Advanced Computer Security

Module aims

At the end of the course, the student will have an in-depth understanding of the themes and challenges of host-level native, web, and mobile security and privacy. Many of the skills learned in this module will directly influence the student’s ability to create secure and privacy-preserving software. Students will also develop abilities to analyse and critique foundational and state-of-the-art research papers in this space.

Learning outcomes

▫    ILO1: Analyse software and system designs from a security and privacy point of view
▫    ILO2: Analyse and argue about security and privacy issues across a range of platforms, including native, web, mobile, and cloud
▫    ILO3: Criticize and evaluate up-to-date research literature in security and privacy
▫    ILO4: Evaluate the security architecture of modern smartphone operating systems and popular smart home platforms.
▫    ILO5: Create simple SELinux mandatory access control policies for Android.
▫    ILO6: Critique the strengths and weaknesses of attack detection and prevention mechanisms on smartphones and IoT systems.
▫    ILO7: Assess and design the security of cyber-physical systems.
 

Module syllabus

This module covers the following topics:

  • Basics [5 hours]
    • Secure design principles, OS, and runtime security  
    • Robust application code through analysis
    • Secure system design and threat modelling  
  • Memory/web/mobile [6 hours]
    • Memory (un)safety and advanced control hijacking attacks (ROP)
    • Advanced topics of Web security model and its pitfalls; browser vulnerabilities
    • Preventing web application issues through code review, static analysis, and runtime enforcement
    • Code de-obfuscation and reverse engineering JavaScript malware and exploit kits
    • Malware: Computer viruses, spyware, and key-loggers
    • Addressing malware anti-debugging mechanisms
    • Ads on the web and ad blocking challenges
  • Topics [3 hours]
    • Ransomware prevention and detection
    • Cloud security
    • Blockchain security introduction
       
  • Smartphone Security [7 hours]
    • Overview of Android and iOS Security Architecture [1] (ILO4)
    • Android Permissions [2] (ILO4, ILO6)
    • Threats from Mobile Advertising [1] (ILO4, ILO6)
    • Side Channel Attacks [1] (ILO4, ILO6)
    • Prevention: Mandatory Access Control [1] (ILO4, ILO6)
    • [TUTORIAL] SELinux policy tutorial [1] (ILO5)
  • Security of Emerging IoT Platforms [7 hours]
    • IoT Security Overview [1] (ILO4)
    • Smart-Home Platform Security [2] (ILO4, ILO6)
    • Voice Assistants Security – Attacks & Defenses [2] (ILO4, ILO6)
    • Cyber-physical Security [2] (ILO7)
       

Teaching methods

  • 7 weeks of 4 hours of lecture.
    • We will cover a range of advanced systems security topics. These will be introduced through pre-recorded lectures on both fundamental and state-of-the-art academic papers.
    • Unmarked quiz(zes) on questions related to last session’s topic(s) will be given online. At the beginning of the next session, the instructor will explain the answer(s) to the quiz(zes).
    • A set of open (often debatable ethical and analysis) questions will be presented online and you will be encouraged to provide and argue about your views on the subject.
    • 1-hour tutorial on writing SELinux policies for Android (unmarked). You will be provided with a set of policy requirements in plain English, which you will have to turn into an equivalent SELinux policy specification. You will be given 30 minutes to complete it. In the last 30 minutes, the instructor will explain the correct answers.
  • End of course wrap up and revision lecture (2 hours).

An online service will be used as a discussion forum for the module.

Assessments

There will be two assessed courseworks each counting for 10% of the final grade.

[10%] Security and privacy principles coursework

  • The first assessed exercise will cover topics from the first half of the course, ranging from principles of secure system design, runtime systems, and security policies in native code and on the web to topics that involve malware blocking, ad blocking, etc. The multi-page written assignment requires short write-in answers.


[10%] Android Malvertising

  • The second assessed exercise will be undertaken in groups of 2-3 people. You will be guided in developing Android malware. The exercise aims to help you develop a practical understanding of what adversaries can do on mobile phones.
    • Use the Android IDE (Android Studio).
    • Guided to develop a malicious advertising library running in a mobile app.
    • Develop your own techniques to extract sensitive user information.
    • Reverse engineer a real Android app.
    • Inject a malicious payload in a real Android app.


For the first coursework you will submit a report with the answers to the provided questions. The instructor and TAs will manually check your answers.

For the second coursework, you will submit a report and relevant source code on CATE. The instructor and TAs will manually assess your material. This will be in the form of a competition. The three most creative adversarial implementations will get an honorable mention on the module’s website and lifelong bragging rights. Students are encouraged to use Piazza during the assignment for discussing different approaches. Marks are clearly noted per coursework item on the specification sheet. Feedback will be provided on student reports.
 

Reading list

Core reading

Module leaders

Dr Ben Livshits
Dr Soteris Demetriou