IY5512 - Computer Security

IY5512 is one of the four modules making up Core A of the Information Security MSc. The aims of the module are to introduce the security issues that computer systems must address and to describe some of the techniques for implementing security in operating systems.

Lectures took place in Bourne Lecture Theatre 1 (BLT1) on Monday afternoons (14:00 – 17:00) during the autumn term; the first of the eleven lectures was on 28/9/15 and the last was on 7/12/15.

The course leader is Chris Mitchell.

Teaching material

Copies of the lecture presentations for the 2015/16 academic year are provided via this web page. Please note that the handouts will be subject to minor modifications during and after delivery of the course to correct any discovered errors, remove redundancy, and/or add additional clarifications.

Part 0: Preliminaries and introduction to computer systems (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome);
Part 1: Introduction to computer security (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome);
Part 2: Design and evaluation (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome);
Part 3: Hardware security (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome);
Part 4: Software security (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome);
Part 5: Identification and authentication (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome);
Part 6: Authorisation (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome);
Part 7a: Unix security - which was presented by Antony Stone on 26th October 2015 (available in the following format only: 1-up colour);
Part 7b: Windows security (available in the following formats for easy printing: 1-up colour, 2-up colour, 1-up monochrome, 2-up monochrome).

This course has the following associated (optional, non-assessed) coursework. Each piece of coursework is associated with one part of the course (as indicated by the number). If feedback is required on your coursework solutions, please submit them via the course page on Moodle before the deadline specified below. Worked solutions will be provided as the course progresses.

Coursework 0. The deadline for submissions requiring feedback was 23:59 UK time on Friday 9/10/15.
Coursework 1. The deadline for submissions requiring feedback was 23:59 UK time on Friday 16/10/15.
Coursework 2. The deadline for submissions requiring feedback was 23:59 UK time on Friday 23/10/15.
Coursework 3. The deadline for submissions requiring feedback was 23:59 UK time on Friday 30/10/15.
Coursework 4. The deadline for submissions requiring feedback was 23:59 UK time on Friday 20/11/15.
Coursework 5. The deadline for submissions requiring feedback was 23:59 UK time on Friday 27/11/15.
Coursework 6. The deadline for submissions requiring feedback was 23:59 UK time on Friday 4/12/15.
Coursework 7a. The deadline for submissions requiring feedback was 23:59 UK time on Friday 6/11/15.
Coursework 7b. The deadline for submissions requiring feedback was 23:59 UK time on Friday 11/12/15.

Background material

Links of potential use for this course are as follows

Computing background: The following books are recommended:

J. L. Hennessy and D. A. Patterson, Computer Architecture: A Quantitative Approach.
A. S. Tanenbaum, Modern Operating Systems. Prentice-Hall.

Security principles:

The text of the Saltzer and Schroeder security principles paper (The Protection of Information in Computer Systems) is available here.
ENISA regularly publishes updated assessments of the current cybersecurity threat landscape [thanks to Dimitra Anastasopoulou for this link].

Security standards links:

The Internet (IETF) documents, including current drafts, are all available at the IETF home page.
For information regarding published ISO standards, see the ISO web site. Note that those ISO standards that are publicly available (only a small number I'm afraid) are available here.

Identity verification:

ENISA (the European Network and Information Security Agency) has published reports on mobile identity management and behavioural biometrics.

Secure software development:

The Microsoft Security Development Lifecycle (SDL) web page is highly recommended. As stated on the page 'The SDL is ... [a] software security assurance process. A Microsoft-wide initiative and a mandatory policy since 2004, the SDL introduces security and privacy throughout the development process'. Of particular interest to all developers are the wide range of development tools provided for free download.
The SDL Progress Report describes the evolution of the SDL and how it has been used in Microsoft.

Vulnerabilities:

The Microsoft Security Intelligence Report (SIR) provides analyses of the changing threat landscape, including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.
McAfee provides a nice range of free tools to test your understanding of penetration testing and finding vulnerabilities.
This site provides a fascinating insight into how Microsoft manages software vulnerabilities.
A nice example of an attack using DMA is described here [thanks to Daan Stakenburg for the link].
There is a really neat animated explanation of buffer overflow attacks here [thanks to Daan Stakenburg for this one].
SOPHOS provide a very nice analysis of threats and vulnerabilities, amongst many other useful resources on their web pages.

Hardware security:

A helpful description of some of the features of Intel VT-d is provided here.
Information about the historic CIH BIOS-destroying virus is available on this Wikipedia page, and a very nice video of the virus in action is available on YouTube [thanks to Dimitra Anastasopoulou for these links].

Windows security:

A detailed and very helpful description of 'How Security Descriptors and Access Control Lists work' is available here [thanks to Matthew Hodgson for this link].

General:

The European Network and Information Security Agency (ENISA) publishes a wide variety of reports on security topics.
Some classic papers on computer security are available here and here.
The SysSec Project published its Red Book on 1st September 2013. This document provides a roadmap for systems security research, highlighting areas in need of particular attention.

Further security links (including a range of links to security standards pages) are available from Chris Mitchell's home page.

Footnotes

This page was created by Chris Mitchell. Please email all comments and corrections to me@chrismitchell.net. This page was most recently updated on 10/6/16.

Back to the ISG home page, Back to Royal Holloway Home Page