SECOND SEMESTER 2022-2023
COURSE HANDOUT (PART II)
Date: 18/07/2024
=====================================================================================
In addition to part-I (General Handout for all courses appended to the time table) this portion gives further
specific details regarding the course.
Course No.: CS F321
Course Title: System Security
Instructor-In-Charge: Prof. Barsha Mitra
Instructors: Mrs. Gorrela Alekhya
Scope of the Course:
Securing systems and the information contained within has become a fundamental necessity in the present-day
world. This requires an in-depth understanding of the different types of security policies and mechanisms as
well as the system vulnerabilities and the manner in which they can be exploited. This course will enable students
to understand the security pitfalls, the various types of available defenses and the means to deploy them. Through
this course, the students will gain a detailed understanding of the myriad aspects of system security – the
vulnerabilities and how to secure systems despite the presence of vulnerabilities by employing various means.
The course focuses on fundamental security principles, several security models, information security, database
security, program security and different management related issues.
Objectives of the Course:
- To understand the basic guiding and design principles of security
- To learn about the different types of security policies and their applications
- To understand access control, different types of access control models and their implementation
- To know about authentication, database security, program security and operating system security and how system vulnerabilities can be exploited to launch attacks
- To understand the management related aspects of system security like risk assessment, security plans and procedures and system audit
Text Book:
T1. Matt Bishop (and Sathyanarayana S. Venkatramanayya), “Introduction to Computer Security”, 1st Edition,
Pearson, Indian Subcontinent Adaptation, 2016.
Reference Books:
R1. William Stallings and Lawrie Brown, “Computer Security: Principles and Practice”, 4th Edition, Pearson,
2020.
R2. Dieter Gollmann, “Computer Security”, 3rd Edition, Wiley, 2016.
R3. Matt Bishop, “Computer Security: Art and Science”, 2nd Edition, Addison-Wesley, 2019.
Course Plan:
| Lecture No. | Learning Objectives | Topics to be covered | Text/Reference Book Chapters |
|---|---|---|---|
| 1–2 | To obtain an overview of Computer Security | Overview: CIA Triad, Threats, Policy & Mechanism, Assumptions & Trust, Assurance, Operational Issues, Human Issues | T1 – Ch. 1, R1 – Ch. 1 |
| 3 | To understand Access Control | Access Control Matrix: Subjects, Objects & Access Rights, Protection State, Privilege Handling | T1 – Ch. 1, 9, R1 – Ch. 4, R2 – Ch. 5 |
| 4–5 | To know about Security Policies | Security Policies: Definitions, Types, Role of Trust, Types of Access Control | T1 – Ch. 2, R1 – Ch. 4, R2 – Ch. 5 |
| 6 | To learn about Confidentiality Policies | Confidentiality Policy: Goals, Bell-LaPadula Model, Lattice Models | T1 – Ch. 2, R2 – Ch. 11, Class Notes |
| 7–8 | To learn about Integrity Policies | Integrity Policies: Goals, Biba Model, Lipner’s Model, Clark-Wilson Model | T1 – Ch. 2, R2 – Ch. 12, Class Notes |
| 9–10 | To learn about Hybrid Policies | Hybrid Policies: Goals, Chinese Wall Model, Clinical Information Systems Security Model | T1 – Ch. 2, R2 – Ch. 12 |
| 11–12 | To understand authentication and authorization | Authentication & Authorization: Basics, Password Systems, Biometrics | T1 – Ch. 5, R1 – Ch. 3, R2 – Ch. 4 |
| 13–14 | To gain an understanding of the Role-Based Access Control (RBAC) Model | RBAC: Formalism, Core Model, Variants, Administrative RBAC | T1 – Ch. 2, R1 – Ch. 4, Class Notes |
| 15–17 | To understand the deployment aspects of RBAC | Role Mining: Formal definition of the Role Mining Problem (RMP), Mapping RMP to other problems, RMP Variants, Heuristic Solutions | Class Notes |
| 18–19 | To gain an understanding of the Temporal Role-Based Access Control (TRBAC) Model | TRBAC: Need of TRBAC, Formalism, Deployment – Temporal Role Mining | Class Notes |
| 20–21 | To gain an understanding of the Attribute-Based Access Control (ABAC) Model | ABAC: Definition, Components, Rules and Policy, Deployment – Policy Mining | R1 – Ch. 4, Class Notes |
| 22 | To know about the principles for designing a secure system | Principles of Secure System Design: Overview, Design Principles | T1 – Ch. 7 |
| 23–24 | To understand information flow | Information Flow: Basics, Non-lattice information flow policies, Static Mechanisms, Dynamic Mechanisms, Integrity Mechanisms | Class Notes |
| 25–26 | To learn about the confinement problem related to program execution | Confinement Problem: Problem statement, Isolation, Covert Channels | Class Notes |
| 27–28 | To know about assurance and building systems with assurance | Assurance: Basics of Assurance and Trust, Building secure and trusted systems, Integrating assurance throughout the life cycle | Class Notes |
| 29–30 | To gain an understanding of evaluation of systems | Security Evaluation: Formal evaluation, TCSEC, International and Commercial Standards and Requirements, FIPS, Common Criteria | T1 – Ch. 11, R2 – Ch. 13, Class Notes |
| 31–32 | To learn about database security | Database Security: Need for database security, SQL Injection Attacks, Database Access Control | R1 – Ch. 5, R2 – Ch. 10 |
| 33–34 | To know about the different types of malware | Malware: Types, Propagation, Countermeasures | R1 – Ch. 6, Class Notes |
| 35–36 | To know about buffer overflow | Buffer Overflow: Stack Overflow, Defenses, Other forms of Buffer Overflow | R1 – Ch. 10, R2 – Ch. 10 |
| 37–38 | To understand program security | Program Security: Issues, Handling program input and output, Writing safe program codes, Interaction with OS and other programs | R1 – Ch. 11 |
| 39–40 | To understand security management issues and system audit | Security Management: IT Security Management, Risk Assessment, Security Controls, Plans & Procedures. Security Audit: Definition, Design, Mechanism | R1 – Ch. 14, 15; T1 – Ch. 14, R1 – Ch. 18 |
| 41–42 | To learn about the security of popular operating systems | Linux Security: Introduction, Principles, Subject, Objects, Access Control, Instances of general security principles, Management Issues. Windows Security: Introduction, Subjects and Objects, Access decisions, Managing policies, Access rights, Administration | R2 – Ch. 7, Ch. 8, online material |
Evaluation:
| Component | Duration | Weightage (%) | Date & Time | Nature of Component |
|---|---|---|---|---|
| Mid Semester Examination | 90 minutes | 25% | TBA | Closed Book |
| Quiz (1 no.) | - | 10% | TBA | Open Book |
| Assignments (2 nos.) | | 20% | TBA | Open Book |
| Comprehensive Examination | 180 minutes | 45% | TBA | Closed Book |
Note: 40% of the evaluation will be completed at the time of mid-semester grading.
Chamber Consultation Hour:
To be announced in class.
Notices:
Announcements will be made in class and/or put up on CMS.
Make-up Policy:
Institute rules will apply for make-up for mid-semester and comprehensive examinations. The decision of
the I/C is final. Make-up will be provided in case of serious hospitalization where it is absolutely impossible
for the student to physically come and write the examination. This is to be supported by a doctor’s certificate
stating the absolute inability of the student to write the examination.
No make-up will be given for the quiz and assignments.
Academic Honesty and Integrity Policy:
Academic honesty and integrity are to be maintained by all the students throughout the semester and no type of
academic dishonesty is acceptable.
INSTRUCTOR-IN-CHARGE
CS F321