and Wednesday.

Marking Scheme: (Note: no extensions on project dates)
25% - Project 1: Software Vulnerability Tracking.
--- Start immediately (first day of class), due Mon. Oct.15 in class.
30% - Test: Monday Oct.29 (in class).
35% - Project 2: Research Paper.
--- 10% in-class presentation + 25% written report due Wed. Dec.5
10% - Class participation. Includes preparation (readings in advance), contributions to discussion within class, and attendance (including at other students' presentations).

Policy re: Unethical Behaviour. Any student submitting work including portions originating from someone else, without crediting the original source, is subject to a mark of minus 100% (-100%) on the entire work item. For example, if a project is worth 20%, the 20% is lost plus an additional 20% penalty, making the best possible course mark 60%. If the infraction involves copying from another student, then both students may be penalized. You may, and often should, discuss work with others, but each student must write up submitted work individually. In addition to the above, harsher penalties following from any standard university policies will be pursued where appropriate.

Special Needs Students. Students with disabilities requiring academic accommodations in this course are encouraged to contact a coordinator at the Paul Menton Centre (PMC) for Students with Disabilities to complete the necessary letters of accommodation. After registering with the PMC, make an appointment to meet and discuss your needs with the instructor at least two weeks prior to the first in-class test or midterm exam, to ensure sufficient time for necessary arrangements. The deadline for submitting completed forms to the PMC for formally scheduled exam accommodations is typically early November for fall term courses.

References and Sources. Lectures will largely be drawn from recent research papers (available online where possible), and supplementary material given in class; students are thus expected to attend all classes. For those wishing to brush up on background reading, recommendations include Gollman (2006), Stallings (2002) or Kaufman et al. (2002), as found in this list.

Detailed Outline. Topics studied are from the list in the official calendar course description (see top of page). The course is updated from year to year, and may also change due to suggestions by students. The current plan for this year's course follows (subject to change). Notation for background references: "HAC ssN" denotes section N in Handbook of Applied Cryptography, which is available free online.

  • Class 1 (Sept.10): Automated Turing Tests. Telling Humans and Computers Apart Automatically, von Ahn et al., C.ACM (Feb.2004, pp.57-60). Visit the CAPTCHA Project site. Using Character Recognition and Segmentation to Tell Computer from Humans, P.Y. Simard et al., ICDAR'03. Begin Project 1 immediately (optional background: see reading for Class 15 below).

  • Class 2 (Sept.12): On-line password dictionary attacks. Securing Passwords Against Dictionary Attacks, Pinkas and Sander, ACM CCS 2002. Optional/supplementary: On Countering Online Dictionary Attacks with Login Histories and Humans-in-the-Loop, van Oorschot and Stubblebine, ACM TISSEC vol.9 issue 3 (Aug.2006).

  • Class 3 (Sept.17): Off-line password dictionary attacks. Protecting Poorly Chosen Secrets from Guessing Attacks, Gong et al., IEEE JSAC vol.11 no.5 (June 1993). Background review: passwords (HAC ss10.2.1-10.2.2), time variant parameters (HAC ss10.3.1).

  • Class 4 (Sept.19): Graphical Passwords (example: PassPoints). Authentication Using Graphical Passwords: Basic Results, Wiedenbeck et al., HCII 2005. Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords, Thorpe et al., USENIX Security 2007.

  • Class 5 (Sept.24): Phishing (web spoofing). Why Phishing Works, Dhamija et al., CHI'06.

  • Class 6 (Sept.26): Anti-phishing (client-end tools). Client-Side Defense Against Web-Based Identity Theft, Chou et al., NDSS'04.

  • Class 7 (Oct.1): Anti-phishing, anti-keylogging, and password managers. Stronger Password Authentication Using Browser Extensions, Ross et al., USENIX Security 2005. Optional/supplementary: A Convenient Method for Securely Managing Passwords, Halderman et al., World Wide Web Conference 2005; and Halting Password Puzzles - Hard-to-Break Encryption from Human-Memorable Keys, X. Boyen, USENIX Security 2007.

  • Class 8 (Oct.3): Authentication using social networks. Fourth-factor authentication: somebody you know, Brainard et al., ACM CCS 2006. Optional/supplementary: Message Authentication by Integrity with Public Corroboration, P. van Oorschot, NSPW 2005.

  • Class 9 (Oct.10): Digital Signatures. A Comparison of Digital and Handwritten Signatures (D. Fillingham, 1997 MIT course paper). Optional/supplementary: Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks, Drimer and Murdoch, USENIX Security 2007.

  • Class 10 (Oct.15): Public Key Infrastructure. Note: Project 1 is due in class today. Public-key certificates (HAC, pp.559-560), certificate trust models (572-576), key life cycle (pp.576-581) and implementation issues. Background on RSA signatures (pp.433-434). Optional/supplementary: All Sail, No Anchor II: Acceptable High-End PKI, Blakley and Blakley, Int. J. Information Security (2004) 2(2):66-77.

  • Class 11 (Oct.17): Biometrics. An Introduction to Biometric Recognition, Jain et al., IEEE Trans. on Circuits and Systems for Video Tech. (Jan. 2004). Optional/supplementary: Biometrics: A Tool for Information Security, Jain et al., IEEE Trans. Info. Forensics and Security (June 2006).

  • Class 12 (Oct.22): Computer Viruses and Trojan Horses. McIlroy, Virology 101 (Computing Systems, Spring 1989); and Thompson, Reflections on Trusting Trust (Comm. ACM, Aug.1984).

  • Class 13 (Oct.24): Anti-Virus. Nachenberg, Computer Virus-Antivirus Coevolution (Comm. ACM, Jan. 1997); pdf available online.

  • Class 14 (Oct.29): Test (in class).

  • Class 15 (Oct.31): The Internet Worm of 1988. "Crisis and Aftermath (The Internet Worm)", G. Spafford, Comm. ACM, vol.32 no.6 (1989), pp.678-687; pdf available online.

  • Class 16 (Nov.5): More Recent Computer Worms. How to 0wn the Internet in Your Spare Time, Staniford et al., USENIX Security 2002. Optional/supplementary: The Spread of the Sapphire/Slammer Worm (Feb.2003), Moore et al.; Reflections on Witty, N. Weaver, ;login, vol.29 no.3, June 2004; Blaster; Self-stopping Worms, Ma et al., 2005 ACM WORM.

  • Class 17 (Nov.7): Buffer overflow exploits and defenses. A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, Wilander and Kamkar, NDSS'03. More recent techniques: class notes.

  • Classes 18-22: student presentations.
    Nov.12: Marie Poirier, Saania Khan
    Nov.14: Amirali Salehi-Abari
    Nov.19: David Barrera, Mohammad Nikseresht
    Nov.21: Itzhak Bayaz
    Nov.26: Ian Kennedy, Kathryn Garson

  • Class 23 (Nov.28): Web security and cross-site scripting. The Ghost in the Browser: Analysis of Web-based Malware, Provos et al., HotBots'07.

  • Class 24 (Dec.3): XSS attacks. Cross-site Scripting Worms and Viruses, Grossman, April 2006 (white paper). Disregard the marketing on pp.20-21.


  • Last updated: November 26, 2007 1:00
    For comments, mail to: paulv (insert @ here) scs.carleton.ca.