600.436: High Assurance Systems
This course focuses on the design, implementation, and evaluation of high-assurance (i.e. certifiably secure) systems. It examines the history of high-assurance standards and system building, the state of current standards, and the motivations behind them. It discusses the objectives of high-assurance software construction and the methods by which high assurance is achieved, and tests these methods against an actual high-assurance software system. In the process, it challenges the assumptions that underlie high-assurance software processes, and investigates how these assumptions and methods may need to change in the face of open source and/or collaborative software development. Finally, it looks at research topics in high-assurance systems.
Permission of the instructor is required.
While the course is not programming-oriented, it does require a certain degree of experience and maturity in reading and understanding the code of large software systems. Students should therefore have taken at least one of the following courses:
600.467 Fault-Tolerant and Reliable Systems
Limited to approximately 20 students.
This year, the high-assurance system we will examine is the EROS system. The course will provide an introduction to the EROS system, a characterization of the security-critical components of EROS, and a discussion of the assurance process that has been used for EROS to date. We will critique both the EROS system and the EROS assurance process, with the goal of understanding how it should have been done better and where the deviations from standard processes may have yielded *higher* confidence in the resulting software.
Ross Anderson, Security Engineering
DeMarco and Lister, Peopleware (don't buy this yet -- still deciding).
(Course Pack), Common Criteria, Common Evaluation Method.
Bruce Schneier, Secrets & Lies