CS5430: System Security (Fall 2023)
- Course
Overview and Organization.
- Lecture times, teaching staff, office hours, prerequisites, assignments
and grading policy.
- Topic
Outline.
- High-level listing of topics to be covered along with recommended
readings.
-
Announcements
- [11/20] HW 3 is available.
See below.
- [11/6] Notes for Information Flow now posted.
These notes can be accessed through
Topic Outline.
- [11/6] Phase 2 due date extended to Sunday Nov 12 at 11:59pm.
- [11/1] Lecture cancelled on Friday Nov 3.
The provost memo of November 1 suggests we all use this day as
"restorative time".
- [10/17] Class will not meet (revised):
- Nov 10 (Fri).
- Nov 15, 17 (Wed, Fri).
- Nov 29 (Wed).
- [10/17] Project phase 2 is now posted.
See below.
- [10/11] Special lecture Monday Oct 16, 3-4pm, Gates 122.
Hear Ulfar Urlingsson (Chief Architect at Lacework) speak about
"The New Normal: Achieving Security in an Ever-Changing Cloud".
- [10/5] Next Java/Project Q+A is Monday Oct 23 730-930pm in Gates G01.
It will provide an opportunity to ask questions about phase 2.
- [10/5] Phase 1 hint: Build a single key-value store
that is shared by all users. Phase 2 will extend the functionality of
a single key-value store that is shared by multiple users. So that is the
appropriate functionality to build in phase 1 (rather than building a phase 1 system
that creates a separate key-vale store for each user).
- [9/29] Phase 1 hint: Using timestamps for nonces is
a bad idea for phase 1.
     In an actual distributed system,
a client and a server would be running
on different processors. Clocks on different processors run at slightly
different rates and, therefore, it is not sound to assume that those clocks would be
synchronized. A secure clock-synchronization protocol would have to be running
to keep clocks at different processors synchronized.
     Assumptions are potential vulnerabilities.
Protocols that use
nonces based on timestamps obtained from clocks that are assumed
to be synchronized could have a vulnerability if clocks are
not synchronized or clock
synchronization could be disrupted. Systems with vulnerabilities
will have grade deductions.
     The distributed system simulator for phase 1
(unfortunately) does not provide access
to the clocks at the client and server and, therefore, you do not have the needed access
for building a secure clock-synchronization protocol.
The simulator also gives the misleading impression that the clocks at the client
and server are perfectly synchronized --- but that might not be true for the
network we use in grading your submission.
     Forewarned is forearmed.
Use the clock to generate nonces only if your use of those nonces is not
assuming clock synchronization.
- [9/18] Project phase 1 is now posted.
See below.
- [9/15] Phase 1 / Java Tutorial and Discussion Sessions.
Gates G01, 8pm-10pm on Wed nights 9/20, 9/27, 10/4, 10/11.
- [9/15] HW 2 is available.
See below.
- [9/07] TA office hours start week of 9/11.
See Course Overview and Organization.
- [8/30] Project phase 0 is now posted.
See below.
- [8/30] HW 1 is available.
See below.
- [8/21] Class will not meet the week of August 21.
Professor Schneider is ill.
- [8/21] Class will not meet:
- Sept 25, 27 (Mon, Wed).
- Nov 10 (Fri).
- Nov 15, 17 (Wed, Fri).
- Other dates to be announced.
- [8/21] The midterm examination
is the evening of Oct 26 (Thurs).
Here is an an old exam
and the solutions.
This semester's class will cover a slightly different list of topics,
so some of the questions asked on that old exam concern material
that the Fall 2023 midterm exam will not cover.
The exam this year will cover all material from lecture through
our discussion of RBAC, the corresponding readings, homework,
and project phases 0 and 1.
- [8/21] TA office hours.
TA office hours begin the week of August 28.
Times and places will be listed in
Course Overview and Organization
-
Homework
- Homework 1
(Articulating Security Goals)
due 9/8 at 11:59pm.
- Homework 2
(Authentication of Machines)
due 9/29 at 11:59pm.
- Homework 3
(Information Flow)
due 12/1 at 11:59pm.
-
Project
- Project Phase 0
(An insecure key-valye store),
due 9/18 at 11:59pm.
- Project Phase 1
(An authenticated key-valye store),
due 10/16 at 11:59pm.
- Project Phase 2
(DAC Authorization for key-value store),
due 11/8 at 11:59pm.
Extended to Sunday Nov 12 at 11:59pm.