Final review

December 10, 2009

I have posted a summary of things to know for the final exam.

Lectures 22 and 23

November 24, 2009

In the past two lectures we have covered several examples of authentication/key-exchange protocols and attacks that can be carried out against them. This topic makes for great exam questions, so make sure you understand everything discussed in class.

Homework 4 is now available. The homework is intended to give you some practice in analyzing such protocols. Those of you who have a copy of the book may also want to look at all the questions at the ends of Chapters 9, 11, and 12.

Lectures 20 and 21

November 16, 2009

We have begun talking about network security, starting with a focus on authentication mechanisms (passwords, keys, biometrics, hardware tokens, …) and protocols.

After we finish discussing the principles underlying the design of such protocols, we will see some real-world examples.

Lecture 19

November 16, 2009

Haven’t posted here in a while…

Lecture 19 covered typical web security vulnerabilities, most prominently cross-site scripting (XSS) attacks and cross-site request forgery (CSRF) attacks.

Lectures 17 and 18

November 5, 2009

The last two lectures dealt with two types of input validation attacks: buffer overflows and SQL injection attacks.

The examples discussed in lecture 17 are posted on the syllabus along with the lecture slides.

As announced in class, HW3 is now out. On this homework you will use buffer overflow attacks to break 3 password authentication programs. I hope you find the homework fun!

Midterm review

October 22, 2009

I have written a brief summary of material that will be covered on the midterm. Please read the caveat at the top, though.

HW2, part II

October 22, 2009

By now you should all have access to another team’s code that you can try to attack. If that is not the case, you should email the TA immediately.

Because of the delay in getting these to you, and due also to the midterm next week, I am going to move the deadline by 48 hours to Nov. 3, 11:59 PM.

Lecture 15

October 21, 2009

This lecture covered database privacy. I hope you enjoyed the lecture — I find this material endlessly interesting since the attacks can be so subtle. It is quite amazing to me that database privacy has been formalized only recently (as I will discuss in class on Nov. 2).

Next Monday there will be a guest lecturer — Paul Syverson will be speaking about Tor, a real-world anonymous network. It promises to be a great lecture! (And in case that doesn’t convince you to come, any material covered is fair game for the final…)

Next Wednesday is the midterm, which will cover all the material through today’s lecture. I will post a review sheet by the end of the week.

Lectures 13-14

October 20, 2009

The past two lectures have focused primarily on access control. We reviewed different mechanisms for ensuring access control (e.g., access control matrices, access control lists, and capabilities), followed by different policies for access control (discretionary AC, several varieties of mandatory AC, and role-based AC).

We wrapped up the module on system security with a brief discussion of code-based access control and trusted computing.

Lecture 12

October 12, 2009

We wrapped up our discussion of ‘circumventing crypto’ with a brief mention of timing/power attacks. For further information about the original attacks, plus suggested countermeasures, see the website of the company Cryptography Research (founded by Paul Kocher, the one who first published the idea of power attacks).

After this, we began our module on systems security by giving an overview and discussing general principles.

In class I also announced that the midterm will be on Oct. 28, covering material through the class on Oct. 21.

PS: In class I mistakenly said that the Saltzer-Schroeder article was required reading. While the material we covered in class is, as always, fair game, you are not required to read the article.