
System Architecture and Security, Fall 2008


Practicalities

Where and when: We will have lectures and seminar sessions on Fridays, 10:00-12:00 in room 4A16. The course is run as a seminar. There are no regular exercise sessions in the course, but on some dates we will use the afternoon slot too (13:00-15:00). See the schedule (subject to change!).

A PC Lab is reserved for students all Friday afternoons 13:00-15:00 (4A56, 4A58) for work on practical assignments.

Teachers Role Email Office
René Rydhof Hansen the course manager and a security guru rrh somewhere-at cs.aau.dk at AAU :(
Mikkel Bundgaard gives you a crash course in networks mikkelbu somewhere-at itu.dk 3C16
Hugo Andres Lopez the seminar czar hual somewhere-at itu.dk 3C03
Andrzej Wąsowski strives to put all this together wasowski somewhere-at itu.dk 3C08

You are welcome to come to us with any problems, concerns, questions, etc. regarding the contents, organization, style, etc. of the course. Contact the teachers any time you can catch them.

However, our main medium of communication, apart from lectures, is the course newsgroup. All teachers read and respond to questions in the newsgroup.

Textbook:

[KR] James F. Kurose and Keith W. Ross. Computer Networking, 4/e. Addison-Wesley 2008 (the book has an informative website that we should use in the course)

[VM] John Viega and Gary McGraw. Building Secure Software. Addison-Wesley 2002

Both books are available from IT-bogladen with a discount, when bought in a bundle.

Coursework

This course has a substantial amount of mandatory work, which is included in the final evaluation at the exam. The work is done in four-person groups. Hugo will organize the groups. He also has the power to grant exemptions from the group size requirement under some circumstances.

You are expected to take an active part in the seminar, both by giving presentations and by engaging in discussions.

In order to be admitted to the exam, each student has to pass a mini project (evaluated pass/fail), give a presentation in the seminar (at least once), and act as a discussant in the seminar (at least once). Moreover, your presentation slides, discussion summaries, solutions to some exercises and a project are included in the final exam.

During the semester you will be asked to create a report, a course log, in which solutions to selected exercises and other tasks will be documented. This course log has to be handed in to the exam office when the semester ends. It will be evaluated by the examiner during the exam.

The exam is oral, and includes a short presentation by each student.

You are expected to use 12 hours a week on average on this course, including classes.

Newsgroup

Please post questions and comments to the SSAS newsgroup (it-c.courses.SSAS) so that others may answer your questions and/or share your insights. Feel free to answer each other's questions and comment on messages. The newsgroup is our discussion forum. Sending and receiving news messages is very similar to sending and receiving e-mails. You can use Mozilla, the standard mail and news client at ITU, to read the newsgroups. Ask SysAdm if you need help setting up your software for reading news. There is also this information about newsgroups, available from SysAdm.

Schedule

The following schedule is permanently tentative. Please report any errors you can see in the schedule or in the course material to René.

Week   Date   Time   Learning Activity
1 Aug 29 10:00-12:00 Lecture [MB]: Introduction to the Course and Introduction to Networking.
Reading: KR pp. 27-92, 102-105; skip pp. 84-91 (history) if you are not interested. Time budget: max 2.5h. Assignments: for weeks 1-3. Resources: rfc.zip
Slides: Lecture 1
2 Sep 5 10:00-12:00 Lecture [MB]: Application Layer
Reading: KR pp. 107-204. Time budget: max 3h.
Slides: Lecture 2
13:00-15:00 Labs open for independent work on exercises [MB assists]
3 Sep 12 10:00-12:00 Lecture [MB]: Transport Layer and Network Layer: an Overview
Reading: KR pp. 221-240, 266-277, 335-385. Time budget: max 3h.
Slides: Lecture 3
13:00-15:00 Labs open for independent work on exercises [MB assists]
4 Sep 19 10:00-12:00 Lecture [RRH]: Introduction to Security
Reading: VM chapters 1, 2. Time budget: max 2h.
Slides: Lecture 4
13:00-15:00 [RRH]: Discussion based on VM chapters 3 and 5
Reading: VM chapter 3 (skimming only), 5. Time budget: max 1h.
5 Sep 26 10:00-12:00 Lecture [RRH]: Auditing, Vulnerabilities, and Exploits
Reading: VM chapters 6, 9, and 10 (only pp. 231-234, 238-241, 254-255, 263-265). Time budget: max 3h.
Slides: Lecture 5
13:00-15:00 Seminar [RRH]: Password Authentication [HJAF]
Slides: Presentation 1
6 Oct 3 10:00-12:00 Seminar [HL]: Applying Crypto [FPWZ]
Slides: Presentation 2
Demo tool available from here
7 Oct 10 10:00-12:00 Seminar [RRH]: XSS [JLPL]
Slides: Presentation 3
13:00-15:00 [RRH]: Introducing mini-projects (topic selection, group meetings with RRH, room 4A56)
Lab [RRH]: Tool support for implementation audits
Fall Vacation (Oct 13-17)
8 Oct 24 10:00-12:00 Seminar [HL]: Open Source vs. Closed Source [BMJL]
Slides: Presentation 4
9 Oct 31 10:00-12:00 Seminar [HL]: Case: The Storm Botnet [LKJE]
Slides: Presentation 5
10 Nov 7 10:00-12:00 Seminar [RRH+HL]: Malware [KSLF]
Slides: Presentation 6
13:00-15:00 Lecture [RRH]: Language-Based Security
Reading: [VSI96] (sections 5 and 6 can be skimmed, but you should spend a non-trivial amount of time and effort on understanding Section 4). Time budget: max 3h.
11 Nov 14 10:00-12:00 Seminar [HL]: students presenting: Case: The Internet Worm [NHWP]
Slides: Presentation 7
12 Nov 21 10:00-12:00 Seminar [HL]: students presenting, topics [LMKH]
Slides: Presentation 8
13 Nov 28 10:00-12:00 Seminar [HL]: students presenting, topics [LRP]
Slides: Presentation 9
14 Dec 5 10:00-11:00 Seminar [RRH]: students presenting, topics [HK]
Slides: Presentation 10
11:00-12:00 Lecture [RRH]: Design and Development of a Secure Web App
Reading: OWASP Design Guide (v2.0.1) (pp. 16-52)
Slides: Lecture 14
12:00-13:00 Lecture [RRH]: (lecture continued)
14:00-15:00 [RRH]: Course summary & What now?

Seminar Topics

You and your group are expected to become active in the seminar by giving seminar presentations and contributing to the discussions planned for every lecture. You should select one of the topics and prepare a 50-minute lecture on the topic, preferably including some time for questions during the presentation (so not a very packed 50 minutes). Contact Hugo some time in advance so you can receive some hints for the lecture. You can also discuss the presentation with him some days in advance to receive some improvement ideas (the point here is: avoid presentations being made on the last day). The presentations will be evaluated on a pass/fail scheme. The tentative list of topics includes:

Topic Presenter
Password Authentication [VM, Ch. 13] [HJAF]
Applying crypto [VM, Ch. 11] [FPWZ]
Case: The Internet Worm aka. The Morris Worm [NHWP]
Case: The Debian OpenSSL Scandal
Case: The Storm Botnet [LKJE]
XSS [JLPL]
Malware [KSLF]
Open Source vs. Closed Source [VM, Ch. 4] [BMJL]
OWASP [LMKH]
CVE/CWE
Common Criteria
Security in P2P environments: Tor and Mute [LRP]
Plugin and Automatic update security [HK]

After every hour of presentations, a second group will lead an "active session". An active session is a highly dynamic part of the seminar that aims to strengthen and complement the first hour of presentation. How the session is conducted is defined by the leading group, and it can include some group work, controversial presentations, discussions or exercises. Contact René or Hugo for some suggestions.

Group Formation

[LKJE] Kåre Hvid Lind, Per Kristensen, Toke Jeberg, Niels Ridder Ebbesen.

[BMJL] Nynne T. N. Bundgaard, Anders Møldrup, Nils Tore Saxe Jessen, Jack Lee.

[HJAF] Garry Hopwood, Marguerite Johnsen, Nele Andersen, Christian F. Larsen.

[NHWP] Michael Nielsen, Frederik Hantho, Jan Wiberg, Christian K. Poulsen.

[KSLF] Magnus Koch, Tomas Kegel Sørensen, Esben Birkebæk Larsen, Christoph Froeschel.

[JLPL] Lars Dahl Jørgensen, Antonio Lagrotteria, Andrea Picardi, Alexandru Lazar.

[FPWZ] Paulo Ferreira, Nicola Pascelupo, Alexander Sascha Westh, Zongbo Zhang.

[LRP] Jeppe Winther Larsen, Jørn Schou-Rode, Andreas Nauta Pedersen.

[LMKH] António Leitão, Héctor Pérez Martínez, Theodoros Kaloumenos, Ales Havlik.

[HK] Maxamed Hilowle, Sanjay Kamble

Course log

The course log (aka. portfolio) is supposed to contain at least the following:

* Your mini project report
* Slides (and possibly notes) from your presentation
* Material from your active session
* Specially designated exercises (only from the network part of the course)
* Optionally: personal insights and/or comments regarding course material, e.g., other presentations, other exercises, lectures, papers, class discussions, newsgroup discussions.

You should hand in three (3) copies of the course log in paper form.

Mini Project

The mini project report is expected to contain approximately three (3) to six (6) pages of real content per group member, i.e., excluding code, logs, etc.