Information Security and Computer Systems: An Integrated Approach
Mark A. Holliday and Bill Kreahling, Dept of Mathematics and Computer Science, Western Carolina University
InfoSecCD 2006, Kennesaw, GA, 23 September 2006

Acknowledgements

Thank you for financial support from Software Producibility, Office of Naval Research, Award #N000140510817, 2005-2006.

Overview

Motivations for Change
Guidelines: ACM, IEEE-CS, ABET-CAC
New Curriculum Framework
Initial Information Security Option
Final Information Security Option
InfoSec I and Internet Protocols
InfoSec II and Operating Systems
Conclusions

Motivations for Change

Issue: How to create a prominent role for Information Security in
  – a B.S. in Computer Science curriculum
  – consistent with ACM/IEEE-CS/ABET-CAC guidelines
  – a small computer science program
  – a way that shows the close connection to computer systems
Result: One Design and Rationale

Motivations for Change

Why?
Information security is of increasing importance
Want to reinforce the computer systems courses and the information security courses by showing their interconnections
  – Goal is technical insight, not technical skill per se
Want to provide the students more choices
  – in a way that organizes those choices into coherent themes

Motivations for Change

Additional constraints
  – Must be consistent with curriculum guidelines for a B.S. in Computer Science degree
  – Must be feasible for a small computer science program (70 majors; 10-15 graduates per year)
We present one design and its rationale that meets these constraints

Guidelines: ACM, IEEE-CS, ABET-CAC

2001 ACM/IEEE Computer Society Curriculum Guidelines for Computer Science
  – Encourages a small core combined with options
  – Body of Knowledge (BoK)
  – Subset of BoK that should be in any computer science curriculum

Guidelines: ACM, IEEE-CS, ABET-CAC

ABET-CAC (Computing Accreditation Commission) Accreditation Criteria
  – “IV-6. The core materials must provide basic coverage of algorithms, data structures, software design, concepts of programming languages, and computer organization and architecture.”

New Curriculum Framework: The Options

How many courses and how many prerequisites?

Ideal
  – Many courses in an option to cover the area well
  – Student must have completed all of the courses in the core (with at least a grade of C)

New Curriculum Framework: The Options

Reality
  – Degree needs to be 120 credit hours
  – 54 credit hours of Liberal Studies and General Electives
  – Student must be able to graduate in four years (assuming satisfactory progress)
  – 2+2: Transfer students with an A.S. degree should be able to graduate in two years

New Curriculum Framework: The Options

Compromise
  – Major has 40 hours of CS courses and 31 hours of Mathematics and Sciences
  – CS Core is 25 hours
  – Options are 15 hours (5 courses of 3 credit hours)
  – Option courses have as prerequisites
      • second programming course (our CS2, locally CS151)
      • our intro to computer systems course (for most option courses)

New Curriculum Framework: The Options

Three Options:
  – Computer Systems
  – Information Security
  – Custom
All options allow at least one free choice
  – Recall goal of more student choices => at most four required courses in an option

Initial Information Security Option

Two key computer systems courses
  – Operating Systems and Internet Protocols
Pair each with an information security course that covers the corresponding security issues
  – Operating Systems => Computer Security
  – Internet Protocols => Internet Security
The two pairs are independent

Final Information Security Option

Independence does not work because so many topics build on cryptography and its security uses
Solution:
  – Order them with new names
      • Information Security I and II
Internet Protocols co-req first
  – Since cryptographic applications are more naturally developed for internet security

InfoSec I and Internet Protocols

Example Cross-Connections
InfoSec I: authentication and example attacks
Internet Protocols: TCP connection establishment handshake
  – 3-way, random start sequence numbers, including random start sequence number for the other side

InfoSec I and Internet Protocols

Example Cross-Connections
InfoSec I: message integrity and non-repudiation
  => Digital signatures and message digests
  => Hash functions
Internet Protocols: hash functions for error detection
  – Checksums in UDP, TCP, and IP
  – Cyclic Redundancy Check in Ethernet

InfoSec I and Internet Protocols

Example Cross-Connections
InfoSec I: trusted intermediaries, key distribution, and certification
Internet Protocols: development of IPC (Inter-Process Communication)
  – Sockets
  – Remote Procedure Call/Remote Method Invocation
  – Web services
  – Grid computing (Globus, SimpleCA certificate authority)

InfoSec I and Internet Protocols

Example Cross-Connections
InfoSec I: firewalls and packet filtering rules
Internet Protocols: IP routing tables and key packet header fields
  – IP addresses
  – UDP/TCP source and destination ports
  – ICMP message type
  – Other TCP header bits: SYN and ACK

InfoSec II and Operating Systems

Example Cross-Connections
InfoSec II: process address space vulnerabilities
Operating Systems: segment protection (read-only versus read-write), stack overflow, memory management protection features (segmentation faults during address translation)

InfoSec II and Operating Systems

Example Cross-Connections
InfoSec II: program vulnerabilities, buffer overflows and software reverse engineering
Operating Systems: assembly language, code analysis, automatic bounds checking

InfoSec II and Operating Systems

Example Cross-Connections
InfoSec II: system vulnerabilities
Operating Systems:
  – trapping to the kernel (PSW and Interrupt Vector Table) and changing from user mode to kernel mode (not allowed machine instructions)
  – access control, file permission modes, setuid bit

Conclusions

Issue: How to create a prominent role for Information Security in
  – a B.S. in Computer Science curriculum
  – consistent with ACM/IEEE-CS/ABET-CAC guidelines
  – a small computer science program
  – in a way that shows the close connection to computer systems
Result: One Design and Rationale