CS 587: Computer Systems Security

A note about the course

This is a broad, conceptual course about computer security. In general, computer security is the study of what is the effect on computing when there are attackers. The attacker is by defintion an intelligent adversary. Thus the attacker will seek the weakest link(s) in attacking a system. This threat cannot be defended against by a single technique or a single set of techniques. This course paints a broad picture of computer security, with an emphasis on how computer security affects computer systems.

This is a systems course, so it is advisable that students have some systems background and hence it is desirable to have a background in CS 385, CS 366, and/or CS 450. This is not a programming intensive course like CS 486 (Secure Operating System Design and Implementation).


  • Presentations on Thursday and Friday in 1/2 hour slots, Format Q&A and for programming projects be prepared to demo
  • Non-programming projects will be due Wed. Dec 13th at midnight by email to the class account. Non-programming projects should describe the problem being solved, the proposed solution, and an (original) analysis of the solution. All source materials must be cited. Programming projects should bring listing to presentation.
  • There is no final exam.
  • If you got a 0 on question 4 on the test, and have submitted an Ethos program for grading you will need to demonstrate significant knowledge of Ethos programming during your project presentation. I don't believe there is any way that one can do so without doing the Ethos program.
  • Oral exams for those that missed the test will be on Wed. at 3:00
  • Tests have been graded and were handed back in class
  • Nov. 27 class: Questions and Answers for the test
  • HW. solutions handed out Nov. 27th
  • Ethos test on November 29th (you are allowed one 8.5"x11" sheet of paper, printed 10pt or larger)
  • Ethos (revised) project assignment out here. This has student assignments on it.
  • Ethos programming assignment (due Nov.11). Write a program with two functions, populate(count int) and find(pt box.Point).
    • The function populate creates count Boxes with random ll (lower left point) and ur (upper right point) where ll.x < ur.x and ll.y < ur.y. Each box is written to the directory /user/nobody/boxes.
    • The function find goes through the directory /user/nobody/boxes. and prints to the log each box that contains pt.
  • Piazza is up for the course. You should have received email.
  • Ethos Assignment
    • GoOnEthos manual here
    • Download (1.5GB) Ethos image here
    • Download Checksum sha256
    • Check integrity with sha256sum -c Fedora24-ethos-binaries-2017-10-25.ova.sha256
    • Download Ethos program tar here
    • Import Ethos image into VirtualBox
    • Login using to Ethos using the following credentials: login: ethos password: ethos
    • Copy over the ethosProgramExample.tar to home directory and untar it
    • In ~/ethosProgramExample: Run make and make install to create an ethos Instance and install myProgram in it
    • In ~/ethosProgramExample/server: After that run:
      • sudo ethosRun -t (-t specifies the timed mode and it will run for 6 seconds only)
      • Run ethosLog . to see the logs and your expected output
      • Verify the files being written at /user/nobody/
  • Homework 3 has a revised due date below.
  • Typos: when you find typos, please let me know. Give page number and paragraph.
    • judgement -> judgment
    • double x <= y in example
  • Homework 3: Chapter 4: problems 20--30 (Due Oct 23rd midnight)
  • Homework must be in PDF, and is to be submitted by email to cs587@ethos-os.org. Subject should have "Homework 1" for the 1st homework.
  • Classes on 29th of September and 6th October added (LC A7) at 6:00.
  • Classes on 2nd and 4th of October cancelled
  • Homework 2: Chapter 3: problems 42, 43, 47, 50, 56, 57, 59;
  • Homework 1: Chapter 3, problems 1, 4, 5, 7, 10, 14, 17, 20, 22, 24, 29, 36, 41 (Due Oct. 1st midnight)

Required Text

    We'll be using my manuscript which we used last time. Its over 500 pages at this point (we cover about 1/2 in this course) plus front and back matter.

Required work

  1. 1 Midterm (20%)
  2. 1 Final (30%)
  3. Class Project (30%)
  4. Programming project (Ethos) (10%)
  5. Homeworks (10%)


This course explores in depth Computer Security. Computer security is a subject of growing concern as a result of increasing
  1. number of computers on the Internet;
  2. number of services on the Internet;
  3. amount of sensitive information on the Internet;
  4. reliance on computers for organizations; and
  5. commonality of software and hardware.

This course will examine:

  • Definition of computer security
  • Security models (eg. Chinese Wall, Bell-LaPadula, and Clark Wilson) and properties (eg. information flow, non-interference, separation of duties)
  • Computer systems structure and its impact on security
  • Authentication
  • Errant programs
  • Attacks
  • Assurance that systems meet their security goals
  • Access control models, their use and analysis (eg. POSIX/Unix models, Lattice, Type enforcement, LEAP)
  • Covert channels and their analysis
We shall examine these issues from the perspective of the white hats--those that protect the system--and the black hats--those that attack the system.

This is a systems course, and while it is intended to be self-contained will explore issues primarily in software including operating systems and applications software.

Required Work

The work is going to include:
  • homework assignments,
  • programming assignments (these are not intended to be very large),
  • test(s) and
  • Possibly a course project, depending on the availability of software.
Recommended Reading:
  • Ross Anderson, Security Engineering, John Wiley. (Really nice discussions of many topics and very readable. Highly recommended.)
  • Pfleeger and Pfleeger, Security in Computing, Prentice-Hall, 3rd Edition. (Used last time for this course, good coverage of OS issues.)
  • Gollmann, Computer Security, John Wiley. (Broad coverage, but terse)

Undergraduates wishing to take the course should send me email with the following information:

  • Number of completed credit hours
  • Any required courses not yet taken.
  • List of 400 level courses taken (and grades achieved).
  • Background in OS
  • Are you requesting course count as a technical elective (this will be harder)
  • Have you filed a petition?
  • Reason for wanting to take the course

Jon A. Solworth
Last modified: 29 August 2012