CIS 551 / TCOM 401 - Computer and Network Security
Spring 2007
Topics    
Reading    
Projects    
Grading    
Lectures    
Policies
Time: Tues. & Thurs. 1:30 - 3:00
Room: Towne 303
Instructor:
Steve Zdancewic
      e-mail: stevez AT cis.upenn.edu
      office hours: Tues. 9:30-10:30
(and by appointment) Levine 511
Teaching Assistants:
Jeff Vaughan
      e-mail: vaughan2 AT seas.upenn.edu
      office hours: TBA
Topics:
- System Security: hacker behavior, intrusion & anomaly detection, hacker and admin
tools
- Networks & Infrastructure: TCP/IP, Denial of Service, IPSEC, TLS/SSL
- Basic Cryptography: Shared key crypto (AES/DES), Public Key Crypto (RSA),
hashes
- Crypto software: Open SSL library, applications (authentication, digital signatures)
- Trust & Configuration management
- Malicious code: buffer overflows, viruses, worms,
protection mechanisms
- Covert Channels
Reading
The following books contain useful course material, and much of
the lecture content is derived from them (and other sources). Copies
of these books are on reserve in the Penn Engineering Library.
- Security in Computing (3rd edition) by Pfleeger and Pfleeger
- Computer Networks: A Systems Approach (3rd edition) by Larry L. Peterson and Bruce S. Davie
- Applied Cryptography (2nd edition) by Bruce Schneier
In addition, the following papers and web sites provide supplementary
material. Reading selections from these sources will be announced in class.
- Security
Engineering, Ross Anderson's textbook
- The Protection of Information in Computer Systems, Saltzer & Schroeder (1975)
- Smashing the Stack for Fun and Profit, Aleph One (1996)
- Cyclic Redundancy Check (CRC) on Wikipedia
- The Internet Worm Program: An Analysis, Gene Spafford (1988)
- Kerberos: An Authentication Service for
Open Network Systems, Steiner, Neuman, Schiller (1988)
- Kerberos
FAQ
- Introduction to the Internet Protocols, Charles L. Hedrick (Rutgers). This
1987 tutorial is surprisingly up to date, and is a very concise introduction
to the basics of the Internet protocols.
- Open SSL web page. The OpenSSL
library is installed on eniac-l.
- "A look
Back at 'Security Problems in the TCP/IP Protocol Suite'". S. M. Bellovin.
20th Computer Security Applications Conference. December 2004.
-
"Advanced 4.4BSD Interprocess Communication Tutorial." Lefler, et al.
- Why Cryptosystems Fail, Ross Anderson (1993)
- Inside the Slammer Worm, Moore et al. (2003).
- How to 0wn the Internet in Your Spare Time , Staniford, Paxson, and Weaver (2002).
- Top Speed of Internet Flash Worms, Staniford, Moore, Paxson, and Weaver (2004).
- Internet Quarantine: Requirements for Containing Self-propagating Code, Moore et al. (2003)
- Automated Worm Fingerprinting, Singh et al. (2004)
- Bro Intrusion Detection System
- Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson. (1998)
- NSA Central Security Service
- TCSEC
- CERT
- National Information Assurance
Training and Information Center
- Why Phishing Works by Dhamija, Tygar, and Hearst
-
Protecting Browser State from Web Privacy Attacks, Jackson et
al.
-
Dos and Don'ts of Client Authentication on the Web, Kevin Fu
et al.
- SQL Injection attacks, Chris
Anley
- Cross site scripting explained, Amit
Klein
-
Terra: A Virtual Machine-Based Platform for Trusted Computing,
Garfinkel, et al.
- Nexus,
Sirer, et al.
- Analysis of an Electronic
Voting System, Kohno, et al.
- Followup
and rebuttals from the Diebold voting machine analysis
- Web pages of previous versions of CIS 551:
[2006]
[2005]
- Example exams from previous instances of 551 (note the order of
the course content may have differed):
Midterm 1
Midterm 2
Midterm 2
Final
Projects
Project 1: Buffer Overflows Due: 1
Feb. 2007 at midnight
Project 2: Network Intrusion Detection Due: 15
Mar. 2007 at 11:59 p.m.
Project 3: Cryptography Due: 3
April 2007 at 11:59 p.m.
Project 4: Secure Distributed Banking Due: 20
April 2007 at 11:59 p.m.
Grading Criteria
- 16% Midterm I - tentative date Feb. 8th
- 16% Midterm II - tentative date Mar. 22nd
- 25% Final exam - date to be determined by registrar
- 40% Course projects (group projects)
- 03% Course participation
Lecture Slides and Notes
Course Policies
- Individual homework assignments will be available on the web
pages. They are to be completed independently and turned in at the
beginning of class on the due date.
- Late homework will not be accepted without prior permission of the
instructor unless there are emergency circumstances.
- Teams for group projects will consist of two or three students.
Students are not permitted to work individually on the team projects.
Regrade Policy
Regrade requests should be sent to the TA. Only reasonable requests
will be considered. The entire homework or exam will be regraded.
Note that this means that the score on a regraded homework might
decrease.
Academic Integrity
This course will abide by the University's Code of Academic
Integrity. In particular, for individual projects and group
projects, the following guidelines should be followed:
- For individual projects, you must type in and edit
your own code, documentation, and any other materials submitted
for grading.
- Copying someone else's file is not allowed.
- Allowing someone else to copy a file of yours, either explicitly or
implicitly by leaving your code unprotected, is not allowed.
- Editing each other's files is not allowed
- Regarding the ethics of what you may or may not discuss with
others:
-
If there is any doubt about the use of external
sources or collabortation, please ask for clarification by the
course staff.
|