Introduction to Computer Security
Autor Michael T. Goodrich, Roberto Tamassiaen Limba Engleză Hardback – 30 sep 2010
Preț: 1151.76 lei
Preț vechi: 1495.79 lei
-23% Nou
Puncte Express: 1728
Preț estimativ în valută:
203.81€ • 237.68$ • 178.95£
203.81€ • 237.68$ • 178.95£
Carte tipărită la comandă
Livrare economică 15-29 ianuarie 26
Preluare comenzi: 021 569.72.76
Specificații
ISBN-13: 9780321512949
ISBN-10: 0321512944
Pagini: 556
Dimensiuni: 208 x 257 x 36 mm
Greutate: 1.32 kg
Ediția:1
Editura: Addison Wesley Longman
Locul publicării:Boston, United States
ISBN-10: 0321512944
Pagini: 556
Dimensiuni: 208 x 257 x 36 mm
Greutate: 1.32 kg
Ediția:1
Editura: Addison Wesley Longman
Locul publicării:Boston, United States
V-ar putea interesa
-
-20%Preț: 1201.15 lei1501.44 lei -
Data Structures and Algorithms in PythonMichael T. Goodrich-20%Preț: 1172.64 lei1465.80 lei -
-20%Preț: 418.45 lei523.07 lei -
Handbook of Graph Drawing and VisualizationRoberto Tamassia-20%Preț: 482.31 lei602.89 lei -
Graph DrawingStephen G. Kobourov-20%Preț: 326.91 lei408.64 lei -
Algorithms and Data StructuresFrank Dehne-20%Preț: 325.69 lei407.10 lei
Descriere
Introduction to Computer Security is a new Computer Security textbook for a new generation of IT professionals. It is ideal for computer-security courses that are taught at the undergraduate level and that have as their sole prerequisites an introductory computer science sequence (e.g., CS 1/CS 2).
Unlike most other computer security textbooks available today, Introduction to Computer Security, 1e does NOT focus on the mathematical and computational foundations of security, and it does not assume an extensive background in computer science. Instead it looks at the systems, technology, management, and policy side of security, and offers students fundamental security concepts and a working knowledge of threats and countermeasures with “just-enough” background in computer science. The result is a presentation of the material that is accessible to students of all levels.
Unlike most other computer security textbooks available today, Introduction to Computer Security, 1e does NOT focus on the mathematical and computational foundations of security, and it does not assume an extensive background in computer science. Instead it looks at the systems, technology, management, and policy side of security, and offers students fundamental security concepts and a working knowledge of threats and countermeasures with “just-enough” background in computer science. The result is a presentation of the material that is accessible to students of all levels.
Cuprins
1 Introduction 1
1.1 Fundamental Concepts . . . . . . . . . . . . . . . . . . . . . 2
1.1.1 Confidentiality, Integrity, and Availability . . . . . . . . 3
1.1.2 Assurance, Authenticity, and Anonymity . . . . . . . . 9
1.1.3 Threats and Attacks . . . . . . . . . . . . . . . . . . . 14
1.1.4 Security Principles . . . . . . . . . . . . . . . . . . . . 15
1.2 Access Control Models . . . . . . . . . . . . . . . . . . . . . 18
1.2.1 Access Control Matrices . . . . . . . . . . . . . . . . . 18
1.2.2 Access Control Lists . . . . . . . . . . . . . . . . . . . 19
1.2.3 Capabilities . . . . . . . . . . . . . . . . . . . . . . . . 21
1.2.4 Role-Based Access Control . . . . . . . . . . . . . . . 22
1.3 Cryptographic Concepts . . . . . . . . . . . . . . . . . . . . . 23
1.3.1 Encryption . . . . . . . . . . . . . . . . . . . . . . . . 23
1.3.2 Digital Signatures . . . . . . . . . . . . . . . . . . . . 28
1.3.3 Simple Attacks on Cryptosystems . . . . . . . . . . . 29
1.3.4 Cryptographic Hash Functions . . . . . . . . . . . . . 32
1.3.5 Digital Certificates . . . . . . . . . . . . . . . . . . . . 34
1.4 Implementation and Usability Issues . . . . . . . . . . . . . . 35
1.4.1 Efficiency and Usability . . . . . . . . . . . . . . . . . 35
1.4.2 Passwords . . . . . . . . . . . . . . . . . . . . . . . . 37
1.4.3 Social Engineering . . . . . . . . . . . . . . . . . . . . 39
1.4.4 Vulnerabilities from Programming Errors . . . . . . . . 40
1.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2 Physical Security 51
2.1 Physical Protections and Attacks . . . . . . . . . . . . . . . . 52
2.2 Locks and Safes . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.2.1 Lock Technology . . . . . . . . . . . . . . . . . . . . . 53
2.2.2 Attacks on Locks and Safes . . . . . . . . . . . . . . . 58
2.2.3 The Mathematics of Lock Security . . . . . . . . . . . 62
2.3 Authentication Technologies . . . . . . . . . . . . . . . . . . . 64
2.3.1 Barcodes . . . . . . . . . . . . . . . . . . . . . . . . . 64
2.3.2 Magnetic Stripe Cards . . . . . . . . . . . . . . . . . . 65
2.3.3 Smart Cards . . . . . . . . . . . . . . . . . . . . . . . 67
2.3.4 RFIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.3.5 Biometrics . . . . . . . . . . . . . . . . . . . . . . . . 76
2.4 Direct Attacks Against Computers . . . . . . . . . . . . . . . 80
2.4.1 Environmental Attacks and Accidents . . . . . . . . . 80
2.4.2 Eavesdropping . . . . . . . . . . . . . . . . . . . . . . 81
2.4.3 TEMPEST . . . . . . . . . . . . . . . . . . . . . . . . 86
2.4.4 Computer Forensics . . . . . . . . . . . . . . . . . . . 88
2.4.5 Live CDs . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.5 Special-Purpose Machines . . . . . . . . . . . . . . . . . . . 91
2.5.1 Automated Teller Machines . . . . . . . . . . . . . . . 91
2.5.2 Voting Machines . . . . . . . . . . . . . . . . . . . . . 93
2.6 Physical Intrusion Detection . . . . . . . . . . . . . . . . . . . 95
2.6.1 Video Monitoring . . . . . . . . . . . . . . . . . . . . . 95
2.6.2 Human Factors and Social Engineering . . . . . . . . 97
2.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3 Operating Systems Security 105
3.1 Operating Systems Concepts . . . . . . . . . . . . . . . . . . 106
3.1.1 The Kernel and Input/Output . . . . . . . . . . . . . . 107
3.1.2 Processes . . . . . . . . . . . . . . . . . . . . . . . . . 109
3.1.3 The Filesystem . . . . . . . . . . . . . . . . . . . . . . 113
3.1.4 Memory Management . . . . . . . . . . . . . . . . . . 116
3.1.5 Virtual Machines . . . . . . . . . . . . . . . . . . . . . 120
3.2 Process Security . . . . . . . . . . . . . . . . . . . . . . . . . 122
3.2.1 Inductive Trust from Start to Finish . . . . . . . . . . . 122
3.2.2 Monitoring, Management, and Logging . . . . . . . . 125
3.3 Memory and Filesystem Security . . . . . . . . . . . . . . . . 129
3.3.1 Virtual Memory Security . . . . . . . . . . . . . . . . . 129
3.3.2 Password-Based Authentication . . . . . . . . . . . . 130
3.3.3 Access Control and Advanced File Permissions . . . . 133
3.3.4 File Descriptors . . . . . . . . . . . . . . . . . . . . . . 139
3.3.5 Symbolic Links and Shortcuts . . . . . . . . . . . . . . 141
3.4 Application Program Security . . . . . . . . . . . . . . . . . . 142
3.4.1 Compiling and Linking . . . . . . . . . . . . . . . . . . 142
3.4.2 Simple Buffer Overflow Attacks . . . . . . . . . . . . . 143
3.4.3 Stack-Based Buffer Overflow . . . . . . . . . . . . . . 145
3.4.4 Heap-Based Buffer Overflow Attacks . . . . . . . . . . 153
3.4.5 Format String Attacks . . . . . . . . . . . . . . . . . . 156
3.4.6 Race Conditions . . . . . . . . . . . . . . . . . . . . . 157
3.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
4 Malware 169
4.1 Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 170
4.1.1 Backdoors . . . . . . . . . . . . . . . . . . . . . . . . 170
4.1.2 Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . 173
4.1.3 Defenses Against Insider Attacks . . . . . . . . . . . . 176
4.2 Computer Viruses . . . . . . . . . . . . . . . . . . . . . . . . 177
4.2.1 Virus Classification . . . . . . . . . . . . . . . . . . . . 178
4.2.2 Defenses Against Viruses . . . . . . . . . . . . . . . . 181
4.2.3 Encrypted Viruses . . . . . . . . . . . . . . . . . . . . 182
4.2.4 Polymorphic and Metamorphic Viruses . . . . . . . . 183
4.3 Malware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 184
4.3.1 Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . 184
4.3.2 Computer Worms . . . . . . . . . . . . . . . . . . . . 186
4.3.3 Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . 191
4.3.4 Zero-Day Attacks . . . . . . . . . . . . . . . . . . . . . 194
4.3.5 Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . 195
4.4 Privacy-Invasive Software . . . . . . . . . . . . . . . . . . . . 197
4.4.1 Adware . . . . . . . . . . . . . . . . . . . . . . . . . . 197
4.4.2 Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . 199
4.5 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . 203
4.5.1 Best Practices . . . . . . . . . . . . . . . . . . . . . . 203
4.5.2 The Impossibility of Detecting All Malware . . . . . . . 206
4.5.3 The Malware Detection Arms Race . . . . . . . . . . . 208
4.5.4 Economics of Malware . . . . . . . . . . . . . . . . . . 209
4.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
5 Network Security I 217
5.1 Network Security Concepts . . . . . . . . . . . . . . . . . . . 218
5.1.1 Network Topology . . . . . . . . . . . . . . . . . . . . 218
5.1.2 Internet Protocol Layers . . . . . . . . . . . . . . . . . 219
5.1.3 Network Security Issues . . . . . . . . . . . . . . . . . 223
5.2 The Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . 225
5.2.1 Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . 225
5.2.2 Media Access Control (MAC) Addresses . . . . . . . . 228
5.2.3 ARP Spoofing . . . . . . . . . . . . . . . . . . . . . . 229
5.3 The Network Layer . . . . . . . . . . . . . . . . . . . . . . . . 232
5.3.1 IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
5.3.2 Internet Control Message Protocol . . . . . . . . . . . 236
5.3.3 IP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . 238
5.3.4 Packet Sniffing . . . . . . . . . . . . . . . . . . . . . . 240
5.4 The Transport Layer . . . . . . . . . . . . . . . . . . . . . . . 242
5.4.1 Transmission Control Protocol (TCP) . . . . . . . . . . 242
5.4.2 User Datagram Protocol (UDP) . . . . . . . . . . . . . 246
5.4.3 Network Address Translation (NAT) . . . . . . . . . . . 247
5.4.4 TCP Session Hijacking . . . . . . . . . . . . . . . . . 249
5.5 Denial-of-Service Attacks . . . . . . . . . . . . . . . . . . . . 252
5.5.1 ICMP Attacks . . . . . . . . . . . . . . . . . . . . . . . 252
5.5.2 SYN Flood Attacks . . . . . . . . . . . . . . . . . . . . 254
5.5.3 Optimistic TCP ACK Attack . . . . . . . . . . . . . . . 256
5.5.4 Distributed Denial-of-Service . . . . . . . . . . . . . . 257
5.5.5 IP Traceback . . . . . . . . . . . . . . . . . . . . . . . 258
5.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
6 Network Security II 265
6.1 The Application Layer and DNS . . . . . . . . . . . . . . . . . 266
6.1.1 A Sample of Application-Layer Protocols . . . . . . . . 266
6.1.2 The Domain Name System (DNS) . . . . . . . . . . . 267
6.1.3 DNS Attacks . . . . . . . . . . . . . . . . . . . . . . . 274
6.1.4 DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . 281
6.2 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
6.2.1 Firewall Policies . . . . . . . . . . . . . . . . . . . . . 284
6.2.2 Stateless and Stateful Firewalls . . . . . . . . . . . . . 285
6.3 Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
6.3.1 Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . 289
6.3.2 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
6.3.3 Virtual Private Networking (VPN) . . . . . . . . . . . . 293
6.4 Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . 295
6.4.1 Intrusion Detection Events . . . . . . . . . . . . . . . . 298
6.4.2 Rule-Based Intrusion Detection . . . . . . . . . . . . . 301
6.4.3 Statistical Intrusion Detection . . . . . . . . . . . . . . 302
6.4.4 Port Scanning . . . . . . . . . . . . . . . . . . . . . . 304
6.4.5 Honeypots . . . . . . . . . . . . . . . . . . . . . . . . 308
6.5 Wireless Networking . . . . . . . . . . . . . . . . . . . . . . . 309
6.5.1 Wireless Technologies . . . . . . . . . . . . . . . . . . 310
6.5.2 Wired Equivalent Privacy (WEP) . . . . . . . . . . . . 311
6.5.3 Wi-Fi Protected Access (WPA) . . . . . . . . . . . . . 314
6.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
7 Web Browser Security 323
7.1 The World Wide Web . . . . . . . . . . . . . . . . . . . . . . 324
7.1.1 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
7.1.2 HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . 330
7.1.3 Dynamic Content . . . . . . . . . . . . . . . . . . . . . 334
7.1.4 Sessions and Cookies . . . . . . . . . . . . . . . . . . 337
7.2 Attacks on Clients . . . . . . . . . . . . . . . . . . . . . . . . 342
7.2.1 Session Hijacking . . . . . . . . . . . . . . . . . . . . 342
7.2.2 Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . 344
7.2.3 Click-jacking . . . . . . . . . . . . . . . . . . . . . . . 346
7.2.4 Vulnerabilities in Media Content . . . . . . . . . . . . . 347
7.2.5 Privacy Attacks . . . . . . . . . . . . . . . . . . . . . . 351
7.2.6 Cross-Site Scripting (XSS) Attacks . . . . . . . . . . . 352
7.2.7 Cross-Site Request Forgery (CSRF) . . . . . . . . . . 359
7.2.8 Defenses Against Client-Side Attacks . . . . . . . . . 361
7.3 Attacks on Servers . . . . . . . . . . . . . . . . . . . . . . . . 363
7.3.1 Server-Side Scripting . . . . . . . . . . . . . . . . . . 363
7.3.2 Server-Side Script Inclusion Vulnerabilities . . . . . . 365
7.3.3 Databases and SQL Injection Attacks . . . . . . . . . 367
7.3.4 Denial-of-Service Attacks . . . . . . . . . . . . . . . . 373
7.3.5 Web Server Privileges . . . . . . . . . . . . . . . . . . 374
7.3.6 Defenses Against Server-Side Attacks . . . . . . . . . 375
7.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
8 Cryptography 383
8.1 Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . 384
8.1.1 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 385
8.1.2 Substitution Ciphers . . . . . . . . . . . . . . . . . . . 387
8.1.3 One-Time Pads . . . . . . . . . . . . . . . . . . . . . . 389
8.1.4 Pseudo-Random Number Generators . . . . . . . . . 391
8.1.5 The Hill Cipher and Transposition Ciphers . . . . . . . 393
8.1.6 The Advanced Encryption Standard (AES) . . . . . . 395
8.1.7 Modes of Operation . . . . . . . . . . . . . . . . . . . 398
8.2 Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . 402
8.2.1 Modular Arithmetic . . . . . . . . . . . . . . . . . . . . 402
8.2.2 The RSA Cryptosystem . . . . . . . . . . . . . . . . . 406
8.2.3 The ElGammal Cryptosystem . . . . . . . . . . . . . . 409
8.3 Cryptographic Hash Functions . . . . . . . . . . . . . . . . . 411
8.3.1 Properties and Applications . . . . . . . . . . . . . . . 411
8.3.2 Birthday Attacks . . . . . . . . . . . . . . . . . . . . . 414
8.4 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 415
8.4.1 The RSA Signature Scheme . . . . . . . . . . . . . . 416
8.4.2 The ElGammal Signature Scheme . . . . . . . . . . . 417
8.4.3 Using Hash Functions with Digital Signatures . . . . . 418
8.5 Details on AES and RSA . . . . . . . . . . . . . . . . . . . . 419
8.5.1 AES Algorithm . . . . . . . . . . . . . . . . . . . . . . 419
8.5.2 The RSA Algorithm . . . . . . . . . . . . . . . . . . . 425
8.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
9 Security Models and Practice 439
9.1 Policy, Models, and Trust . . . . . . . . . . . . . . . . . . . . . 440
9.1.1 Security Policy . . . . . . . . . . . . . . . . . . . . . . 440
9.1.2 Security Models . . . . . . . . . . . . . . . . . . . . . 441
9.1.3 Trust Management . . . . . . . . . . . . . . . . . . . . 442
9.2 Access Control Models . . . . . . . . . . . . . . . . . . . . . 444
9.2.1 The Bell-La Padula Model . . . . . . . . . . . . . . . . 444
9.2.2 Other Access Control Models . . . . . . . . . . . . . . 448
9.2.3 Role-Based Access Control . . . . . . . . . . . . . . . 450
9.3 Security Standards and Evaluation . . . . . . . . . . . . . . . 454
9.3.1 Trusted Computer System Evaluation Criteria . . . . . 454
9.3.2 Governmental Regulations and Standards . . . . . . . 456
9.4 Software Vulnerability Assessment . . . . . . . . . . . . . . . 458
9.4.1 Static and Dynamic Analysis . . . . . . . . . . . . . . 459
9.4.2 Exploit Development and Vulnerability Disclosure . . . 462
9.5 Administration and Auditing . . . . . . . . . . . . . . . . . . . 464
9.5.1 System Administration . . . . . . . . . . . . . . . . . . 464
9.5.2 Network Auditing and Penetration Testing . . . . . . . 467
9.6 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
9.6.1 Kerberos Tickets and Servers . . . . . . . . . . . . . . 469
9.6.2 Kerberos Authentication . . . . . . . . . . . . . . . . . 470
9.7 Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . 473
9.7.1 File Encryption . . . . . . . . . . . . . . . . . . . . . . 473
9.7.2 Disk Encryption . . . . . . . . . . . . . . . . . . . . . . 475
9.7.3 Trusted Platform Module . . . . . . . . . . . . . . . . . 476
9.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
10 Distributed Applications Security 481
10.1 Database Security . . . . . . . . . . . . . . . . . . . . . . . . 482
10.1.1 Tables and Queries . . . . . . . . . . . . . . . . . . . 483
10.1.2 Updates and the Two-Phase Commit Protocol . . . . . 485
10.1.3 Database Access Control . . . . . . . . . . . . . . . . 487
10.1.4 Sensitive Data . . . . . . . . . . . . . . . . . . . . . . 491
10.2 Email Security . . . . . . . . . . . . . . . . . . . . . . . . . . 494
10.2.1 How Email Works . . . . . . . . . . . . . . . . . . . . 494
10.2.2 Encryption and Authentication . . . . . . . . . . . . . 496
10.2.3 Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
10.3 Payment Systems and Auctions . . . . . . . . . . . . . . . . . 507
10.3.1 Credit Cards . . . . . . . . . . . . . . . . . . . . . . . 507
10.3.2 Digital Cash . . . . . . . . . . . . . . . . . . . . . . . . 510
10.3.3 Online Auctions . . . . . . . . . . . . . . . . . . . . . . 511
10.4 Digital Rights Management . . . . . . . . . . . . . . . . . . . 512
10.4.1 Digital Media Rights . . . . . . . . . . . . . . . . . . . 513
10.4.2 Software Licensing Schemes . . . . . . . . . . . . . . 518
10.4.3 Legal Issues . . . . . . . . . . . . . . . . . . . . . . . 520
10.5 Social Networking . . . . . . . . . . . . . . . . . . . . . . . . 521
10.5.1 Social Networks as Attack Vectors . . . . . . . . . . . 521
10.5.2 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . 522
10.6 Voting Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 524
10.6.1 Security Goals for Electronic Voting . . . . . . . . . . 524
10.6.2 ThreeBallot . . . . . . . . . . . . . . . . . . . . . . . . 525
10.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
1.1 Fundamental Concepts . . . . . . . . . . . . . . . . . . . . . 2
1.1.1 Confidentiality, Integrity, and Availability . . . . . . . . 3
1.1.2 Assurance, Authenticity, and Anonymity . . . . . . . . 9
1.1.3 Threats and Attacks . . . . . . . . . . . . . . . . . . . 14
1.1.4 Security Principles . . . . . . . . . . . . . . . . . . . . 15
1.2 Access Control Models . . . . . . . . . . . . . . . . . . . . . 18
1.2.1 Access Control Matrices . . . . . . . . . . . . . . . . . 18
1.2.2 Access Control Lists . . . . . . . . . . . . . . . . . . . 19
1.2.3 Capabilities . . . . . . . . . . . . . . . . . . . . . . . . 21
1.2.4 Role-Based Access Control . . . . . . . . . . . . . . . 22
1.3 Cryptographic Concepts . . . . . . . . . . . . . . . . . . . . . 23
1.3.1 Encryption . . . . . . . . . . . . . . . . . . . . . . . . 23
1.3.2 Digital Signatures . . . . . . . . . . . . . . . . . . . . 28
1.3.3 Simple Attacks on Cryptosystems . . . . . . . . . . . 29
1.3.4 Cryptographic Hash Functions . . . . . . . . . . . . . 32
1.3.5 Digital Certificates . . . . . . . . . . . . . . . . . . . . 34
1.4 Implementation and Usability Issues . . . . . . . . . . . . . . 35
1.4.1 Efficiency and Usability . . . . . . . . . . . . . . . . . 35
1.4.2 Passwords . . . . . . . . . . . . . . . . . . . . . . . . 37
1.4.3 Social Engineering . . . . . . . . . . . . . . . . . . . . 39
1.4.4 Vulnerabilities from Programming Errors . . . . . . . . 40
1.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2 Physical Security 51
2.1 Physical Protections and Attacks . . . . . . . . . . . . . . . . 52
2.2 Locks and Safes . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.2.1 Lock Technology . . . . . . . . . . . . . . . . . . . . . 53
2.2.2 Attacks on Locks and Safes . . . . . . . . . . . . . . . 58
2.2.3 The Mathematics of Lock Security . . . . . . . . . . . 62
2.3 Authentication Technologies . . . . . . . . . . . . . . . . . . . 64
2.3.1 Barcodes . . . . . . . . . . . . . . . . . . . . . . . . . 64
2.3.2 Magnetic Stripe Cards . . . . . . . . . . . . . . . . . . 65
2.3.3 Smart Cards . . . . . . . . . . . . . . . . . . . . . . . 67
2.3.4 RFIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.3.5 Biometrics . . . . . . . . . . . . . . . . . . . . . . . . 76
2.4 Direct Attacks Against Computers . . . . . . . . . . . . . . . 80
2.4.1 Environmental Attacks and Accidents . . . . . . . . . 80
2.4.2 Eavesdropping . . . . . . . . . . . . . . . . . . . . . . 81
2.4.3 TEMPEST . . . . . . . . . . . . . . . . . . . . . . . . 86
2.4.4 Computer Forensics . . . . . . . . . . . . . . . . . . . 88
2.4.5 Live CDs . . . . . . . . . . . . . . . . . . . . . . . . . 90
2.5 Special-Purpose Machines . . . . . . . . . . . . . . . . . . . 91
2.5.1 Automated Teller Machines . . . . . . . . . . . . . . . 91
2.5.2 Voting Machines . . . . . . . . . . . . . . . . . . . . . 93
2.6 Physical Intrusion Detection . . . . . . . . . . . . . . . . . . . 95
2.6.1 Video Monitoring . . . . . . . . . . . . . . . . . . . . . 95
2.6.2 Human Factors and Social Engineering . . . . . . . . 97
2.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3 Operating Systems Security 105
3.1 Operating Systems Concepts . . . . . . . . . . . . . . . . . . 106
3.1.1 The Kernel and Input/Output . . . . . . . . . . . . . . 107
3.1.2 Processes . . . . . . . . . . . . . . . . . . . . . . . . . 109
3.1.3 The Filesystem . . . . . . . . . . . . . . . . . . . . . . 113
3.1.4 Memory Management . . . . . . . . . . . . . . . . . . 116
3.1.5 Virtual Machines . . . . . . . . . . . . . . . . . . . . . 120
3.2 Process Security . . . . . . . . . . . . . . . . . . . . . . . . . 122
3.2.1 Inductive Trust from Start to Finish . . . . . . . . . . . 122
3.2.2 Monitoring, Management, and Logging . . . . . . . . 125
3.3 Memory and Filesystem Security . . . . . . . . . . . . . . . . 129
3.3.1 Virtual Memory Security . . . . . . . . . . . . . . . . . 129
3.3.2 Password-Based Authentication . . . . . . . . . . . . 130
3.3.3 Access Control and Advanced File Permissions . . . . 133
3.3.4 File Descriptors . . . . . . . . . . . . . . . . . . . . . . 139
3.3.5 Symbolic Links and Shortcuts . . . . . . . . . . . . . . 141
3.4 Application Program Security . . . . . . . . . . . . . . . . . . 142
3.4.1 Compiling and Linking . . . . . . . . . . . . . . . . . . 142
3.4.2 Simple Buffer Overflow Attacks . . . . . . . . . . . . . 143
3.4.3 Stack-Based Buffer Overflow . . . . . . . . . . . . . . 145
3.4.4 Heap-Based Buffer Overflow Attacks . . . . . . . . . . 153
3.4.5 Format String Attacks . . . . . . . . . . . . . . . . . . 156
3.4.6 Race Conditions . . . . . . . . . . . . . . . . . . . . . 157
3.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
4 Malware 169
4.1 Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 170
4.1.1 Backdoors . . . . . . . . . . . . . . . . . . . . . . . . 170
4.1.2 Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . 173
4.1.3 Defenses Against Insider Attacks . . . . . . . . . . . . 176
4.2 Computer Viruses . . . . . . . . . . . . . . . . . . . . . . . . 177
4.2.1 Virus Classification . . . . . . . . . . . . . . . . . . . . 178
4.2.2 Defenses Against Viruses . . . . . . . . . . . . . . . . 181
4.2.3 Encrypted Viruses . . . . . . . . . . . . . . . . . . . . 182
4.2.4 Polymorphic and Metamorphic Viruses . . . . . . . . 183
4.3 Malware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 184
4.3.1 Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . 184
4.3.2 Computer Worms . . . . . . . . . . . . . . . . . . . . 186
4.3.3 Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . 191
4.3.4 Zero-Day Attacks . . . . . . . . . . . . . . . . . . . . . 194
4.3.5 Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . 195
4.4 Privacy-Invasive Software . . . . . . . . . . . . . . . . . . . . 197
4.4.1 Adware . . . . . . . . . . . . . . . . . . . . . . . . . . 197
4.4.2 Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . 199
4.5 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . 203
4.5.1 Best Practices . . . . . . . . . . . . . . . . . . . . . . 203
4.5.2 The Impossibility of Detecting All Malware . . . . . . . 206
4.5.3 The Malware Detection Arms Race . . . . . . . . . . . 208
4.5.4 Economics of Malware . . . . . . . . . . . . . . . . . . 209
4.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
5 Network Security I 217
5.1 Network Security Concepts . . . . . . . . . . . . . . . . . . . 218
5.1.1 Network Topology . . . . . . . . . . . . . . . . . . . . 218
5.1.2 Internet Protocol Layers . . . . . . . . . . . . . . . . . 219
5.1.3 Network Security Issues . . . . . . . . . . . . . . . . . 223
5.2 The Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . 225
5.2.1 Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . 225
5.2.2 Media Access Control (MAC) Addresses . . . . . . . . 228
5.2.3 ARP Spoofing . . . . . . . . . . . . . . . . . . . . . . 229
5.3 The Network Layer . . . . . . . . . . . . . . . . . . . . . . . . 232
5.3.1 IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
5.3.2 Internet Control Message Protocol . . . . . . . . . . . 236
5.3.3 IP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . 238
5.3.4 Packet Sniffing . . . . . . . . . . . . . . . . . . . . . . 240
5.4 The Transport Layer . . . . . . . . . . . . . . . . . . . . . . . 242
5.4.1 Transmission Control Protocol (TCP) . . . . . . . . . . 242
5.4.2 User Datagram Protocol (UDP) . . . . . . . . . . . . . 246
5.4.3 Network Address Translation (NAT) . . . . . . . . . . . 247
5.4.4 TCP Session Hijacking . . . . . . . . . . . . . . . . . 249
5.5 Denial-of-Service Attacks . . . . . . . . . . . . . . . . . . . . 252
5.5.1 ICMP Attacks . . . . . . . . . . . . . . . . . . . . . . . 252
5.5.2 SYN Flood Attacks . . . . . . . . . . . . . . . . . . . . 254
5.5.3 Optimistic TCP ACK Attack . . . . . . . . . . . . . . . 256
5.5.4 Distributed Denial-of-Service . . . . . . . . . . . . . . 257
5.5.5 IP Traceback . . . . . . . . . . . . . . . . . . . . . . . 258
5.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
6 Network Security II 265
6.1 The Application Layer and DNS . . . . . . . . . . . . . . . . . 266
6.1.1 A Sample of Application-Layer Protocols . . . . . . . . 266
6.1.2 The Domain Name System (DNS) . . . . . . . . . . . 267
6.1.3 DNS Attacks . . . . . . . . . . . . . . . . . . . . . . . 274
6.1.4 DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . 281
6.2 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
6.2.1 Firewall Policies . . . . . . . . . . . . . . . . . . . . . 284
6.2.2 Stateless and Stateful Firewalls . . . . . . . . . . . . . 285
6.3 Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
6.3.1 Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . 289
6.3.2 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
6.3.3 Virtual Private Networking (VPN) . . . . . . . . . . . . 293
6.4 Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . 295
6.4.1 Intrusion Detection Events . . . . . . . . . . . . . . . . 298
6.4.2 Rule-Based Intrusion Detection . . . . . . . . . . . . . 301
6.4.3 Statistical Intrusion Detection . . . . . . . . . . . . . . 302
6.4.4 Port Scanning . . . . . . . . . . . . . . . . . . . . . . 304
6.4.5 Honeypots . . . . . . . . . . . . . . . . . . . . . . . . 308
6.5 Wireless Networking . . . . . . . . . . . . . . . . . . . . . . . 309
6.5.1 Wireless Technologies . . . . . . . . . . . . . . . . . . 310
6.5.2 Wired Equivalent Privacy (WEP) . . . . . . . . . . . . 311
6.5.3 Wi-Fi Protected Access (WPA) . . . . . . . . . . . . . 314
6.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
7 Web Browser Security 323
7.1 The World Wide Web . . . . . . . . . . . . . . . . . . . . . . 324
7.1.1 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
7.1.2 HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . 330
7.1.3 Dynamic Content . . . . . . . . . . . . . . . . . . . . . 334
7.1.4 Sessions and Cookies . . . . . . . . . . . . . . . . . . 337
7.2 Attacks on Clients . . . . . . . . . . . . . . . . . . . . . . . . 342
7.2.1 Session Hijacking . . . . . . . . . . . . . . . . . . . . 342
7.2.2 Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . 344
7.2.3 Click-jacking . . . . . . . . . . . . . . . . . . . . . . . 346
7.2.4 Vulnerabilities in Media Content . . . . . . . . . . . . . 347
7.2.5 Privacy Attacks . . . . . . . . . . . . . . . . . . . . . . 351
7.2.6 Cross-Site Scripting (XSS) Attacks . . . . . . . . . . . 352
7.2.7 Cross-Site Request Forgery (CSRF) . . . . . . . . . . 359
7.2.8 Defenses Against Client-Side Attacks . . . . . . . . . 361
7.3 Attacks on Servers . . . . . . . . . . . . . . . . . . . . . . . . 363
7.3.1 Server-Side Scripting . . . . . . . . . . . . . . . . . . 363
7.3.2 Server-Side Script Inclusion Vulnerabilities . . . . . . 365
7.3.3 Databases and SQL Injection Attacks . . . . . . . . . 367
7.3.4 Denial-of-Service Attacks . . . . . . . . . . . . . . . . 373
7.3.5 Web Server Privileges . . . . . . . . . . . . . . . . . . 374
7.3.6 Defenses Against Server-Side Attacks . . . . . . . . . 375
7.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
8 Cryptography 383
8.1 Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . 384
8.1.1 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 385
8.1.2 Substitution Ciphers . . . . . . . . . . . . . . . . . . . 387
8.1.3 One-Time Pads . . . . . . . . . . . . . . . . . . . . . . 389
8.1.4 Pseudo-Random Number Generators . . . . . . . . . 391
8.1.5 The Hill Cipher and Transposition Ciphers . . . . . . . 393
8.1.6 The Advanced Encryption Standard (AES) . . . . . . 395
8.1.7 Modes of Operation . . . . . . . . . . . . . . . . . . . 398
8.2 Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . 402
8.2.1 Modular Arithmetic . . . . . . . . . . . . . . . . . . . . 402
8.2.2 The RSA Cryptosystem . . . . . . . . . . . . . . . . . 406
8.2.3 The ElGammal Cryptosystem . . . . . . . . . . . . . . 409
8.3 Cryptographic Hash Functions . . . . . . . . . . . . . . . . . 411
8.3.1 Properties and Applications . . . . . . . . . . . . . . . 411
8.3.2 Birthday Attacks . . . . . . . . . . . . . . . . . . . . . 414
8.4 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 415
8.4.1 The RSA Signature Scheme . . . . . . . . . . . . . . 416
8.4.2 The ElGammal Signature Scheme . . . . . . . . . . . 417
8.4.3 Using Hash Functions with Digital Signatures . . . . . 418
8.5 Details on AES and RSA . . . . . . . . . . . . . . . . . . . . 419
8.5.1 AES Algorithm . . . . . . . . . . . . . . . . . . . . . . 419
8.5.2 The RSA Algorithm . . . . . . . . . . . . . . . . . . . 425
8.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
9 Security Models and Practice 439
9.1 Policy, Models, and Trust . . . . . . . . . . . . . . . . . . . . . 440
9.1.1 Security Policy . . . . . . . . . . . . . . . . . . . . . . 440
9.1.2 Security Models . . . . . . . . . . . . . . . . . . . . . 441
9.1.3 Trust Management . . . . . . . . . . . . . . . . . . . . 442
9.2 Access Control Models . . . . . . . . . . . . . . . . . . . . . 444
9.2.1 The Bell-La Padula Model . . . . . . . . . . . . . . . . 444
9.2.2 Other Access Control Models . . . . . . . . . . . . . . 448
9.2.3 Role-Based Access Control . . . . . . . . . . . . . . . 450
9.3 Security Standards and Evaluation . . . . . . . . . . . . . . . 454
9.3.1 Trusted Computer System Evaluation Criteria . . . . . 454
9.3.2 Governmental Regulations and Standards . . . . . . . 456
9.4 Software Vulnerability Assessment . . . . . . . . . . . . . . . 458
9.4.1 Static and Dynamic Analysis . . . . . . . . . . . . . . 459
9.4.2 Exploit Development and Vulnerability Disclosure . . . 462
9.5 Administration and Auditing . . . . . . . . . . . . . . . . . . . 464
9.5.1 System Administration . . . . . . . . . . . . . . . . . . 464
9.5.2 Network Auditing and Penetration Testing . . . . . . . 467
9.6 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
9.6.1 Kerberos Tickets and Servers . . . . . . . . . . . . . . 469
9.6.2 Kerberos Authentication . . . . . . . . . . . . . . . . . 470
9.7 Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . 473
9.7.1 File Encryption . . . . . . . . . . . . . . . . . . . . . . 473
9.7.2 Disk Encryption . . . . . . . . . . . . . . . . . . . . . . 475
9.7.3 Trusted Platform Module . . . . . . . . . . . . . . . . . 476
9.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
10 Distributed Applications Security 481
10.1 Database Security . . . . . . . . . . . . . . . . . . . . . . . . 482
10.1.1 Tables and Queries . . . . . . . . . . . . . . . . . . . 483
10.1.2 Updates and the Two-Phase Commit Protocol . . . . . 485
10.1.3 Database Access Control . . . . . . . . . . . . . . . . 487
10.1.4 Sensitive Data . . . . . . . . . . . . . . . . . . . . . . 491
10.2 Email Security . . . . . . . . . . . . . . . . . . . . . . . . . . 494
10.2.1 How Email Works . . . . . . . . . . . . . . . . . . . . 494
10.2.2 Encryption and Authentication . . . . . . . . . . . . . 496
10.2.3 Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
10.3 Payment Systems and Auctions . . . . . . . . . . . . . . . . . 507
10.3.1 Credit Cards . . . . . . . . . . . . . . . . . . . . . . . 507
10.3.2 Digital Cash . . . . . . . . . . . . . . . . . . . . . . . . 510
10.3.3 Online Auctions . . . . . . . . . . . . . . . . . . . . . . 511
10.4 Digital Rights Management . . . . . . . . . . . . . . . . . . . 512
10.4.1 Digital Media Rights . . . . . . . . . . . . . . . . . . . 513
10.4.2 Software Licensing Schemes . . . . . . . . . . . . . . 518
10.4.3 Legal Issues . . . . . . . . . . . . . . . . . . . . . . . 520
10.5 Social Networking . . . . . . . . . . . . . . . . . . . . . . . . 521
10.5.1 Social Networks as Attack Vectors . . . . . . . . . . . 521
10.5.2 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . 522
10.6 Voting Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 524
10.6.1 Security Goals for Electronic Voting . . . . . . . . . . 524
10.6.2 ThreeBallot . . . . . . . . . . . . . . . . . . . . . . . . 525
10.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Notă biografică
Professors Goodrich and Tamassia are well-recognized researchers in computer security, algorithms and data structures, having published many papers in this field, with applications to computer security, cryptography, Internet computing, information visualization, and geometric computing. They have served as principal investigators in several joint projects sponsored by the National Science Foundation, the Army Research Office, and the Defense Advanced Research Projects Agency. They are also active in educational technology research.
Michael Goodrich received his Ph.D. in Computer Science from Purdue University in 1987. He is currently a Chancellor’s Professor in the Department of Computer Science at University of California, Irvine. Previously, he was a professor at Johns Hopkins University. He is an editor for the Journal of Computer and Systems Sciences and and Journal of Graph Algorithms and Applications. He is a Fulbright Scholar, an ACM Distinguished Scientist, and a Fellow of the American Association for the Advancement of Science (AAAS) and the Institute of Electrical and Electronics Engineers (IEEE).
Roberto Tamassia received his Ph.D. in Electrical and Computer Engineering from the University of Illinois at Urbana-Champaign in 1988. He is currently professor and chair of the Department of Computer Science at Brown University. He is editor-in-chief for the Journal of Graph Algorithms and Applications. He previously served on the editorial board of Computational Geometry: Theory and Applications and IEEE Transactions on Computers. He is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE).
In addition to their research accomplishments, the authors also have extensive experience in the classroom. For example, Dr. Goodrich has taught data structures and algorithms courses, including Data Structures as a freshman-sophomore level course, Applied Cryptography as a sophomore- junior level course, and Internet Algorithmics as an upper level course. He has earned several teaching awards in this capacity. His teaching style is to involve the students in lively interactive classroom sessions that bring out the intuition and insights behind data structuring and algorithmic techniques. Dr. Tamassia has taught Data Structures and Algorithms as an introductory freshman-level course since 1988 and has recently introduced a new freshman-level computer security course. One thing that has set his teaching style apart is his effective use of interactive hypermedia presentations integrated with the Web.
Michael Goodrich received his Ph.D. in Computer Science from Purdue University in 1987. He is currently a Chancellor’s Professor in the Department of Computer Science at University of California, Irvine. Previously, he was a professor at Johns Hopkins University. He is an editor for the Journal of Computer and Systems Sciences and and Journal of Graph Algorithms and Applications. He is a Fulbright Scholar, an ACM Distinguished Scientist, and a Fellow of the American Association for the Advancement of Science (AAAS) and the Institute of Electrical and Electronics Engineers (IEEE).
Roberto Tamassia received his Ph.D. in Electrical and Computer Engineering from the University of Illinois at Urbana-Champaign in 1988. He is currently professor and chair of the Department of Computer Science at Brown University. He is editor-in-chief for the Journal of Graph Algorithms and Applications. He previously served on the editorial board of Computational Geometry: Theory and Applications and IEEE Transactions on Computers. He is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE).
In addition to their research accomplishments, the authors also have extensive experience in the classroom. For example, Dr. Goodrich has taught data structures and algorithms courses, including Data Structures as a freshman-sophomore level course, Applied Cryptography as a sophomore- junior level course, and Internet Algorithmics as an upper level course. He has earned several teaching awards in this capacity. His teaching style is to involve the students in lively interactive classroom sessions that bring out the intuition and insights behind data structuring and algorithmic techniques. Dr. Tamassia has taught Data Structures and Algorithms as an introductory freshman-level course since 1988 and has recently introduced a new freshman-level computer security course. One thing that has set his teaching style apart is his effective use of interactive hypermedia presentations integrated with the Web.
Caracteristici
Accessible to the general-knowledge reader.
Authors Goodrich and Tamassia recognize that prerequisites for an extensive background in CS and mathematics are not only unnecessary for learning but also arguably contribute to a reduction in enrollments and a shortage of computer-security experts. Therefore, the authors assume only the most basic of prerequisite knowledge in computing, making this text suitable for beginning computer science majors, as well as computer science minors and non-majors.
Teaches general principles of computer security from an applied viewpoint.
In this new text, the authors cover specific computer security topics while providing necessary material on the foundations of computing needed to understand these topics. As a result, students learn about vital computer security topics such as access control, firewalls, and viruses as well as a variety of fundamental computer-science concepts like algorithms, operating systems, networking, and programming languages.
Topics covered include:
o Common cyberattacks including viruses, worms, Trojan horses, password crackers, keystroke loggers, denial of service, spoofing, and phishing.
o Techniques for identifying and patching vulnerabilities in machines and networks as well methods for detecting and repairing infected systems.
o Fundamental building blocks of secure systems such as encryption, fingerprints, digital signatures and basic cryptographic protocols.
o Human and social aspects of computer security, including usability, interfaces, copyright, digital rights management, social engineering, and ethical issues.
A practical introduction that will prepare students for careers in a variety of fields.
This text encourages students to think about security issues and to deploy security mechanisms early in designing software applications or in making software purchase/ deployment decisions. This skill will be appreciated by future employers--who may include corporations in the financial, healthcare and technology sectors--for whom the security of software applications is a critical requirement.
The material in the text will also provide readers with a clear understanding of the security ramifications of using computers and the Internet in their daily lives (e.g., for online banking and shopping), as well as the potential threats to individual privacy (as seen in recent debates on electronic voting, for example), and possibly to democracy itself, that may arise from inappropriate use of computer security technology.
Projects
The authors provide a collection of creative, hands-on projects at three levels of difficulty that can be used both in computer security and computer security-related courses. A wide set of options will allow instructors to customize the projects to suit a variety of learning modes and lab resources.
In each project, students are given a realistic, though simplified, version of a working system with multiple vulnerabilities and a list of allowed attack vectors. They may be asked to work in “break-it” mode, which will require students to attack a system by developing exploits that take advantage of the discovered vulnerabilities, or they may be asked to work in “fix-it” mode in which the student hardens the system by developing mechanisms for removing or mitigating the vulnerabilities.
SUPPLEMENTS
A collection of slide presentations created by the authors each suitable for a one-hour lecture, covering all the course topics. The presentations will include links to relevant resources on the web and will have extensive notes. The slide presentations have been created in a standard file format compatible with both Microsoft PowerPoint and OpenOffice Impress.
Fully developed programming projects, created by the authors, that are designed to stimulate the student’s creativity by challenging them to either break security or protect a system against attacks. Topics include:
1. virus and worm propagation
2. firewalls
3. cryptography and digital rights management
4. web applications
Solution Manual
Solutions to end-of-chapter Questions and Problems.
Companion Website
Valuable resources for both instructors and students.
Author Websites
The instructional Web sites, datastructures.net and algorithmdesign.net, supported by Drs. Goodrich and Tamassia, are used as reference material by students, teachers, and professionals worldwide.
Authors Goodrich and Tamassia recognize that prerequisites for an extensive background in CS and mathematics are not only unnecessary for learning but also arguably contribute to a reduction in enrollments and a shortage of computer-security experts. Therefore, the authors assume only the most basic of prerequisite knowledge in computing, making this text suitable for beginning computer science majors, as well as computer science minors and non-majors.
Teaches general principles of computer security from an applied viewpoint.
In this new text, the authors cover specific computer security topics while providing necessary material on the foundations of computing needed to understand these topics. As a result, students learn about vital computer security topics such as access control, firewalls, and viruses as well as a variety of fundamental computer-science concepts like algorithms, operating systems, networking, and programming languages.
Topics covered include:
o Common cyberattacks including viruses, worms, Trojan horses, password crackers, keystroke loggers, denial of service, spoofing, and phishing.
o Techniques for identifying and patching vulnerabilities in machines and networks as well methods for detecting and repairing infected systems.
o Fundamental building blocks of secure systems such as encryption, fingerprints, digital signatures and basic cryptographic protocols.
o Human and social aspects of computer security, including usability, interfaces, copyright, digital rights management, social engineering, and ethical issues.
A practical introduction that will prepare students for careers in a variety of fields.
This text encourages students to think about security issues and to deploy security mechanisms early in designing software applications or in making software purchase/ deployment decisions. This skill will be appreciated by future employers--who may include corporations in the financial, healthcare and technology sectors--for whom the security of software applications is a critical requirement.
The material in the text will also provide readers with a clear understanding of the security ramifications of using computers and the Internet in their daily lives (e.g., for online banking and shopping), as well as the potential threats to individual privacy (as seen in recent debates on electronic voting, for example), and possibly to democracy itself, that may arise from inappropriate use of computer security technology.
Projects
The authors provide a collection of creative, hands-on projects at three levels of difficulty that can be used both in computer security and computer security-related courses. A wide set of options will allow instructors to customize the projects to suit a variety of learning modes and lab resources.
In each project, students are given a realistic, though simplified, version of a working system with multiple vulnerabilities and a list of allowed attack vectors. They may be asked to work in “break-it” mode, which will require students to attack a system by developing exploits that take advantage of the discovered vulnerabilities, or they may be asked to work in “fix-it” mode in which the student hardens the system by developing mechanisms for removing or mitigating the vulnerabilities.
SUPPLEMENTS
A collection of slide presentations created by the authors each suitable for a one-hour lecture, covering all the course topics. The presentations will include links to relevant resources on the web and will have extensive notes. The slide presentations have been created in a standard file format compatible with both Microsoft PowerPoint and OpenOffice Impress.
Fully developed programming projects, created by the authors, that are designed to stimulate the student’s creativity by challenging them to either break security or protect a system against attacks. Topics include:
1. virus and worm propagation
2. firewalls
3. cryptography and digital rights management
4. web applications
Solution Manual
Solutions to end-of-chapter Questions and Problems.
Companion Website
Valuable resources for both instructors and students.
Author Websites
The instructional Web sites, datastructures.net and algorithmdesign.net, supported by Drs. Goodrich and Tamassia, are used as reference material by students, teachers, and professionals worldwide.