System Security: COMPSCI 725, City Campus (S2 2018)

Data security: confidentiality, integrity, availability. System security: prohibitions, permissions, obligations, exemptions. The gold standard of dynamic security: authentication, authorisation, audit. Governance: specification, implementation, assurance. Three-layer defence: prevention, detection, response. Control modalities: architectural, economic, legal, normative. System-centric analyses: attacks, threats, vulnerabilities, information flows. Owner-centric analyses: functionality, security, trust, distrust. Data obfuscation, tamper resistance. System designs.

Two of the following courses: COMPSCI 313, 314, 320, 335, 340, 351, 734, 742.

Students will read approximately 20 technical articles during the first eight weeks of this paper. During weeks 6-12, we'll be listening to student oral presentations on articles in our required list of readings. Each presentation is required to identify an issue that's worthy of our attention in our subsequent in-class discussions. Please note that these discussions will not be recorded, and are examinable.

The required list of readings for this course will be finalised in week 2, when students have selected their articles for oral presentation. The required list of readings will include Lampson's classic article on Computer Security in the Real World which, as discussed in the first weeks of lecture, defines the terminology and conceptual basis for our subsequent discussions of systems security. It will also include our University's Student Academic Conduct Statute, as a description of a "soft" security system which regulates a student's use of computerised systems such as Google-searching, word-processors which provide convenient cut-and-pasting from other documents, and online services providing assistance with homework assignments.

Tutorial sessions will be held during weeks 5 to 11. Students will be awarded 1 mark for rehearsing their oral presentation in a tutorial session in the week before they are scheduled to present it in the classroom. The instructor will offer feedback and suggest improvements.

Your oral presentation (15% of total marks) must be a coherent explanation of an advanced topic in software security, showing your careful reading and understanding of one professional publication. Your presentation should: have a very brief (1-slide) summary of the article, identify one issue that is worthy of careful consideration, briefly explain why this issue is important, and briefly summarise what the article has to say about this issue. You must not explain what other publications, or other people, have to say about this issue; instead your presentation must stay focussed on what information can be gained about this issue, by a careful and well-educated reader, from this article. Lecture slides from student oral presentations will be posted to the Assignments area of the class website.

Your written report (25% of total marks) must demonstrate your critical and appreciative understanding of at least three professional publications -- at least one of which must be a required reading for this course (but not necessarily the same article you presented orally). If more than one of the required readings for this offering of COMPSCI 725 has a direct bearing on the topic of your written report, then you must cite and discuss these readings -- in a way that demonstrates you have formed a critical and appreciative understanding of their relevance to the topic of your written report. Please note that the article by Lampson discussed in the first weeks of the semester is a required reading which is very likely to be directly relevant to any topic you select for your written report.

The University of Auckland does not tolerate cheating, nor does it tolerate assisting others to cheat. As noted above, our University's Student Academic Conduct Statute is a required reading for this offering of COMPSCI 725.

All internally-assessed work in this course (including oral-presentation slideshows) will be spot-checked for signs of plagiarism, using a variety of methods. Please note that you will not be awarded academic credit for your submission of anyone else's phrases, sentences, or graphics, unless make it clear that you are quoting or paraphrasing or adapting their work. Extensive copying or paraphrasing will be treated as an academic offense, unless the source is cited. If you do cite your sources, but you show no understanding beyond an ability to cut-and-paste with some adjustment of phrasing or wording, then you will get a failing grade on that assignment. However: if you show strong understanding of your topic through your appropriate quotation, paraphrase, adaptation and discussion of information gained from authoritative and cited sources, then you will get excellent marks.

In this class, we will discuss plagiarism, quotation, and paraphrase, both in the theoretical context of intellectual property, and also in the practical context of academic writing for our class assignments.

We will give some general advice on the appropriate use of direct quotation and paraphrase. We also teach a few other "tricks of the trade" in technical writing, because in prior years we have found that few of our entering students are highly skilled in academic writing.

Students may earn an "A+" in our course, even if they turn in work with minor grammatical errors. Major grammatical errors may cause us to misunderstand the author's intent, and we will assign low marks when we are not sure of a student's understanding of the material they are presenting in their report. Students should take special care with the spelling of technical terms, especially acronyms, for an incorrect spelling can cause great confusion in the mind of a reader who thinks the author is referring to some other technical term with a similar spelling! Passing marks are awarded if, and only if, a student's work demonstrates their understanding of the software security technologies, techniques, and analyses discussed in this course.