Computer security and privacy
COM-301
Media
22, Lecture 5.4 - Authentication - Tokens
03.11.2021, 14:25
In this lecture, we discuss:
- Shortcomings of biometrics
- What is a token
- How tokens work
- Two factor authentication
13, Lecture 3.6 -Mandatory Access Control - Multi-property Security Models
10.10.2021, 10:37
In this block we discuss:
- The Chinese Wall model, that enables to combine confidentiality and integrity in the context of conflicts of interest
- A summary of the Mandatory Access Control lecture
12, Lecture 3.5 - Mandatory Access Control - Integrity Models
10.10.2021, 10:36
In this block we discuss:
- The Biba model for integrity
- Different implentations of security level change in Biba
- The process of Sanitization
21, Lecture 5.3 - Authentication - Biometrics
28.10.2021, 10:22
In this lecture we discuss:
- Problems with passwords
- What are biometrics and their advantages
- How to enroll (record) and verify (check) biometrics
- Biometrics require balancing false positives and false negatives
20, Lecture 5.2 - Authentication - Passwords
28.10.2021, 10:21
In this lecture we discuss:
- What are passwords
- How to transfer passwords securely
- How to store passwords securely
- How to check passwords securely
- Techniques to increase the security of passwords
19, Lecture 5.1 - Authentication - Basics
28.10.2021, 10:18
In this lecture we discuss:
- What is authentication
- Methods for user authentication
24, Lecture 6.2 - Adversarial thinking - Defender - Threat modelling
03.11.2021, 14:26
In this lecture we discuss:
- What is threat modelling
- A few threat modeling methodologies
23b, Demo Sudo bug (Lecture 6.1)
03.11.2021, 14:26
This video contains a demo of how to exploit a bug in Sudo
https://access.redhat.com/security/cve/cve-2019-14287
11, Lecture 3.4 - Mandatory Access Control - Confidentiality Models
10.10.2021, 10:36
In this block we discuss:
- The Bell La Padula model for confidentiality
- Covert Channels
- The difficulties of declassification
23, Lecture 6.1 - Adversarial thinking - Reasoning as an adversary
03.11.2021, 14:26
In this lecture we discuss:
- Why are attacks important
- What is the attacker thinking process and how to systematically find weaknesses
(The demo for the last bug will be given live in the Thursday Q&A)
General Information
General
Lecturer: Prof. Thomas Bourgeat, Dr. Theresa Stadler
Assistants
- Saiid El Hajj Chehade (SPRING)
- Christian Knabenhans (SPRING)
- Eric Jollès (SPRING)
- Malo Perez (CVLab)
- Mohamed Abbes (AE)
- Donia Gasmi (AE)
- Julian Levkov (AE)
- Robin Nicole (AE)
- André Peiry (AE)
- Samuel Steullet (AE)
- Lectures will be held only in-person every Thursday 9h15-12h00 in the STCC.
- Exercise sessions will be live and in-person every Thursday, 13h15-15h00
- the mid-term will be in-person and on site (on Thursday Nov 6 (closed book))
- the final exam will be held in-person and on site during the exam session in Jan/Feb (closed book)
In More Detail
Course Logistics
From Thursday Sept 6 on, every following week will have the same structure:
- Thursday (9h15-12h00 in the STCC). In-person lecture followed by an interactive problem solving session led by Prof. Thomas Bourgeat.
Thursday (13h15-15h00 in INF019, INF213): Q&A time. During the Q&A time, the TAs will be available to answer questions about the programming assignments (graded assignments), theory exercises, practice problem sets, or lecture material. The TAs best suited to answer questions about the programming homework are: Mohamed, Donia, Julian, Robin, André and Samuel. The TAs best suited to answer questions about theory are Eric, Saiid, Christian, and Malo.
Course Activities
There are four different types of activities that you are expected to actively participate in
- Lectures: Lectures will be held live and in-person this year. Slides (without notes) will be published before the start of each week's lecture. The lectures will convey the theoretical foundations that you will need to participate in all other course activities. You are expected to attend lectures to follow the course material. As a backup, recordings of the lectures from 2021 will be published.
- Interactive Problem Solving: Interactive exercise are a set of questions we will solve together (either the whole class or in small groups, see above) in an interactive manner. Mostly, these questions are very open and thus do not have one single correct solution. You are not expected to solve these exercises before coming to the interactive exercise session. The only preparation needed is to attend the lecture given that week. Some notes about the proposed solutions will be published after the exercise sessions. However, these are not a replacement for attending the exercise session itself and actively participating in the discussion. We expect students to actively participate in the interactive exercise sessions on Tuesdays and Thursdays. Actively participating enables students to practice their security skills and learn from their mistakes. This helps to better understand of the concepts taught in this course and will greatly help at the time of taking exams.
- Practice Problem Sets: Previous exams questions that we encourage you to solve during the exercise sessions Thursday afternoon.
- Programming assignments: These are graded assignments that you are expected to solve on your own and individually at home. If you get stuck or need help, the TA team will be available during dedicated hours to answer your questions.
- Theory
exercises: Each week, we will publish an exercise sheet with some
theory questions about the content of the course. These exercises are
meant to help you revisit the course material and prepare for the
midterm and the final exam. At the end of each week, we will release
written solutions to these exercises. You are expected to solve theory
exercises at home. If you have trouble solving some of the exercises or
to understand the proposed solutions, the TA team will be available
during dedicated hours to answer your questions.
"I have a question"
Grading
The final grade is computed as the maximum of the following two combinations
- 60% final ; 30% mid-term ; 10% programming assignments
- 90% final; 10% programming assignments
This means that the other activities: theory exercises, practice problem sets, in-class participation, will not be graded. Yet, we strongly recommend you perform them with the same attention as they will greatly help you in your graded activities
Programming assignments will be announced on the grading system (com301.epfl.ch). Each homework will be graded on 100 points. The final assignment grade will be computed on the total of 500 points. There is zero tolerance for collaboration on the homeworks. Before the first homework, get your Linux environment ready (Virtualbox). You may collaborate on the setup. More information on the homeworks and the publication and hand-in days can be found in the Programming homeworks page.
Reference books
(Here you can find a mapping between concepts taught in the course and these books in the section below)
- Computer security, by D. Gollmann - https://onlinelibrary.wiley.com/doi/full/10.1002/wics.106
- Security Engineering, by R. Anderson - https://www.cl.cam.ac.uk/~rja14/book.html
- Computer Security Principles and practice, by W. Stallings and L. Brown - http://williamstallings.com/ComputerSecurity/
Resources (previous exams, videos, programming homeworks)
- Info: Programming Homeworks (Page)
- Link: Programming Homeworks Server (URL)
- Info: Virtual Machine & Linux Short Manual (File)
- Download: Virtual Machine Image (VirtualBox, x86_64) (URL)
- Download: Virtual Machine Image (UTM, ARM64) (URL)
- Info: Mapping Course Topics to Books (File)
- Resource: Previous Exams (Folder)
- Resource: Video Recordings (URL)
- Link: Anonymous Feedback Form (URL)
Week 1.0: Preliminaries and Course Info
Week 1.1: Basic Concepts
- Lecture 1 - Basics (File)
- Theory Ex. 1 - Basics (File)
- Interactive Ex. 1 - Basics (File)
- Practice Problem Set. 1 - Basics (File)
- W1: Complementary Material (Folder)
Week 2: Security Principles
- Lecture 2 - Principles (File)
- Interactive Ex. 2 - Security Principles (File)
- Practice Problem Set. 2 - Security Principles (File)
- Theory Exercises 2 - Security Principles (File)
- W2: Complementary Materials (Folder)
Week 3: Access Control I - Discretionary Access Control
- Lecture 3 - Access Control I - DAC (File)
- Interactive Ex. 3 - DAC (File)
- Practice Problem Set. 3 - DAC (File)
- Theory Exercises 3 - DAC (File)
- W3: Complementary Materials (Folder)
Week 4: Access Control II - Mandatory Access Control
Videos for Lectures available here:
- Lecture 4 - Mandatory Access Control (File)
- Practice Problem Set. 4 - MAC (File)
- Theory Exercises 4 - MAC (File)
- W4: Complementary Material (Folder)
Week 5: Applied Cryptography I
- Lecture 5 - Applied Cryptography (File)
- Practice Problem Set. 5 - Cryptography I (File)
- Theory Ex. 5- Applied Cryptography (File)
- W5: Complementary Material (Folder)
- Module 1 Video (Kaltura Video Resource)
- Module 2 Video (Kaltura Video Resource)
- Module 3 Video (Kaltura Video Resource)
- Module 4 Video (Kaltura Video Resource)
- Module 5 Video (Kaltura Video Resource)
Week 6: Applied Cryptography II
- Homework 2 (URL)
- Lecture 6 - Applied Crypto II (File)
- Interactive Ex. 6 - Applied Crypto II (File)
- Practice Problem Set. 6 - Applied Crypto II (File)
- Theory Exercises 6 - Applied Crypto II (File)
- W6: Complementary Material (Folder)
- Previous Year Crypto Lecture Videos (Page)
Week 7: Authentification
Videos for Lectures available here:
Authentication 1, Authentication 2, Authentication 3, Authentication 4
- Lecture 7 - Authentication (File)
- Practice Problem Set. 7 - Authentication (File)
- Theory Exercises 7 - Authentication (File)
- W7: Complementary Material (Folder)
Week 8: Adversarial Thinking & Midterm
Videos for Lectures available here:
Adversarial Thinking 1, Sudo bug demo, Adversarial Thinking 2
- Lecture 8 - Adversarial thinking I (File)
- Interactive Ex. 8.1 - Adversarial Thinking I (File)
- W8: Complementary Material (Folder)
Week 9: Adversarial Thinking II
- Lecture 9 - Adversarial thinking - II (File)
- Interactive Exercises 9 - Adversarial Thinking II. (File)
- Practice Problem Set. 9 - Adversarial Thinking II (File)
- Theory Exercises 9 - Adversarial Thinking II (File)
- W9: Complementary Material (Folder)
Week 10 - Software Security
- Lecture 10 - Software Security (File)
- Practice Problem Set. 10 - Software Security (File)
- Theory Exercises 10 - Software Security (File)
- W10: Complementary Material (Folder)
Week 11 - Network Security I
- Lecture 11 - Network security I (File)
- Interactive Exercises 11 - Network Security I (File)
- Practice Problem Set. 11 - Network Security I (File)
- Theory Exercises 11 - Network Security I (File)
- W11: Complementary Material (Folder)
Week 12 - Network Security II
- Lecture 12 - Network Security II (File)
- Interactive Exercises 12 - Network Security II (File)
- W12: Complementary Material (Folder)
Week 13 - Privacy
- Lecture 13 - Privacy (File)
- Interactive Exercises 13 - Privacy (File)
- Practice Problem Set. 13 - Privacy (File)
- Theory Exercises 13 - Privacy (File)
- W13: Complementary Material (Folder)
Week 14 - Malware
- Lecture 14 - Malware (File)
- Interactive Exercises 14 - Malware (File)
- Practice Problem Set. 14 - Malware (File)
- Theory Exercises 14 - Malware (File)
- W14: Complementary Material (Folder)