T. Andrew Yang: CSCI 5533

T. Andrew Yang

Email: yang@uhcl.edu

Web: http://cse.uhcl.edu/yang/

Tel.: (281) 283-3835

Last updated:

3/30: revised class schedule in response to changes caused by the virus

2/19: updated due dates for research draft (4/8) and lab 3 (4/15)

2/11: Lab 1 published; updated due dates

2/5: updated due dates (3/4, 4/15, 4/30) for the research project

2/5: updated hands-on labs information

1/29: TA hours revised

1/26: TA hours posted

1/22: fixed Assignment 1 link, and updated TA hours

1/22: first posted

CSCI 5234-01 Web Security

Spring 2020 (1/21 – 5/4 + final week)

· Important Information:

o (Required) Join the discussing group for announcements and discussions: https://groups.google.com/forum/?hl=en#!forum/csci5234spring2020

Class Notes, Topics & Schedule

- Print out the class notes for the day and bring them to the class.

Assignments & Projects

TA Office Hours

Professor Office Hours

Time & Classroom

Wedn., 1:00pm – 3:50pm (Delta 201)

Prerequisite: Web Applications Development (csci/cinf4230) and Computer Security (csci/cinf4233 or csci5233), or instructor's approval.

Note: If you do not have either of the prerequisites, you MUST talk to the instructor. It is assumed that students enrolled in this class are familiar with fundamental topics such as cryptography (symmetric vs asymmetric encryptions/decryptions), security protocols (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web applications development.

Course Description: Fundamental coverage of issues and techniques in developing secure web-based applications; related topics such as network security, web server security, application-level security and web database security, etc.

Course Objectives: The primary objective of this course is to study and practice fundamental techniques in developing secure web-based applications, including vulnerability of web-based applications and how to protect those applications from attacks. In addition, advanced topics related to Web, such as E-commerce security, Cloud security, collaborative Web-based applications, etc., will also be studied. Students are encouraged to complete a publishable research paper on one of the related topics.

Learning Outcome:

· Understand security-related issues in Web-based systems and applications.

· Understand the fundamental security components of a computer system.

· Be able to evaluate a Web-based system with respect to its security requirements.

· Understand the process of developing secure networked systems.

· Understand the fundamental mechanisms of securing a Web-based system.

· Be able to implement security mechanisms to secure a Web-based application.

· Understand security issues and common controls in electronic commerce systems.

Class Format: Lectures are combined with discussions and, if applicable, student presentations and discussions of advanced topics. Students are expected to be active participants, by studying the relevant chapters and/or research papers, and participating at in-class discussions.

A note about Bloom's Taxonomy and your learning …

(source: https://tips.uark.edu/using-blooms-taxonomy/ )

Instructor: Dr. T. Andrew Yang

(office) Delta 174

(phone#) (281) 283-3835 (Please leave a message if not available.)

NOTE: If the suite office (D161) is locked, you may use the phone outside the office to call me (by entering the extension 3835).

(email address) yang@uhcl.edu

Important notes:

Emails without a subject line or a signature will be considered as potentially malicious and be discarded. Here is a sample subject line: "CSCI5234 lab#1, question 3".

Although email messages tend to be informal, please check the grammar and spelling of your messages to ensure their legibility.

(Web site) http://cse.uhcl.edu/yang (or http://sceweb.uhcl.edu/yang)
NOTE: Find the assignments and/or projects at the Assignments & Projects page.

Office Hours : See http://cse.uhcl.edu/yang/teaching/officeHours.htm

NOTE: In addition, you are highly encouraged to send your questions to me by e-mails (yang@uhcl.edu). Try to provide sufficient details in your email message, such as the problem(s) you have encountered, the solution(s) you have tried, and the outcome you have got from these solution(s).

Teaching assistant info and office hours:

TA - Bikkumalla, Darshitha (BikkumallaD6604@UHCL.edu)

Office Hours –

Monday     4 pm - 8 pm
Tuesday    12 pm - 3 pm
Wednesday 7 pm - 10 pm
~~Friday~~ Thursday    1 pm - 4 pm
Location – Delta 2^nd floor computer lab

Note: Contact the instructor immediately if you have got any problem with the TA or the office hours.

Required Text:

· Z: Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press; 1 edition (November 15, 2011). ISBN-10: 1593273886, ISBN-13: 978-1593273880.

· D: Wenliang Du, Computer & Internet Security: A Hands-on Approach, 2nd Edition, May 1, 2019. ISBN-10: 1733003932, ISBN-13: 978-1733003933.

+ Instructor's handouts in the class and/or on the Web

Supplemental Materials

JDBC Security:

o Oracle's secure JDBC

Oracle related links:

o Architecture of Oracle Net Services

o Oracle's Listener Control Utility (lsnrctl)

o Transparent Network Substrate (TNS)

Servlet Security & certificates:

o SSL Configuration HOW-TO, the Apache Tomcat 5.5 Servlet/JSP Container: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Glossaries, RFCs, Related Websites, etc.

Internet Glossaries

o RFC2828: Internet Security Glossary. R. Shirey. May 2000.

o http://www.netlingo.com: searchable online dictionary

o http://www.sharpened.net/glossary/index.php: Definitions of Computer and Internet Terms

HTTP & History of the WWW:

o [HTTP 1991] The Original HTTP as defined in 1991.

o [HTTP 1992] Basic HTTP as defined in 1992.

o [HTTP 1996] RFC1945 : Hypertext Transfer Protocol -- HTTP/1.0. T. Berners-Lee, R. Fielding, H. Frystyk. May 1996. Informational. (Note: This document also defines HTTP/0.9.) local copy

o [HTTP 1999] RFC2616 : Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee. June 1999. DRAFT STANDARD. local copy

o [irt.org 1998] WWW – How It All Began.

o [isoc.org 2000] The Internet Society. A Brief History of the Internet. August 4, 2000.

RFCs related to HTTP:

o Searching the RFC database: https://www.rfc-editor.org/

o The Internet Engineering Task Force (IETF): http://www.ietf.org/

o RFC2616: Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee June. June 1999. DRAFT STANDARD. local copy of rfc2616

o RFC2617: HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999. DRAFT STANDARD. local copy of rfc2617

o RFC2965: HTTP State Management Mechanism. D. Kristol, L. Montulli. October 2000. PROPOSED STANDARD. local copy of rfc2965

o RFC2585: Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. R. Housley, P. Hoffman. May 1999. PROPOSED STANDARD. local copy of rfc2585 “This document specifies the conventions for using the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs from PKI repositories. Additional mechanisms addressing PKI repository access are specified in separate documents.”

RFCs related to TLS:

o RFC2246: The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999. PROPOSED STANDARD. local copy of rfc2246

o RFC2712: Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). A. Medvinsky, M. Hur. October 1999. PROPOSED STANDARD. local copy of rfc2712

o RFC2817: Upgrading to TLS within HTTP/1.1. R. Khare, S. Lawrence. May 2000. PROPOSED STANDARD (Updates RFC2616). local copy of rfc2817

o RFC2818: HTTP over TLS. E. Rescorla. May 2000. INFORMATIONAL. local copy of rfc2818

o RFC2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security. J. Hodges, R. Morgan, M. Wahl. May 2000. PROPOSED STANDARD (Updated by RFC3377). local copy of rfc2830

o RFC3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). P. Chown. June 2002. PROPOSED STANDARD. local copy

Other Related RFCs:

o RFC2827/BCP0038: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May 2000. BEST CURRENT PRACTICE. local copy

o RFC3377: Lightweight Directory Access Protocol (v3): Technical Specification. J. Hodges, R. Morgan. September 2002. PROPOSED STANDARD. local copy of rfc3377

Related Web Sites & Documents:

o Man in the middle attack as explained on Wikipedia

o Bejtlick, Richard. "Implementing Network Security Monitoring with Open Source Tools": Interesting discussions of net monitoring issues, including open source tools such as tcpdump, argus, snort, trafd/trafshow, sguil, etc.

o VeriSign Technical Brief. "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services"

o Cryptography FAQ Index: http://www.faqs.org/faqs/cryptography-faq/

o Cryptography.org: http://www.cryptography.org/

o The Open SSL Project (SDKs for free download): http://www.openssl.org/

· SEEDS Security labs: https://seedsecuritylabs.org/

· SEEDS Web Security labs: http://www.cis.syr.edu/~wedu/seed/labs12_04.html

· Computer & Internet Security - Slides, Problems and Labs: https://www.handsonsecurity.net/resources.html

Topics and Notes
NOTE: The following schedule will be adhered to as closely as possible, although changes are probable. Always check with your instructor if you are not sure what would be covered next week.

week (dates)	Topics & Slides (Book: Chapters)	Due Dates
1 (1/22)	- Syllabus, projects, presentations, etc. A. Overview - Security Mechanisms, Vulnerabilities - Is Your Traditional Security Stack Giving You A False Sense of Security? By Kevin Mitnick, and Perry Carpenter. Jan 7 2020 \| 60 mins	· Form your project team for the hands-on labs (team or individual) · Discussion/selection of research projects (individual)
2 (1/29)	- Overview: security components and mechanisms Exercise about mechanisms and prerequisites
3 (2/5)	- Exercise about mechanisms and prerequisites
4 (2/12)	- Security of Web Applications (Z: Ch 1, Ch 18)	Assignment 1
5 (2/19)	- Cross-Site Request Forgery (D: Ch 10)	2/19: Post your team membership to the discussion group.
6 (2/26)	- Cross-Site Scripting Attack (D: Ch 11) - SQL Injection Attack (D: Ch 12)	Lab 1
7 (3/4)	B. Public Keys, Certificates, SSL/TLS - Public Key Cryptography (D: Ch 23)	3/4: Post the abstract of your research project to the discussion group.
8 (~~3/11~~)	Spring break. No class meeting.
9 (3/18)	~~Midterm Exam~~ Class cancelled because of the virus	Midterm
10 (3/25)	Midterm Exam - ~~Public Key Infrastructure (D: Ch 24)~~	~~Lab 2~~
11 (4/1)	- ~~Transport Layer Security (TLS) (D: Ch 25)~~ - Public Key Infrastructure (D: Ch 24)
12 (4/8)	~~C. Project presentations~~ - Transport Layer Security (TLS) (D: Ch 25)	~~4/8:~~ ~~Post your draft research paper to the discussion group.~~ Lab 2 (4/8)
13 (4/15)	~~No class meeting~~ C. Project presentations <schedule to be published>	~~Lab 3~~ 4/15: Post your draft research paper to the discussion group.
14 (4/22)	- Project presentations <schedule to be published>	Lab 3 (4/22)
15 (4/29)	- Project presentations <schedule to be published> - Review for the final exam > Fill out online evaluation at https://apps.uhcl.edu/OnlineEvals	4/30: Post your final research paper to the discussion group.
16 final exam week	Final exam: comprehensive, open-book (Wednesday, May 6, 4pm - 6pm)	Final exam

Evaluation:

category	Percentage
Assignment (5% X 1)	5%
midterm exam	25%
final exam (open book)	25%
Hans-on labs (10% X 3)	30%
Research project	15%
Total:	100%

⁺⁺ Attendance Policy: You are expected to attend all classes. There will be no penalty for a person’s first two absences without documented excuse. 1% will be taken for each of the absences after the first two absences without excuse. Note: Being tardy is no excuse when a person is found to be absent from the class.

Note: If you ever miss a class, it is your responsibility to get hold of whatever may have been discussed in the class.

⁺⁺⁺ Class Participation: Participating in the class is expected. You should ask or answer questions during the in-class or online discussions.

Grading Scale:

The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.

Percentile	Grade	Percentile	Grade
90% or above	A	70% - 73%	C
87% - 89%	A-	67% - 69%	C-
84% - 86%	B+	64% - 66%	D+
80% - 83%	B	60% - 63%	D
77% - 79%	B-	57% - 59%	D-
74% - 76%	C+	Less than 57%	F

Exemption from the final exam: Students who have performed fantastically before the final exam may be exempted from taking the final exam.

Tests & Exams:

Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests.

Unless due to unexpected, documented emergency, no make-up exams will be given. No make-up exams will be granted once the exams have been corrected and returned to the class.

Assignments and Late Penalty:

Assignments and projects will be posted at the class web site. Assignments & projects are due before the beginning of the class on the due day. See Topics and Notes for the due dates.

Points will be deducted from late assignments: 20% for the first 24 hours after the due time, 40% for the next 24 hours, 70% for the third 24 hours, and 100% after that. No extension will be granted except for documented emergency. Starting to work on the assignments as early as possible is always the best strategy.

Assignments Guidelines:

a. Identification page: All assignments must have your name, and course name/number/section number (e.g., CSCI5234-01) at the top of the first page.

b. Proper stapling: Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.

c. Order ! Order! Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.

d. Word processing: It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments. Spell-check the whole document before printing it. You may lose points due to spelling or grammatical errors.

Projects:

The projects will involve the design and implementation of encryption/decryption algorithms and/or application of the algorithms to real-world problems. Students are expected to employ the theories and techniques learned in the class to design the system.

Details of the projects will be later made available at Assignments & Projects.

NOTE: Unless otherwise specified, all assignments and projects are individual work. Students should take caution not to violate the academic honesty policies. Check out the details at this link.

Instructor's Notes:

Important: If you think you have lost some points due to grading errors, make sure you approach the instructor within a week after the assignment, project, or test has been returned to you.
To get the most out of this class, you need to read the textbooks and spend time using computers regularly. Be prepared for a class by previewing the material to be covered in that class and participate in discussions and problem-solving exercises, if applicable, in the class.
Due to the intensive nature of graduate classes, 15-20 hours per week are expected of students in studying the textbook/notes and working on the assignments, in addition to class attendance. Expect to spend more hours during summer sessions.
As a student being trained to become a professional person, you are expected to behave according to the professional codes of conduct (e.g., the IEEE Code of Conduct) or code of ethics (e.g., the ACM Code of Ethics). As a starting point, listed below are some of the common behaviors that do not conform to the codes of ethics:

Being regularly late for the class.
Chatting with another person while the instructor or someone is giving a speech in class.
Being regularly late when submitting assignments.
Asking the instructor or the TA for a favor when submitting a late assignment.
Checking out others’ answers during an exam.
Continuing to write on the paper when an exam’s time is up.
Violating academic honesty when working on the assignments or projects.
Using others’ write-up without proper citing when writing a paper or report.
…

Related Links:

· UHCL General Program Requirements: http://www.uhcl.edu/XDR/Render/catalog/archives/125/06/

· Withdrawals, Appeals, GPA, Repeated Courses, and the 6 Drop Rule: http://www.uhcl.edu/XDR/Render/catalog/archives/125/06/%23A0110#A0110

· ASSESSMENT FOR ACCREDITATION:

The School of Science and Computer Engineering may use assessment tools in this course and other courses for curriculum evaluation. Educational assessment is defined as the systematic collection, interpretation, and use of information about student characteristics, educational environments, learning outcomes, and client satisfaction to improve program effectiveness, student performance, and professional success. This assessment will be related to the learning objectives for each course and individual student performance will be disaggregated relative to these objectives. This disaggregated analysis will not impact student grades, but will provide faculty with detailed information that will be used to improve courses, curriculum, and student performance.

· UHCL Disability Policy:

If you believe that you have a disability requiring an academic adjustment/auxiliary aid, please contact Disability Services by phone at 281-283-2648, or email disability@uhcl.edu, or go to the office in the Student Services Building (SSCB), Room 1.302.

The University of Houston System complies with Section 504 of the Rehabilitation Act of 1973 and the Americans with Disabilities Act of 1990, pertaining to the provision of reasonable academic adjustments/auxiliary aids for students with a disability. In accordance with Section 504 and ADA guidelines, each University within the System strives to provide reasonable academic adjustments/auxiliary aids to students who request and require them.

Go to the Index