Preface
This book is intended to provide an introduction to general principles of
provide an introduction to general principles of
..
computer security from an applied viewpoint. Readers of this book will
l y trom an applied viewpoint. Readers of this book will
learn about common cVberattacks. including viruses. worms, password
j, Including viruses, worms, password
crackers, keystroke loggers, denial-of-service, DNS cache poisoning, port
.
. r. 1 1. 1. al. 1 1 1 1.. 1.
scanning sDoofing and Dhishing TheV will learn about techniQues for
b, opoofing, and phishing. They will learn about techniques for
identifying and defending against vulnerabilities in machines and
netying and defending against vulnerabilities in machines and
networks, as well as methods for detecting and repairing infected systems.
They will studV fundamental building blocks of secure sVstems such as
j will study fundamental building blocks of secure systems such as
.. 1...
encryption, digital signatures, crVPtograDhic protocols, and access control
j ption, digital signatures, cryptographic protocols, and access control
models. Also, they will learn about security principles for commonly used
y will learn about security principles for commonly used
items, such as locks, cell phones, ATM machines, and credit cards. Finally,
theV will be exposed to the human, social, and economic aspects of
coma will be exposed to the human, social, and economic aspects of
computer security, including usability, interfaces, digital rights management,
social engineering the business of SDam, and ethical and legal issues.
.Ineerlng, the business of spurn, and ethical and legal issues.
Approach
This book is designed to be self-contained. Rather than assume the reader
.ned to be self-contained. Rather than assume the reader
already has detailed knowledge about operating sVstems, program
execuJ a perating systems, program
execution, networking, databases, and the web, this book presents the necessary
background on these subiects that is needed to understand the securitV
.round on these subjects that is needed to understand the security
.
issues for these topics. Thus, this book is different from an advanced text,
which would likely assume extensive background knowledge of comDuter
J .round knowledge of computer
. 1
science and focus exclusively on commuter securitV aspects. Instead, this
j puter security aspects. Instead, this
book assumes onlV basic prerequisite knowledge in comDuting making it
j prerequisite knowledge in computing, making it
suitable for beginning or intermediate computer science majors, as well
.Inning or Intermediate computer science majors, as well
... 1..
as computer science minors and nonmajors, assuming they have a bit of
puter science minors and nonmajors, assuming they have a bit of
.. 1 1 1 al. 1,. '1 1 r.
computer science background. This book can serve as a textbook for an
nil .round. This book can serve as a textbook for an
introductorV computer securitV course that helDs give students an increasinZ
y puter security course that helps give students an increasing
1 1 1 1
awareness and knowledge of a broad range of tonics in comDuting from the
be of a broad range of topics in computing from the
..
perspective of computer security.
In addition, although it discusses cryptography, this book is different
from a pure cryptography book, which would focus on the mathematical
pure cryptography book, which would focus on the mathematical
and computational foundations of security. This book instead discusses
cryptography first in terms of the functionality it provides and how it can be
used to build secure systems, and later covers some specific cryptoRraDhic
y items, and later covers some specific cryptographic
methods. Nevertheless, the chapter on cryptography, which comes in the
final third of this book, is itself self-contained, so it could be covered early
J
or late, in terms of a computer security course or self-guided study, at the
reader 's discretion.
...
III
.
Iv Preface
Prerequisites
Teaching a course on comDuter securitV has often proven to be both
cone a course on computer security has often proven to be both
controversial and challenging The first issue is the Drereauisites for such a
.lug. rhe first issue is the prerequisites for such a
~ 1.'. 11
course' fraditionallV. computer security courses assume extensive
comy, computer security courses assume extensive
computer science and mathematics background, and they require a variety
of junior/senior courses such as algorithms, operating systems, computer
.
networks, or software engineering as prerequisites. The typical assumption
is that, in order to start learning about computer security, students need an
advanced knowledge of how commuter sVstems function and significant
b puter systems function and significant
abilities in programming and mathematics. This approach gives flexibility
programming and mathematics. This approach gives flexibility
to instructors in selecting advanced topics and Droiects. However, it has led
b advanced topics and projects. However, it has led
.
to a consequent shortage of information technology professionals who are
i b by professionals who are
sufficientlV knowledgeable about commuter securitV. Moreover, this
tradiy knowledgeable about computer security. Moreover, this
traditional approach Duts comDuter securitV courses out of reach for computer
pproach puts computer security courses out of reach for computer
.. 1.
scIence mInors and nonmajors.
jors.
Instead, we have tried to make this book suitable for a computer
securitV course that has as its sole prereouisites an introductorV computer
y course that has as its sole prerequisites an introductory computer
. 1. 1' 1... 1
science sequence, such as the traditional CSI/CSZ sequence that is a part
i, >uch as the traditional CSI/CSZ sequence that is a part
of the original ACM ComDuter Science Curriculum. To deal with needed
.inal ACM Computer Science Curriculum. To deal with needed
background knowledge we cover comDuter security while at the same
.found knowledge, we cover computer security while at the same
time providing necessary tutorials on the foundations of computing needed
,
to understand the specific topics in commuter securitV that we present.
peclfic topics in computer security that we present.
Thus, a course that utilizes this textbook can serve the dual purpose of
purpose of
teaching comDuter-security tonics such as access control, firewalls, and
b computer-security topics such as access control, firewalls, and
. 1 1. 1..
viruses, as well as introducing a variety of fundamental computer-science
'. 1.' 1...
concepts in algorithms, operating systems, netWorking, databases, and
pts in algorithms, operating systems, netWorking, databases, and
. 1 T' T 1 1..
programming languages. We believe it is possible to convey fundamental
..'
computer security concepts and give students a working knowledge of
puter security concepts and give students a working knowledge of
... 1. 1. 1. 1.. 1 1.
security threats and countermeasures by providing lust-enough and
lusty threats and countermeasures by providing just-enough and
justin-time background commuter science material for their understanding
.round computer science material for their understanding.
Therefore, this book leverages and exercises a student's knowledge of
. 1 1.. 1.
programming and algorithms in the setting of information security, since
both a solid programming discipline and efficient algorithms are essential
i .ramming discipline and efficient algorithms are essential
for developing effective security solutions.
In terms of specific prerequisites, we assume that the reader is familiar
with a high-level Drogramming language such as C, C++, Python. or lava,
.n-level programming language, such as C, C++, Python, or Java,
and that he or she understands the main constructs from such a high-level
.n-level
language. In addition, we assume the reader has a familiaritV with the
buage. In addition, we assume the reader has a familiarity with the
fundamental concepts of basic data structures and computer systems.
'
Preface v
Computer Science Concepts
This book is designed to be widelV accessible, so as to encourage students
.lied to be widely accessible, so as to encourage students
to think about securitV issues and to deDlov securitV mechanisms earlV
j. ploy security mechanisms early
.,..
In designing software applications or in making Durchase decisions for
.lling software applications or in making purchase decisions for
'
computer hardware and software. This skill will be certainly appreciated
l y appreciated
by future employers for whom the security of computer systems is often a
critical requirement, including corporations in the financial, health-care and
technology sectors' Besides training information technologV professionals
by sectors' Besides training information technology professionals
.... 1. 1 1.
In security, this book aims to create security-savvy computer users who will
J, this book aims to create security-savvy computer users who will
have a clear underStanding of the SecuritV ramifications of using comDuters
b y ramifications of using computers
and the internet in their daily life (e.g., for online banking and shopping
j.
and social networking). Last, but hardly least, motivated by recent debates
b). Last, but hardly least, motivated by recent debates
on electronic voting and on the tracking of internet users bV advertisers
b and on the tracking of internet users by advertisers
and government agencies, we desire that students become aware of the
b b, we desire that students become aware of the
potential threats to individual privacy, and possibly to democracy itself,
that may arise from inappropriate use of comDuter security technology.
y arise from inappropriate use of computer security technology.
TOpic Grid
Selected topics from this book and related general computer science
concepts are shown in Table 1.
Table 1: Book topics and related general computer science concepts.
.
yi Preface
Exercises and Projects
Each chanter of this book includes an extensive set of exercises and projects'
pier of this book includes an extensive set of exercises and projects.
The exercises are broken down between reinforcement questions, which
.
test the degree to which readers have understood the toDics and DrinciDles
flee to which readers have understood the topics and principles
presented in a chapter, and creativity questions, which test the ability of the
reader to applV knowledge from that chapter in a novel context. In terms of
pply knowledge from that chapter in a novel context. In terms of
.. 1 1 1'.
projects, we have a collection of projects to be used both in courses focused
on computer security and in courses that cover topics related to computer
..,. 1. r.. 1 1.
securitV. A wide set of options allow instructors to customize the Droiects
y. A wide set of options allow instructors to customize the projects
to suit a varietV of learning modes and lab resources.
y b modes and lab resources.
For the Reader
A companion web site provides the following supplementary materials
developed for the readers of the book:
pod for the readers of the book:
T T..
. Hints for selected exercises in the book
. A collection of presentations, in PDF format, covering the main topics
presentations, in PDF format, covering the main topics
.. 1. 1 1
In this book
. An electronic version of the bibliograDhV with links to the
authorita.raphy with links to the
authoritative electronic editions of the cited articles'
For the instructor
The following supplementary materials will helD instructors teach courses
b supplementary materials will help instructors teach courses
..'., 1
using this book:
5 La1S bOOk:
. A collection of presentations, in Powerpoint format, covering the
presentations, in Powerpoint format, covering the
.... 1. 1 1
main topics in this book
pies in this book
. An electronic solutions manual for selected exercises
v 11 1 1 1...
. FullV developed programming Droiects on the following tonics:
y developed programming projects on the following topics:
1. Worm propagation and detection
propagation and detection
ry v. 1 1 r... 1.
2. Firewalls configuration and management
.uration and management
ry T' T 1 1.
3 Web aDnlications and attacks on web servers
J. Web applications and attacks on web servers
pplications and attacks on web servers
4. Digital rights management
.ital rights management
Each project stimulates the student's creativity by challenging them
to either break security or protect a system against attacks.
y or protect a system against attacks.
Preface vii
About the Authors
Professors Goodrich and Tamassia are well-recognized researchers in
corn.nlzed researchers in
computer security, algorithms, and data structures, having published many
.
. 1 1.
papers on these subjects, with applications to computer security,
cryptography, cloud computing, information visualization, and geometric
comput. al 1 1.. 1.'.
lug. rhey have served as principal investigators in several joint projects
, 1 .1 National Science Foundation .1, n 1
sponsored by the National Science Foundation, the Army Research Office,
and the Defense Advanced Research Protects Agency. They are also active
, bency. rhey are also active
.1. .,.1111. 1111 .111 11
In educational technologV research and the have published several books,
by research and the have published several books,
.11 ..111'1.. 111'11.' 1
Including a widely adopted textbook on data structures and algorithms'
b a widely adopted textbook on data structures and algorithms.
Michael Goodrich received his Ph.D. in computer science from Purdue
UniversitV. He is currentlV a Chancellor's Professor in the Department of
j y a Chancellor's Professor in the Department of
Commuter Science at UniversitV of California, Irvine. Previously, he was
puter Science at University of California, Irvine. Previously, he was
a professor at Johns Hopkins University. He is an editor for the IOurnal
Of Computer and Systems Sciences and and journal of Graph Algorithms and
Applications. He is a Fulbright Scholar, a Distinguished Scientist of the
Association for Commuting Machinery (ACM), and a Fellow of the American
puting Machinery (ACM), and a Fellow of the American
Association for the Advancement of Science (AAAS), the ACM, and the
Institute of Electrical and Electronics Engineers (IEEE).
aineers (IEEE).
Roberto Tamassia received his Ph.D. in electrical and computer
enputer
en.. r. 1 T T..
gineering from the University of illinois at Urbana-Champaign. He is
currently the Plastech Professor of ComDuter Science and the chair of the
y the Plastech Professor of Computer Science and the chair of the
Department of Computer Science at Brown University. He is a founder
and editor-in-chief for the journal Of Gmph Algorithms and Applications. He
. 1 1. 1 1.'. 1 1 1 r
previously served on the editorial board of Computational Geometry: Theory
and Applications and IEal Transactions on Commuters. He is a Fellow of the
pplications and IEal Transactions on Computers. He is a Fellow of the
Institute of Electrical and Electronics Engineers (IEEE).
sincers (IEEE).
In addition to their research accomplishments, the authors also have
plishments, the authors also have
extensive experience in the classroom. For example, Goodrich has taught
data structures and algorithms courses including Data Structures as a
b, including Data Structures as a
freshman-sophomore level course, Applied Cryptography as a
sophomore.. 1 1 1 T'
junior level course, and internet Algorithmics as an upper-level course' He
has earned several teaching awards in this caDacitV Tamassia has taught
o paclty. Tamassia has taught
Data Structures and Algorithms as an introductorV freshman-level course
.orlthms as an introductory freshman-level course
and Computational Geometry as an advanced graduate course. Over the
last several Vears, he has developed "Introduction to ComDuter SVstems
years, he has developed "Introduction to Computer Systems
Security," a new computer security course aimed at soDhomores. His
J, a new computer security course aimed at sophomores. His
teaching of this course since 2006 has helDed to shaDe the vision and tonics
a pod to shape the vision and topics
of this book. One thing that has set his teaching style aDart is his effective
o that has set his teaching style apart is his effective
use of interactive hypermedia presentations integrated with the web.
ypermedia presentations integrated with the web.
... n
vill Preface
Acknowledgments
There are several individuals who have made contributions to this book.
We would like to esDeciallV thank Dan Rosenberg who thoroughlV
repecially thank Dan Rosenberg, who thoroughly
researched several subjects and provided several helpful suggestions, which
, provided several helpful suggestions, which
have found their way into a significant amount of the content and figures
y into a significant amount of the content and figures
of the book. This work would not be the book it is todaV without him.
y without him.
Bernardo Palazzi's vast knowledge and teaching exDerience in
coma b perlence in
computer security has been an invaluable resource during the writing of this
book. We are indebted to him for his expert advice and many simulating
discussions.
We also thank Wenliang (Kevin) Du for several suggestions and for his
b \Kevin) Du for several suggestions and for his
work on the NSF-funded Security Education Droject (SEED), which inspired
y Education project (SEED), which inspired
1.
several protects in this book.
projects in this book.
We are grateful to all our research collaborators teaching assistants,
.rateful to all our research collaborators, teaching assistants,
and students who contributed to the development of the vision of the
book, provided feedback on early drafts of chapters, and helped us in
developing exercises, projects, and supplementary materials. In particular,
.
, 1 1. 1
we would like to thank Vesselin AmaudoV, Alex Heitzmann, Aaron Myers,
d
Jonathan Natkins, Aurojit Panda, Charalampos Papamanthou, Neal Poole,
Jennie Rogers, Michael Shim, Nikos Triandopoulos, Saurya Velagapudi,
and Danfeng Yao.
b lao.
Discussion with several colleagues have helped us focus the contents
hues have helped us focus the contents
and presentation format of the book. We would like to esDeciallV' thank
presentation format of the book. We would like to especiallys thank
Mikhail Atallah, Tom Doeppner, Stanislaw Jarecki, Anna Lysyanskaya,
.
John Savage, Robert Sloan, Dawn Song, Gene Tsudik, VN.
Venkatakrishnan, Giovanni Vigna, and William Winsborough.
We are also truly indebted to the outside reviewers for their cODious
j' pious
.
. 1.
comments and constructive criticism, which were extremely useful.
j
We are grateful to our editor, Matt Goldstein, who has been a wonderful
.rateful to our editof, Matt Goldstein, who has been a wonderful
source of advice and support. The team at Addison-Wesley has been
i port. The team at Addison-Wesley has been
terrific' Many thanks go to Chelsea Bell, Jeffrey Holcomb and fen Warner.
y thanks go to Chelsea Bell, Jeffrey Holcomb and Jeri Warner.
This manuscript was prepared primarilV with the LATch typesetting
at was prepared primarily with the LATEX typesetting
package. Most figures were prepared with Microsoft Powerpoint.
Finally we would like to warmlV thank Isabel Cruz, Karen Goodrich,
J, we would like to warmly thank Isabel Cruz, Karen Goodrich,
Giuseppe Di Battista, Franco Preparata, Ioannis Tollis, and our parents for
.
. 1. 1.
providing advice, encouragement, and support at various stages of the
..
preparation of this book. We also thank them for reminding us that there
are things in life beyond writing books'
ac in life beyond writing books'
Michael T. Goodrich
Roberto Tamassia