COMP 5407F / CSI 5116 (Fall 2011): Authentication and Software Security
Calendar course description:
Specialized topics in security including
those selected from:
advanced authentication techniques,
user interface aspects,
electronic and digital signatures,
security infrastructures and protocols,
software vulnerabilities affecting security,
untrusted software and hosts,
protecting software and digital content.
Essential Course Details
Instructor: Professor P. Van Oorschot
Time: 11:30am-12:55pm, Mon+Wed (Sept.12/2011 to Dec.5/2011)
Location: 112PA (Paterson Hall), Carleton University
Prerequisites: COMP 4108 (computer systems security) + COMP 3000 (operating systems),
or equivalents. Otherwise requires instructor permission.
Textbook: None. See References and Sources below.
Lab access: Access to computing labs on Herzberg floors 4 and 5 requires a
Carleton University Campus Card, and is based on the courses you are
registered in and the School's Lab Access Schedule.
Evaluation (project dates are firm; please plan in advance):
25% Project 1: Software Vulnerability Tracking.
--- Start immediately (first day of class); due Monday Oct.17 in class.
30% Test: Monday Oct.31 (in class). Covers all material up to test date.
35% Project 2: Research Paper.
--- 10% in-class presentation + 25% written report due Monday Dec.5.
10% Class participation. Includes preparation (readings in advance), contributions to discussion within class, attendance (including of other students' presentations).
In the event of a pandemic flu outbreak we may need to modify the
planned course delivery and/or deadlines and/or assignments.
Specific details will be provided if
this becomes necessary. In the event that you become ill and have to
miss class or assignments, upon becoming well, you are expected to
communicate with your instructor to identify missed in-class material,
assignments and/or to arrange accommodations.
Policy re: Unethical Behaviour.
Any student submitting work including portions originating from someone else,
without crediting the original source, is subject to a mark
of minus 100% (-100%) on the entire work item. For example, if a project
is worth 20%, the 20% is lost plus an additional 20% penalty, making the
best possible course mark 60%. If the infraction involves copying
from another student, then both students may be penalized.
You may, and often should, discuss work with others,
but each student must write up submitted work individually.
In addition to the above, harsher penalties following from
any standard university policies will be pursued where appropriate.
If you require special arrangements to meet your academic obligations
during the term, please follow the processes as detailed on the
Equity Services pages for the following cases:
Pregnancy Obligation or Religious Obligation:
write to the course instructor with any requests for academic
accommodation during the first two weeks of class, or as soon as
possible after the need for accommodation is known to exist.
Students with disabilities requiring academic accommodations in this
course must register with the Paul Menton Centre for Students with
Disabilities (PMC) for a formal evaluation of disability-related needs.
Documented disabilities could include but are not limited to
mobility/physical impairments, specific Learning Disabilities (LD),
psychiatric/psychological disabilities, sensory disabilities, Attention
Deficit Hyperactivity Disorder (ADHD), and chronic medical conditions.
Registered PMC students are required to contact the PMC, 613-520-6608,
every term to ensure that the course instructor receives
your Letter of Accommodation, no
later than two weeks before the first assignment is due or the first
in-class test/midterm requiring accommodations. If you only require
accommodations for your formally scheduled exam(s) in this course,
please submit your request for accommodations to PMC by the deadlines
published on the PMC website.
References and Sources.
Lectures will largely be drawn from recent research papers
(available online where possible), and
supplementary material given in class; students are thus expected to
attend all classes.
For those wishing to brush up on background reading, recommendations include
Goodrich and Tamassia (2010), Stallings and Brown (2007) or
Gollman (2006), as found in
Topics studied are from the list in the official calendar course description
(see top of page).
The course is updated from year to year, and also changes
due to student input. A preliminary plan for this year's
course follows (note: these are representative only,
and are subject to change).
Notation for background references: "HAC ssN" denotes section N (§N) in the
Handbook of Applied Cryptography, which is available free online.
tbd = to be determined.
Class 1 (Sept.12): Threat models, attack trees, thinking like attackers. Class notes.
Begin Project 1 immediately
(optional background: read up on the 1988 Internet Worm - see Class 15 below).
Class 2 (Sept.14): On-line password dictionary attacks.
Securing Passwords Against Dictionary Attacks,
Pinkas and Sander (ACM CCS 2002).
Follow-up papers (optional):
ACM TISSEC 2006,
IEEE TDSC 2012.
Class 3 (Sept.19): Off-line dictionary attacks and verifiable text.
Protecting Poorly Chosen Secrets from Guessing Attacks,
Gong et al. (IEEE JSAC vol.11 no.5 June 1993).
Background review: passwords (HAC ss10.2.1-10.2.2),
time variant parameters (HAC ss10.3.1).
Class 4 (Sept.21): "Strong" Password-Protocols.
Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary
Attack, Bellovin and Merritt
(IEEE S&P 1992).
Optional/supplementary (attacks on EKE; alternatives SPEKE, SRP):
Number Theoretic Attacks on Secure Password Schemes,
S. Patel (IEEE S&P 1997);
Strong Password-Only Authenticated Key Exchange, D. Jablon
(ACM Computer Communications Review, October 1996);
Extended Password Key Exchange Protocols Immune to Dictionary Attack,
D. Jablon (WET-ICE 1997);
The Secure Remote Password Protocol, T. Wu (NDSS 1998).
Class 5 (Sept.26): Phishing - by web spoofing.
Why Phishing Works, Dhamija et al. (CHI'06).
Class 6 (Sept.28): Phishing - broader context and countermeasures.
Notes from class, plus (re: client-end tools and toolbars)
Client-Side Defense Against Web-Based Identity Theft,
Chou et al. (NDSS'04).
Additional reading (optional):
The Phishing Guide, Gunter Ollmann (white paper, 2007);
Phishing and Countermeasures, Jakobsson and Myers (eds.), Wiley 2007.
Class 7 (Oct.3): Pharming and DNS-based exploits (motivating DNSSEC).
Class notes plus:
The Pharming Guide, Gunter Ollmann (white paper, July 2005).
Class 8 (Oct.5): Graphical Passwords.
Graphical Passwords: Learning from the First Twelve Years, Biddle et al.
(2011; to appear, ACM Computing Surveys).
Oct.10: No class (Thanksgiving Holiday).
Class 9 (Oct.12): Entropy, Estimating Password Strength, and
Evaluating Alternative Password Schemes.
Class notes plus:
User Study, Analysis, and Usable Security of
Passwords based on Digital Objects,
Biddle et al. (IEEE TIFS, Sept.2011).
TwoStep: An Authentication Method Combining Text and Graphical
Passwords, van Oorschot et al. (MCETECH 2009).
Class 10 (Oct.17): Browser trust model, web certificates and SSL.
Note: Project 1 is due in class today.
The Inconvenient Truth about Web Certificates (Vratonjic et al., WEIS 2011).
Background review: public key infrastructure and certificates (HAC, pp.559-560),
certificate trust models (pp.572-576),
key life cycle (pp.576-581) and implementation issues,
RSA signatures (pp.433-434).
Optional/supplementary:
SSL Observatory Project (EFF); and
All Sail, No Anchor II: Acceptable High-End PKI,
Blakley and Blakley, Int. J. Information Security (2004) 2(2):66-77.
Class 11 (Oct.19): Host site authentication and man-in-the-middle attacks.
Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing,
Wendlandt et al. (USENIX Annual 2008).
Convergence project (Marlinspike, BlackHat 2011).
Class 12 (Oct.24): Secure Software Update Mechanisms.
Class notes plus pp.1-5 of:
Survivable Key Compromise in Software Update Systems,
Samuel et al. (ACM CCS 2010).
Class 13 (Oct.26): Android Self-Secured Software Update.
Self-signed Executables: Restricting Replacement of Program Binaries by
Malware, Wurster et al. (USENIX HotSec'07);
and Sections 1, 2, and 5.1 (pp.1-4 and 11) in extended version
Reducing Unauthorized Modification of Digital Objects
(IEEE Trans. Soft. Eng., to appear, 2011).
Class 14 (Oct.31): Test (in class).
Class 15 (Nov.2): The Internet worm of 1988.
Crisis and Aftermath: The Internet Worm
(Spafford, C.ACM 1989 32(6):678-687; pdf available online).
With Microscope and Tweezers: The Worm from MIT's Perspective
(Rochlis and Eichin, C.ACM 1989 32(6):689-698).
Class 16 (Nov.7): Advanced computer worms: Stuxnet.
Symantec report (v1.4, Feb.2011) by N. Falliere, Liam O Murchu, E. Chien.
Additional reading (optional):
How to 0wn the Internet in Your Spare Time,
Staniford et al. (USENIX Security 2002);
The Spread of the Sapphire/Slammer Worm (Feb.2003), Moore et al.;
Reflections on Witty,
N. Weaver (;login: 29(3), June 2004);
Self-stopping Worms, Ma et al. (ACM WORM 2005).
Class 17 (Nov.9): Smartphone security: models, application
markets, software installation.
Software Installation on Smartphones (D. Barrera, IEEE S&P Magazine).
Advanced reading (optional):
Defending Users Against Smartphone Apps: Techniques and Future
Directions (W. Enck, ICISS 2011).
Classes 18-21 (Nov.14-23): student presentations.
(Suggested references: papers from major 2009-2011 conferences.)
Nov.14: Daniel McCarney (password managers), M. Vefa Bicakci (h/w auth. tokens)
Nov.16: Abdelrahman M. Abdou (geolocation), Scott Durno
Nov.21: Mohamad Alsharnouby (cross-site scripting), Ann Fry (QR-codes)
Nov.23: Marsha Bissessarsingh (mouse dynamics), Tarush Saul (smartphone
Class 22 (Nov.28): Security & third-party software: stakeholder and economic influences.
Inglorious Installers: Security in the Application Marketplace,
J. Anderson, J. Bonneau, F. Stajano (WEIS 2010).
Class 23 (Nov.30): Rootkits. Class notes.
Countering Unauthorized Code Execution on Commodity Kernels: A Survey
of Common Interfaces Allowing Kernel Code Modification,
Jaeger et al. (Computers & Security, 2011).
Rootkits: Subverting the Windows Kernel
(Hoglund and Butler, Addison-Wesley, 2005).
Designing BSD Rootkits: An Introduction to Kernel Hacking
(Kong, No Starch Press, 2007).
Class 24 (Dec.5):
Top-ten security vulnerability lists, and classifying vulnerabilities.
2011 CWE/SANS Top 25 Most
Dangerous Software Errors (web site and document).
OWASP Top 10 Project (web application security).
24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Howard, LeBlanc, Viega; McGraw Hill, 2010).
CWE - Common Weakness
Enumeration (formal list of software weakness types).
A Taxonomy of Computer Program Security Flaws
(Landwehr et al., ACM Computing Surveys, 1994).
A Taxonomy of UNIX System and Network Vulnerabilities (Bishop, UC Davis tech report CSE-95-10, 1995).
Additional topics (from previous years, or for future years):
Memory management exploits (buffer overflows, etc.).
Modern Exploitation and Memory Protection Bypasses,
Alex Sotirov, invited talk/slides (USENIX Security 2009).
A Defense Against Heap-spraying Code Injection Attacks,
Ratanaworabhan et al. (USENIX Security 2009).
A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention,
Wilander and Kamkar (NDSS'03).
Malware: background and overview.
Classifying malware (worms, viruses, Trojan horses).
Virology 101 (Computing Systems, Spring 1989); and
Reflections on Trusting Trust (K. Thompson, Comm. ACM, Aug.1984).
Computer Virus-Antivirus Coevolution,
Nachenberg (Comm. ACM, Jan. 1997; pdf available online).
Drive-by downloads and web security.
All Your iFRAMEs Point to Us, Provos et al. (USENIX Security 2008).
The Ghost in the Browser: Analysis of Web-based Malware (Provos et al., HotBots'07).
Cybercrime 2.0: When the Cloud Turns Dark (Provos et al., C.ACM 52(4):42-47, 2009).
Browsers and their evolution.
The multi-principal OS construction of the Gazelle web browser,
Wang et al. (USENIX Security 2009).
Browser Security Handbook, Michal Zalewski (2008-2009 online resource).
Browser extension security (USENIX Security 2010 papers:
Bandhakavi et al.; Djeric et al.).
Browsers, same-origin policy and cross-site scripting.
SOMA: Mutual Approval for Included Content in Web Pages,
Oda et al. (ACM CCS 2008).
Cross-site Scripting Worms and Viruses,
Grossman (white paper, April 2006; disregard the marketing on pp.20-21).
Restricting system configuration privileges.
System Configuration as a Privilege,
Wurster et al. (USENIX HotSec'09; full paper is CCS 2010).
Bootstrapping Trust in Commodity Computers (Parno et al., IEEE Oakland 2010).
See papers cited in:
System Security, Platform Security and Usability
(extended abstract, van Oorschot, ACM STC'10).
More password research.
The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis (Zhang et al., ACM CCS 2010);
Metrics for Password Creation Policies by Attacking Large Sets
of Revealed Passwords (Weir et al., ACM CCS 2010);
Password Thicket: Technical and Market Failures in Human Authentication
on the Web (Bonneau and Preibusch, WEIS 2010).
Last updated: December 15, 2011.
Send comments to: paulv (insert @ here) scs.carleton.ca.