Computer Security



This course gives an introduction to computer security from a classical perspective.

Time and Location




The grade will be computed as a weighted sum of the following:

Active participation requires successful completion of homework assignments and projects and is graded on a pass / no pass basis. At least 50% of the cumulative score is required to pass.

The exam will be given in the ZIP Lecture Hall, Takustraße 7.


Please look at this page for information on tutorials and homework assignments.

Lecture 1, Tuesday April 12, Course Information and Motivation


Read: [1], [2], [3], [4]

Lecture 2, Thursday April 14

Guest lecture by Frank Boldewin

Abstract: Despite the continued development of security mechanisms in the Windows operating system over the last few years, malware authors have repeatedly managed to overcome these hurdles and install malicious code on the system. Even additional measures such as firewalls and virus scanners do not offer one hundred percent protection against compromise. When the usual security tools fail, it becomes essential to go after the enemy in the system by manual means. This talk shows how to search successfully for rootkits using the Windows kernel debugger "Windbg" and various scripts. A live demonstration additionally shows how malware can also be tracked down by means of physical memory dump analysis and extracted from memory for more detailed examination.

Lecture 3, Tuesday April 19, What is computer security?


Read: ch. 1-3 of [5]

Lecture 4, Thursday April 21, State transition models


Read: ch. 9 of [5]

Lecture 5, Tuesday April 26, Access control matrix model


Read: ch. 4.7.1-4.7.3 of [6], [7], [8]

Lecture 6, Thursday April 28, Take-Grant protection model


Read: ch. 4.7.4 of [6], [9], [10]

Optional additional reading: [11]

Lecture 7, Tuesday May 03, Mandatory access control models


Read: [12], [13], [14], [15]

Optional additional reading: [16]

Lecture 8, Thursday May 05, Trojan Horses and Covert Channels


Read: [17], [18], [19]

Lecture 9, Tuesday May 10, Lattice model of information flow


Read: ch.5.1 of [6], [20], [21]

Lecture 10, Thursday May 12, Execution-based flow control mechanisms


Read: ch.5.3 of [6], [22]

Lecture 11, Tuesday May 17, Compiler-based flow control mechanisms


Read: ch.5.4 of [6]

Lecture 12, Thursday May 19, Program verification with security requirements


Read: ch.5.5-5.6 of [6], [23]

Lecture 13, Tuesday May 24, Principles of a secure architecture


Read: ch.5,8,10 of [5], [24]

Lecture 14, Thursday May 26, Capabilities and capability-based systems


Read: ch.4.5 of [6], [25], [26], [27]

Additional literature on capabilities and their discussion

Lecture 15, Tuesday May 31, Secure Operating Systems


Read: [31], [32]

No lecture on Thursday June 02, Ascension Day (Christi Himmelfahrt)

Lecture 16, Tuesday June 07, Trusted path and secure window systems


Read: [33], [34], [35]

Additional literature

Lecture 17, Thursday June 09, Secure Web Browsers


Read: [37], [38]

Lecture 18, Tuesday June 14, Buffer overflows


Read: [39]

Lecture 19, Thursday June 16, Format string vulnerability exploitation


Read: [40]

Lecture 20, Tuesday June 21, Heap and integer overflows


Read: [41], [42]

Additional literature:

Lecture 21, Thursday June 23, Return oriented programming


Read: [45], [46]

Lecture 22, Tuesday June 28, TOCTOU attacks


Read: [47], [48]

Lecture 23, Thursday June 30, Web application security


Lecture 24, Tuesday July 05, Inline reference monitors


Read: [49]

Lecture 25, Thursday July 07, Humans and passwords


Read: [50], [51], [52]

Lecture 26, Tuesday July 12, Pre-exam lecture


Lecture 27, Thursday July 14, Final exam

As announced in prior lectures and recitations, this is the exam day. The exam will be given in the ZIP Lecture Hall, Takustraße 7.


  1. Jason Franklin, Vern Paxson, Adrian Perrig, Stefan Savage, 2007. An inquiry into the nature and causes of the wealth of internet miscreants. In Proc. ACM CCS, 375-388.
  2. Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., and Savage, S. 2009. Spamalytics: an empirical analysis of spam marketing conversion. Commun. ACM 52, 9 (Sep. 2009), 99-107.
  3. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., and Vigna, G. 2009. Your botnet is my botnet: analysis of a botnet takeover. Proc. ACM CCS (2009), 635-647.
  4. Herley, C. and Florêncio, D. 2008. A profitless endeavor: phishing as tragedy of the commons. In Proc. NSPW, 2008. ACM, 59-70.
  5. Morrie Gasser. Building a Secure Computer System. Van Nostrand Reinhold, 1988.
  6. Robling Denning, D. E. 1982, Cryptography and Data Security. Addison-Wesley Longman Publishing Co., Inc.
  7. B. Lampson. Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp 18-24.
  8. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. 1976. Protection in operating systems. Commun. ACM 19, 8 (Aug. 1976), 461-471.
  9. Snyder, L. 1981. Formal Models of Capability-Based Protection Systems. IEEE Trans. Comput. 30, 3 (Mar. 1981), 172-181.
  10. Snyder, L. 1977. On the synthesis and analysis of protection systems. Proc. ACM Symposium on Operating Systems Principles (SOSP). pp. 141-150.
  11. Bishop, M. and Snyder, L. 1979. The transfer of information and authority in a protection system. Proc. ACM Symposium on Operating Systems Principles (SOSP), 45-54.
  12. David E. Bell and Leonard J. LaPadula, Secure Computer System: Unified Exposition and MULTICS Interpretation, MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA 01730 (Mar. 1976); also ESD-TR-75-306, rev. 1, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731.
  13. David Elliott Bell, Looking Back at the Bell-La Padula Model, Proc. ACSAC, pp.337-351, 2005
  14. Biba, K., Integrity Considerations for Secure Computer Systems, ESD-TR-76-372, ESD/AFSC, Hanscom AFB, Bedford, MA (Apr. 1977) [NTIS ADA039324]
  15. Brewer, D., Nash, M., The Chinese Wall security policy. IEEE Symposium on Security and Privacy, pp. 206-214, Oakland, May 1989
  16. Burrow, A. L. 2004. Negotiating access within Wiki: a system to construct and maintain a taxonomy of access rules. Proc. ACM Conference on Hypertext and Hypermedia 2004. ACM, 77-86.
  17. Thompson, K. 1984. Reflections on trusting trust. Commun. ACM 27, 8 (Aug. 1984), 761-763.
  18. Lampson, B. W. 1973. A note on the confinement problem. Commun. ACM 16, 10 (Oct. 1973), 613-615.
  19. Lipner, S. B. 1975. A Comment on the Confinement Problem. ACM Operating Systems Review 9(5):192-196
  20. Denning, D. E. 1976. A lattice model of secure information flow. Commun. ACM 19, 5 (May. 1976), 236-243.
  21. Jones, A. K. and Lipton, R. J. 1975. The enforcement of security policies for computation. In Proceedings of the Fifth ACM Symposium on Operating Systems Principles (Austin, Texas, United States, November 19 - 21, 1975). SOSP '75. ACM, New York, NY, 197-206.
  22. J. S. Fenton. Memoryless Subsystems. Comput. J. 17(2): 143-147 (1974)
  23. Myers, A. C. 1999. JFlow: practical mostly-static information flow control. Proc. Symposium on Principles of Programming Languages. 1999, 228-241.
  24. Jerome H. Saltzer, Michael D. Schroeder, The Protection of Information in Computer Systems, Proc. IEEE Vol. 63(9) pp. 1278-1308 (Sep. 1975).
  25. Henry M. Levy, 1984. Capability-based computer systems. Digital Press, 1984.
  26. Shapiro, J. S., Smith, J. M., and Farber, D. J. 1999. EROS: a fast capability system. Proc. ACM Symposium on Operating Systems Principles. SOSP '99, 170-185.
  27. Tanenbaum, A.S., Mullender, S.J., and Renesse, R. van. Using Sparse Capabilities in a Distributed Operating System. Proc. Int'l Conf on Distributed Computing Systems, IEEE, pp. 558-563, 1986.
  28. Hardy, N. 1988. The Confused Deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (Oct. 1988), 36-38.
  29. Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro, 2003. Capability Myths Demolished. Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University.
  30. Hardy, N. 1985. KeyKOS architecture. SIGOPS Oper. Syst. Rev. 19, 4 (Oct. 1985), 8-25.
  31. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making information flow explicit in HiStar. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation, Seattle, WA, November 2006.
  32. Zeldovich, N., Boyd-Wickizer, S., and Mazières, D. 2008. Securing distributed systems with information flow control. In Proc. USENIX Symposium on Networked Systems Design and Implementation, 2008. pp. 293-308.
  33. Epstein, J. 2006. Fifteen Years after TX: A Look Back at High Assurance Multi-Level Secure Windowing. In Proc. Annual Computer Security Applications Conference, 301-320.
  34. Shapiro, J. S., Vanderburgh, J., Northup, E., and Chizmadia, D. 2004. Design of the EROS trusted window system. In Proc. USENIX Security Symposium, 2004, 165-178.
  35. Feske, N. and Helmuth, C. 2005. A Nitpicker's guide to a minimal-complexity secure GUI. In Proc Annual Computer Security Applications Conference, 85-94.
  36. Norman Feske, 2009. Securing Graphical User Interfaces. Dissertation, TU Dresden.
  37. Grier, C., Tang, S., and King, S.T. Secure web browsing with the OP web browser. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, May 2008.
  38. Wang, H. J., Grier, C., Moshchuk, A., King, S. T., Choudhury, P., and Vente, H. The multi-principal OS construction of the Gazelle web browser. In Proc. USENIX Security Symposium, Montreal, Canada, August 2009.
  39. Aleph One, 1996. Smashing the stack for fun and profit. Phrack Magazine No. 49, Nov. 1996.
  40. Scut, 2001. Exploiting Format String Vulnerabilities.
  41. Anonymous, 2001. Once upon a free().... Phrack Magazine 57, 9.
  42. Blexim, 2002. Basic Integer Overflows. Phrack Magazine 11, 60.
  43. Mark Dowd, 2008. Application-Specific Attacks: Leveraging the Action Script Virtual Machine. IBM Global Technology Services Whitepaper, April 2008.
  44. Eric Chien, Peter Szor, 2002. Blended Attacks: Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses. Virus Bulletin Conference Sep. 2002, New Orleans, USA, 1-35.
  45. Ryan Roemer, Erik Buchanan, Hovav Shacham and Stefan Savage, 2009. Return-Oriented Programming: Systems, Languages, and Applications. In review.
  46. Ralf Hund, Thorsten Holz, Felix C. Freiling, 2009. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. Proc. USENIX Security Symposium, 2009.
  47. Dan Tsafrir, Tomer Hertz, David Wagner, Dilma Da Silva, 2008. Portably Solving File TOCTTOU Races with Hardness Amplification. FAST, pp. 189-206.
  48. Xiang Cai, Yuwei Gui, Rob Johnson, 2009. Exploiting Unix File-System Races via Algorithmic Complexity Attacks. IEEE S&P, Oakland, CA, pp.27-41.
  49. Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, Nicholas Fullagar, 2010. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. CACM Vol. 53, No. 1.
  50. Florencio, D. and Herley, C. 2007. A large-scale study of web password habits. In Proc. WWW, pp. 657-666.
  51. C. Herley, 2009. So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. NSPW
  52. Volker Roth and Kai Richter, 2006. How to fend off shoulder surfers. Journal of Banking and Finance, 30(6):1727-1751.