Computer Security
CS-426, Fall 2023
This 3-credits undergraduate course covers the basics of computer security. We will cover a wide range of topics from both offensive and defensive sides, including systems security and exploitation (e.g., buffer overflows), sandboxing and isolation, side channels, network security, cryptography, privacy and anonymity, and legal and ethical issues. Together, we will learn how to build secure computer systems, we will understand security best practices, and we will get to know security failures in existing and emerging computer networks and systems.
By the end of the course, you will have the basic knowledge to reason about common security attacks and defenses, you will become familiar with security engineering best practices, and you will learn how to write better and more secure software, protocols, and systems, and you will have rudimentary skills in security research. I hope that you will have fun taking this course as much as I will enjoy teaching it!
Catalog Description: The course focuses on the principles and foundations of building secure computer systems and on security and privacy challenges in existing and emerging computer networks and systems. The course compares and analyzes security and privacy threats and architectures from an adversarial standpoint to understand how to build more secure protocols that can withstand ever-adaptive attacks.
Instructor
Teaching Assistants
Lectures
Lectures are M/W/F from 9:30 am to 10:20 am, Robert Heine Pharmacy Building 164.
Updated Office Hours on BrightSpace (See Course Calendar).
Prerequisite
The formal prerequisite is undergraduate level CS 25100 minimum grade of C and undergraduate level CS 25200 minimum grade of C [may be taken concurrently] or undergraduate level ECE 46900 Minimum Grade of C or undergraduate level EE 46900 Minimum Grade of C. However, to complete the assignments in this course, you will need to be able to write code in Python, C, and (some) C++, and have some understanding of x86 assembly, JavaScript, PHP, and SQL. We will not teach these in lecture; you are expected to learn them on your own or ask for help in office hours.
Textbook
There is no official textbook for the class. Slides will be provided and reading materials for each topic will be posted before the lectures. However, the following resources are going to be useful:
- Security Engineering – Ross Anderson, Third Edition
- Hacking: The Art of Exploitation by Jon Erickson
We try to be clear about what is okay to skim and what will be helpful to read deeply (See Agenda).
Format
Course format is lectures three days a week. Attendance is not optional. The slides will be available for download before each lecture (See Agenda).
A quick reminder: Active engagement and re-enforcement are keys to successful and effective learning. Therefore, we will have plenty of activities during lectures. These activities also help you to meet and interact with other students. Moroever, assignments, and grading are designed to help with re-enforcement and active engagement.
Online Discussion
Discussions, Q&A, peer-to-peer instruction, etc. take place on our edstem. Use the link in Brightspace to join the class on edstem. You are encouraged to post questions, help answer other students’ questions, and provide feedback and suggestions to your instruction staff. Constructive criticism is always welcome.
While the instruction staff will do their best to answer any question as soon as possible, be aware (and plan ahead) that instruction staff will not be available 24/7.
Grading
An ideal assessment should evaluate learning outcomes, thus your grade should not depend on other student’s performance in class (i.e., no bell curve). We will use the following scale for your final grade:
| A+ >96.7 | A [93,96.7) | A- [90,93) | B+ [86.7,90) | B [83.3,86.7) | B- [80,83.3) | C+ [76.7,80) | C [73.3,76.7) | C- [70,73.3) | D [60,70) | F [0,60) |
|---|
We reserve the right to modify these ranges and the following tentative grading breakdown as the course proceeds.
Weekly Check-in (5%)
During lectures, we will have interactive question and answer activities in the class. We will use Hotseat for polls and discussions. These are opportunities for you to check your understanding and for us to go back and help explain concepts more thoroughly that may be confusing folks. These in-lecture polls will not be graded for correctness or attendance. However, on each Wednesday (from 2nd week onward), we will collect all of the poll questions of the week and release a mini-quiz on BrightSpace. The quiz must be completed by midnight (campus time) the following Thursday. So, you will have at least 24 hours to complete them.
These quizzes are primarily for you, to help you stay on track and to check your own understanding. Therefore, we will not grade them for correctness. If you complete the quiz, you will earn full points for that week. However, if your raw score on a quiz is low, come to discussion sections or office hours and get help!
Homework (60%)
These are longer form assignments that include both programming and a non-programming conceptual section. You are welcome to discuss homework problems with other students or in groups, however, you must complete your final writeup alone.
Homework submission will be via the Gradescope. If you are enrolled in the class you should see the class in your Gradescope account. Regrade requests will also be handled via Gradescope. The window for regrades will be no more than one week after graded homework is returned.
We will have 5 homework sets. Generally they will be released on Mondays and you will have 2-3 weeks to submit. See the tentative schedule for more information on the schedule of the homework assignments (Agenda). Homework 1 will be worth 6% and the remaining homework (Homework 2-5) will each be worth 13.5% of the final grade, making the total Homework grade 6 + 4 * 13.5 = 60% of your final grade.
Midterm (15%)
This course will have one midterm exam. The midterm is scheduled to be in class on Wed Oct 18.
Final (20%)
The final exam will be cumulative over all of the course content.
The registrar has assigned: Wed Dec 13th, 8-10 AM at KRAN G016 as the final exam time slot for this course.
Late Assignments
You will have 3 late days during the whole semester for late homework. You will also have 3 late days for weekly check-ins. You can use your late days however you wish to. Note that the granularity of this is days. That means, if you submit your homework any time in the next 24 hours after the deadline, you are using one of your late days.
Academic Integrity
Cheating WILL be taken seriously. It is not fair to honest students to take cheating lightly, nor is it fair to the cheater to let him/her go on thinking that is a reasonable alternative in life.
The following is not considered cheating:
- discussing the homeworks with other students (with the writeup done separately, later).
The following is:
- Discussing homework with someone who has already completed the problem, or looking at their completed write-up.
- Using homework solutions from the web, previous versions of the class, or anywhere else.
- Receiving, providing, or soliciting assistance from another student during a test.
Penalties – anyone copying information or having information copied on a homework, or an exam, or any other violation of class policy, will receive an F in the class and will not be allowed to drop. They will be reported to their college dean. If you can prove non-cooperative copying took place, your grade may be restored, but you must prove it to the dean.
University Policies and Statements
Please see Brightspace for complete list of university policies and statements.
Agenda (Tentative!)
This is a tentative schedule and we may change it as the course proceeds.
Week-1
- Date
- Topic
- Aug 21
- Aug 23
- Aug 25
- Security Fundamentals
Read: This World of Ours by James Mickens Watch: USENIX Security 2018 Keynote by James Mickens
Week-2
- Aug 28
- Aug 30
- Buffer Overflow Attacks
Read: Smashing the Stack for Fun and Profit by Aleph One; Optional: 0×300-0×320 from Hacking book. 0×200-0×270 if you don’t have a strong C background.
- Sep 01
- Buffer Overflow Attacks 2
Same as prev lecture: Read Smashing the Stack for Fun and Profit by Aleph One; Optional: 0×300-0×320 from Hacking book. 0×200-0×270 if you don’t have a strong C background.
Week-3
- Sep 04
- Sep 06
- Buffer Overflow Attacks 3
Same as prev lectures: Read Smashing the Stack for Fun and Profit by Aleph One; Optional: 0×300-0×320 from Hacking book. 0×200-0×270 if you don’t have a strong C background.
- Sep 08
- Buffer Overflow Attacks 4
Same as prev lectures: Read Smashing the Stack for Fun and Profit by Aleph One; Optional: 0×300-0×320 from Hacking book. 0×200-0×270 if you don’t have a strong C background.
Week-4
Week-5
- Sep 18
- Sep 20
- Memory safety (CFI)
Same as prev lecture and Optional: Control-Flow Integrity by Martin Abadi et al.
- Sep 22
Week-6
- Sep 25
- Sep 27
- Sandboxing and Isolation
Watch: USENIX Security talk by Shravan Narayan Read: The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Garfinkel et al. Optional: Retrofitting Fine Grain Isolation in the Firefox Renderer by Narayan et al., Operating System Security by Trent Jaeger, Android System and kernel security, and https://www.apple.com/business/docs/iOS_Security_Guide.pdf
- Sep 29
- Sandboxing and Isolation
SAME as prev lecture: Watch: USENIX Security talk by Shravan Narayan Read: The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Garfinkel et al. Optional: Retrofitting Fine Grain Isolation in the Firefox Renderer by Narayan et al., Operating System Security by Trent Jaeger, Android System and kernel security, and https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Week-7
- Oct 02
- Sandboxing and Isolation
- HW2 Due
SAME as prev lecture: Watch: USENIX Security talk by Shravan Narayan Read: The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Garfinkel et al. Optional: Retrofitting Fine Grain Isolation in the Firefox Renderer by Narayan et al., Operating System Security by Trent Jaeger, Android System and kernel security, and https://www.apple.com/business/docs/iOS_Security_Guide.pdf
- Oct 04
- Side Channels 1
- HW3 Release
Read:Spectre Attacks: Exploiting Speculative Execution by Paul Kocher et al.
- Oct 06
Week-8
- Oct 09
- Oct 11
- Oct 13
Week-9
- Oct 16
- Oct 18
- Oct 20
- Midterm Discussion & Web Intro
Read:Robust defenses for cross-site request forgery by Adam Barth, et al., and Finding and Fixing DOM-based XSS with Static Analysis by Frederik Brun
Week-10
- Oct 23
- Oct 25
- Oct 27
Week-11
- Oct 30
- Web Attacks-3 and Network Intro
- (guest lecture by Prof. Garman)
- Nov 01
- Hands-on CTF examples
- (by TAs)
- Nov 03
Week-12
- Nov 06
- Nov 08
- Nov 10
Week-13
- Nov 13
- Network Defenses-2 :
- Nov 15
- Nov 17
Week-14
- Nov 20
- Nov 22
- Nov 24
Week-15
- Nov 27
- Nov 29
- Dec 01
Week-16
- Dec 04
- Dec 06
- Final Review-1
- pre-midterm and web
- Dec 08
Final
- Dec 13
DISCLAIMER
The details in this syllabus may change (e.g. schedule, grading policy, assignments, etc.). We will update this syllabus in the event of changes as the course progresses. We will send announcements in the case of significant changes. It is your responsibility to check for the course announcements.
Credit
This page uses materials from many other instructors including Deian Stefan, Dave Tian, Aniket Kate, Pat Pannuto and Dean Tullsen.