In general, the problem of buffer overflows or format-string attacks aren't really interesting from a computer science perspective because they aren't an issue with a reasonable language. Sure, making existing code safe is a research-worthy problem (and we talked about a lot of papers that did those sorts of analyses of C code), but in general research into computer security concerns itself with other problems.
Which makes this class next quarter potentially all the more interesting:
590NS: Computer and Network Security
Spring 2004, MW 3:00-4:20, MGH287 on Monday, MUE153 on Wednesday.
Instructors: David Wetherall and Radia Perlman
Security issues are pervasive in the design of computer systems, especially distributed ones such as the Internet, and the many security incidents reported in the press tell us that the state of security is nowhere near as good as is needed. This course will provide a graduate level introduction to computer and network security, covering two kinds of material.
First, we will discuss cryptography. Cryptography provides a very powerful set of primitives that can be used to construct various kinds of secure protocols; the vast majority of secure computer systems you encounter will depend on it. Topics include: threats, confidentiality, integrity and authenticity, private key schemes (DES, AES), secure hashes (SHA1), public key schemes (RSA, Diffie-Hellman, digital signatures), authentication, key management (Kerberos, PKI), examples of protocols in practice (SSL/TL S, IPSEC). The treatment of the cryptographic primivites will emphasize their properties and workings, rather than provide a formal mathematical study.
Second, we will discuss security from the point-of-view of real-world vulnerabilities. The daily security grind that we experience -- viruses and worms, spam, denial-of-service and spyware -- has little to do with crypto per se. It involves topics such as: programs and bugs (buffer overruns, languages), operating system models (access control, sandboxing), user factors (passwords, policies), economic considerations (risk management and liability), the Internet architecture (DOS flooding attacks, firewalls) and implementation flaws in security schemes (randomness, timing attacks). These are diverse topics, and the treatment here will aim to discuss real vulnerabilities and link them with solution approaches.
The course will meet twice a week (MW 3:00-4:20). It will be graded for credit and include both homeworks and a final.
Wetherall taught my undergrad networks class, and he was good. And all of my grad classes so far have been far better than my undergrad experiences.