David Basin: Katalogdaten im Herbstsemester 2023 |
Name | Herr Prof. Dr. David Basin |
Lehrgebiet | Informationssicherheit |
Adresse | Institut f. Informationssicherheit ETH Zürich, CNB F 106 Universitätstrasse 6 8092 Zürich SWITZERLAND |
Telefon | +41 44 632 72 45 |
Fax | +41 44 632 11 72 |
basin@inf.ethz.ch | |
URL | http://www.inf.ethz.ch/personal/basin/ |
Departement | Informatik |
Beziehung | Ordentlicher Professor |
Nummer | Titel | ECTS | Umfang | Dozierende | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
252-0463-00L | Security Engineering | 7 KP | 2V + 2U + 2A | D. Basin, S. Krstic | |||||||||||||||||
Kurzbeschreibung | Subject of the class are engineering techniques for developing secure systems. We examine concepts, methods and tools, applied within the different activities of the SW development process to improve security of the system. Topics: security requirements&risk analysis, system modeling&model-based development methods, implementation-level security, and evaluation criteria for secure systems | ||||||||||||||||||||
Lernziel | Security engineering is an evolving discipline that unifies two important areas: software engineering and security. Software Engineering addresses the development and application of methods for systematically developing, operating, and maintaining, complex, high-quality software. Security, on the other hand, is concerned with assuring and verifying properties of a system that relate to confidentiality, integrity, and availability of data. The goal of this class is to survey engineering techniques for developing secure systems. We will examine concepts, methods, and tools that can be applied within the different activities of the software development process, in order to improve the security of the resulting systems. Topics covered include * security requirements & risk analysis, * system modeling and model-based development methods, * implementation-level security, and * evaluation criteria for the development of secure systems | ||||||||||||||||||||
Inhalt | Security engineering is an evolving discipline that unifies two important areas: software engineering and security. Software Engineering addresses the development and application of methods for systematically developing, operating, and maintaining, complex, high-quality software. Security, on the other hand, is concerned with assuring and verifying properties of a system that relate to confidentiality, integrity, and availability of data. The goal of this class is to survey engineering techniques for developing secure systems. We will examine concepts, methods, and tools that can be applied within the different activities of the software development process, in order to improve the security of the resulting systems. Topics covered include * security requirements & risk analysis, * system modeling and model-based development methods, * implementation-level security, and * evaluation criteria for the development of secure systems Modules taught: 1. Introduction - Introduction of Infsec group and speakers - Security meets SW engineering: an introduction - The activities of SW engineering, and where security fits in - Overview of this class 2. Requirements Engineering: Security Requirements and some Analysis - Overview: functional and non-functional requirements - Use cases, misuse cases, sequence diagrams - Safety and security 3. Modeling in the design activities - Structure, behavior, and data flow - Class diagrams, statecharts 4. Model-driven security for access control (Part I) - SecureUML as a language for access control - Combining Design Modeling Languages with SecureUML - Semantics, i.e., what does it all mean, - Generation - Examples and experience 5. Model-driven security (Part II) - Continuation of above topics 6. Security patterns (design and implementation) 7. Implementation-level security - Buffer overflows - Input checking - Injection attacks 8. Code scanning - Static code analysis basics - Theoretical and practical challenges - Analysis algorithms - Common bug pattern search and specification - Dataflow analysis 9. Testing - Overview and basics - Model-based testing - Testing security properties 10. Risk analysis and management - "Risk": assets, threats, vulnerabilities, risk - Risk assessment: quantitative and qualitative - Safeguards - Generic risk analysis procedure - The OCTAVE approach - Example of qualitative risk assessment 11. Threat modeling - Overview - Safety engineering basics: FMEA and FTA - Security impact analysis in the design phase - Modeling security threats: attack trees - Examples and experience 12. Evaluation criteria - NIST special papers - ISO/IEC 27000 - Common criteria - BSI baseline protection 13. Guest lecture - TBA | ||||||||||||||||||||
Literatur | - Ross Anderson: Security Engineering, Wiley, 2001. - Matt Bishop: Computer Security, Pearson Education, 2003. - Ian Sommerville: Software Engineering, 6th ed., Addison-Wesley, 2001. - John Viega, Gary McGraw: Building Secure Software, Addison-Wesley, 2002. - Further relevant books and journal/conference articles will be announced in the lecture. | ||||||||||||||||||||
Voraussetzungen / Besonderes | Prerequisite: Class on Information Security | ||||||||||||||||||||
252-0811-00L | Applied Security Laboratory | 8 KP | 7P | D. Basin | |||||||||||||||||
Kurzbeschreibung | Hands-on course on applied aspects of information security. Applied information security, operating system security, OS hardening, computer forensics, web application security, project work, design, implementation, and configuration of security mechanisms, risk analysis, system review. | ||||||||||||||||||||
Lernziel | The Applied Security Laboratory addresses four major topics: operating system security (hardening, vulnerability scanning, access control, logging), application security with an emphasis on web applications (web server setup, common web exploits, authentication, session handling, code security), computer forensics, and risk analysis and risk management. | ||||||||||||||||||||
Inhalt | This course emphasizes applied aspects of Information Security. The students will study a number of topics in a hands-on fashion and carry out experiments in order to better understand the need for secure implementation and configuration of IT systems and to assess the effectivity and impact of security measures. This part is based on a book and virtual machines that include example applications, questions, and answers. The students will also complete an independent project: based on a set of functional requirements, they will design and implement a prototypical IT system. In addition, they will conduct a thorough security analysis and devise appropriate security measures for their systems. Finally, they will carry out a technical and conceptual review of another system. All project work will be performed in teams and must be properly documented. | ||||||||||||||||||||
Skript | The course is based on the book "Applied Information Security - A Hands-on Approach". More information: http://www.infsec.ethz.ch/appliedlabbook | ||||||||||||||||||||
Literatur | Recommended reading includes: * Pfleeger, Pfleeger: Security in Computing, Third Edition, Prentice Hall, available online from within ETH * Garfinkel, Schwartz, Spafford: Practical Unix & Internet Security, O'Reilly & Associates. * Various: OWASP Guide to Building Secure Web Applications, available online * Huseby: Innocent Code -- A Security Wake-Up Call for Web Programmers, John Wiley & Sons. * Scambray, Schema: Hacking Exposed Web Applications, McGraw-Hill. * O'Reilly, Loukides: Unix Power Tools, O'Reilly & Associates. * Frisch: Essential System Administration, O'Reilly & Associates. * NIST: Risk Management Guide for Information Technology Systems, available online as PDF * BSI: IT-Grundschutzhandbuch, available online | ||||||||||||||||||||
Voraussetzungen / Besonderes | * The lab allows flexible working since there are only few mandatory meetings during the semester. * The lab covers a variety of different techniques. Thus, participating students should have a solid foundation in the following areas: information security, operating system administration (especially Unix/Linux), and networking. Students are also expected to have a basic understanding of HTML, PHP, JavaScript, and MySQL because several examples are implemented in these languages. * Students must be prepared to spend more than three hours per week to complete the lab assignments and the project. This applies particularly to students who do not meet the recommended requirements given above. Successful participants of the course receive 8 credits as compensation for their effort. * All participants must sign the lab's charter and usage policy during the introduction lecture. | ||||||||||||||||||||
263-0009-00L | Information Security Lab | 8 KP | 2V + 1U + 3P + 1A | S. Shinde, D. Basin, S. Capkun, K. Paterson, F. Tramèr | |||||||||||||||||
Kurzbeschreibung | This InterFocus Course will provide a broad, hands-on introduction to Information Security, introducing adversarial thinking and security by design as key approaches to building secure systems. | ||||||||||||||||||||
Lernziel | This course will introduce key concepts from Information Security, both from attack and defence perspectives. Students will gain an appreciation of the complexity and challenge of building secure systems. | ||||||||||||||||||||
Inhalt | The course is organised in three-week segments. In each segment, a new concept from Information Security will be introduced. The overall scope will be broad, including cryptography, protocol design, system security, and privacy. | ||||||||||||||||||||
Skript | Will be made available during the semester. | ||||||||||||||||||||
Literatur | Paul C. van Oorschot, Computer Security and the Internet: Tools and Jewels. Dan Boneh and Victor Shoup, A Graduate Course in Applied Cryptography. | ||||||||||||||||||||
Voraussetzungen / Besonderes | Ideally, students will have taken the D-INFK Bachelors course “Information Security" or an equivalent course at Bachelors level. | ||||||||||||||||||||
Kompetenzen |
| ||||||||||||||||||||
268-0102-00L | Applied Security Laboratory | 5 KP | 3P | D. Basin | |||||||||||||||||
Kurzbeschreibung | Hands-on course on applied aspects of information security. Applied information security, operating system security, OS hardening, computer forensics, web application security, project work, design, implementation, and configuration of security mechanisms, risk analysis, system review. | ||||||||||||||||||||
Lernziel | The Applied Security Laboratory addresses four major topics: operating system security (hardening, vulnerability scanning, access control, logging), application security with an emphasis on web applications (web server setup, common web exploits, authentication, session handling, code security), computer forensics, and risk analysis and risk management. | ||||||||||||||||||||
Inhalt | This course emphasizes applied aspects of Information Security. The students will study a number of topics in a hands-on fashion and carry out experiments in order to better understand the need for secure implementation and configuration of IT systems and to assess the effectivity and impact of security measures. This part is based on a book and virtual machines that include example applications, questions, and answers. The students will also complete an independent project: based on a set of functional requirements, they will design and implement a prototypical IT system. In addition, they will conduct a thorough security analysis and devise appropriate security measures for their systems. Finally, they will carry out a technical and conceptual review of another system. All project work will be performed in teams and must be properly documented. | ||||||||||||||||||||
Skript | The course is based on the book "Applied Information Security - A Hands-on Approach". More information: http://www.infsec.ethz.ch/appliedlabbook | ||||||||||||||||||||
Literatur | Recommended reading includes: * Pfleeger, Pfleeger: Security in Computing, Third Edition, Prentice Hall, available online from within ETH * Garfinkel, Schwartz, Spafford: Practical Unix & Internet Security, O'Reilly & Associates. * Various: OWASP Guide to Building Secure Web Applications, available online * Huseby: Innocent Code -- A Security Wake-Up Call for Web Programmers, John Wiley & Sons. * Scambray, Schema: Hacking Exposed Web Applications, McGraw-Hill. * O'Reilly, Loukides: Unix Power Tools, O'Reilly & Associates. * Frisch: Essential System Administration, O'Reilly & Associates. * NIST: Risk Management Guide for Information Technology Systems, available online as PDF * BSI: IT-Grundschutzhandbuch, available online | ||||||||||||||||||||
Voraussetzungen / Besonderes | * The lab allows flexible working since there are only few mandatory meetings during the semester. * The lab covers a variety of different techniques. Thus, participating students should have a solid foundation in the following areas: information security, operating system administration (especially Unix/Linux), and networking. Students are also expected to have a basic understanding of HTML, PHP, JavaScript, and MySQL because several examples are implemented in these languages. * Students must be prepared to spend more than three hours per week to complete the lab assignments and the project. This applies particularly to students who do not meet the recommended requirements given above. Successful participants of the course receive 8 credits as compensation for their effort. * All participants must sign the lab's charter and usage policy during the introduction lecture. | ||||||||||||||||||||
364-1058-00L | Risk Center Seminar Series | 0 KP | 2S | H. Schernberg, D. Basin, A. Bommier, D. N. Bresch, S. Brusoni, L.‑E. Cederman, P. Cheridito, F. Corman, H. Gersbach, C. Hölscher, K. Paterson, G. Sansavini, B. Stojadinovic, B. Sudret, J. Teichmann, R. Wattenhofer, S. Wiemer, R. Zenklusen | |||||||||||||||||
Kurzbeschreibung | This course is a mixture between a seminar primarily for PhD and postdoc students and a colloquium involving invited speakers. It consists of presentations and subsequent discussions in the area of modeling complex socio-economic systems and crises. Students and other guests are welcome. | ||||||||||||||||||||
Lernziel | Participants should learn to get an overview of the state of the art in the field, to present it in a well understandable way to an interdisciplinary scientific audience, to develop novel mathematical models for open problems, to analyze them with computers, and to defend their results in response to critical questions. In essence, participants should improve their scientific skills and learn to work scientifically on an internationally competitive level. | ||||||||||||||||||||
Inhalt | This course is a mixture between a seminar primarily for PhD and postdoc students and a colloquium involving invited speakers. It consists of presentations and subsequent discussions in the area of modeling complex socio-economic systems and crises. For details of the program see the webpage of the colloquium. Students and other guests are welcome. | ||||||||||||||||||||
Skript | There is no script, but a short protocol of the sessions will be sent to all participants who have participated in a particular session. Transparencies of the presentations may be put on the course webpage. | ||||||||||||||||||||
Literatur | Literature will be provided by the speakers in their respective presentations. | ||||||||||||||||||||
Voraussetzungen / Besonderes | Participants should have relatively good mathematical skills and some experience of how scientific work is performed. |