I. Preliminaries for the first meeting
   A. staff introductions
------------------------------------------
WELCOME TO CIS 4615
SECURE SOFTWARE DEVELOPMENT AND ASSURANCE

Professor Gary T. Leavens
437D Harris Center (Bldg. 116)
Phone: (407)823-4758
Email: Leavens@ucf.edu
Office Hours:
URL: http://www.cs.ucf.edu/~leavens/CIS4615

Pick up handouts: ( of them)
------------------------------------------
   B. staff introductions
   C. student introductions
II. the course itself
   A. What is this course about?
      1. Overall goals of security and assurance
------------------------------------------
OVERALL GOALS

(Computer) systems should be in the face of malicious attacks
------------------------------------------
         What would that mean for a self-driving car?
         For Florida's electrical grid?
         For a fighter jet or UAV?
         For a heart pacemaker?
         For a word processor?
         For a medical doctor's patient database?
         For the White House web site?
      2. Assurance and Trust
         a. trustworthy
------------------------------------------
TRUST

def: A system is *trustworthy* iff there is
------------------------------------------
            So what is "trust"?
            Why is evidence important?
         b. security assurance
------------------------------------------
SECURITY ASSURANCE

def: *Security assurance* is
------------------------------------------
            How would you give evidence for assurance?
      3. Basic concepts of security
------------------------------------------
SECURITY SERVICES

A secure computer system should provide:

  Confidentiality
  Integrity
  Availability
------------------------------------------
         a. confidentiality
------------------------------------------
CONFIDENTIALITY

def: *Confidentiality* means

Applications:
  - Government
    - military
    - health care
  - Industry
    - trade secrets
    - personnel information
------------------------------------------
            What is information?
         b. integrity
------------------------------------------
INTEGRITY

def: *Integrity* means

  Data integrity
  Origin integrity
------------------------------------------
            Why does integrity matter in a secure system?
            What kinds of data integrity matter to a military system?
            What about a hospital database?
         c. availability
------------------------------------------
AVAILABILITY

def: A system is *available* when
------------------------------------------
            Why is availability important to an airline company?
            What's the name for common attacks that make a system unavailable?
         d. security
------------------------------------------
SECURITY

def: A system is *secure* if it satisfies its requirements for
------------------------------------------
------------------------------------------
FOR YOU TO DO

Which security service is incorrect in a system that:

  - doesn't correctly check passwords?
  - crashes (for all users) whenever any user makes a mistake?
  - answers queries from users by giving them the requested information for all users?
  - puts user input into database queries?
------------------------------------------
   B. objectives
      What are your objectives for this course?
      How do you want this course to help you in 5 years?
------------------------------------------
COURSE OBJECTIVES

  Securely Implement
  Analyze
  Reverse Engineer
------------------------------------------
   C. outcomes
------------------------------------------
LEARNING OUTCOMES

  Securely Construct
  Validate
  Reversing
------------------------------------------
   D. plan for the course
------------------------------------------
PLAN FOR THE COURSE

Broad outline:
  - overview
  - secure implementation
  - analysis
  - reverse engineering

We will use C, C++, and Java
plus x86 assembler, and some JavaScript
------------------------------------------
      1. grading
------------------------------------------
GRADING

+ No curve grading
+ Your grade is
    60% based on tests
    40% on homework
------------------------------------------
      2. cooperation and cheating
------------------------------------------
COOPERATION

Can talk with others about homework
  - but must cite them
Can cooperatively do homework
  - but must use a "group" in webcourses
    (see grading policy for details)

CHEATING

Hacking of instructor (or computers)
Exchange of finished answers
  - without cooperation in solving them
  - without certification
Using ideas of others
  - without citation
Copying answers from the web
  - without citation
------------------------------------------
      3. ask for questions/concerns