1 Introduction 1
1.1 Fundamental Concepts . . . . . . . . . . . . . . . . . . . . . 2
1.2 Access Control Models . . . . . . . . . . . . . . . . . . . . . 19
1.3 Cryptographic Concepts . . . . . . . . . . . . . . . . . . . . . 25
1.4 Implementation and Usability Issues . . . . . . . . . . . . . . 39
1.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

2 Physical Security 55
2.1 Physical Protections and Attacks . . . . . . . . . . . . . . . . 56
2.2 Locks and Safes . . . . . . . . . . . . . . . . . . . . . . . . . 57
2.3 Authentication Technologies . . . . . . . . . . . . . . . . . . . 71
2.4 Direct Attacks Against Computers . . . . . . . . . . . . . . . 88
2.5 Special-Purpose Machines . . . . . . . . . . . . . . . . . . . 99
2.6 Physical Intrusion Detection . . . . . . . . . . . . . . . . . . . 13
2.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

3 Operating Systems Security 113
3.1 Operating Systems Concepts . . . . . . . . . . . . . . . . . . 114

3.2 Process Security . . . . . . . . . . . . . . . . . . . . . . . . . 130
3.3 Memory and Filesystem Security . . . . . . . . . . . . . . . . 136

3.4 Application Program Security . . . . . . . . . . . . . . . . . . 149
3.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

4 Malware 173

4.1 Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 174
4.2 Computer Viruses . . . . . . . . . . . . . . . . . . . . . . . . 181
4.3 Malware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 188
4.4 Privacy-Invasive Software . . . . . . . . . . . . . . . . . . . . 202

4.5 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . 208
4.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

5 Network Security I 221
5.1 Network Security Concepts . . . . . . . . . . . . . . . . . . . 222
5.2 The Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . 229
5.3 The Network Layer . . . . . . . . . . . . . . . . . . . . . . . . 236
5.4 The Transport Layer . . . . . . . . . . . . . . . . . . . . . . . 246
5.5 Denial-of-Service Attacks . . . . . . . . . . . . . . . . . . . . 256

5.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

6 Network Security II 269
6.1 The Application Layer and DNS . . . . . . . . . . . . . . . . . 270
6.2 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
6.3 Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

6.4 Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . 299
6.5 Wireless Networking . . . . . . . . . . . . . . . . . . . . . . . 313

6.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

7 Web Security 327
7.1 The World Wide Web . . . . . . . . . . . . . . . . . . . . . . 328
7.2 Attacks on Clients . . . . . . . . . . . . . . . . . . . . . . . . 347

7.3 Attacks on Servers . . . . . . . . . . . . . . . . . . . . . . . . 368
7.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

8 Cryptography 387
8.1 Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . 388
8.2 Public-Key Cryptography . . . . . . . . . . . . . . . . . . . . . 406
8.3 Cryptographic Hash Functions . . . . . . . . . . . . . . . . . 417
8.4 Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . 421
8.5 Details on AES and RSA . . . . . . . . . . . . . . . . . . . . 425
8.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

9 Distributed-Applications Security 487
9.1 Database

Accessible to the general-knowledge reader.

Authors Goodrich and Tamassia recognize that prerequisites for an extensive background in CS and mathematics are not only unnecessary for learning but also arguably contribute to a reduction in enrollments and a shortage of computer-security experts. Therefore, the authors assume only the most basic of prerequisite knowledge in computing, making this text suitable for beginning computer science majors, as well as computer science minors and non-majors.

Teaches general principles of computer security from an applied viewpoint.

In this new text, the authors cover specific computer security topics while providing necessary material on the foundations of computing needed to understand these topics. As a result, students learn about vital computer security topics such as access control, firewalls, and viruses as well as a variety of fundamental computer-science concepts like algorithms, operating systems, networking, and programming languages.

Topics covered include:

o Common cyberattacks including viruses, worms, Trojan horses, password crackers, keystroke loggers, denial of service, spoofing, and phishing.

o Techniques for identifying and patching vulnerabilities in machines and networks as well methods for detecting and repairing infected systems.

o Fundamental building blocks of secure systems such as encryption, fingerprints, digital signatures and basic cryptographic protocols.

o Human and social aspects of computer security, including usability, interfaces, copyright, digital rights management, social engineering, and ethical issues.

A practical introduction that will prepare students for careers in a variety of fields.

This text encourages students to think about security issues and to deploy security mechanisms early in designing software applications or in making software purchase/ deployment decisions. This skill will be appreciated by future employers--who may include corporations in the financial, healthcare and technology sectors--for whom the security of software applications is a critical requirement.

The material in the text will also provide readers with a clear understanding of the security ramifications of using computers and the Internet in their daily lives (e.g., for online banking and shopping), as well as the potential threats to individual privacy (as seen in recent debates on electronic voting, for example), and possibly to democracy itself, that may arise from inappropriate use of computer security technology.

Projects

The authors provide a collection of creative, hands-on projects at three levels of difficulty that can be used both in computer security and computer security-related courses. A wide set of options will allow instructors to customize the projects to suit a variety of learning modes and lab resources.

In each project, students are given a realistic, though simplified, version of a working system with multiple vulnerabilities and a list of allowed attack vectors. They may be asked to work in “break-it” mode, which will require students to attack a system by developing exploits that take advantage of the discovered vulnerabilities, or they may be asked to work in “fix-it” mode in which the student hardens the system by developing mechanisms for removing or mitigating the vulnerabilities.

SUPPLEMENTS

A collection of slide presentations created by the authors each suitable for a one-hour lecture, covering all the course topics. The presentations will include links to relevant resources on the web and will have extensive notes. The slide presentations have been created in