Advanced Computer Security

Module aims

At the end of the course, the student will have an in-depth understanding of the themes and challenges of host-level native, web, and mobile security and privacy. Many of the skills learned in this module will directly influence the student’s ability to create secure and privacy-preserving software. Ability to follow short research papers in this space.

Learning outcomes

Specific outcomes:
ILO1: Analyse software and system designs from a security and privacy point of view
ILO2: Understand security and privacy issues across a range of platforms, including native, web, mobile, and cloud
ILO3: Learn how to understand up-to-date research literature in security and privacy
ILO4: Understand the security architecture of modern smartphone operating systems and popular smart home platforms.
ILO5: Write simple SELinux mandatory access control policies for Android.
ILO6: Critique the strengths and weaknesses of attack detection and prevention mechanisms on smartphones and IoT systems.
ILO7: Assess and design the security of smartphone and IoT system components.
 

Module syllabus

This module covers the following topics:

Basics [5 hours]

  • Secure design principles, OS, and runtime security  
  • Robust application code through analysis
  • Secure system design and threat modelling  


Memory/web/mobile [6 hours]

  • Memory (un)safety and advanced control hijacking attacks (ROP)
  • Advanced topics of Web security model and its pitfalls; browser vulnerabilities
  • Preventing web application issues though code review, static analysis, and runtime enforcement
  • Code de-obfuscation and reverse engineering JavaScript malware and exploit kits
  • Malware: Computer viruses, spyware, and key-loggers
  • Addressing malware anti-debugging mechanisms
  • Ads on the web and ad blocking challenges


Topics [3 hours]

  • Ransomware prevention and detection
  • Cloud security
  • Blockchain security introduction


Smartphone Security [7 hours]

  • Overview of Android and iOS Security Architecture [1]
  • Android Permissions [2]
  • Threats from Mobile Advertising [1]
  • Side Channel Attacks [1]
  • Prevention: Mandatory Access Control [1]
  • [TUTORIAL] SELinux policy tutorial [1]


Security of Emerging IoT Platforms [7 hours]

  • IoT Security Overview [1]
  • Smart-Home Platform Security [2]
  • Voice Assistants Security – Attacks & Defenses [2]
  • Security Challenges in Autonomous and Connected Vehicles [1]
  • Security Challenges in Unmanned Aerial Vehicles (Drones) [1]

Teaching methods

7 weeks of 4 hours of lecture.

  • We will cover a range of advanced systems security topics. These will be introduced through presentations and discussions on both fundamental and state-of-the-art academic papers.
  • The initial 10 minutes will be dedicated to an unmarked quiz on questions related to last session’s topic(s). We will be using mentimeter. At the end of the quiz, the instructor will explain the answers to the questions.
  • Last 15 minutes of each 2-hour session will be dedicated for in-class discussion on the covered topic. A set of open (often debatable ethical and analysis) questions will be presented and you will be encouraged to provide and argue about your views on the subject.
  • 1-hour tutorial on writing SELinux policies for Android (unmarked). You will be provided with a set of policy requirements in plain English which you would have to turn into an equivalent SELinux policy specification. You will be given 30 minutes to complete it and the rest of the time will be dedicated to discussing your answers. The instructor will guide the discussion and explain the correct answers.

End of course wrap up and revision lectures (2 hours).
 

Assessments

There will be two assessed courseworks each counting for 10% of the final grade.

[10%] Security and privacy principles coursework

  • The first assessed exercise will cover topics from the first half of the course, ranging from principles of secure system design, runtime systems, security policies in native code and on the web, topics that involve malware blocking, ad blocking, etc. the multi-page written assignment requires short write-in answers.


[10%] Android Malvertising

  • The second assessed exercise will be undertaken in groups of 2-3 people. You will be guided in developing an Android malware. Aims to help you develop a practical understanding of what adversaries can do on mobile phones.
    • Use the Android IDE (Android Studio).
    • Guided to develop a malicious advertising library running in a mobile app.
    • Develop your own techniques to extract sensitive user information.
    • Reverse engineer a real Android app.
    • Inject malicious payload in a real android app.


For the first coursework you will submit a report with the answers to the provided questions. The instructor and TAs will manually check your answers.

For the second coursework, you will submit a report and relevant source code on CATE. The instructor and TAs will manually assess your material. This will be in the form of a competition. The three most creative adversarial implementations will get a prize and will pitch their approach in class.  Students are encouraged to use Piazza during the assignment for discussing different approaches. Marks are clearly noted per coursework item on the specification sheet. Feedback will be provided on student reports. There will also be FAQs based on the feedback.

Module leaders

Dr Ben Livshits
Dr Soteris Demetriou