COMS W4187: Security Architecture & Engineering (Fall 2017)
Lecture Details
Instructor: Suman Jana
Office: Mudd 412
Office hours: Monday (4-6 pm) or by appointment
TA Office hours: Plaban Mohanty(pm2878 AT columbia.edu) Tuesday & Thursday (5-6:30 pm) CS IA room
Classroom: Mudd 545
Class hours: Monday and Wednesday (2:40-3:55 pm)
Description
This class will teach you different concepts and tools for building secure systems. We will start from the fundamentals of computer security and cryptography. Next, we will examine how these concepts are implemented in modern systems. Finally, we will demonstrate how common mistakes made by the developers undermine the security of deployed real-world systems and describe how to avoid making such mistakes.
Note:There will be no assigned textbook for the class and you are expected to read the assigned articles/papers/slides carefully.
Prerequisite
There is no formal prerequisite for this class but you should be generally comfortable to deal with complex large source code (> 1000 lines of C/C++ code) and have basic knowledge of testing/debugging tools like gdb, gcov, etc. Feel free to send me an email if you have any specific questions.
Grading
- programming assignments (6) - 54%
- Midterm - 20%
- Final (non-cumulative) - 20%
- Class participation - 6%
Schedule
| Date | Topics | Lecture slides & Reading |
| Sep 6 | Introduction | intro.pptx, intro.pdf |
| Sep 11 | Principle of least privilege/Access control | principles.pptx, principles.pdf Reading materials: SetUID demystified, Operating Systems Security (Chapter 4), qmail security architecture |
| Sep 13 | Principle of least privilege/Access control (cntd.) | |
| Sep 18 | Principle of least privilege/Access control (cntd.) | PA1 is posted in CourseWorks and is due by 11:59pm on 27th Sep. |
| Sep 20 | Sandboxing & Isolation | isolation.pptx, isolation.pdf Reading materials: Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools, Efficient Software-Based Fault Isolation |
| Sep 25 | Sandboxing & Isolation (cntd.) | |
| Sep 27 | Authentication | authentication.pdf Reading materials: Password security: a case history, The Limits of SMS for 2-Factor Authentication |
| Oct 2 | Cryptography basics | crypto_summary.ppt, crypto_summary.pdf Reading materials: Network Security: Private Communication in a Public World 2nd ed. by Kaufman et al. (Chapters 5.1-2, 5.6-7, 2.1-6, 4.2, and 6.1-6) PA2 is posted in CourseWorks and is due by 11:59pm on 11th Oct. |
| Oct 4 | Cryptography basics (cntd.) | |
| Oct 9 | Cryptography basics (cntd.) | |
| Oct 11 | Cryptography basics (cntd.) | PA3 is posted in Courseworks and is due by 11:59pm on 20th Oct. |
| Oct 16 | Cryptography basics (cntd.) | |
| Oct 18 | How crypto goes wrong in practice? | crypto_fails.ppt, crypto_fails.pdf |
| Oct 23 | SSL/TLS | ssl.ppt, ssl.pdf Reading materials: Network Security: Private Communication in a Public World 2nd ed. by Kaufman et al. (Chapters 15.1-7 and 19) PA4 is posted in Courseworks and is due by 11:59pm on 27th Oct. |
| Oct 25 | SSL/TLS (cntd.) | |
| Oct 30 | Midterm | |
| Nov 1 | Midterm | |
| Nov 6 | No class (Academic Holiday) | |
| Nov 8 | SSL/TLS (cntd.) | |
| Nov 13 | SSL/TLS (cntd.) | PA5 is posted in Courseworks and is due by 11:59pm on 22nd Nov. |
| Nov 15 | Memory corruption attacks | memory_attacks.pptx, memory_attacks.pdf Additional reading: Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Basic integer overflows |
| Nov 20 | Memory corruption attacks (cntd.) | |
| Nov 22 | No class (Academic Holiday) | |
| Nov 27 | Crypto application: Bitcoin | bitcoin.pdf Reading materials: How the bitcoin protocol actually works by J. Moller |
| Nov 29 | Viruses and rootkits | malware.ppt, malware.pdf |
| Dec 4 | Viruses and rootkits (cntd.) | |
| Dec 6 | Final exam | |
| Dec 11 | Final exam |