Security Engineering (2016 Spring) · 2017-08-14


Page 1

Course overview

Hyoungshick Kim

Department of Computer Science and Engineering

College of Information and Communication Engineering

Sungkyunkwan University

Security Engineering (2016 Spring)

Page 2

• Assistant Professor in Department of Computer Science and Engineering

• Research interests:

• security engineering

• usable security (e.g., user authentication)

• security and privacy of online social networks (in PhD)

• software security

• Lecture: Mon 12:00-13:15, Wed 15:00-16:15

• Office hours: Wednesdays 11-12, 27324

• http://seclab.skku.edu/people/hyoungshick-kim/

• Email: [email protected]. Please include [보안공학] in the subject of your e-mail.

Instructor – Hyoungshick Kim

Page 3

Course orientation

1. Intended audience

2. Aims

3. Textbook

4. Class schedule

5. Evaluation

Page 4

• Graduate students who

• want to know how a secure system is developed

• want to get background in information security

• might do research in information security

Intended audience

Page 5

• To give you a thorough understanding of information security technology

• Security policy (what should be protected)

• Engineering (how we can obtain assurance that the protection provided is adequate)

• Protection mechanisms (cryptography, software security, …)

• Attacks (malicious code, protocol failures, …)

• To help you do research in information security

Aims

Page 6

Textbook

• Security Engineering by Ross Anderson: http://www.cl.cam.ac.uk/~rja14/book.html

• Information Security: Principles and Practice by Mark Stamp

• Introduction to Computer Security by Michael Goodrich and Roberto Tamassia

• Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone: http://www.cacr.math.uwaterloo.ca/hac/

• Papers

Page 7

Class schedule 1st

Week  Topic
1     Course overview & Introduction to computer security/security engineering
2     Security policy & Access control
3     Security protocols I
4     Security protocols II
5     Cryptography I
6     Cryptography II
7     Cryptography III
8     Network security

Page 8

Class schedule 2nd

Week  Topic
9     Term project proposal presentations (no midterm exam)
10    Software security I
11    Software security II
12    OS security
13    Web security / Usable security
14    Database security / Security economics
15    Mini-conference
16    Final term exam

Page 9

Evaluation

• Assignments (25%)

• Final term (25%)

• Term project (40%)

– Proposal (10%)

– Results (30%)

• Participation in classroom discussion (10%)

https://docs.google.com/spreadsheets/d/1GHOwsRwi_-60zglgKuWG9XgT62tMMpSerEvAMIfkUqw/edit?usp=sharing

Page 10

Evaluation - Assignments

• 1 reading report (for a security research paper) in English (10%)

The best reports will be selected for presentation (extra credit 1~5).

• 3 programming assignments (15%)

Page 11

An assignment winner in a previous semester

Page 12

Assignments – Reading report

• Your reading report should be organized as follows:

– Title

– Your name, student ID

– Summary, which should include:

• Motivation of the paper

• Which problem the paper is trying to solve

• Key ideas to solve the problem

• How authors evaluate their solution

– Strength of the paper

– Weakness of the paper

– Future work (not mentioned by the authors)

You have your own deadline!

Page 13

Reading report schedule 1st

Week  Date   Topic
1
2
3     03/14  강현련, 고상준, 김동용
4     03/19  김소영, 김은수, 김이진
5     03/26  김종명, 김지원, 김진우
6     04/02  박재우, 서찬수, 여윤석
7     04/09  이소라, 이수연, 최현재
8

Page 14

Reading report schedule 2nd

Week  Date   Topic
9            No midterm exam
10    04/30  이형규, 임진호, 조금환
11    05/07  차승훈, 최주섭, 박열
12    05/14  채근홍, 김민창, 김재훈
13    05/21  이경준, 이한나, 조릭
14
15           Term project presentation
16           Final term exam

Page 15

How to choose your paper

• You can choose a paper from the top-tier conferences (2013~2016)

– General: IEEE S&P (Oakland), USENIX Security, ACM CCS, NDSS

– (2nd General: ESORICS, Euro S&P, ACSAC, AsiaCCS)

– Hardware: CHES

– Usable Security: CHI, SOUPS

– Security Economics: WEIS

– Privacy: PETS

– Financial Security: FC

– Malware/Intrusion Detection: RAID, DIMVA

– Etc. (e.g., USENIX WOOT: offensive research)

You are encouraged to discuss your choice of paper with me.

Page 16

Final term exam

Open book! Open network!

Page 17

Term project

• (1) Proposal presentation + (2) Results presentation + (3) Paper submission

• Project types

– Design projects attempt to solve some interesting problem by proposing a design, implementing a prototype, and using the implementation as a basis for evaluating the proposed system architecture.

– Analysis projects study previously proposed solutions and existing systems, evaluate their security properties, find security flaws, and provide new insight into how to build secure systems.

– Survey projects review previous work on a specific subject and present a structured overview including a set of important references (e.g., papers in ACM Computing Surveys).

Page 18

Term project – design project examples

• Sandbox for embedded devices

• Memory protection for operating systems

• User authentication methods for IoT devices

• Secure electronic voting on the Internet

• Secure device pairing for home networks

• Hash algorithms for password salts

• Access controls for social networks

• Information flow tracking for user privacy

• Lightweight hypervisor for code integrity

Page 19

Term project – analysis project examples

• Software/Hardware attacks on existing systems

• Side channel analysis on software/hardware

• Security analysis of random numbers (in real-world systems, e.g., OTP)

• Harvesting private information using online social networks

• Security analysis of location services

• Network traffic analysis

• Analyzing potential privacy risks for new security features (e.g. Samsung payment)

• Analyzing security and usability of existing security applications

• Analyzing the correlation between user personality and privacy concerns

• Analyzing e-commerce fraud cases

Page 20

Term project - rules

• Each project should have some "research" aspect.

• You should work in a small group of 3-4 students.

• Important dates

– Proposal: April 25, 27

– Results presentation (with a 1-minute movie clip on YouTube): June 11, 9:00

– Final report: June 19, midnight (NO EXTENSION!!)

Page 21

Term project - awards

Awards will be announced at the end of the mini-conference in the following categories:

– Best paper

– Best practical paper

– Best presentation paper

Page 22

Term project – ethical issues

If your project deals with vulnerabilities (e.g., software vulnerabilities in a given program or design weaknesses in a hardware system), you need to discuss in detail the steps you plan to take to address these vulnerabilities (e.g., by carefully disclosing the vulnerabilities to the vendors).

Page 23

Term project – academic results

• “We are still vulnerable to clickjacking attacks: about 99% of Korean websites are dangerous”, WISA: The 14th International Workshop on Information Security Applications, 2013.

• “Security Analysis of Mobile Authentication using QR-Codes”, NCS: The 7th International Conference on Network & Communication Security, 2015. https://www.youtube.com/watch?v=u7PMdPaC2Vk

• “Wrong Siren! A location spoofing attack on indoor positioning systems: the Starbucks case study”, National Cryptography Contest 2015, paper category, Encouragement Award (prize 500,000 KRW); IEEE Security & Privacy Magazine (under submission). https://www.youtube.com/watch?v=tdS7MsyhRWg

Page 24

Questions?