Updated 12/22/2011 1130

George Mason University

Department Of Computer Science

Information Security Theory and Practice

Fall 2011

Monday 7:20 p.m. - 10:00 p.m.
Krug Hall 242
Dr. Michael Smeltzer
Spammers lead unfulfilling lives
Office Hours: By Appointment


Course Catalog: A technical introduction to the theory and practice of information security, which serves as the first security course for the MS-ISA degree, is required as a prerequisite for all subsequent ISA courses (at the 600 and 700 levels) and subsumes many topics covered by the CISSP examination. Also serves as an entry-level course available to non-ISA students, including MS-CS, MS-IS, and MS-SWE students.


INFS 501 - Discrete and Logical Structures for Information Systems
INFS 515 - Computer Organization
INFS 519 - Program Design and Data Structures
SWE 510 - Object-Oriented Programming in Java

The following concepts from INFS 501 will be used in the course with minimal or no instruction:

  • Discrete math notation
  • Boolean logic
  • Directed graphs
  • Functions, relations; POSets, and lattices
  • Modular Arithmetic
  • Finite State Machines
    1. I will define and talk about Turing Machines as a way to address decidability regarding security of a system.
    2. I may also touch on the subject of Formal Languages and the associated notation to explain one of the access control models.

Bishop, Matt. Computer Security: Art and Science. Addison Wesley/Pearson. 2003. 11th Printing 2009.

Errata1      Errata2      Errata3      Errata4      Errata5

DIGITAL LIBRARY: The GMU Digital Library provides access to ACM and IEEE papers.


Week Topic Reading Foundational Papers in IA - Supplemental Reading
8/29 Introduction
Ch #1 1. OWASP Top Ten - 2010 
2. Zetter, Kim. "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History" , Wired agazine. July, 2011.
3. Howard, John D. and Thomas A. Longstaff. A Common Language for Computer Security Incidents Sandia National Laboratories. October, 1998.
9/5 Labor Day     
9/12 Access Control Matrix 
Ch #2
Ch #15  

1. Lampson, Butler W. "Protection." Xerox Corporation, 1971.
2. Graham G. S. and P.J. Denning. "Protection - Principles and Practice." Proceedings of Spring Joint Comoputer Conference, AFIPS, 1972, pp.417-429   GMU Digital Library - ACM
9/19 Decidability of Safe Systems  

Several Updates 10/18
Ch #3 Sections 3.0 through 3.3

Homework #1 due  

Harrison M, W. Ruzzo, and J.Ullman. Protection in Operating Systems. Communications of the ACM , 1976. 
9/26 Decidability of Safe Systems (cont'd)   A. Jones, R. Lipton, and L. Snyder. A Linear Time Algorithm for Deciding Security. Proc. 17th Annual Symp. on the Foundations of Computer Science (Oct. 1976), 33-41  [The Take Grant Model]
10/3 Security Policies and Policy Languages    

Ch #4

Homework #2 due  

1. Jones, Anita K. and Richard J. Lipton. "The Enforcement of Security Policies for Computation". ACM SIGOPS Operating Systems Review, 1975.
2. Moses, Tim, Editor. " eXtensible Access Control Markup Language (XACML)" OASIS Standard, 1 Feb 2005. 
10/10 Exam #1      Homework #3 assigned
10/17 Bell LaPadula and LBAC/MAC

Take Home Exam Due

Ch #5

1. Bell, D. Elliot and Leonard J. LaPadula. Secure Computer Systems: A Mathematical Model An electronic reconstruction by Len LaPadula of the original MITRE Technical Report 2547, VolumeI titled "Secure Computer Systems: Mathematical Foundations" by D. Elliot Bell and Leonard J. LaPadula dated 1March, 1973.
2. Karger, P.A. The Lattice Security Model in a Public Computing Network. Proceedings 1978 Annual Conference. 4-6 December 1978, Washington, DC Association for Computing Machinery. p. 453-459 GMU Digital Library 
10/24 Integrity Policies (Biba and Clark Wilson) Ch #6  

Homework #3 due
1. Clark, D.D. and D. R. Wilson. "A Comparison of Commercial and Military Computer Security Policies." Proceedings of the IEEE Symposium on Security and Privacy. 1987. pages 184-194.
2. Biba, K., Integrity Considerations for Secure Computer Systems , ESD-TR-76-372, ESD/AFSC, Hanscom AFB, Bedford, MA (Apr. 1977)  
10/31 Hybrid Policies (Chinese Wall, ORCON, RBAC) Ch #7

1. Brewer, David and Michael Nash. "The Chinese Wall Security Policy." IEEE Symposium on Research in Security and Privacy. 1989.
2. Ferraiolo, D.F,. R. Sandhu, S. Gavrila, D. R. Kuhn and R. Chandramouli. Proposed NIST Standard for Role-Based Access Control ACM Transactions on Information System Security, Vol 4, No. 3, August, 2001. Pages 224-274.  
11/7 Exam #2    
11/14 Basics of Cryptography
Ch #9

1. NSA's American Cryptology During the Cold War
2. FBI's Ricky McCormick Story 
3. NSA National Cryptologic Museum
11/21 Basics of Cryptography (cont'd)
Homework #4 due

11/28 Key Management Ch #10
12/5 Ciphers
(May not get this far)
Ch #11
Homework #5 due
12/19 Exam #3

There will be three exams which will carry equal weight. I will assume you know the material from all previous lectures, but the questions will focus on the lectures since the last exam
  • Take Home Exam 1
    • Posted October 9
    • Due October 17
  • Exam 2 - Nov 7
  • Exam 3 - Dec 19
GMU Honor Code
CS Department Honor Code
University Finals Schedule

You can NOT make up the exams, and you must take the final during the registrar's official scheduled time slot
Coordinate your travel accordingly.

I reserve the right to compare papers submitted by students to any other papers written in this class, in another class or anywhere else by any means necessary (automated or non-automated) to identify plagerism which is a violation of the GMU Honor Code. Please notice that the Dean has identified plagiarism as a serious problem at every level of study, and any identified plagiarism will be reported to GMU as an honor code violation.

There will NOT be an option for extra credit.