Introduction to Computer Security

Professors Goodrich and Tamassia are well-recognized researchers in computer security, algorithms and data structures, having published many papers on these subjects, with applications to computer security, cryptography, cloud computing, information visualization, and geometric computing. They have served as principal investigators in several joint projects sponsored by the National Science Foundation, the Army Research Office, and the Defense Advanced Research Projects Agency. They are also active in educational technology research, and they have published several books, including a widely adopted textbook on data structures and algorithms.Michael Goodrich received his Ph.D. in computer science from Purdue University. He is currently a Chancellor’s Professor in the Department of Computer Science at University of California, Irvine. Previously, he was a professor at Johns Hopkins University. He is an editor for the Journal of Computer and Systems Sciences and the Journal of Graph Algorithms and Applications. He is a Fulbright Scholar, a Distinguished Scientist of the Association for Computing Machinery (ACM), and a Fellow of the American Association for the Advancement of Science (AAAS), the ACM, and the Institute of Electrical and Electronics Engineers (IEEE).Roberto Tamassia received his Ph.D. in electrical and computer engineering from the University of Illinois at Urbana-Champaign. He is currently the Plastech Professor of Computer Science and the chair of the Department of Computer Science at Brown University. He is a founder and editor-in-chief for the Journal of Graph Algorithms and Applications. He previously served on the editorial board of Computational Geometry: Theory and Applications and IEEE Transactions on Computers. He is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE).In addition to their research accomplishments, the authors also have extensive experience in the classroom. For example, Goodrich has taught data structures and algorithms courses, including Data Structures as a freshman-sophomore level course, Applied Cryptography as a sophomore- junior level course, and Internet Algorithmics as an upper level course. He has earned several teaching awards in this capacity. Tamassia has taught Data Structures and Algorithms as an introductory freshman-level course and Computational Geometry as an advanced graduate course. Over the last several years he has developed "Introduction to Computer Systems Security," a new computer security course aimed at sophomores. His teaching of this course since 2006 has helped to shape the vision and topics of this book. One thing that has set his teaching style apart is his effective use of interactive hypermedia presentations integrated with the web.

• 1 Introduction 11.1 Fundamental Concepts . . . . . . . . . . . . . . . . . . . . . 21.2 Access Control Models . . . . . . . . . . . . . . . . . . . . . 191.3 Cryptographic Concepts . . . . . . . . . . . . . . . . . . . . . 251.4 Implementation and Usability Issues . . . . . . . . . . . . . . 391.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Physical Security 552.1 Physical Protections and Attacks . . . . . . . . . . . . . . . . 562.2 Locks and Safes . . . . . . . . . . . . . . . . . . . . . . . . . 572.3 Authentication Technologies . . . . . . . . . . . . . . . . . . . 712.4 Direct Attacks Against Computers . . . . . . . . . . . . . . . 882.5 Special-Purpose Machines . . . . . . . . . . . . . . . . . . . 992.6 Physical Intrusion Detection . . . . . . . . . . . . . . . . . . . 132.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1063 Operating Systems Security 1133.1 Operating Systems Concepts . . . . . . . . . . . . . . . . . . 1143.2 Process Security . . . . . . . . . . . . . . . . . . . . . . . . . 1303.3 Memory and Filesystem Security . . . . . . . . . . . . . . . . 1363.4 Application Program Security . . . . . . . . . . . . . . . . . . 1493.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1664 Malware 1734.1 Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 1744.2 Computer Viruses . . . . . . . . . . . . . . . . . . . . . . . . 1814.3 Malware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 1884.4 Privacy-Invasive Software . . . . . . . . . . . . . . . . . . . . 2024.5 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . 2084.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2155 Network Security I 2215.1 Network Security Concepts . . . . . . . . . . . . . . . . . . . 2225.2 The Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . 2295.3 The Network Layer . . . . . . . . . . . . . . . . . . . . . . . . 2365.4 The Transport Layer . . . . . . . . . . . . . . . . . . . . . . . 2465.5 Denial-of-Service Attacks . . . . . . . . . . . . . . . . . . . . 2565.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2646 Network Security II 2696.1 The Application Layer and DNS . . . . . . . . . . . . . . . . . 2706.2 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2876.3 Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2926.4 Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . 2996.5 Wireless Networking . . . . . . . . . . . . . . . . . . . . . . . 3136.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3227 Web Security 3277.1 The World Wide Web . . . . . . . . . . . . . . . . . . . . . . 3287.2 Attacks on Clients . . . . . . . . . . . . . . . . . . . . . . . . 3477.3 Attacks on Servers . . . . . . . . . . . . . . . . . . . . . . . . 3687.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3828 Cryptography 3878.1 Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . 3888.2 Public-Key Cryptography . . . . . . . . . . . . . . . . . . . . . 4068.3 Cryptographic Hash Functions . . . . . . . . . . . . . . . . . 4178.4 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 4218.5 Details on AES and RSA . . . . . . . . . . . . . . . . . . . . 4258.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4399 Security Models and Practice 4459.1 Policy, Models, and Trust . . . . . . . . . . . . . . . . . . . . . 4469.2 Access Control Models . . . . . . . . . . . . . . . . . . . . . 4509.3 Security Standards and Evaluation . . . . . . . . . . . . . . . 4609.4 Software Vulnerability Assessment . . . . . . . . . . . . . . . 4649.5 Administration and Auditing . . . . . . . . . . . . . . . . . . . 4709.6 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4759.7 Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . 4799.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48410 Distributed-Applications Security 48710.1 Database Security . . . . . . . . . . . . . . . . . . . . . . . . 48810.2 Email Security . . . . . . . . . . . . . . . . . . . . . . . . . . 50010.3 Payment Systems and Auctions . . . . . . . . . . . . . . . . . 51310.4 Digital Rights Management . . . . . . . . . . . . . . . . . . . 51910.5 Social Networking . . . . . . . . . . . . . . . . . . . . . . . . 52810.6 Voting Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 53110.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535