ECS 153 -- Computer Security (Winter 2006)

Contact

Material

• Course web page
• 01/11, Robust programming. Fragile example program: fragile.c
• 02/08, Fortify Source Code Analyzer. Hint: Use a command like
  /usr/local/FortifySoftware/SCAS-TE/sourceanalyzer -format fvdl gcc file.c > results.xml
  to run sourceanalyzer on file.c and dump the results in the XML file results.xml. Then use the nice graphical auditworkbench:
  /usr/local/FortifySoftware/SCAS-TE/auditworkbench results.xml &
• 02/22, Campus authentication system and Kerberos. See links below.
• 03/01, Security auditing tools: Nmap and Nessus. See links below.
• 03/08, Process user-IDs, stat and chown syscalls. Example for stat(), Example for seteuid(), also see links.

Links

• Schneier on Security. Highly recommended security blog by Bruce Schneier.
• Light Blue Touchpaper. Blog by the Security Research Group at Cambridge University.

• Fortify Taxonomy of Software Security Errors
• Secure Programming for Linux and Unix HOWTO
• The Open Group Single UNIX Specification
• Flawfinder (a free static analysis tool, very informative homepage with lots of links)

• Campus authentication system explained
• Designing an Authentication System: A Dialogue in Four Scenes. Humorous play describing how the design of Kerberos evolved.
• Handbook of Applied Cryptography. Very good (and free!) book. See chapter 12, p. 500-501 for Kerberos.
• Kerberos 5 RFC (proposed standard)
• Kerberos Wikipedia page

• As always, use the auditing tools below ethically and with the consent of the system administrator and the target machine's owner!
• Nmap homepage (very resourceful and entertaining!)
• Nessus Vulnerability Scanner
• Google for "Nmap tutorial"
• Google for "Nessus tutorial"
• DShield Distributed IDS, also has live maps about current attacks. Neat.
• Interview with Nmap creator Fyodor
• Very instructive video tutorials

• Writing Safe Setuid Programs. Talks and tutorials by Matt Bishop.
• Advanced Programming in the UNIX(R) Environment. Book by W. Richard Stevens.
• Advanced UNIX Programming Book by Marc J. Rochkind.
• Linux Magazine article explaining setuid programs (sorry, you need to register for this. It's free, though.)
• Setuid Demystified Paper by Hao Chen, David Wagner, and Drew Dean.
• Unix Incompatibility Notes: UID Setting Functions. By Jan Wolter.