1  Late Breaking News

• Cai Guan Yan suggested the following URL for another look at buffer overflow protection on Windows systems.
• Bring your calculators for the final exam. The final exam is comprehensive, it includes everything that has been covered in class, tutorials, or projects. Here's a brief outline of the topics covered from the textbook. Use my lecture slides to determine what to study and what to skip. Student presentations are fair game for the final exam.
  Read all of Chapter 1 for your edification. In Chapter 2, I've skipped Section 2.5 but it's a humorous story that you'll enjoy reading. I've skipped the ADFGX cipher in Section 2.6. I've also skipped Sections 2.10 and 2.11. In Section 2.12, you don't have to understand the analysis of Enigma, just understand how the rotor system works. You must understand all of Chapter 3. In Chapter 4, I've skipped Section 4.3, the property that DES is not a group on page 113, and Section 4.7. You should understand pretty much all of Chapter 5. From Chapter 6, I've skipped Section 6.2, both types of exponent factorization methods, and the Quadratic Sieve method from Section 6.4, Section 6.6 and Section 6.7. In Chapter 7, I've skipped the Pohlig Hellman algorithm on page 167, the Index calculus method,...,all the way up to Section 7.4. I did cover Section 7.4. In Chapter 8, I skipped Sections 8.3 and 8.4 except for meet-in-the-middle attacks on page 188. I also skipped Section 8.5.

  We also did Saltzer & Schroeder's paper, the buffer overflow paper, Blaine Burnham's keynote address in the first two lectures. We looked at SSL in quite some detail including the protocol and packet formats. We studied Joncheray's TCP hijacking attack and other kinds of cache poisoning attacks such as those based on ARP and DNS. We did nmap and its different flavors of scanning. If I've missed something, send me e-mail.

• Hints for the final exam.
  There's a question on DES, one on SSL, and one on network-based attacks. There are others as well of course.
• Congratulations to the best presenters of the class. Enjoy your coffee at Spinelli's.

 2  Overview

The class will meet on Fridays from 8-11am (an ungodly early hour) in LT34 starting Jan 14th 2005. We'll start at 8am on the first day at least.

Pre-requisite: I will assume that you have done CS3235 or equivalent. I will assume that you are well familiar with the contents of the book Introduction to Computer Security by Hugh Anderson which is available in the Science bookstore. Except for chapters 4 and 6 of the book, everything else is relevant to CS4236. In fact, it'd be a good idea to brush up on the course before you start CS4236.

2.1 Administrivia

• I'll hold office hours from 5-6pm every tuesday in my office in S15 #04-08. Try to make it during that hour as much as possible. If you absolutely cannot make it to my office during that time, then we can possibly set up a time for consultation some other time on a as needed basis.
• Unix accounts: Non SoC students' unix accounts must be collected personally at helpdesk (1^st floor of S15), during office hours. Students must produce their matric card for verification. Students with accounts from prior semesters need not come to helpdesk, their accounts should automatically have been re-enabled. If however, you've forgotten your password, you can reset it at https://mysoc.nus.edu.sg/~iforgot/. Those who register late and do not have an account can apply at helpdesk or through eform at https://mysoc.nus.edu.sg/~eform/new/.
• Hugh Anderson's notes from last semester's CS3235 can be found off Neal Wagner's home page. Look at the second book under Writing with the title Intro to Computer Security.

2.2 Grading

• Presentation survey results are here.

 3  Course Contents

Date	Contents
Jan 14	Overview of Computer Security The Goals of Security. Saltzer & Schroeder. Blaine Burnham's Usenix keynote. Gene Spafford's keynote. Buffer Overflow. The Context of Cryptography [Schneier & Ferguson]. Classical Cryptosystems. Readings: Chapter 1-2 of Trappe and Washington. Basic Principles Of Information Protection part A of J. H. Saltzer and M. D. Schroeder's The Protection of Information in Computer Systems. Why cyberterrorists don't care about your PC. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Blaine Burnham's keynote address at Usenix 2000. The example text used in class for monoalphabetic cipher cryptanalysis is ETNAN XFWN LYK Y RYETNA QF EBWKXF LTX KYQP ETQK YPHQWN QK RXA DXB KXF DXB PXFE LYKT DXBAKNMR LNMM KX DXBA RNNE KCNMM MQUN TNMM QR QF VNP LQET Y ZQAM UNNI DXBA KTXNK XF Projects: Hand out project on roiling and unroiling files using the Java crypto APIs. Try out the outstanding graphical implementation of the Enigma here. It requires Java 3D, which you can get here. It's well worth a try even though Java3D will not work on Linux. Try deciphering the following mono alphabetic substitution cipher using mono.cgi. Show...Hide HP PJJI HP QBT AMTHQ OFHUE VTFVTQ KHFF JRQPCST GY FCQQFT WCISJW WHP PBJQ WCQB AMTY, C AJQ RK HIS WTIQ SJWI PQHCMP; TVTMY OJHMS RKJI QBT WHY, HIS TVTMY UMHUE CI TVTMY OJHMS, UHFFCIA HNQTM GT, "PQJK QBCTN!" HIS "ATQ RK, GMP. DJT!" CI QBT KHIQMY, WBCUB WHP NHM GJMT HORISHIQFY PRKKFCTS QBHI RPRHF, JWCIA QJ QBT PTHPJI, C WHP VTMY GRUB HFHMGTS, OY H BHMT BHIACIA RK OY QBT BTTFP, WBJG C MHQBTM QBJRABQ C UHRABQ, WBTI GY OHUE WHP BHFN QRMITS, WCIECIA. C BHS IJ QCGT NJM VTMCNCUHQCJI, IJ QCGT NJM PTFTUQCJI, IJ QCGT NJM HIYQBCIA, NJM C BHS IJ QCGT QJ PKHMT. C PQJFT PJGT OMTHS, PJGT MCIS JN UBTTPT, HOJRQ BHFN H DHM JN GCIUTGTHQ (WBCUB C QCTS RK CI GY KJUETQ-BHISETMUBCTN WCQB GY FHPQ ICABQ'P PFCUT), PJGT OMHISY NMJG H PQJIT OJQQFT (WBCUB C STUHIQTS CIQJ H AFHPP OJQQFT C BHS PTUMTQFY RPTS NJM GHECIA QBHQ CIQJXCUHQCIA NFRCS, PKHICPB-FCLRJMCUT-WHQTM, RK CI GY MJJG: SCFRQCIA QBT PQJIT OJQQFT NMJG H DRA CI QBT ECQUBTI URKOJHMS), H GTHQ OJIT WCQB VTMY FCQQFT JI CQ, HIS H OTHRQCNRF MJRIS UJGKHUQ KJME KCT. C WHP ITHMFY AJCIA HWHY WCQBJRQ QBT KCT, ORQ C WHP QTGKQTS QJ GJRIQ RKJI H PBTFN, QJ FJJE WBHQ CQ WHP QBHQ WHP KRQ HWHY PJ UHMTNRFFY CI H UJVTMTS THMQBTI WHMT SCPB CI H UJMITM, HIS C NJRIS CQ WHP QBT KCT, HIS C QJJE CQ, CI QBT BJKT QBHQ CQ WHP IJQ CIQTISTS NJM THMFY RPT, HIS WJRFS IJQ OT GCPPTS NJM PJGT QCGT. That should be plenty of text! Send me correct answers and I'll announce in class. Don't check the Kasiski checkbox for such a large text. It's OK for text about 15 characters long. Try encrypting some text using the Vigenere cipher.
Jan 21	Hari Raya holiday. No class.
Jan 28	Number theory. Here I'll assume that you are already somewhat familiar with elementary number theory from CS3235. Readings: Chapter 3 of Trappe and Washington. Try out egcd.cgi.
Feb 4	Symmetric Ciphers. DES in grisly detail. Block Cipher Chaining modes. Block cipher design principles. Stream ciphers. Readings: Chapter 4 of Trappe and Washington. A copy of the FIPS specification for DES is here. The technical description of DES starts on page 12. The overall dataflow of DES is on page 13. The DES equations propagated through its Feistel structure are here. No wonder DES is so non-linear! Try playing with DES, a cgi-bin script that programs the Data Encryption Standard. It was written by B. N. Chandan as a class project for a course that I'd taught earlier.
Feb 11	AES. Readings: Chapter 5 of Trappe and Washington. The FIPS specification for AES can be obtained here. The Rijndael home page. Projects: Implementation of AES in Java. Try this rudimentary expression evaluator that I wrote for evaluating expressions in GF(28) mod the AES irreducible. You might need to run this with a Java 1.5 JVM. Download this jar file and run it as java -jar Field.jar. A field element is expressed as two nibbles within braces. For e.g., {04}, {af} etc. To compute the inverse of a field element, divide {01} by it, for e.g., {01}/{af}. To end the program, type CTRL-D at the command prompt. Try this cgi-bin script to see the transformations that AES makes during the encryption process.
Feb 18	RSA, Discrete Logs. Readings: Chapter 6-7 of Trappe and Washington.
Feb 25	We're not saved from the mid-semester break. Signatures and Hashes. Readings: Chapter 8 of Trappe and Washington.
	Protocols. Various types of key exchange & signature protocols. Kerberos. Key escrow. Mental poker. Dining Cryptographers. ZK. Mid-term exam during class hours, probably from 10-11am. Readings: Chapters 11-13 of Trappe and Washington. Pretty much all of Chapter 4 from Pfleeger's book is worth a read except for the parts that I explicitly skipped such as Contract Signing (Section 4.2 page 155) and Certified Mail. Designing an Authentication System: a Dialogue in Four Scenes. Browse around the Kerberos home page for additional information in case the system piques your interest. Please skim through the paper Key Escrowing Today by Dorothy Denning and Miles Smid that appeared in the IEEE Communications Magazine in the September 1994 issue. You can get the article through the ACM Digital library off LINC. The slides for Zero Knowledge are here.
	Access Control Models. Access Matrix, HRU, BLP, Biba, Clarke-Wilson, Chinese Wall. Start on OS Security. I might do away with this lecture because in my past experience, this material was covered well in CS3235. Instead we might have a guest lecture by Shyue Hong Chuang, a CISSP from Cisco Systems. Readings: The paper on the Chinese Wall access control model is here. The paper on the Clark Wilson access control model is here. Use the above two papers as reference material in case you are unclear about some detail relating to these models. The access control matrix for playing around with is here.
Mar 18	Network Security IPSec, SSL, TCP Hijacking, Firewalls, Packet Filters, VPNs, DDOS, Intrusion Detection: Host-based, Network based. NFR, Snort and related tools. Readings: A Look Back at Security Problems in the TCP/IP Protocol Suite. Addressing Weaknesses in the Domain Name System Protocol, Christoph Schuba, Master's Thesis Defense, Purdue University, July 27, 1993. A Simple Active Attack Against TCP. Laurent Joncheray. Steven M. Bellovin, Using the Domain Name System for System Break-Ins, in Proceedings of the Fifth Usenix UNIX Security Symposium, Salt Lake City, UT, June, 1995. A prettied up version of the nmap fingerprinting article is here Skip this one. Brent Chapman's paper on packet filtering. Decode the SSL record layer with a trace captured with Ethereal.
Mar 25	Good Friday holiday. No class.
Apr 1	More Network Security and assorted topics. Readings: The subset of the Linux TCP/IP stack code is here.
	OS Security. Virtual Memory, File System protection, Passwords: One time, Strong Passwords from Weak Ones such as EKE, Jablon. Viruses. Start on Network Security.
Apr 8	Student Presentations
Apr 15	Start of reading week. No class.

3.1 Overflow

• Non-directory based schemes such as Identity-based keys and self-certified keys. Standard PKI functionality as encapsulated in the PKCS standards. SPKI/SDSI. ASN.1.

  Project: Parse and print a certificate encoded in DER and extract fields from it.

• Wireless and Routing Security. WEP Security. Project - parse or create an 802.11 MAC frame. Routing Security in wired and ad hoc networks.
• Cool Tools. Matt Blaze's Crypt FS. Eu-gin Goh's FS. Anderson's Steg FS. NMAP. Encrypting Swap Devices (Niels Provos). Tripwire. GPG. SSH.

  Lab: creating data tunnels to effectively import useful services.

• Single Sign On, Identity Management (RSA).

3.2 Lecture Slides

You may ignore the slides whose titles have a red cross in the right.

• The legend of the silver bullet is described in the last section titled To slay the werewolf of this web page.

 4  Tutorials

The answers to the tutorial questions below are given by students and are meant only to serve as a guide for you. They do not replace the discussion in class (or in my office for tutorial 8) when the question was presented by the student. I don't verify the correctness of every step in the solutions that students send me to put up on the web. Contact the particular student who presented a question to follow up on details of that question.

If you believe that you will expend significant effort preparing the answer for a particular question and want to be assured that you'll be called for it in class, send me e-mail telling me which question(s) you will solve. I will then assign you that question (on a first come first serve basis) and also display the assignment on this web page against the tutorial. That way you'll be assured that your effort won't be completely wasted.

• Tut 1. We'll meet at 8.15am on 28^th morning for the tutorial. Q1 has been assigned to Koh Wee Kiat. Q2 to Cai Guan Yan. Q3 to Quoc Dung. Q6 to Chuan Huey Ling. Q7 to David Li, Q8 to Dinh Thien Anh.
• Tut 2. We'll meet at 8.15am as usual. Q1 assigned to Francis Teo. Q2 & 4 assigned to Nguyen Ngoc Nhan. Q3 (3a, 3b) assigned to Ng Teng Teng. Q5 to Lizhengu. Q6-7 to Cam Hoa.
• Tut 3. Please bid for questions by friday eve the 18^th and I'll assign them not in first come-first serve order this time, but based on how much deficit you have from the highest score in the class.

  Allocations: Q1,2 to Xue Mingqiang, Q3 to Ng Jun Ping, Q4,5 to Quoc Dung, Q6 to Myo Mint, Q7, 8 to Tran Nam Hung. Feel free to discuss the questions with your friends and others while attempting to solve them.

• Tut 4. Questions 2 (1.5 marks) [Dinh Thien Anh], 3 (1.5 marks) [Jun Ping], 4 (1 mark) [Le Quang Vinh], 5 (1.5 marks) [Le Quang Vinh] on page 159 of your textbook.
• Tut 5. Q1 [Chuan Huey Ling], Q2 [Myo Myint], Q3 [Winston Teo], Q4 [Le Quang Vinh], Q5,8 [Peter Lau], Q6 [Huhyn Thien Tam], Q7 [Luc Charpentier].
• Tut 6. Qs 1 [Tan Eik Hong], 2 [Quoc Dung], 5 [Teng Teng], 7 [Ng Jun Ping] on page 191-192 of the text. Each worth 1.5 marks.
• Tut 7. Q6 on page 159 (2 marks) [Thien Tam], Q7 on page 160 (1 mark) [Peter Lau], Q8 on page 160 (1 mark) [Ngoc Nhan], Q9 on page 160 (2 marks) [Ming Qiang], Q10 on page 160 (2 marks) [Chen Lin Liu], Q13 on page 160 (2.5 marks) [Tran Nam Hung], Q14 on page 161 (2 marks) [Derrick Quan], Q13 on page 163 (1.5 marks) [David Li], Q14 on page 163 (2.5 marks) [Derrick Quan].
• Tut 8. This might help you understand the last few lectures better although we won't solve this tutorial explicitly in class and I won't provide any solutions. However, I can help you clarify your thoughts about the tutorial if you come during my office hours.

  Q1 [Nguyen Chi Dung], Q2 [Cai Guan Yan], Q3 [Goh Aik Few], Q4 [Ng Joong Onn], Q5 [Goh Aik Few], Q6 [Ng Joong Onn], Q7 [Luc Charpentier], Q8 [Teo Yong Wei]. Please come during my office hours next week.

 5  Projects

5.1 Project 1

Helper Programs: md5sum.java is the Unix equivalent of md5sum. It might help you understand how hash functions can be programmed in Java. Run it as java md5sum <files>.

Test Data: I roiled file foo with the passphrase foo to get foo.roil. I'm not guaranteeing that it's correct but we can use this as a basis to arrive at a debugged format that everyone can test against. So try decrypting it, finding errors in its format using a binary editor etc. Send me feedback on whether you are or aren't able to decrypt it. I will of course use my implementation to test your programs, so if your implementation works against mine directly, I'll have an easier time grading your project. So you can help me debug this code.

For file foo, n = 8, IV = 0xd1ade718fab0a6806357b428a69ec1b5, AES key = 0xa98ee2eb6d22163728855fb975140eef.

5.2 Project 2

5.3 Project 3

java -jar stunnel.jar -gui www-appn.comp.nus.edu.sg 443

You can just retrieve the data from the remote server without displaying it in a GUI by skipping the -gui option.

Here is project 3.

5.4 Presentation

• Talk about SELinux and its realization in Fedora Core 3 version of Linux.
• Study and present RADIUS, or LDAP + RADIUS.
• Install, play with, and present Ross Anderson's Steganographice File System. Look under the section on Information Hiding.
• Pick a paper of your choice from the Usenix 2004, 2003, or 2002 Security Symposia. Even going further back is fine. You should find enough information from the abstract of the paper to see if you want to read and present it. I can get you the paper that you select in case you can't locate it from the author's or Usenix's home page.
• Any paper from the ACSAC conferences of 2001-2004. All proceedings should be available online at ACSAC.
• Any paper from the NDSS conference of the last three years. All past conference proceedings should be available online at NDSS.
• Any paper from the ACM CCS conference of the last three years. All past conference proceedings should be available online via the ACM portal at ACM ⇒ DL Home ⇒ Proceedings ⇒ Conference on Computer and Communications Security.
• Any paper from the IEEE Symposium on Security and Privacy. All past proceedings should be available online via IEEE Xplore. The 2003 proceedings should be around here somewhere. Search for the keyword security at Conference Proceedings page of IEEE Xplore.

5.4.1 Schedule for this semester

The material relating to student presentations for the Spring '05 semester is currently accessible only within NUS.

Student(s)	Papers	Date & Time
Nguyen Quoc Dung , Huynh Thien Tam, Ng Jun Ping	Security on SmartCard. Research on secure scheme of smart card application system. Mingsheng Liu, Qian Zhong, Yinhua Ma, Shuhai Wang Information Science School, Shijiazhuang Railway Institute, Shijiazhuang, China. Breaking up is hard to do: modeling security threats for smart cards. Bruce Schneier, Adam Shostack. Usenix Workshop on Smartcard Technology, May 1999. Examining Smart-Card Security under the Threat of Power Analysis Attacks. T. S. Messerges, E. A. Dabbish, R. H. Sloan. IEEE Transactions on Computers, vol. 51, no. 5, May 2002.	slides.
Francis Teo, Ng Teng Teng	Homographic Phishing Attacks/Exploits. The Homograph Attack, Communications of the ACM, 45(2):128, February 2002. Firefox Spoofing Flaw. Related material: RFC3490.	slides.
Dinh Thien Anh, Myo Myint	Graphical Passwords - The Image is the Key. Graphical Dictionaries and the Memorable Space of Graphical Passwords, Julie Thorpe and Paul van Oorschot, Carleton University. Proceedings of the 13th USENIX Security Symposium, 2004. On User Choice in Graphical Password Schemes, Darren Davis and Fabian Monrose, Johns Hopkins University; Michael K. Reiter, Carneige Mellon University. Proceedings of the 13th USENIX Security Symposium, 2004. The Design and Analysis of Graphical Passwords. Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, Aviel D. Rubin. Proceedings of the 8th USENIX Security Symposium, 1999.	slides, code.
Chuan Huey Ling, Goh Aik Few	Ad-Hoc Networks Security : Prevent and Detect. PEACE: A Policy-based Establishment of Ad-hoc Communities. Intrusion Detection Tool for AODV-based Ad hoc Wireless Networks. AODV Routing Protocol RFC 3561.	slides, flash animation.
Koh Wee Kiat, Li Zhengguo David, Xue Mingqiang	Timing attacks on software systems. Remote timing attacks are practical. David Brumley & Dan Boneh, 12th USENIX Security Symposium.	slides, code.
Le Quang Vinh, Ho Ngoc Thoai, Thang Cam Hoa	Steganographic File Systems. StegFS: A Steganographic File System. Hwee Hua Pang, Kian Lee Tan, Xuan Zhou. Proceedings of the 19th International Conference on Data Engineering, Bangalore, India, 2003. StegFS: A Steganographic File System for Linux, Andrew D. McDonald, Markus G. Kuhn. In the proceedings of Workshop on Information Hiding, IHW'99, Dresden, Germany, Sept. 29-Oct. 1, 1999, LNCS, Springer-Verlag. The Steganographic File System. Ross Anderson, Roger Needham, Adi Shamir. In David Aucsmith (Ed.): Information Hiding, Second International Workshop, IH'98, Portland, Oregon, USA, April 15--17, 1998, Proceedings, LNCS 1525, Springer-Verlag, ISBN 3-540-65386-4.	slides.
Nguyen Ngoc Nhan, Tran Nam Hung	Digital Watermarking Techniques.	slides, code.
Kok Yew Meng, Liu Chen Lin, Quan Yeqiang, Derrick.	Smart card security. Which Security Policy for Multiapplication Smart Cards?. Efficient Block Ciphers for Smartcards. Mutual Authentication with Smart Cards. Investigations of Power Analysis Attacks on Smartcards. Breaking Up Is Hard to Do: Modeling Security Threats for Smart Cards.	slides.
Ng Joong Onn	Snort intrusion detection architecture and algorithms.	slides.
Cai Guan Yan, Teo Yongwei, Peter Lau	Intrusion Detection System/Worm Containment. Characterization of Network-Wide Anomalies in Traffic Flows. Intrusion Detection: A Bioinformatics Approach. Very Fast Containment of Scanning Worms.	slides.
Luc Charpentier	Implementing Pushback: Router-Based Defense Against DDOS Attacks. Controlling High Bandwidth Aggregates in the Network.	slides.
Tang Eik Hong, Nguyen Chi Dung	Cracking PkZip.	slides, extra stuff.
Tan Chee Kwang Desmond, Tan Tian Xiong Fabian	Primes is in P.	slides, extra stuff.

5.4.2 Schedule for last semester