This page is organized by the weeks of the quarter in which lectures were given. The weeks are in inverse order, on the assumption you will most often be looking for the most recent week.
This class will be taught by Peter Reiher. The textbook is Computer Security: Art and Science, by Matt Bishop. Assigned readings are from this book, unless otherwise indicated. Dr. Bishop has also published a second textbook that contains selected sections of this book, with a similar title. I can't guarantee that all material assigned will actually be in this other book, and it will definitely be at different pages if it's there at all.
I will be lecturing on these subjects during the class. Note that due dates listed on the syllabus are tentative. Due dates presented on this web page and announced in class will be the correct dates.
The TA for the course will be Joshua Joy -- (jjoy@cs.ucla.edu). The labs for this course will consist of 5 hands-on, practical and exploratory projects covering security-related topics, plus a short introduction to the lab software. Office hour and discussion section information will be determined following the first recitation section and posted here.
Instructions for accessing the homework will be given out via email early in the first week of classes and will be discussed during the first recitation sections.
The final exam for CS 136 will be given on Monday, March 20, in our regular classroom, from 3:00 PM - 6:00 PM. It will be closed book, closed notes. The exam will be similar to the midterm, consisting of multiple choice and short answer questions, but it will be somewhat longer. The exam covers all material from the class, including all material on slides, lectured on, or in assigned reading materials, except for web links to readings that were explicitly accompanied by a note saying they would not be covered. Since many students seemed not to have studied the readings for the midterm, let me emphasize once more: there WILL be questions on material that appeared in the assigned readings that I did not lecture on.
Here is a sample final exam. Here are the answers to the sample final.
The SANS 20 Critical Security Controls. This is the front web page. The links for the 20 controls no longer lead to much useful information, and there's very little on this page. There is a link to a lengthy (90 page) document discussing the controls in much detail, but you need not read that document for this class. Should you find yourself in a position where you need to secure an enterprise system, however, I'd recommend reading it thoroughly.
Lecture 19. Securing Your System.
Observations from the DNSSEC Deployment, E. Osterweil, D. Massey, and L. Zhang, 3d IEEE Workshop on Secure Network Protocols, 2007. A good, short description of DNSSEC and interesting information about its degree of deployment.
Secure Border Gateway Protocol (Secure BGP), Stephen Kent, Charles Lynn, Karen Seo, IEEE Journal on Selected Areas in Communication, Vol. 18, No. 4, April 2000. The original paper proposing Secure-BGP.
Lecture 18. Securing Key Internet Technologies.
Lecture 17. Privacy. Note: This lecture will be given by the TA, Josh Joy, rather than Professor Reiher.
All readings for this lecture are web pages. You should read the entire web page, but need not follow links on the pages to other pages (unless you're interested in doing so, of course - but you won't be tested on the other pages' contents).
An editorial on whether privacy is dead.
A Wikipedia article on various criticisms of Google. You are only required to read the section on privacy issues. Bear in mind that, while this article is specific to Google, much of what is discussed applies equally to other web companies, especially those that have frequent, long-term interactions with users.
A BBC article on privacy implications of the sensor and communications capabilities in modern automobiles.
An Introduction to Information System Risk Management, Steve Elky, 2006.
Threat Modeling: A Process to Ensure Application Security, Steven Burns, 2005.
An OWASP white paper on threat modeling
Lecture 16. Evaluating System Security.
Lecture 14. Secure Programming, Continued.
A detailed description of the bug involving casting a key from a byte stream to a string.
An interesting story about how several programming errors (including the ever-popular not-checking-return-code error, this time on a web request) led to loss of $8000 worth of Bitcoins.
Lecture 15. Web Security.
All readings for this lecture are web pages. You should read the entire web page, but need not follow links on the pages to other pages (unless you're interested in doing so, of course - but you won't be tested on the other pages' contents).
A fairly long article covering a wide range of web security problems and ways to avoid them.
An article on web encryption options.
An article describing SQL injection attacks.
An article describing cross-site scripting attacks.
Lecture 13. Secure Programming.
CERT's Top 10 Secure Coding Practices.
Apple's recommendations on avoiding buffer overflows.
Lecture 12. Malicious Software.
Textbook: Chapter 22 (pages 613-641)
Web links:
Here is an article on Stuxnet that combines a good description of what the worm actually does with discussion of its origins and purpose, specifically avoiding jumping to conclusions. The article is from 2010, so some information in it is outdated, but it gives a pretty good, moderately technical description of the worm in a reasonably brief form. You only need to read the article, not the comments by others that follow it. You are responsible for this article as part of the class' required reading.
If you want to get a deeper explanation of Stuxnet, here is a long, detailed report by Symantec. THIS SYMANTEC REPORT IS OPTIONAL, AND NO MATERIAL FROM IT WILL APPEAR ON THE FINAL EXAM. The link is only provided so those with a deeper interest in this malware can obtain the best available technical information on it.
Midterm exam.
Lecture 11. Intrusion Detection.
Textbook: Chapter 25 (pages 723-767)
Web link (not required reading; not on the final exam):
SANS' frequently asked question page on intrusion detection contains
As indicated in the syllabus, our midterm exam will be on the Tuesday of Week 6. The midterm will be closed book, closed notes, and will cover all material in all lectures and assigned readings through week 5. Material that only appeared in the labs and not in lectures and readings will not appear on the test. Here is a sample midterm that is similar in style to the one you will take. Here are the answers to the sample midterm.
Lecture 9. Network Security.
Textbook: Chapter 26 (pages 773-799)
SYN Cookies, D. J. Bernstein. A good explanation of the details of how SYN cookies handle SYN flooding attacks.
Lecture 10. Network Security, Continued.
Textbook: Chapter 10, sections 10.1-10.2 (pages 245-251)
Textbook: Chapter 11, sections 11.3-11.6 (pages 283-306)
Lecture 7. Authentication.
Textbook: Chapter 12 (pages 309-335)
Web links:
A discussion of technical details related to FBI request for Apple to unlock an iPhone. Subsequent to this article being written, the FBI obtained assistance from an unnamed third party in unlocking this iPhone, using an unspecified method.
A short essay on the limits of using biometrics by Bruce Schneier. This essay is embedded in a longer newsletter. You need only read the section titled "Biometrics in Airports".
Lecture 8. Operating System Security.
Textbook: Chapter 17, Sections 17.1 - 17.2.2 (pages 439-446), introduction to Section 17.3 (pages 446-448), Section 17.3.3 (pages 467-470).
Lecture 5. Cryptographic keys.
Textbook: Chapter 10, sections 10.1, 10.3, 10.4, and 10.5 (pages 245-246, 252-266)
Web link:
Firefox blog post on certificate pinning. You only need to read the post itself, not the comments that follow it.
Lecture 6. Security protocols.
Textbook: Chapter 10, section 10.2 (pages 246-252).
Lecture 4. More on Cryptography.
Textbook: Chapter 9, sections 9.2.3-9.7 (pages 228-241)
Lecture 3. Introduction to Cryptography.
Textbook: Introduction to Section IV and Chapter 9, sections 9.1-9.2.2.2 (pages 215-227).
Textbook: Chapter 2 (pages 31-44) and Chapter 15 (pages 381-396).
Lecture 2. Security Design Principles, Policies, and Tools.
Textbook: Chapter 4, Sections 4.1-4.6 (pages 95-114)
Chapter 5, Sections 5.1-5.2.2 (pages 123-132)
Chapter 6, Sections 6.1-6.2 (pages 151-155)
Chapter 7, Section 7.1 (pages 169-177)
Lecture 1. Introduction.
Textbook: Chapter 1 (pages 1-25)
Web links:
Improving the Security of Networked Systems, Julia Allen, Christopher Alberts, Sandi Behrens, Barbara Laswell, and William Wilson.
Why Computers Are Insecure, Bruce Schneier. (The link leads to an entire web page on various security subjects. Read it all, if you want, but the assignment is only this essay, which is around a page and a half.)
Social Engineering Fundamentals, Part I: Hacker Tactics Sarah Granger.