CS 62600: Advanced Information Assurance

TR 10:30-11:45

LWSN B134

Chris Clifton

Email: clifton_nospam@cs_nojunk.purdue.edu (Please put 626 somewhere in the subject for course-related matters.)
Office hours: By appointment (or just drop by LWSN 2142F, I'm generally in 8:30-5)

Course Outline

Course Topics

Advanced topics in information assurance, including selections from the following: penetration testing, formal verification of systems, formal models of information flow and protection, distributed system authentication, protocol design and attack, computer viruses and malware, intrusion and anomaly detection models, multi-level security, active defenses, investigation and forensics, network firewalls, anonymity and identity, e-commerce support, and database security models and mechanisms.

There are two major goals to this course:

  1. To provide a comprehensive view of information security so as to develop a big picture perspective. This expands the focus from protecting individual machines and files to that of developing and managing policy and mechanism for a full enterprise.
  2. To provide exposure to some advanced concepts in information security and assurance, including some recent research results. Students will be expected to exhibit critical assessment skills regarding these concepts.

Course Methodology

The course will be taught through lectures and (largely student-presented) case studies / discussions. Material will be drawn from current events; a good source is Spaf's Blog.

For review (and if you miss a lecture), you can pick them up as a vodcast/podcast. Be warned that the audio isn't great; you only see what is on the screen, not what is written on the chalkboard; and you can't ask (or answer) questions; so it isn't really a viable alternative to attending lecture. If you are presenting in class, and would like your lecture to be recorded and available for the class (and yourself) to view, send me an email with the subject CS626 boilercast registration and your career account ID (@purdue.edu email address, not the numeric Purdue ID.) You'll then need to log in to the computer in the classroom to activate recording. By default, presentations you give will NOT be available.

For now, Professor Clifton will not have regular office hours. Feel free to drop by anytime, or send email with some suggested times to schedule an appointment.

You can also send things to the course email list (if traffic goes beyond 1-2/day, we'll start an alternate forum.)

Prerequisites

The official requirement is CS 52600 (Information Security) and CS 55500 (Cryptography and Data Security) or the equivalent. Students who have not had these courses, but feel they have equivalent experience gained elsewhere, please see the instructor.

Evaluation/Grading

Evaluation will be a subjective process (see my grading standards) based on your understanding of the material as evidenced in your final project, presentations, assignments, and contributions to discussions both in and out of class. Assignments will consist of:

Relative weighting of these items is to be determined, but expect approximately 35% final project, 15% first presentation, 20% second presentation, 5% each review, and 10% class participation. This may be adjusted a bit after I see the final project proposals (if you all suggest extremely deep final projects, I may increase the weight on that a bit.)

Projects and assignments will be evaluated on a ten point scale:

10: Exceptional work. So good that it makes up for substandard work elsewhere in the course. These will be rare.
8: What I'd expect of a Ph.D. candidate. This corresponds to an A grade.
6: Good enough for a Master's degree, but not what I'd like to see for a Ph.D. candidate. This corresponds to a B grade.
4: Okay for a Master's candidate who does extremely well in other courses. This corresponds to a C grade.
2: Not good enough for a graduate student. But something.
0: Missing work, or so bad that you needn't have bothered.

Late work will be penalized 10% per day (24 hour period). This penalty will apply except in case of documented emergency (e.g., medical emergency), or by prior arrangement if doing the work in advance is impossible due to fault of the instructor (e.g., you are going to a conference and ask to start the project early, but I don't have it ready yet.)

Blackboard will be used to record/distribute grades and turn in assignments.

Policy on Intellectual Honesty

Please read the departmental academic integrity policy above. This will be followed unless I provide written documentation of exceptions. In particular, I encourage interaction: you should feel free to discuss the course with other students. However, unless otherwise noted work turned in should reflect your own efforts and knowledge.

For example, if you are discussing an assignment with another student, and you feel you know the material better than the other student, think of yourself as a teacher. Your goal is to make sure that after your discussion, the student is capable of doing similar work independently; their turned-in assignment should reflect this capability. If you need to work through details, try to work on a related, but different, problem.

If you feel you may have overstepped these bounds, or are not sure, please come talk to me and/or note on what you turn in that it represents collaborative effort (the same holds for information obtained from other sources from which you obtained substantial portions of the solution.) If I feel you have gone beyond acceptable limits, I will let you know, and if necessary we will find an alternative way of ensuring you know the material. Help you receive in such a borderline case, if cited and not part of a pattern of egregious behavior, is not in my opinion academic dishonesty, and will at most result in a requirement that you demonstrate your knowledge in some alternate manner.

Syllabus (numbers correspond roughly to week):

In weeks when you are not presenting, you should plan to do a review for the day corresponding to your next presentation day. (I.e., if your next presentation is on a Tuesday, plan to write a review for Tuesday's lecture in your off weeks.)

  1. Course overview, discussion of the range of issues and answers.
    Information Security Policy
    Reading: Purdue University Policies: Information Technology: Security.
  2. Privacy: What are the Issues? Reading: Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu, Hippocratic Databases, VLDB02; DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (in particular, clauses 27-31, Article 7). Further Reading: Documents of the Data Protection Working Party.
    Security Metrics. Reading: Under attack: Common Criteria has loads of critics, but is it getting a bum rap? (Common Criteria documents); Directions in Security Metrics Research. Further Investigation: Security Metrics Workshops.
  3. Philip Ritchey, Padding Oracle Attacks. Reading: Serge Vaudenay, Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS..., Juliano Rizzo and Thai Duong, Practical Padding Oracle Attacks, Padding Oracle ASP.NET Vulnerability Explanation, Padding Oracle Attacks: In Depth
    Norman Ahmed, Security in Virtual Machines. Reading: Tal Garfinkel and Mendel Rosenblum, Virtual Machine Introspection Based Architecture for Intrusion Detection; Chris Benninger et al., Maitland: Lighter-Weight VM Introspection to Support Cyber-Security in the Cloud; Sina Bahram et al. and Dongyan Xu, DKSM: Subverting Virtual Machine Introspection for Fun and Profit; Side Channel Attack Steals Crypto Key from Co-Located Virtual Machines; US-CERT Advisory - VM Vulnerability Discovered on Multiple Platforms; Virtual machine exploits lets attacker take over hosts.
  4. Miguel Villarreal-Vazquez: HTTPS Stripping: A Persistent Threat. Reading: M. Prandini, M. Ramilli, W. Cerroni, and F. Callegati, Splitting the HTTPS Stream to Attack Secure Web Connections; Nick Nikiforakis, Yves Younan, and Wouter Joosen, HProxy: Client-Side Detection of SSL Stripping Attacks; Dongwan Shin and Rodrigo Lopes, An empirical study of visual security cues to prevent the SSL stripping attack. Further reading: HTTPS Stripping attack using SSLstrip (use of the tool), Breaking your browser's padlock (news), Software SSLstrip.
    Md Endadul Hoque: Security Threats in the Smartphone Ecosystem. Reading: Android Security Overview, Sascha Fahl et al., Why eve and mallory love android: an analysis of android SSL (in)security, Alessandro Armando et al., Would You Mind Forking This Process? A Denial of Service Attack on Android (and Some Countermeasures), Chunyi Peng et al., Mobile data charging: new attacks and countermeasures.
  5. February 5: Guest Lecture, Prof. Eugene Spafford.
    Michael Stickler: Adversarial Machine Learning. Reading: Barreno, Marco, et al. Can machine learning be secure?. Proceedings of the 2006 ACM Symposium on Information, computer and communications security. ACM, 2006. Nelson, Blaine, et al. Exploiting machine learning to subvert your spam filter. Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats. USENIX Association, 2008. Newsome, James, Brad Karp, and Dawn Song. Paragraph: Thwarting signature learning by training maliciously. Recent Advances in Intrusion Detection. Springer Berlin/Heidelberg, 2006. Tan, K., Killourhy, K., & Maxion, R. (2002). Undermining an anomaly-based intrusion detection system using common exploits. In Recent Advances in Intrusion Detection (pp. 54-73). Springer Berlin/Heidelberg.
  6. Shalini Oruganti: Data Center Security. Readings: J. Szefer, P. Jamkhedkar, Yu-Yuan Chen, and R.B. Lee, Physical attack protection with human-secure virtualization in data centers; Sean Heare, SANS Institute - Data Center Physical Security Checklist; Kelly Jackson Higgins, Five Ways To (Physically) Hack A Data Center; Krešimir Popović and Zeljko Hocenski, Cloud computing security issues and challenges.
    February 14: Guest lecture in Lawson 3102, Dr. Allison Lewko: Expanding Capabilities for Functional Encryption. Readings: Dan Boneh, Amit Sahai, and Brent Waters, Functional Encryption: A New Vision for Public-Key Cryptography, CACM 55(11):56-64, November 2012.
    One paragraph description of final project idea(s) due by 08:00 February 15.
  7. Filipo Sharevski: RFID Security and Privacy. Reading: Ari Juels, David Molnar, and David Wagner, Security and Privacy Issues in E-passports; Tom Chothia and Vitaliy Smirnov, A Traceability Attack Against e-Passports; Defects in e-passports allow real-time tracking. Additional readings: Gemalto Report, Moving to the third generation of electronic passports, Security Document World, 2/24/2011; ICAO Technical Report, Supplemental Access Control for Machine Readable Travel Documents, ICAO Machine Readable Travel Documents Programme, 12/11/2010.
    Eric Amos: Social Network Privacy. Readings: Laura Brandimarte, Alessandro Acquisti, and George Loewenstein, Misplaced Confidences: Privacy and the Control Paradox; Alessandro Acquisti and Ralph Gross, Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook; Tabreez Govani and Harriet Pashley, Student awareness of the privacy implications when using facebook; Heather Richter Lipford, Andrew Besmer, and Jason Watson, Understanding privacy settings in facebook with an audience view. Some ideas about what we might do about it: Paul Ashley, Satoshi Hada, Günter Karjoth, Calvin Powers, and Matthias Schunter, Enterprise Language Privacy Authority; Vineet Kumar, Expert speak: Useful tips to beat PC hackers.
  8. Sumeet Mahaldar: Software Cracking. Readings: Dave Gradijan, Blu-ray, HD DVD Copy Protection Cracked; Introduction to Reverse Engineering and Software Cracking; Luan Bui The and Van Nguyen Khanah, GameGuard: A Windows-based Software Architecture for Protecting Online Games against Hackers; I.J. Jozwiak and K. Marczak, A Hardware-Based Software Protection Systems: Analysis of Security Dongles with Time Meters; A beginners Guide to Cracking.
    Lisa Golden: The Future of Authentication. Readings: Jules Polonetsky, Full Report: Age Verification for Our Children: A Report on Tools and Resources Available for Safeguarding the First Generation of Digital Natives; Markus Jakobsson, Elaine Shi, Philippe Golle, and Richard Chow, Implicit Authentication for Mobile Devices; Antonella De Angeli, Lynne Coventry, Graham Johnson, and Karen Renaud, Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems; Burt Kaliski, future directions in user authentication. Additional reading: Anna Lysyanskaya, Authentication without Identification.
  9. Philip Ritchey: Steganography in Information Security. Readings: Noah Shachtman, FBI: Spies Hid Secret Messages on Public Websites; Sean Gallagher, Steganography: How al-Qaeda hid secret documents in a porn video; N. Johnson and S. Katzenbeisser, A Survey of Steganographic Techniques; P. Ritchey and V. Rego, Covert Channels in Combinatorial Games. Additional reading: P. Ritchey and V. Rego, Hiding Secret Messages in Huffman Trees; P. Ritchey and V. Rego, A Context Sensitive Tiling System for Information Hiding.
    Norman Ahmed: Data Outsourcing to a Cloud. Readings: The Cloud and Outsourcing: A New World Awaits; W.A. Jansen, Cloud Hooks: Security and Privacy Issues in the Cloud; M. Kajko-Mattsson and L. Gustafsson, Cloud Outsourcing requires a proper hand over process; R. Chow et al., Controlling data in the cloud: outsourcing computation without outsourcing control; Md. Tanzim Khorshed, A.B.M. Shawkat Ali, and Saleh A. Wasimi, A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing.
    March 12, 14: Spring Break (no classes).
    Final project proposal due (preferably by 3/13, so you get feedback by 3/18).
  10. March 19: Guest Lecture, Prof. Ninghui Li: Recent Advances in Differential Privacy
    March 21: Guest Lecture, Dr. Prateek Mittal: Trustworthy Communications using Network Science. Note Location: LWSN 3102.
  11. Miguel Villarreal-Vazquez: Hidden Server Forensics. Reading: Lasse Øverlier, Locating Hidden Servers; Bilal Shebaro, Leaving Timing Channel Fingerprints in Hidden Service Log Files; Xiaogang Wang, A potential HTTP-based application-level attack against Tor. Background technical details: Tor project, Apache.
    Md Endadul Hoque: Hidden Secrets of Repackaged Android Apps. Reading: Nick Mediati, Android Trojan Is Bundled in Repackaged Apps; Daniel Ionescu, Google Yanks 21 Malicious Apps From Android Market, Phones; Kevin Mahaffey, Security Alert: DroidDream Malware Found in Official Android Market; Rahul Potharaju, Andrew Newell, Cristina Nita-Rotaru, and Xiangyu Zhang, Plagiarizing Smartphone Applications: Attack Strategies and Defense Techniques; Wu Zhou, Yajin Zhou, Xuxian Jiang, and Peng Ning, Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces; Wu Zhou, Yajin Zhou, Michael Grace, Xuxian Jiang, and Shihong Zou, Fast, Scalable Detection of Piggybacked Mobile Applications.
  12. Michael Stickler: Secure Multiparty Computation in Practice. Readings: Catrina, O., & Kerschbaum, F., Fostering the uptake of secure multiparty computation in e-commerce. In Availability, Reliability and Security, 2008. ARES 08. Third International Conference on (pp. 693-700). IEEE; Trading Sugar Beet Quotas - Secure Multiparty Computation in Practice; Bogetoft, P., Christensen, D. L., Damgård, I., Geisler, M., Jakobsen, T., Krøigaard, M., Nielsen, J., Nielsen, J., Nielsen, K., Pagter, J., Schwartzbach, M., & Toft, T., Secure multiparty computation goes live. In Financial Cryptography and Data Security (pp. 325-343), 2009; Atallah, M., Bykova, M., Li, J., Frikken, K., & Topkara, M., Private collaborative forecasting and benchmarking. In Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pp. 103-114.
    Also, you might be interested in some historical / theoretical background: Andrew C. Yao, How to generate and exchange secrets, in Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, pp. 162-167, 1986; Oded Goldreich, Silvio Micali, and Avi Wigderson, How to Play any Mental Game - A Completeness Theorem for Protocols with Honest Majority, 19th ACM Symposium on the Theory of Computing, pp. 218-229, 1987.
    April 4: CERIAS Symposium fireside chat
  13. Filipo Sharevski: Advanced Persistent Threats (APT). Readings: Aditya K Sood and Richard J. Enbody, Targeted Cyberattacks: A Superset of Advanced Persistent Threats, IEEE Security and Privacy 11(1): 54-61 (2013); DELL Counter Threat Unit Research, Lifecycle of an Advanced Persistent Threat, DELL SecureWorks Report, 5/4/2012; MANDIANT, APT1: Exposing One of China's Cyber Espionage Units, MANDIANT APT1 Report, 2/19/2013; Joe Stewart, Chasing APT, Dell SecureWorks Counter Threat Unit Threat Intelligence Report, 7/23/2012. Further Reading: Carrie Jung, Threat Actors Using Mandiant APT1 Report as a Spear Phishing Lure: The Nitty Gritty, M-Unition Blog, 2/22/2013; Dmitri Alperovitch, Revealed: Operation Shady RAT, McAfee Report, 8/2/2011; Frankie Li, A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 10/13/2011.
    Shalini Oruganti: QR Codes: Applications and Security. Readings: Kieseberg, Peter, Leithner, Manuel, Mulazzani, Martin, Munroe, Lindsay, Schrittwieser, Sebastian, Sinha, Mayank, and Weippl, Edgar, QR Code Security; Vidas, Timothy, Owusu, Emmanuel, Wang, Shuai, Zeng, Cheng, and Cranor, Lorrie, QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks; Mukhopadhyay, Syamantak and Argles, David, An Anti-Phishing mechanism for Single Sign-On based on QR-Code; Starnberger, G., Froihofer, L., & Goeschka, K. M., QR-TAN: Secure Mobile Transaction Authentication; What are QR Codes?; Disruptive QR Code.
  14. Eric Amos: SCADA Security. Readings: Newman, T., Rad, T., & Strauchs, J. (2011), SCADA & PLC Vulnerabilities in Correctional Facilities; Nicholson, A., Webber, S., Dyer, S., Patel, T., & Janicke, H. (2012), SCADA security in the light of Cyber-Warfare; Stuxnet - Wikipedia, the free encyclopedia. Further readings: The I3P Process Control Systems and Survivability and Recovery of Process Control Systems Projects, in particular the PCS Overview.
    Sumeet Mahaldar: Virus vs. Anti-virus. Readings: Michael Fitzgerald, The Future of Antivirus; Carey Nachenberg, Computer Virus-Antivirus Co-evolution; Daniel J. Sanok, Jr., An analysis of how antivirus methodologies are utilized in protecting computers from malicious code; N. B. Guinde and R. B. Lohani, FPGA based approach for signature based antivirus applications; Mila Dalla Preda, Mihai Christodorescu, Somesh Jha, and Saumya Debray, A semantics-based approach to malware detection.
  15. Lisa Golden: Botnets vs. Honeypots. Readings: Defense Strategies Against Modern Botnets; Honeypot-Aware Advanced Botnet Construction and Maintenance; An Advanced Hybrid Peer to Peer Botnet; Counterattacking Honeypot.
    Final project presentations: Filipo Sharevski, Norman Ahmed?, others?
  16. Monday, April 29, 3:30-5:30pm, Lawson B134: Final Project Presentations: Everyone else. (This is our scheduled final exam slot.)

Final exam: Given that the final projects will likely provide ample opportunity to demonstrate the level of knowledge of a big picture perspective of information assurance, I do not anticipate a final exam in this course. Keep in mind when reporting on your final project that you should demonstrate that you have met the course goals, not just understanding of a narrow facet of this area. However, depending on the interests of students (e.g., if many would rather do system building projects with a narrow focus), a final exam may be in order. This will be determined before spring vacation.

Note that the final exam is scheduled for Monday, April 29 3:30-5:30pm in Lawson B134. We will probably be using this slot for continued final project presentations. If you have another exam that day, let me know so we can make sure your final project presentation is not held that day.

In the event of a major campus emergency, course requirements, deadlines and grading percentages are subject to changes that may be necessitated by a revised semester calendar or other circumstances. In such event, this page will be updated to reflect such changes.
