Computer security and privacy

COM-301

Media

22, Lecture 5.4 - Authentication - Tokens

03.11.2021, 14:25

In this lecture, we discuss:

- Shortcomings of biometrics

- What is a token

- How tokens work

- Two factor authentication

13, Lecture 3.6 -Mandatory Access Control - Multi-property Security Models

10.10.2021, 10:37

In this block we discuss:

- The Chinese Wall model, that enables to combine confidentiality and integrity in the context of conflicts of interest

- A summary of the Mandatory Access Control lecture

12, Lecture 3.5 - Mandatory Access Control - Integrity Models

10.10.2021, 10:36

In this block we discuss:

- The Biba model for integrity

- Different implentations of security level change in Biba

- The process of Sanitization 

21, Lecture 5.3 - Authentication - Biometrics

28.10.2021, 10:22

In this lecture we discuss:

- Problems with passwords

- What are biometrics and their advantages

- How to enroll (record) and verify (check) biometrics

- Biometrics require balancing false positives and false negatives

20, Lecture 5.2 - Authentication - Passwords

28.10.2021, 10:21

In this lecture we discuss:

- What are passwords

- How to transfer passwords securely

- How to store passwords securely

- How to check passwords securely

- Techniques to increase the security of passwords

19, Lecture 5.1 - Authentication - Basics

28.10.2021, 10:18

In this lecture we discuss:

- What is authentication

- Methods for user authentication

24, Lecture 6.2 - Adversarial thinking - Defender - Threat modelling

03.11.2021, 14:26

In this lecture we discuss:

- What is threat modelling

- A few threat modeling methodologies

23b, Demo Sudo bug (Lecture 6.1)

03.11.2021, 14:26

This video contains a demo of how to exploit a bug in Sudo 

https://access.redhat.com/security/cve/cve-2019-14287

11, Lecture 3.4 - Mandatory Access Control - Confidentiality Models

10.10.2021, 10:36

In this block we discuss:

- The Bell La Padula model for confidentiality

- Covert Channels

- The difficulties of declassification

23, Lecture 6.1 - Adversarial thinking - Reasoning as an adversary

03.11.2021, 14:26

In this lecture we discuss:

- Why are attacks important

- What is the attacker thinking process and how to systematically find weaknesses

(The demo for the last bug will be given live in the Thursday Q&A)


This file is part of the content downloaded from Computer security and privacy.
Course summary

General Information

General

Lecturer: Prof. Thomas Bourgeat, Dr. Theresa Stadler 

Assistants

  • Saiid El Hajj Chehade (SPRING)
  • Christian Knabenhans (SPRING)
  • Eric Jollès (SPRING)
  • Malo Perez (CVLab)
  • Mohamed Abbes (AE)
  • Donia Gasmi (AE)
  • Julian Levkov (AE)
  • Robin Nicole (AE)
  • André Peiry (AE)
  • Samuel Steullet (AE)

Most Important Information

  • Lectures will be held only in-person every Thursday 9h15-12h00 in the STCC. 
  • Exercise sessions will be live and in-person every Thursday, 13h15-15h00
  • the mid-term will be in-person and on site (on Thursday Nov 6 (closed book))
  • the final exam will be held in-person and on site during the exam session in Jan/Feb (closed book)


In More Detail


Course Logistics

From Thursday Sept 6 on, every following week will have the same structure: 

  • Thursday (9h15-12h00 in the STCC). In-person lecture followed by an interactive problem solving session led by Prof. Thomas Bourgeat.   
  • Thursday (13h15-15h00 in INF019, INF213): Q&A time. During the Q&A time, the TAs will be available to answer questions about the programming assignments (graded assignments), theory exercises, practice problem sets, or lecture material. The TAs best suited to answer questions about the programming homework are: Mohamed, Donia, Julian, Robin, André and Samuel. The TAs best suited to answer questions about theory are Eric, Saiid, Christian, and Malo. 

Course Activities

There are four different types of activities that you are expected to actively participate in

  • Lectures: Lectures will be held live and in-person this year. Slides (without notes) will be published before the start of each week's lecture. The lectures will convey the theoretical foundations that you will need to participate in all other course activities. You are expected to attend lectures to follow the course material. As a backup, recordings of the lectures from 2021 will be published.
  • Interactive Problem Solving: Interactive exercise are a set of questions we will solve together (either the whole class or in small groups, see above) in an interactive manner. Mostly, these questions are very open and thus do not have one single correct solution. You are not expected to solve these exercises before coming to the interactive exercise session. The only preparation needed is to attend the lecture given that week. Some notes about the proposed solutions will be published after the exercise sessions. However, these are not a replacement for attending the exercise session itself and actively participating in the discussion. We expect students to actively participate in the interactive exercise sessions on Tuesdays and Thursdays. Actively participating enables students to practice their security skills and learn from their mistakes. This helps to better understand of the concepts taught in this course and will greatly help at the time of taking exams.
  • Practice Problem Sets: Previous exams questions that we encourage you to solve during the exercise sessions Thursday afternoon.
  • Programming assignments: These are graded assignments that you are expected to solve on your own and individually at home. If you get stuck or need help, the TA team will be available during dedicated hours to answer your questions.
  • Theory exercises: Each week, we will publish an exercise sheet with some theory questions about the content of the course. These exercises are meant to help you revisit the course material and prepare for the midterm and the final exam. At the end of each week, we will release written solutions to these exercises. You are expected to solve theory exercises at home. If you have trouble solving some of the exercises or to understand the proposed solutions, the TA team will be available during dedicated hours to answer your questions.


"I have a question"
Thursday Q&As: The best way we can help you is in-person, during the dedicated Q&A time every Thursday between 13h15-15h00 (see above). No matter whether it is about the programming homeworks or about the lecture material, during this hour there will be someone around who can sit down with you and discuss your question with you in detail. We strongly encourage you to make use of this time.

Ed Forum: Outside the exercise sessions, the Ed platform is a great place for asking a question. The big benefit of asking a question on Ed is that you will very quickly realise that at least two (probably more) of your peers were asking themselves the exact same question and will be very grateful that someone posted about it here. You will also benefit from the fact that you might have to wait much less for an answer given that not only the teaching team but also other students can respond to your question, often steering a much more interesting discussion than what the teaching team could come up with.

Mail: If you want to ask a question by mail, please send it to com301@groupes.epfl.ch. We will do our best to answer questions quickly but please be considerate that we do not guarantee to check mails over the weekend or holidays. If you haven't heard anything from us for more than two working days, we would appreciate a quick reminder because your message might have gotten lost somewhere.

Student hours: We have hours reserved in our calendars to have one-to-one (or small group) meetings. To set up a meeting send an email to the person you want to meet with to agree on when and how to meet.

Grading

The final grade is computed as the maximum of the following two combinations

  • 60% final ; 30% mid-term ; 10% programming assignments
  • 90% final; 10% programming assignments

This means that the other activities: theory exercises, practice problem sets, in-class participation, will not be graded. Yet, we strongly recommend you perform them with the same attention as they will greatly help you in your graded activities

Programming assignments will be announced on the grading system (com301.epfl.ch). Each homework will be graded on 100 points. The final assignment grade will be computed on the total of 500 points.  There is zero tolerance for collaboration on the homeworks.  Before the first homework, get your Linux environment ready (Virtualbox).  You may collaborate on the setup.  More information on the homeworks and the publication and hand-in days can be found in the Programming homeworks page.

Reference books

(Here you can find a mapping between concepts taught in the course and these books in the section below)



Resources (previous exams, videos, programming homeworks)


Week 1.0: Preliminaries and Course Info


Week 1.1: Basic Concepts


Week 2: Security Principles


Week 3: Access Control I - Discretionary Access Control


Week 4: Access Control II - Mandatory Access Control

Videos for Lectures available here:

MAC-Part 1MAC-Part 2, MAC-Part 3


Week 5: Applied Cryptography I


Week 6: Applied Cryptography II


Week 7: Authentification

Videos for Lectures available here:

Authentication 1, Authentication 2Authentication 3Authentication 4




Week 8: Adversarial Thinking & Midterm

Videos for Lectures available here:

Adversarial Thinking 1, Sudo bug demo, Adversarial Thinking 2


Week 9: Adversarial Thinking II


Week 10 - Software Security


Week 11 - Network Security I


Week 12 - Network Security II


Week 13 - Privacy


Week 14 - Malware