CS 6393: Cyber Security Models and Systems

Prof. Ravi Sandhu

Spring 2016, Friday 10am-12:30pm, Location: AET 0.214
Class web site: www.profsandhu.com/cs6393_s16
Please send all class related emails to: ravi.cs6393@gmail.com
Office hours: by appointment only. Please request via email to above address.
UTSA common syllabus information: provost.utsa.edu/syllabus.asp

Important Notices:

• 4/28/16 Overall class performance and final grades guidelines are given here: Final grades guidance (docx) (pdf)
• 4/28/16 Exam 3 has been graded. Grading rubric and class performance are given here: Exam 3 rubric and class performance (docx) (pdf)
• Last day for course evaluations in ASAP is Monday 4/18/16.
• Exam 3 has been posted in weekly schedule under date 4/08/16. Due 4/25/16 by 5:00pm.
• 4/15/16 Exam 2 has been graded. Grading rubric and class performance are given here: Exam 2 rubric and class performance (docx) (pdf)
• Exam 2 has been posted in weekly schedule under date 3/11/16. Due 3/28/16 by 5:00pm.
• 3/04/16 Exam 1 has been graded. Grading rubric and class performance are given here: Exam 1 rubric and class performance (docx) (pdf)
• 1/29/16 Exam 1 has been posted in weekly schedule under date 2/5/16. Due 2/15/16 by 5:00pm.
• 12/16/15: Initial web site created.
• Watch this space for important announcements throughout the course.

Course Prerequisites:

Catalog Description:

• 6393 Advanced Topics in Computer Security (3-0) 3 hours credit.
  Analysis of computer security. The topics may include but are not limited to database and distributed systems security, formal models for computer security, privacy and ethics, intrusion detection, critical infrastructure protection, network vulnerability assessments, wireless security, trusted computing, and highly dependable systems. May be repeated for credit when topics vary.
• This course is different from any prior offering of CS 6393. It is eligible for repeated credit.

Course Format:

• Lectures with supporting readings from the literature.

Course Objectives:

• Designed for advanced CS MS and PhD students.
• Develop a fundamental understanding of state-of-the-art cyber security models and systems.
• Identify some high potential topics for cyber security research and innovation.

Grading:

• Grading will be based on: 3 written mid-term examinations and 1 final oral examination.
• Each mid-term examination will be based on the lectures immediately preceding the examination.
• Mid-term examinations will be take-home with prescribed submission deadline.
• Final examination will be optional
• Final examination will cover the three written examinations
• Extra credit at Professor's discretion will be given for the following.
  • Class attendance and participation.
  • Completing course evaluation as per Provost's memo.

Schedule Notes:

• The weekly schedule is subject to change and adjustment as the semester progresses.
• Assigned readings for a lecture should be read in advance of the lecture for maximum benefit.
• Readings are marked as follows.
  • Full: Read in full.
  • Part: Read in part.
  • Ref: Reference.

Schedule by Week: Please visit often as the semester proceeds.

Part 1: Traditional Access Control Models: DAC, MAC, RBAC

• 1/15/16: Lecture 1: Perspective on Cyber Security: The Big Picture
  • Slides: L1.pptx, L1.pdf
  • Readings: Full: Sandhu 2003, Sandhu 2009, Sandhu 2012, Solms 2013
  • Readings: Part: Bellovin 2015
  • Readings: Ref: Chokhani 1992, CC tutorial, NIST SP 800 29, MIT-CSAIL-TR 2015-026

• 1/22/16: Lecture 2: DAC and MAC (LBAC)
  • Slides: L2.pptx, L2.pdf
  • Readings: Full: Sandhu Samarati 1994, Sandhu 1993
  • Readings: Ref: Lipner 1982

• 1/29/16: Lecture 3: RBAC
  • Slides: L3.pptx, L3.pdf
  • Readings: Full: RBAC96 1996 (alternately Sandhu 1998, Chapters 1 and 2), Sandhu 1995, Sandhu 2000, Sandhu 2008, Sandhu 2009
  • Readings: Part: FS et al 2001
  • Readings: Ref: FPS 2012, OSM 2000, SBM 1999, AS 2000, BS 2000

• 2/05/16: Mid-term Examination 1 on Part 1 (written, take-home). No class.
  Exam 1 (pdf) (docx)

• 2/12/16: No class.

  Part 2: Attribute-Based Access Control Models (ABAC)

• 2/19/16: Lecture 4: ABAC
  • Slides: L4.pptx, L4.pdf
  • Readings: Full: Hu 2015, Kuhn 2010, Kandala 2011
  • Readings: Part: NIST SP 800-162, Jin 2012, Dissertation_Xin_Jin-2014 Chapter 3

• 2/26/16: Lecture 5: Usage Control (UCON) or ABAC on Steroids
  • Slides: L5.pptx, L5.pdf
  • Readings: Full: UCON 2003, Pretschner 2006
  • Readings: Part: UCON 2004
  • Readings: Ref: UCON 2005

• 3/04/16: Lecture 6: Relationship-Based Access Control (ReBAC or RAC)
  • Slides: L6.pptx, L6.pdf
  • Readings: Part: Cheng et al 2012-07, Cheng et al 2012-09, Cheng et al 2014, Cheng et al 2015

• 3/11/16: Mid-term Examination 2 on Part 2 (written, take-home). No class.
  Exam 2 (pdf) (docx)

• 3/18/16: Spring Break. No class. Enjoy!!

  Part 3: Cloud IaaS Systems: OpenStack, AWS and Azure

• 3/25/16:
  • Lecture 7, part 1: Views of Cloud Computing
  • Slides: L7-1.pptx, L7-1.pdf
  • Readings: Full: NIST Definition of Cloud Computing
  • Readings: Part: Foster et al 2008: Cloud versus Grid, Armbrust et al 2010: Berkeley View of CLoud
  • Readings: Ref: NIST Guidelines on Security and Privacy in Public Cloud Computing

  • Lecture 7, part 2: Secure Information and Resource Sharing in Cloud Infrastructure as a Service. Guest speaker: Yun (Amy) Zhang. Preview of PhD defense.
  • Slides: L7-2.pdf
  • Readings: Part: Zhang et al 2016 Azure, Zhang et al 2015 AWS, Zhang et al 2015 OpenStack2, Zhang et al 2015 OpenStack1, Zhang et al 2014 OpenStack

• 4/01/16:
  • Lecture 8, part 1: Authentication and Authorization Federation
  • Slides: L8-1.pptx, L8-1.pdf
  • Readings: Part: NIST ABAC Building Block 2015
  • Readings: Ref: https://nccoe.nist.gov/forum/abac-building-block-flow-diagram

  • Lecture 8, part 2: Authorization Federation in Multi-Tenant Multi-Cloud IaaS. Guest speaker: Navid Pustchi. Preview of PhD defense.
  • Slides: L8-2.pptx, L8-2.pdf
  • Readings: Part: Pustchi etal 2015a, Pustchi etal 2015b, Pustchi etal 2016a, Pustchi etal 2016b (Draft)
  • Readings: Ref: Tang etal 2013a, Tang etal 2013b, Tang etal 2013c, Tang etal 2014

• 4/08/16: Mid-term Examination 3 on Part 3 (written, take-home). No class.
  Exam 3 (pdf) (docx)

  Part 4: Miscellaneous Models and Systems

• 4/15/16:
  • Lecture 9, part 1: Provenance-based Access Control (PBAC)
  • Slides: L9-1.pptx, L9-1.pdf
  • Readings: Part: Nguyen et al 2012, Nguyen et al 2013
  • Readings: Ref: Lianshan et al 2015

  • Lecture 9, part 2: Enumerated Policy ABAC. Guest speaker: Prosunjit Biswas.
  • Slides: L9-2-intro.ppt, L9-2-intro.pdf, L9-2.pptx, L9-2.pdf
  • Readings: Part: Biswas et al 2016

• 4/18/16, Monday: Deadline for submitting course evaluation in ASAP

• 4/22/16:
  • Lecture 10, part 1: ReBAC Administration Models
  • Slides: No slides
  • Readings: Full Cheng et al 2016
  • Readings: Part: Crampton Sellwood 2014, Stoller 2015

  • Lecture 10, part 2: Discussion Session: Research Framework for Security and Privacy Enhanced Cloud Compuitng
  • Slides: No slides

• 4/29/16:
  • Lecture 11, part 1: ABAC-ReBAC Relationship. Guest speaker: Tahmina Ahmed.
  • Slides: L11-1.pptx, L11-1.pdf
  • Readings: None

  • Lecture 11, part 2: Policy Machine. Guest speaker: Smriti Bhatt.
  • Slides: L11-2.pptx, L11-2.pdf
  • Readings: Part: NISTIR7987r1 2015

  Final Oral Examination (Optional)

• 5/06/16: Final Oral Examination, 15-30 minutes duration per student, 1-on-1 with Prof. Sandhu in my office NPB 3.122
  Guidelines:
  • I will discuss the written examinations with each student to see if grade can be improved.
  • Will be held on Friday May 6 in my office
  • Please request a 30 minute time slot to meet me by email to ravi.cs6393@gmail.com by Tuesday May 3rd, 5pm. Indicate your availaibility in the 9am to 6pm window.
  • Come prepared to discuss where your answers could be improved.
  • Also come prepared to discuss how there might be alternate approaches to developing an answer, beyond what you considered.
  • Outcome of oral examination will only be used to improve grades. Will not lead to reduction of grade.

• 5/13/16: Final grades due

END