Computer Laboratory

Course pages 2011–12

Operating and Distributed System Security

Principal lecturers: Prof Ross Anderson, Dr Frank Stajano, Dr Steven Murdoch, Dr Robert Watson
Taken by: MPhil ACS, Part III
Code: R206
Hours: 16 (8 × two-hour seminar sessions)
Prerequisites: Undergraduate operating systems course; an undergraduate networking course would be useful


This course aims to provide students with an introduction to the history and central themes of operating system and distributed system security, from its 1970s foundations to current research into how to defend cloud-based systems against capable motivated opponents. The course considers first local computer systems and then distributed systems; however, we will rapidly discover that this is an artificial distinction that only becomes more awkward as we enter the current period. Throughout the course, we will consider proposed systems along with the adversarial research intended to identify gaps and vulnerabilities.


There will be eight two-hour seminars on the following topics. Students are expected to read the four set papers before each class. After the first class, all students are expected to submit a two-page written summary of the readings in advance of each class, and students will be nominated to give brief presentations of each paper, or of cross-cutting aspects of all the papers, to lead discussion.

  1. Origins and foundations of computer security
    1. The Protection of Information in Computer Systems, Jerome H Salzer and Michael D Schroder, Communications of the ACM v 17 no 7 (July 1974)
    2. A Note on the Confinement Problem, Butler Lampson, Communications of the ACM v 16 no 10 (Oct 1973) pp 613–615
    3. New Directions in Cryptography, IEEE Transactions on Information Theory v IT-22 (Nov 1976) pp 644–654
    4. Using Encryption for Authentication in Large Networks of Computers, Roger Needham and Michael Schroeder, Communications of the ACM v 21 no 12 (Dec 1978)
  2. Access control systems
    1. Secure Computer System: Unified Exposition and Multics Interpretation, D Elliot Bell and Len LaPadula, ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975)
    2. Protection Analysis: Final Report, Richard Bisbey II and Dennis Hollingworth, ISI/SR-78-13, University of Southern California/Information Sciences Institute, Marina Del Rey, CA 96291 (May 1978)
    3. MULTICS Security Evaluation, Volume II: Vulnerability Analysis, ESD-TR-74-193, v II, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731 (June 1974)
    4. A Domain and Type Enforcement UNIX Prototype, Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, Sheila A. Haghighat, Proceedings of the Fifth USENIX UNIX Security Symposium (1996)
  3. Hardware and software capability systems
    1. Eros: a fast capability system, Jonathan Shapiro, Jonathan Smith, David Farber, in Proceedings of the seventeenth ACM Symposium on Operating Systems Principles (SOSP 99)
    2. HYDRA: the kernel of a multiprocessor operating system, W. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin, C. Pierson, and F. Pollack, Communications of the ACM v 17 no 6 pp 337–345 (1974)
    3. Protection in programming languages, James H Morris, Communications of the ACM v 16 no 1 (1973)
    4. A Security Analysis of the Combex DarpaBrowser Architecture, unpublished work, March 4, 2002
  4. Programming language and information flow security
    1. Reflections on Trusting Trust, Ken Thopmson, Communications of the ACM v 27 no 8 (1984) pp 761–763
    2. Going beyond the sandbox: an overview of the new security architecture in the java TM development Kit 1.2, Li Gong, Marianne Mueller, Hemma Prafullchandra and Roland Schemmers, Proceedings of the USENIX Symposium on Internet Technologies and Systems (USITS'97)
    3. A Decentralized Model for Information Flow Control, Andrew C. Myers, Barbara Liskov, Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint-Malo, France, 5 –8 October 1997
    4. A Security-Oriented Subset of Java, Adrian Mettler, David Wagner, Tyler Close, Joe-E, Proceedings of the Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA, 28th February – 3rd March 2010
  5. Cryptographic protocols: possibilities and limitations
    1. A Logic of Authentication, Mike Burrows, Martín Abadi and Roger Needham, Proc. Roy. Soc. A v 426 no 1871 pp 233–271 (1989)
    2. Prudent Engineering Practice for Cryptographic Protocols, Martín Abadi and Roger Needham, IEEE Transactions on Software Engineering v 22 no 1 (1996) pp 6–15
    3. The History of Subliminal Channels, Gustavus J. Simmons, Information Hiding (1996) pp 237–256
    4. API Attacks, from Security Engineering – A Guide to Building Dependable Distributed Systems, Ross Anderson, second edition, Wiley (2008)
  6. Security of the Internet infrastructure
    1. Using the Domain Name System for System Break-ins, Steve Bellovin, Fifth Usenix Security Symposium (1995)
    2. Information security: where computer science, economics and psychology meet, Ross Anderson, Tyler Moore, Phil Trans Roy Soc A v 367 no 1898 pp 2717–2727 (2009)
    3. News articles on infrastructure failure
    4. Resilience of the Internet Interconnection Ecosystem, Chris Hall, Ross Anderson, Richard Clayton, Evangelos Ouzounis and Panagiotis Trimintzios, at the Workshop on the Economics of Information Security (2011)
  7. Anonymous communications: from deniability to censorship resistance
    1. Protecting Free Expression Online with Freenet, Ian Clarke, Theodore W. Hong, Scott G. Miller, Oskar Sandberg, and Brandon Wiley, IEEE Internet Computing v 6 no 1, 40-49 (2002)
    2. Mixminion: Design of a Type III Anonymous Remailer Protocol, George Danezis, Roger Dingledine, and Nick Mathewson, In Proceedings of the 2003 IEEE Symposium on Security and Privacy pp 2–15
    3. Tor: The Second-Generation Onion Router, Roger Dingledine, Nick Mathewson, and Paul Syverson, Proceedings of the 13th USENIX Security Symposium (2004)
    4. Telex: Anticensorship in the Network Infrastructure, Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman, Proceedings of the 20th USENIX Security Symposium (2011)
  8. Passwords: technology, human factors and what goes wrong
    1. Password security: a case history, Robert Morris and Ken Thompson, Communications of the ACM v 22 no 11 (1979)
    2. Users are not the enemy, Anne Adams and M. Angela Sasse, Communications of the ACM v 42 no 12 (1999)
    3. Where Do Security Policies Come From? Dinei Florencio and Cormac Herley, Proceedings of SOUPS 2010
    4. The password thicket: technical and market failures in human authentication on the web, Joseph Bonneau and Sören Preibusch, Proceedings of WEIS 2010


On completion of this module, students should:

  • Understand the technical problems of implementing robust access controls and appreciate some of the difficulties in deploying them in global-scale systems.
  • Appreciate what's involved in defending high-value systems against state-level adversaries who may use social engineering to install persistent threats and whose goals may range from information gathering to service denial and attacks on infrastructure.


Participants will be expected to undertake six hours of preparatory work before each meeting. This will involve:

  • Reading 3-4 papers;
  • Following up references and other related work;
  • Writing an essay of about a thousand words summarising of the set papers and discussing their broader context;
  • Submitting the essay by noon two days before the meeting.

Every week, three participants will each introduce an aspect of the set papers by giving a 20 minute presentation as if reporting the work at a conference, followed by 5 minutes of questions and 10 minutes of discussion. The final 15 minutes will be spent discussing the broader issues raised by the week's papers.


Participants on this course will be awarded a percentage score made up from the following two components:

  • 80%: for paper reviews submitted on-time each week, with grades here fed back on a week-by-week basis; and
  • 20%: for your presentations, to be awarded by the course assessor at the end of the course.

1000-word weekly essays are marked on a scale of one to ten, to be scaled as needed to make up 80% of the total course mark, with an evaluation along the following lines:

  • 2 marks for a clear summary of key points in the papers
  • 2 marks for discussing key themes spanning all of the assigned papers
  • 2 marks for considering the broader contemporary context of the papers
  • 2 marks for further exploration of the research literature, both prior and later work
  • 2 marks for four questions intended to motivate classroom discussion to be listed at the end of the essay

Marks may be granted on a fractional basis reflecting the clarity of writing, quality of comprehension, and insight into the research and larger context.

Essays must be turned in by noon on Tuesdays to graduate student administration. In general, extensions will not be granted, as the essays are intended as key forcing functions in (a) ensuring that papers are read before their corresponding class and (b) motivating thinking about the work and its context for a group discussion.

Presentations should be structured as though the speaker were presenting at a conference, and will be twenty minutes long. Slides will be used, and submitted in PDF format to Dr Robert Watson after the class they are presented in completes. If you do not have/want to use your own notebook for the presentation, please e-mail the PDF at least 60 minutes before the class starts. It is advisable to also bring the presentation on a USB stick in case of technical difficulties. Presentations might be structured as follows:

  • Introductory remarks
  • The problem area (be it the nature of a problem to solve, the context for attack, etc)
  • The solution/attack/etc
  • Evaluation
  • Related work – in particular, for historical work, later critiques of the work

As not all of the papers we are reading will fit this exact format, some variation is fine. Presentation marking will place significant emphasis on a clear explanation and evaluation of the technical content of the paper. As students may make either two or three presentations, marks will be scaled as appropriate.

All participants are expected to attend and participate in every class.

Recommended reading

Anderson, R. J. (2008). Security Engineering. Wiley (If you have not done an undergraduate security course then we suggest you read chapters 1-8 before starting.)
Gollmann, D. (2010). Computer Security. Wiley. (Background reading)

Additional preparatory reading

Students might be interested to read papers on state-level threats to information systems such as