CPSC 525/625: Principles of Computer Security

Winter 2018

Instructor: Philip W. L. Fong  <pwlfong _AT_ ucalgary _DOT_ ca>
Lectures: Tuesday/Thursday 3:30 - 4:45 PM  ;  ST 139
Office Hours: Wednesday 3:00 - 5:00 PM    ICT 640
TA: Zain Rizvi <szrrizvi _AT_ ucalgary _DOT_ ca>
Simpy Parveen <simpy.parveen1 _AT_ ucalgary _DOT_ ca>
Tutorials: T01: Tuesday/Thursday 12:00 - 12:50 PM  ;  ICT 517
T02: Tuesday/Thursday 1:00 - 1:50 PM  ;  ICT 517
T03: Monday/Wednesday 6:00 - 6:50 PM  ;  MS 160
Course web page: http://www.cpsc.ucalgary.ca/~pwlfong/525
Official Course Outline: TBA


CPSC 457 and one of MATH 271 or 273. CPSC 329 is recommended as preparation for this course.

Marking Scheme

For CPSC 525 Students

Tutorial Participation 5%
Assignments: 40%
Project Proposal 5%
Project Final Report: 50%

For CPSC 625 Students

Assignments: 30%
Project Proposal 5%
Project Interim Report: 15%
Project Final Report: 50%

Important: Each of the above components will be given a letter grade using the official University grading system. The final grade will be calculated using the grade point equivalents weighted by the percentage given above and then reconverted to a final letter grade using the official University grade point equivalents.


Desire2Learn (D2L) will be used for the following purposes:

  1. coursework submissions
  2. distribution of slides and readings materials that are not available from the University Library website
  3. tracking grades for individual coursework components

All other materials concerning this course will be made available at the course website.

The final grade will NOT be posted at D2L.

Assigned Readings

There is no required textbook. All required readings will be available at D2L.

A Reading List will be made available online at D2L. The list specifies the reading assignment for each of Week 2 to Week 12 (excluding week 7, the Mid-Term Break). Students shall complete the readings on a weekly basis.

Tentative Lecture Plan

The following is a tentative lecture plan. Adjustment will be made as the semester progresses.

1 Jan 9, 11 Introduction
Design Principles
2 Jan 16, 18 The Kernel-User Dichotomy
3 Jan 23, 25 Access Control
Memory Protection
4 Jan 30, Feb 1 Vulnerabilities and Exploits A1 due (525 only)
Proposal due
5 Feb 6, 8 Defenses
Unix Security (1)
A1 due (525 only)
Proposal due
6 Feb 13, 15 Unix Security (2)
7 Feb 20, 22 No lecture due to Mid-Term Break. A2 due
8 Feb 27, Mar 1 Database Security
9 Mar 6, 8 Java Security
10 Mar 13, 15 Android Security
Discretionary Access Control (1)
A3 due (525 only)
Interim Report due (625 only)
11 Mar 20, 22 Discretionary Access Control (2)
Safety Analysis
A3 due (525 only)
Interim Report due (625 only)
12 Mar 27, Mar 29 Information Flow Control
Access Control for Commercial Applications (1)
13 Apr 3, 5 Access Control for Commercial Applications (2)
Role-Based Access Control (1)
A4 due
14 Apr 10, 12 Role-Based Access Control (2)
Special topics

Lecture slides will be posted at the course website.

Tutorial Participation (525 Only)

In the tutorial sessions, the TAs will go through the following book with you:

The idea is that those of you who will be doing an "implementation project" (one of the four types of projects recommended in the Suggested Project Topics page on D2L) will be requested to do a little bit of threat modeling. The tutorials are for giving you a rough idea of what that could mean, and to hopefully get you interested enough that you would read the book as part of your project work.

You are not required to read the above book, but only encouraged to do so if you find it relevant to your project work.

To encourage your participation in the tutorial sessions, 5% of the coursework will be allocated to tutorial attendance and participation. You are permitted to skip 2 of the 24 tutorial sessions in weeks 2-14 without receiving any penalty in grades.


Four assignments will be given. Two are reading responses. They are minor writing exercises for students to demonstrate their understanding of the assigned readings. All students (both 525 and 625) shall attempt the reading responses. The other two assignments invite students to do some investigations into technical topics relevant to the course. Only 525 students are required to attempt the investigation assignments.

# Assignment Topic Due Date 525 % 625 %
1 Investigation: Software Vulnerabilities Friday, Feb 2
Monday, Feb 5
10% N/A
2 Reading Response: Weeks 2-6 Friday, Feb 23 10% 15%
3 Investigation: UMA Friday, Mar 16
Friday, Mar 23
10% N/A
4 Reading Response: Weeks 8-12 Friday, Apr 6 10% 15%

All assignments are due at noon on the due dates. Submissions are done via Desire2Learn.

Assignment specifications will be posted at the course website.

Term Project

A major component of the coursework is the term project. For 525 students, the project will be completed by groups of 4. For 625 students, each student will work on his or her own project.

The topic of the project is flexible, but it must be approved by the instructor. The bottomline is that the selected topic shall fall within the scope of this course:

The best way of assuring that your chosen topic is acceptable is to meet with the instructor during the posted office hours, at least one week prior to the due date of the proposal.

A list of Suggested Project Topics will be posted at D2L. It doesn't mean that students must only pick from the list, but it doesn't hurt to do so either.

The project consists of 3 deliverables for 625 students and only 2 for 525 students:

# Project Component Due Date 525 % 625 %
1 Proposal Noon, Friday, Feb 2
Noon, Friday, Feb 9
5% 5%
2 Interim Report Noon, Friday, Mar 16
Noon, Friday, Mar 23
N/A 15%
3 Final Report Noon, Wednesday, April 18 50% 50%

Specification of the requirements for the 3 components will be posted at the course website.

Resources for the project:

$Id: index.html,v 1.13 2018/03/23 16:23:38 pwlfong Exp $