ECE 597AB/697AB Security Engineering

Syllabus

Course Meetings: Tuesday and Thursday 11:30am-12:45pm, room: Marston 211

Instructor: Wayne Burleson, Electrical and Computer Engineering

Contact: Office: Knowles 309B; Office Hours: Tues/Thurs 2:30-3:30 (tentative)

Credits: 3

Course Description:

This course provides an introduction to the new area of Security Engineering, and provides examples drawn from recent research at UMASS and elsewhere. Security Engineering is a multi-disciplinary field combining technical aspects of Applied Cryptography, Computer Engineering, and Networking as well as issues from Psychology, Sociology, Policy and Economics. Several guest lectures will be presented by experts in these disciplines. 597AB is a survey course with a project that reviews and analyzes an existing security implementation from the literature. 697AB is also a survey course but looks more deeply into the topics and requires students to design, implement and analyze their own security implementation.

Text:

Ross Anderson, Security Engineering - A Guide to Building Dependable Distributed Systems, 2nd edition, 2008. The entire book is available free on-line as a PDF. Although this book is 9 years old, I still believe it provides a strong foundation for the course. Additional topics will be added from the recent literature.

Pre-requisites:

Students should be seniors or graduate students in either Electrical and Computer Engineering or Computer Science. Other students should contact the instructor.

Learning Objectives:

  • Students will learn how to model the assets, threats, vulnerabilities and defense mechanisms for various systems.
  • Students will learn how to consider human factors, policy and economics related to computer security.
  • Students will learn about both classical and more recent attacks and how to defend against them.
  • Students will learn how to engineer secure systems, from hardware and software, to applications.

Grading:

Exam and quizzes on basics covered in first portion of course 40%. This material will include an assessment of current security techniques and design principles.

Presentation/Report from the Literature 30%. 547 students will be expected to read the external research literature and present a summary of the key findings in papers.
647 students will be expected to have a deeper understanding of the papers, including criticism of assumptions and methods as well as suggested extensions.

Project 30%. 547 will do a project that reviews and analyzes an existing security implementation from the literature. 647 projects require students to design, implement and analyze their own security implementation.

Selected Topics:

  • Technical engineering basics — applied cryptography, protocols, access controls, cryptography hardware and software implementations.
  • Types of attack — web exploits, card fraud, hardware hacks, electronic warfare, tampering, side-channels, malicious hardware
  • Specialized protection mechanisms — biometrics, seals, smartcards, RFID, alarms, and DRM, and how they fail
  • Security economics — why companies build insecure systems, why it's tough to manage security projects, and how to cope
  • Security psychology — the privacy dilemma, what makes security too hard to use, and why deception will keep increasing
  • Ethics — vulnerability disclosure
  • Policy — why governments waste money on security, why societies are vulnerable to terrorism, and what to do about it
  • How to explore, read, critique, present and extend a wide variety of research literature in security engineering and related fields.
  • How to plan, execute and report a research project

Student Presentations: Small groups (2-4 students) will do a ½ hour presentation of 2-3 papers on an important topic in Security Engineering. Papers should at least be summarized and, for 647, should be critiqued and compared, with suggestions made for improvement and extension. Topics can be drawn from the extensive bibliography in the textbook as well as recent research at UMass and elsewhere. It is expected that this presentation will lead into your project. Depending on the enrollment of the course, this should take about 3-5 weeks with 2 presentations per class period. All students are expected to attend all presentations, read all of the papers in advance, and actively participate in the discussion. This is part of the presentation grade.

Projects: Projects will involve small groups (2-4 students) and should build on the presentation. Projects will probably involve one of the following: 1) simulation, 2) implementation, 3) comparison, 4) vulnerability analysis. Projects should also consider at least one multi-disciplinary aspect such as Psychology, Economics, Policy, Ethics, etc. Project ideas should be discussed with the instructor, and written 5 page proposals will be due by week 6. Final project reports will be due at the end of the semester.

Some project ideas:

  • Implementation of a cryptosystem and analysis of its vulnerabilities across a wide spectrum
  • Study of threat models in a particular application domain and recommendations for protection mechanisms including economic implications.
  • Comparison of two or more different approaches to a security problem.

See the research ideas at the end of each textbook chapter; e.g., here are some on p. 61.

  • Are there any neat ways to combine things like Passwords, CAPTCHAs, images and games so as to provide sufficiently dependable two-way authentication between humans and computers?
  • Are there any ways of making middleperson attacks sufficiently harder that it doesn’t matter if the Mafia owns your ISP?

This is a collection of recent research papers describing secure systems and components, their design, use and various types of attacks. The papers all appear in IEEE or ACM archives. I also included links to some of the author web-sites that provide more information and papers in these exciting areas. Enjoy!

  1. RFID security and privacy: A research survey
     A Juels - IEEE Journal on Selected Areas in Communications, 2006

  2. Comprehensive Experimental Analyses of Automotive Attack Surfaces
     T. Kohno et al - USENIX Security Symposium, August 2011.

  3. Designing for Audit: A Voting Machine with a Tiny TCB
     R. Gardner, S. Garera, A. Rubin, Financial Cryptography Conference, 2010

  4. They Can Hear Your Heartbeats: Non-Invasive Security for Implanted Medical Devices
     S Gollakota, H Hassanieh, B Ransford, D Katabi, K Fu
     In Proceedings of ACM SIGCOMM. August 2011.

  5. Who Controls the off Switch?
     R. Anderson, S. Fuloria, IEEE International Conference on Grid Communications, 2010

  6. On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme
     T Eisenbarth, T Kasper, A Moradi, C Paar… - Advances in Cryptology …, 2008

  7. Power-Up SRAM State as an Identifying Fingerprint and Source of True Random Numbers
     D. Holcomb, W. Burleson, K. Fu, IEEE Transactions on Computers, 2009

  8. Transient Based Identification of Sensor Nodes
     B Danev, S Capkun, ACM/IEEE IPSN 2009

New possibilities: CLKScrew, something on Block-Chains, something new from Kevin, something new from Christof, Srdjan, Anderson, Bio/Genomic privacy

Accommodation Statement

The University of Massachusetts Amherst is committed to providing an equal educational opportunity for all students. If you have a documented physical, psychological, or learning disability on file with Disability Services (DS), you may be eligible for reasonable academic accommodations to help you succeed in this course. If you have a documented disability that requires an accommodation, please notify me within the first two weeks of the semester so that we may make appropriate arrangements.

Academic Honesty Statement

Since the integrity of the academic enterprise of any institution of higher education requires honesty in scholarship and research, academic honesty is required of all students at the University of Massachusetts Amherst. Academic dishonesty is prohibited in all programs of the University. Academic dishonesty includes but is not limited to: cheating, fabrication, plagiarism, and facilitating dishonesty. Appropriate sanctions may be imposed on any student who has committed an act of academic dishonesty. Instructors should take reasonable steps to address academic misconduct. Any person who has reason to believe that a student has committed academic dishonesty should bring such information to the attention of the appropriate course instructor as soon as possible. Instances of academic dishonesty not related to a specific course should be brought to the attention of the appropriate department Head or Chair. Since students are expected to be familiar with this policy and the commonly accepted standards of academic integrity, ignorance of such standards is not normally sufficient evidence of lack of intent.

Inclusivity Statement

We are all members of an academic community with a shared responsibility to cultivate a climate where all students/individuals are valued and where both they and their ideas are treated with respect. The diversity of the participants in this course is a valuable source of ideas, problem solving strategies, and engineering creativity. If you feel that your contribution is not being valued for any reason, please speak with me privately. You may also speak with Dr. Paula Rees, Assistant Dean for Diversity (413.545.6324, Marston 128), submit a comment to the box on the door of Marston 128, or submit an anonymous comment online.

Questionnaire:

(to be returned in first lecture or by email in first week)

Name:

Department/Year (e.g. ECE, 2nd year MS or CompSci, Senior)

Email (legible!):

Why are you taking this course?

Any relevant background? Other courses? Jobs?

Project Ideas?