Updated 12/22/2011 1130

George Mason University

Department Of Computer Science

Information Security Theory and Practice

Fall 2011

Monday 7:20 p.m. - 10:00 p.m.
Krug Hall 242
Dr. Michael Smeltzer
Spammers lead unfulfilling lives
Office Hours: By Appointment


DESCRIPTION:

Course Catalog: A technical introduction to the theory and practice of information security, which serves as the first security course for the MS-ISA degree, is required as a prerequisite for all subsequent ISA courses (at the 600 and 700 levels) and subsumes many topics covered by the CISSP examination. Also serves as an entry-level course available to non-ISA students, including MS-CS, MS-IS, and MS-SWE students.



PREREQUISITES:

INFS 501 - Discrete and Logical Structures for Information Systems
INFS 515 - Computer Organization
INFS 519 - Program Design and Data Structures
SWE 510 - Object-Oriented Programming in Java

The following concepts from INFS 501 will be used in the course with minimal or no instruction:

  • Discrete math notation
  • Boolean logic
  • Directed graphs
  • Functions, relations; POSets, and lattices
  • Modular Arithmetic
  • Finite State Machines
    1. I will define and talk about Turing Machines as a way to address decidability regarding security of a system.
    2. I may also touch on the subject of Formal Languages and the associated notation to explain one of the access control models.


TEXT:
Bishop, Matt. Computer Security: Art and Science. Addison Wesley/Pearson. 2003. 11th Printing 2009.

Errata1      Errata2      Errata3      Errata4      Errata5


DIGITAL LIBRARY: The GMU Digital Library provides access to ACM and IEEE papers.



"NOTIONAL" SCHEDULE:

Columns: Week | Topic | Reading | Foundational Papers in IA - Supplemental Reading

8/29   Introduction
       Reading: Ch #1
       Supplemental:
         1. OWASP Top Ten - 2010
         2. Zetter, Kim. "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History." Wired Magazine, July 2011.
         3. Howard, John D. and Thomas A. Longstaff. "A Common Language for Computer Security Incidents." Sandia National Laboratories, October 1998.

9/5    Labor Day (no class)

9/12   Access Control Matrix
       Reading: Ch #2, Ch #15
       Supplemental:
         1. Lampson, Butler W. "Protection." Xerox Corporation, 1971.
         2. Graham, G. S. and P. J. Denning. "Protection - Principles and Practice." Proceedings of the Spring Joint Computer Conference, AFIPS, 1972, pp. 417-429. (GMU Digital Library - ACM)

9/19   Decidability of Safe Systems (Several updates 10/18)
       Reading: Ch #3, Sections 3.0 through 3.3
       Homework #1 due
       Supplemental:
         Harrison, M., W. Ruzzo, and J. Ullman. "Protection in Operating Systems." Communications of the ACM, 1976.

9/26   Decidability of Safe Systems (cont'd)
       Supplemental:
         Jones, A., R. Lipton, and L. Snyder. "A Linear Time Algorithm for Deciding Security." Proc. 17th Annual Symp. on the Foundations of Computer Science (Oct. 1976), pp. 33-41. [The Take-Grant Model]

10/3   Security Policies and Policy Languages
       Reading: Ch #4
       Homework #2 due
       Supplemental:
         1. Jones, Anita K. and Richard J. Lipton. "The Enforcement of Security Policies for Computation." ACM SIGOPS Operating Systems Review, 1975.
         2. Moses, Tim, ed. "eXtensible Access Control Markup Language (XACML)." OASIS Standard, 1 Feb 2005.

10/10  Exam #1
       Homework #3 assigned

10/17  Bell-LaPadula and LBAC/MAC
       Take Home Exam due
       Reading: Ch #5
       Supplemental:
         1. Bell, D. Elliott and Leonard J. LaPadula. "Secure Computer Systems: A Mathematical Model." An electronic reconstruction by Len LaPadula of the original MITRE Technical Report 2547, Volume I, titled "Secure Computer Systems: Mathematical Foundations," by D. Elliott Bell and Leonard J. LaPadula, dated 1 March 1973.
         2. Karger, P. A. "The Lattice Security Model in a Public Computing Network." Proceedings of the 1978 Annual Conference, 4-6 December 1978, Washington, DC. Association for Computing Machinery, pp. 453-459. (GMU Digital Library)

10/24  Integrity Policies (Biba and Clark-Wilson)
       Reading: Ch #6
       Homework #3 due
       Supplemental:
         1. Clark, D. D. and D. R. Wilson. "A Comparison of Commercial and Military Computer Security Policies." Proceedings of the IEEE Symposium on Security and Privacy, 1987, pp. 184-194.
         2. Biba, K. "Integrity Considerations for Secure Computer Systems." ESD-TR-76-372, ESD/AFSC, Hanscom AFB, Bedford, MA (Apr. 1977).

10/31  Hybrid Policies (Chinese Wall, ORCON, RBAC)
       Reading: Ch #7
       Supplemental:
         1. Brewer, David and Michael Nash. "The Chinese Wall Security Policy." IEEE Symposium on Research in Security and Privacy, 1989.
         2. Ferraiolo, D. F., R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. "Proposed NIST Standard for Role-Based Access Control." ACM Transactions on Information and System Security, Vol. 4, No. 3, August 2001, pp. 224-274.

11/7   Exam #2

11/14  Basics of Cryptography
       Reading: Ch #9
       Supplemental:
         1. NSA's American Cryptology During the Cold War
         2. FBI's Ricky McCormick Story
         3. NSA National Cryptologic Museum

11/21  Basics of Cryptography (cont'd)
       Homework #4 due

11/28  Key Management
       Reading: Ch #10

12/5   Ciphers (may not get this far)
       Reading: Ch #11
       Homework #5 due

12/19  Exam #3, 7:30-10:15

EXAMS:
There will be three exams, which will carry equal weight. I will assume you know the material from all previous lectures, but the questions will focus on the lectures since the last exam.
  • Take Home Exam 1
    • Posted October 9
    • Due October 17
  • Exam 2 - Nov 7
  • Exam 3 - Dec 19
GMU Honor Code
CS Department Honor Code
University Finals Schedule

You can NOT make up the exams, and you must take the final during the registrar's official scheduled time slot. Coordinate your travel accordingly.

I reserve the right to compare papers submitted by students to any other papers written in this class, in another class, or anywhere else, by any means necessary (automated or non-automated), to identify plagiarism, which is a violation of the GMU Honor Code. Please notice that the Dean has identified plagiarism as a serious problem at every level of study, and any identified plagiarism will be reported to GMU as an honor code violation.

There will NOT be an option for extra credit.