CurricuSec: Curriculum Tools for Security

Below we provide a preliminary set of topic ideas to help ground our intentions in a concrete plan for their realization. Our intention is to flesh out all of this material into world-class teaching materials, in keeping with the high standards maintained at CMU/CyLab for such endeavors.

We are partially inspired by the historical development of teaching materials on parallel programming. What was once a niche area only for specialists and cutting-edge research is now a part of the basic CS curriculum. We aspire to have a similar impact with respect to security – now that the ubiquity of the Internet and financially motivated attackers are here to stay – and emphasize trusted computing technologies in particular.

We hope to make all code developed for laboratory and homework exercises available to other educators. We are in favor of open source, but it should not be trivial for students to find the solutions to their assignments.

Preliminary Trusted Computing Curriculum Outline

  1. General Principles of Practical Security

    1. Developing Good Security Judgement, Isolation, Cost/Return

    2. "You aren't cleverer than the rest of the world combined."

    3. How to think about security. Analyze how one's system is going to fail. Identify resources, assets, their value, and the attack surface through which attackers might try to compromise the system. Appreciate the significance of the environment in which the system operates, and do not stare exclusively at the system itself.

    4. Basic security properties: Confidentiality, integrity, authenticity, authorization, non-repudiation, availability

    5. Good crypto hygiene (roles for keys)

    6. IT principles and user principles (e.g., revocation, backup, PII, where is my data?)

  2. History

    1. Many problems in computer security have remained unchanged for decades.

    2. Reference monitor

    3. Rainbow books

    4. Development of today's Trusted Computing efforts

    5. IT experiences

    6. Confidentiality vs integrity, Biba, Chinese wall, etc.

  3. Applied Cryptography : Understanding cryptographic tools

    1. Hash functions

    2. Symmetric vs asymmetric cryptography

    3. Key management

    4. "Leave it to the cryptographers" with respect to new algorithms, etc.

  4. Threat Analysis : The Critical Analysis of Threats

    1. Common attack types: buffer overflows, return-to-libc, return-oriented programming, etc. Possible extension to web technologies.

    2. Dictionary attacks

    3. Data at rest / in motion / in use

  5. Methods of Trusted Execution : Principles of trusting program execution

    1. Break once, run anywhere

    2. Time of check, time of use

    3. Runtime properties vs load-time properties

    4. The value of software identity

  6. Trusted Computing Building Blocks

    1. Hardware roots of trust (TPMs, …), SEDs, Virus Checkers, SCAP, TNC, Smart Cards, TSS

    2. Static vs dynamic root of trust

    3. Device identity

    4. Sealed storage

    5. Integrity measurement

    6. Network access control

  7. Attestation, Event, and Log Analysis, Remediation : Handling Attestations, Events, Logs

    1. Signed code (boot process; applying patches)

    2. Boot process integrity (authenticated boot, sealed storage, etc.)

    3. System and network monitoring

    4. Provenance (how to manage third party code in an important system)

  8. Trusted Computing Systems: Different compositions of building blocks, including servers, laptops, mobile, handheld, etc.

    1. TC "in context"

    2. Virtualization

    3. Cloud

    4. Solutions-focused

  9. Certification Strategies : Common Criteria, FIPS, Self-Certification, Industry Standards

  10. Advanced Research Concepts in Trusted Computing : Theory

    1. Software-based attestation

    2. Property/attribute-based attestation

  11. Laws and regulations

    1. Privacy

    2. Export / import

Project Leads

Virgil Gligor, Carnegie Mellon CyLab
Jonathan McCune, Carnegie Mellon CyLab

Local Support Staff

Ivan Liang, Carnegie Mellon CyLab
Nichole Dwyer, Carnegie Mellon CyLab


CyLab, Intel Corporation