ICS 280G: Software Security Analysis and Testing
Prof. Debra J. Richardson
Spring 2000
Information and Computer Science
University of California, Irvine
Instructor: Debra J. Richardson
Email: djr@ics.uci.edu
Office hours: by appointment on Wednesdays 1-2 and Thursdays 2-3
Room: ICS2 216
Course Description
Computer security as a discipline was first studied in the early 1970s, although the issues had influenced the development of many earlier systems such as the Atlas system and Multics. Unfortunately, very little has been done in the area of analyzing and testing systems for security problems before they are deployed.
This course will examine software security issues as well as analysis and testing approaches that have been proposed for addressing those issues. We will rely, at least partially, on knowledge of general analysis and testing techniques (such as those studied in ICS 224).
Course requirements are reading relevant papers, presenting papers to the class, participation in class, satisfactory performance on pop quizzes covering the reading material, and a quarter project. There are several options (discussed below) for the quarter project, the primary requirement being that it focus on analysis and/or testing of security.
Prerequisites
ICS 221 and 224 are recommended but not required.
Lectures
I will give a few background lectures in the beginning, which will be available on-line. If students give me a copy of their presentations, those will be available as well.
Schedule
| Date | Speaker |
|---|---|
| 12 April | Debra Richardson |
| 18 April (Tuesday) | Chang Liu |
| 26 April | Michele Rousseau (unavailable), Suraj (dropped) |
| 3 May | Marcio Dias, Jeff Ronne |
| 10 May | Jie Ren, Dan Nicolaescu |
| 17 May | Bharati Jha, Niclas (dropped), Michele Rousseau (moved) |
| 24 May | Brief project descriptions from all students |
| 30 May (Tuesday) | Marlon Vieira, Sam Robertson |
| 14 June | Final projects due |
Assessment
10% Class Participation
30% Presentation of security, A&T, or security A&T topic
Probably one presentation per student; the number will depend in part on enrollment. Students are expected to pick a paper from the list below (or some other relevant paper, if so desired), do a literature search, supplement the reading list, and present the topic. For the literature search, start with the paper's bibliography and do a library or web search on the topic, but also check out the following sources for more recent papers:
Symposium on Research in Privacy and Security (the Oakland Conference)
Journal on Computer Security
Transactions on Information and System Security
10% Project/Paper Description (10 minutes)
50% Term Project, chosen from:
Proposed and developed enhancement of some existing analysis or testing technique applicable for evaluating software security
Thorough testing or analysis of the security issues of some critical application
Well thought out proposal for an analysis and/or testing technique applicable for evaluating software security
Other topic chosen by student and approved by instructor
Graded on effort and on final report (and demonstration, if applicable) at end of class.
Three options:
Project done individually for this class alone
Project done for this class alone, but with at most one other person
Project done individually for this class and ICS 224 (only available for those concurrently enrolled in ICS 224)
A project done with another person or done for two courses would naturally be larger in scope than one done individually.
NOTE: There will be no incompletes granted, except in truly rare and unavoidable circumstances. All course work must be completed by the end of finals.
Reading List
This list (both topics and order) is subject to change. We will start by reading some seminal papers in security as background. The list will grow as both instructor and students identify additional papers.
Seminal Papers on Security
You can get the first set of papers by bringing a writable CD-ROM to Marlon and/or Marcio. Papers are also available on-line. Brief information about each paper is also available on-line. Thanks to UC Davis' History of Security Project for this selection of papers.
| File on CD-ROM | Bibliographic citation | Notes |
|---|---|---|
| ande72.pdf | James P. Anderson, Computer Security Technology Planning Study, ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (Oct. 1972) [NTIS AD-758 206] | |
| ande80.pdf | James P. Anderson, Computer Security Threat Monitoring and Surveillance, James P. Anderson Co., Fort Washington, PA (Apr. 1980) | |
| bell76.pdf | David E. Bell and Leonard La Padula, Secure Computer System: Unified Exposition and Multics Interpretation, ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975) [DTIC AD-A023588] | |
| bisb78.pdf | Richard Bisbey II and Dennis Hollingworth, Protection Analysis: Final Report, ISI/SR-78-13, USC/Information Sciences Institute, Marina Del Rey, CA 90291 (May 1978) | One of two seminal studies of computer system vulnerabilities. |
| dod85.pdf | Department of Defense, Trusted Computer System Evaluation Criteria (the Orange Book), DoD 5200.28-STD (1983, 1985) | Full version of the TCSEC that influenced study and development of systems. |
| ford78.pdf | Ford Aerospace, Secure Minicomputer Operating System (KSOS): Executive Summary Phase I: Design, Western Development Laboratories Division, Palo Alto, CA 94303 (April 1978) | Describes an implementation of a provably secure operating system compatible with the UNIX operating system. |
| karg74.pdf | Paul A. Karger and Roger R. Schell, MULTICS Security Evaluation: Vulnerability Analysis, ESD-TR-74-193 Vol. II, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (June 1974) | Described a number of attacks, including the trap-door compiler that Ken Thompson used so effectively in his Turing Award lecture. |
| lind76.pdf | Theodore A. Linden, Operating System Structures to Support Security and Reliable Software, NBS Technical Note 919, Institute for Computer Sciences and Technology, National Bureau of Standards, US Department of Commerce, Washington DC 20234 (Aug. 1976) | Described capability-based architectures. |
| myer80.pdf | Philip Myers, Subversion: The Neglected Aspect of Computer Security, Master's Thesis, Naval Postgraduate School, Monterey, CA 93940 (June 1980) | Demonstrated how a Trojan horse could spread to a secure system without the attacker having direct access to that system. |
| neum75.pdf | Peter G. Neumann, L. Robinson, Karl N. Levitt, R. S. Boyer, and A. R. Saxena, A Provably Secure Operating System, M79-225, Stanford Research Institute, Menlo Park, CA 94025 (June 1975) | First formal design of a system, emphasizing proofs of design before implementation. |
| niba79.pdf | Grace H. Nibaldi, Proposed Technical Evaluation Criteria for Trusted Computer Systems, M79-225, The Mitre Corporation, Bedford, MA 01730 (Oct. 1979) | First evaluation criteria with levels (5 of them). |
| scha75.pdf | J. M. Schacht, Jobstream Separator System Design, MTR-3022 Vol. 1, The MITRE Corporation, Bedford, MA 01730 (May 1975) | |
| sche73.pdf | Roger R. Schell, Peter J. Downey, and Gerald J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, MCI-73-1, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (Jan. 1973) | |
| schi75.pdf | W. L. Schiller, The Design and Specification of a Security Kernel for the PDP-11/45, MTR-2934, The MITRE Corporation, Bedford, MA 01730 (Mar. 1975) | First formal specification of a kernel satisfying the Bell-LaPadula model. |
| ware70.pdf | Willis Ware, Security Controls for Computer Systems (U): Report of Defense Science Board Task Force on Computer Security, Rand Report R609-1, The RAND Corporation, Santa Monica, CA (Feb. 1970) | |
| whit74.pdf | J. Whitmore, A. Bensoussan, P. Green, D. Hunt, A. Robziar, and J. Stern, Design for MULTICS Security Enhancements, ESD-TR-74-176, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (Dec. 1973) | |
Papers at least remotely related to Security Analysis and Testing (things to look at to start)
T. Aslam, I. Krsul, and E. H. Spafford. A Taxonomy of Security Vulnerabilities. In Proceedings of the 19th National Information Systems Security Conference, pages 551-560, Baltimore, Maryland, October 1996.
J. Alves-Foss, K. Levitt, Verification of Secure Distributed Systems in Higher Order Logic: A Modular Approach Using Generic Components, Proc. of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, 20-22 May 1991, pp. 122-135. http://seclab.cs.ucdavis.edu/papers/pdfs/af-kl-91-2.pdf
J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. H. Spafford, and D. Zamboni. An Architecture for Intrusion Detection using Autonomous Agents. In Proceedings of the 14th IEEE Computer Security Applications Conference, December 1998.
Bieber and Cuppens, A Logical View of Secure Dependencies, Journal of Computer Security, Volume 1, Issue 1, 1992.
M. Bishop, M. Dilger, Checking for Race Conditions in File Access. Computing Systems 9(2) (Spring 1996), pp. 131-152. http://seclab.cs.ucdavis.edu/papers/bd96.pdf
M. Bishop, "A Model of Security Monitoring," Proceedings of the Fifth Annual Computer Security Applications Conference, 1989, pp. 46-52. http://seclab.cs.ucdavis.edu/papers/pdfs/mb-89.pdf
C. Chung, M. Gertz, K. Levitt. 1999. "DEMIDS: A Misuse Detection System for Database Systems." To appear in Integrity and Internal Control in Information Systems IFIP WG11.5 1999. http://seclab.cs.ucdavis.edu/papers/IFIP99.pdf
Daniels and Spafford, Identification of Host Audit Data to Detect Attacks on Low-level IP, Journal of Computer Security, Volume 7, Issue 1, 1999.
G. Fink, C. Ko, M. Archer, K. Levitt, Toward a Property-based Testing Environment with Application to Security Critical Software. Proc. of the 4th Irvine Software Symposium, April 1994, pp. 39-48. http://seclab.cs.ucdavis.edu/papers/fkal94.ps
G. Fink, K. Levitt, Property-based Testing of Privileged Programs. Proceedings of the 10th Annual Computer Security Applications Conference, Orlando, FL, 5-9 Dec. 1994, pp. 154-163. http://seclab.cs.ucdavis.edu/papers/pdfs/gf-kl-94.pdf
Gray, Ip, Lui, Provable Security for Cryptographic Protocols -- Exact Analysis and Engineering Applications, Journal of Computer Security, Volume 6, Issue 1/2, 1998.
Gudes, Olivier and van de Riet, Modeling, Specifying and Implementing Workflow Security in Cyberspace, Journal of Computer Security, Volume 7, Issue 4, 1999.
Nevin Heintze, Doug Tygar, Jeannette Wing, and Hao-Chi Wong, Model Checking Electronic Commerce Protocols. Second USENIX Workshop on Electronic Commerce, 1996. http://www.cs.cmu.edu/afs/cs.cmu.edu/project/venari/papers/usenix96a/mcecp.ps.
S. Jajodia, P. Samarati, and V. S. Subrahmanian, ``A logical language for expressing authorizations,'' Proc. IEEE Symp. on Research in Security and Privacy, Oakland, Calif., May 1997, pages 31-42.
Darrell M. Kienzle and William A. Wulf, A practical approach to security assessment, Proceedings of the New Security Paradigms Workshop, pp. 5-16. http://www.acm.org/pubs/articles/proceedings/commsec/283699/p5-kienzle/p5-kienzle.pdf
S. Kumar and E. H. Spafford. A Software Architecture to Support Misuse Intrusion Detection. In Proceedings of the 18th National Information Security Conference, pages 194-204, October 1995.
Carl Landwehr, Taxonomy of Computer Program Security Flaws, ACM Computing Surveys, Vol. 26, No. 3, Sept. 1994. http://www.acm.org/pubs/citations/journals/surveys/1994-26-3/p211-landwehr/
Lowe, Towards a Completeness Result for Model Checking of Security Protocols, Journal of Computer Security, Volume 7, Issue 2/3, 1999.
Lowe, Casper: A Compiler for the Analysis of Security Protocols, Journal of Computer Security, Volume 6, Issue 1/2, 1998.
Catherine Meadows, An outline of a taxonomy of computer security research and development, http://www.acm.org/pubs/citations/proceedings/commsec/283751/p33-meadows/
Meadows, Applying Formal Methods to the Analysis of a Key Management Protocol, Journal of Computer Security, Volume 1, Issue 1, 1992.
McLean, Proving Noninterference and Functional Correctness Using Traces, Journal of Computer Security, Volume 1, Issue 1, 1992.
J. Bret Michael, Edgar H. Sibley, and David C. Littleman, Integration of formal and heuristic reasoning as a basis for testing and debugging computer security policy. http://www.acm.org/pubs/citations/proceedings/commsec/283751/p69-michael/
Paulson, The Inductive Approach to Verifying Cryptographic Protocols, Journal of Computer Security, Volume 6, Issue 1/2, 1998.
Roscoe and Broadfoot, Proving Security Protocols with Model Checkers by Data Independence Techniques, Journal of Computer Security, Volume 7, Issue 2/3, 1999.
Sandhu and Bhamidipati, Role-based Administration of User-Role Assignment: The URA97 Model and its Oracle Implementation, Journal of Computer Security, Volume 7, Issue 4, 1999.
Thayer, Herzog, and Guttman, Strand Spaces: Proving Security Protocols Correct, Journal of Computer Security, Volume 7, Issue 2/3, 1999.
Vigna and Kemmerer, NetSTAT: A Network-based Intrusion Detection System, Journal of Computer Security, Volume 7, Issue 1, 1999.
James G. Williams, A shift in security modeling paradigms, http://www.acm.org/pubs/citations/proceedings/commsec/283751/p57-williams/
Additional Sources
Journal of Computer Security, IOS Press. http://www2.csl.sri.com/jcs/
ACM Transactions on Information and System Security (TISSEC), http://www.acm.org/pubs/tissec/
ACM Conference on Computer and Communications Security (CCS), http://java.sun.com/people/gong/conf/acm-ccs/ccs.html
Computer Security Foundations Workshop, http://www2.csl.sri.com/csfw/
Proceedings of the New Security Paradigms Workshop, http://www.acm.org/pubs/contents/proceedings/commsec/283699/
2000 IEEE Symposium on Security and Privacy, http://www.bell-labs.com/user/reiter/sp2000/
IEEE Technical Committee on Security and Privacy, http://www.issl.org/tc.html
Center for Secure Information Systems, http://www.ise.gmu.edu/~csis/projects.html
UC Davis Security Lab, http://seclab.cs.ucdavis.edu
Counterpane Internet Security Cryptography Bibliography, http://www.counterpane.com/biblio/