August 28, 2003
Course Objective
Course Material
Prerequisites
Course Outline
Grading
Contact
Course Policies
Security Assured Information Systems Track (SAIS)
Introduction to Security
Information Systems Security
Basic Components of Security
Interdependencies
Information Security 20 years back
Information security today
Terminology
Attack Vs Threat
Common security attacks
Classes of Threats
Goals of Security
Policies and Mechanisms
Assumptions and Trust
Types of Mechanisms
Slide 24
Information Assurance
Assurance
Operational Issues
Human Issues
Tying all together: The Life Cycle
Protection System
Slide 31
Access Control Matrix Model
Access Control Matrix
Slide 34
Access Controlled by History
Slide 36
Solution: Query Set Overlap Control (Dobkin, Jones & Lipton ’79)
ACM of Database Queries
But Query 2
State Transitions
Primitive commands (HRU)
Create Subject
Create Object
Add Right
Delete Right
Destroy Subject
Destroy Object
System commands using primitive operations
Conditional Commands
Attenuation of privilege
Fundamental questions
What is a secure system?
Safety Problem: formally
Decidability Results (Harrison, Ruzzo, Ullman)
What is the implication?
Take-Grant Protection Model
Slide 57
Take-Grant Protection Model: Sharing
Any two subjects with tg-path of length 1 can share rights
Slide 60
Other definitions
Bridge
Theorem: Can_share(α,x,y,G0) (for subjects)
What about objects? Initial, terminal spans
Theorem: Can_share(α,x,y,G0)

Courtesy of Professors Prasant Krishnamurthy, Chris Clifton & Matt Bishop
INFSCI 2935: Introduction to Computer Security
August 28, 2003
Introduction to Computer Security

Course Objective
- The objective of the course is to cover the fundamental issues of information system security and assurance.

Course Material
- Textbook
  - Computer Security: Art and Science, Matt Bishop, Addison-Wesley, 2003
  - Will follow the book mostly
  - Will be supplemented by other material (references and papers)
  - Errata URL: http://nob.cs.ucdavis.edu/~bishop/
- Other References
  - Security in Computing, 2nd Edition, Charles P. Pfleeger, Prentice Hall
  - Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson, Wiley, John & Sons, Incorporated, 2001
  - Building Secure Software: How to avoid the Security Problems the Right Way, John Viega, Gary McGraw, Addison-Wesley, 2002
- Papers
  - List will be provided as supplemental readings and review assignments

Prerequisites
- Assumes the following background
  - Good programming experience
  - Working knowledge of operating systems, algorithms and data structures, database systems, and networks
  - Mathematics
    - Undergraduate mathematics
    - Some knowledge of mathematical logic
- Not sure? SEE ME

Course Outline
- Security Basics (1-8)
  - General overview and definitions
  - Security models and policy issues
- Basic Cryptography and Network security (9-12, 26)
  - Introduction to cryptography and classical cryptosystem
  - Authentication protocols and Key Management
- Systems Design Issues and Information assurance (13-21, 24, ??)
  - Design principles
  - Security Mechanisms
  - Auditing Systems
  - Risk analysis
  - System verification and evaluation
- Intrusion Detection and Response (23, 25, ??)
  - Attack Classification and Vulnerability Analysis
  - Detection, Containment and Response/Recovery
- Miscellaneous Issues (22, ??)
  - Malicious code, Mobile code
  - Digital Rights Management, Forensics
  - Emerging issues: E/M-commerce security, Multidomain Security Issues etc.

Grading
- Lab + Homework/Quiz/Paper review 30%
- Midterm 20%
- Paper/Project 15%
  - List of suggested topics will be posted; encouraged to think of a project/topic of your interest
- Comprehensive Final 35%

Contact
- James Joshi
- 721, IS Building
- Phone: 412-624-9982
- E-mail: [email protected]@mail.sis.pitt.edu
- Web: www2.sis.pitt.edu/~jjoshi/INFSCI2935
- Office Hours:
  - Fridays: 2.00 – 4.00 p.m.
  - By appointments
- GSA: will be announced later

Course Policies
- Your work MUST be your own
  - No copying from web or other books without understanding the material
  - Zero tolerance for cheating
  - You get an F for the course if you cheat in anything however small – NO DISCUSSION
- Homework
  - There will be penalty for late assignments (15% each day)
  - Ensure clarity in your answers – no credit will be given for vague answers
  - Homework is primarily the GSA’s responsibility
  - Solutions will be posted in the library
- Check webpage for everything!
  - You are responsible for checking the webpage for updates

Security Assured Information Systems Track (SAIS)
- INFSCI 2935 will likely be TEL2810
- INFSCI 2935 is the foundation course for the SAIS track
- SAIS Courses
  - Prof. Krishnamurthy
    - TELCOM 2820 – Cryptography
    - TELCOM 2821 – Network Security (??)
- Several interesting electives (??)
  - TELCOM 2825: Information System and Infrastructure Protection
    - Dr. Tipper – Fall 2003
- [Diagram: SAIS Track Core (12 credits) and SAIS Track Electives (3 credits); courses shown: TEL-2810 Intro To Security, TEL-2820 Cryptography, TEL-2821 Network Security, TEL-2830 Capstone Course in Security]


Pitt IS 2935 - LECTURE NOTES
