Computer Security
CS-426, Spring 2025
This 3-credits undergraduate course covers the basics of computer security. We will cover a wide range of topics from both offensive and defensive sides, including systems security and exploitation (e.g., buffer overflows), sandboxing and isolation, side channels, network security, cryptography, privacy and anonymity, and legal and ethical issues. Together, we will learn how to build secure computer systems, we will understand security best practices, and we will get to know security failures in existing and emerging computer networks and systems.
By the end of the course, you will have the basic knowledge to reason about common security attacks and defenses, you will become familiar with security engineering best practices, and you will learn how to write better and more secure software, protocols, and systems, and you will have rudimentary skills in security research. I hope that you will have fun taking this course as much as I will enjoy teaching it!
Catalog Description: The course focuses on the principles and foundations of building secure computer systems and on security and privacy challenges in existing and emerging computer networks and systems. The course compares and analyzes security and privacy threats and architectures from an adversarial standpoint to understand how to build more secure protocols that can withstand ever-adaptive attacks.
Instructor
Teaching Assistants
Qi Ling he/him
Lectures
Lectures are M/W/F from 11:30 am to 12:20 pm, LAWSON 1142.
Updated Office Hours on BrightSpace (See Course Calendar).
Prerequisite
The formal prerequisite is undergraduate level CS 25100 minimum grade of C and undergraduate level CS 25200 minimum grade of C [may be taken concurrently] or undergraduate level ECE 46900 Minimum Grade of C or undergraduate level EE 46900 Minimum Grade of C. However, to complete the assignments in this course, you will need to be able to write code in Python, C, and (some) C++, and have some understanding of x86 assembly, JavaScript, PHP, and SQL. We will not teach these in lecture; you are expected to learn them on your own or ask for help in office hours.
Textbook
There is no official textbook for the class. Slides will be provided and reading materials for each topic will be posted before the lectures. However, the following resources are going to be useful:
- Security Engineering – Ross Anderson, Third Edition
- Hacking: The Art of Exploitation by Jon Erickson
We try to be clear about what is okay to skim and what will be helpful to read deeply (See Agenda).
Format
Course format is lectures three days a week. Attendance is not optional. The slides will be available for download before each lecture (See Agenda).
A quick reminder: Active engagement and re-enforcement are keys to successful and effective learning. Therefore, we will have plenty of activities during lectures. These activities also help you to meet and interact with other students. Moreover, assignments, and grading are designed to help with re-enforcement and active engagement.
Online Discussion
Discussions, Q&A, peer-to-peer instruction, etc. take place on our edstem. Use the link in Brightspace to join the class on edstem. You are encouraged to post questions, help answer other students’ questions, and provide feedback and suggestions to your instruction staff. Constructive criticism is always welcome.
While the instruction staff will do their best to answer any question as soon as possible, be aware (and plan ahead) that instruction staff will not be available 24/7.
Grading
An ideal assessment should evaluate learning outcomes, thus your grade should not depend on other student’s performance in class (i.e., no bell curve). We will use the following scale for your final grade:
| A+ >96.7 | A [93,96.7) | A- [90,93) | B+ [86.7,90) | B [83.3,86.7) | B- [80,83.3) | C+ [76.7,80) | C [70,76.7) | D [60,70) | F [0,60) |
|---|
We reserve the right to modify these ranges and the following tentative grading breakdown as the course proceeds.
Weekly Check-in (5%)
During lectures, we will have interactive question and answer activities in the class. We will use iClicker for polls and discussions. These are opportunities for you to check your understanding and for us to go back and help explain concepts more thoroughly that may be confusing folks. These in-lecture polls will not be graded for correctness or attendance. However, on each Wednesday (from 2nd week onward), we will collect all of the poll questions of the week and release a weekly check-in mini-quiz on BrightSpace. The weekly check-ins must be completed by the class time (campus time) the following Friday. So, you will have at least 24 hours to complete them.
These weekly check-ins are primarily for you, to help you stay on track and to check your own understanding. Therefore, we will not grade them for correctness. If you complete the weekly check-in quiz, you will earn full points for that week. However, if your raw score on a weekly check-in is low, come to discussion sections or office hours and get help!
Homework (60%)
These are longer form assignments that include both programming and a non-programming conceptual section. You are welcome to discuss homework problems with other students or in groups, however, you must complete your final writeup alone.
Homework submission will be via the Gradescope. If you are enrolled in the class you should see the class in your Gradescope account. Regrade requests will also be handled via Gradescope. The window for regrades will be no more than one week after graded homework is returned.
We will have 5 homework sets. Generally they will be released on Mondays and you will have 2-3 weeks to submit. See the tentative schedule for more information on the schedule of the homework assignments (Agenda). Homework 1 will be worth 6% and the remaining homework (Homework 2-5) will each be worth 13.5% of the final grade, making the total Homework grade 6 + 4 * 13.5 = 60% of your final grade.
Midterm (15%)
This course will have one midterm exam. The midterm is scheduled to be in class on March 7.
Final (20%)
The final exam will be cumulative over all of the course content.
We are waiting for the registrar to assign a exam slot for us. We will announce the date/time and location as soon as we get a slot.
Late Assignments
You will have 3 late days during the whole semester for late homework. You will also have 3 late days for weekly check-ins. You can use your late days however you wish to. Note that the granularity of this is days. That means, if you submit your homework any time in the next 24 hours after the deadline, you are using one of your late days.
Academic Integrity
Cheating WILL be taken seriously. It is not fair to honest students to take cheating lightly, nor is it fair to the cheater to let him/her go on thinking that is a reasonable alternative in life.
The following is not considered cheating:
- discussing the homeworks with other students (with the writeup done separately, later).
The following is:
- Discussing homework with someone who has already completed the problem, or looking at their completed write-up.
- Using homework solutions from the web, previous versions of the class, or anywhere else.
- Receiving, providing, or soliciting assistance from another student during a test.
Penalties – anyone copying information or having information copied on a homework, or an exam, or any other violation of class policy, will receive an F in the class and will not be allowed to drop. They will be reported to their college dean. If you can prove non-cooperative copying took place, your grade may be restored, but you must prove it to the dean.
University Policies and Statements
Please see Brightspace for complete list of university policies and statements.
Agenda (Tentative!)
This is a tentative schedule and we may change it as the course proceeds.
Week-1
- Date
- Topic
- Jan 13
- Jan 15
- Security Fundamentals
-
Read: This World of Ours by James Mickens Watch: USENIX Security 2018 Keynote by James Mickens
- Jan 17
Week-2
- Jan 20
- MLK Day (No Class)
- HW1 Release
- Jan 22
- Security Fundamentals 2
-
Same as prev lecture: Read: This World of Ours by James Mickens Watch: USENIX Security 2018 Keynote by James Mickens
- Jan 24
- Buffer Overflow Attacks
Read: Smashing the Stack for Fun and Profit by Aleph One; Optional: 0×300-0×320 from Hacking book. 0×200-0×270 if you don’t have a strong C background.
Week-3
- Jan 27
- Buffer Overflow Attacks 2
- HW1 Due
Same as prev lecture: Read Smashing the Stack for Fun and Profit by Aleph One; Optional: 0×300-0×320 from Hacking book. 0×200-0×270 if you don’t have a strong C background.
- Jan 29
- Buffer Overflow Attacks 3
- HW2 Release
Same as prev lectures: Read Smashing the Stack for Fun and Profit by Aleph One; Optional: 0×300-0×320 from Hacking book. 0×200-0×270 if you don’t have a strong C background.
- Jan 31
Week-4
Week-5
- Feb 10
- Memory safety (ROP)
Read: Low-Level Software Security by Example by Ulfar Erlingsson et al. Optional: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) by Hovav Shacham, Hacking Blind by Andrea Bittau et al.Read: On the Effectiveness of Address-Space Randomization by Hovav Shacham et al
- Feb 12
- Memory safety (ROP&CFI)
Same as prev lecture and Optional: Control-Flow Integrity by Martin Abadi et al.
- Feb 14
Week-6
Week-7
- Feb 24
- Sandboxing and Isolation
Watch: USENIX Security talk by Shravan Narayan Read: The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Garfinkel et al. Optional: Retrofitting Fine Grain Isolation in the Firefox Renderer by Narayan et al., Operating System Security by Trent Jaeger, Android System and kernel security, and https://www.apple.com/business/docs/iOS_Security_Guide.pdf
- Feb 26
- Sandboxing and Isolation
SAME as prev lecture: Watch: USENIX Security talk by Shravan Narayan Read: The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Garfinkel et al. Optional: Retrofitting Fine Grain Isolation in the Firefox Renderer by Narayan et al., Operating System Security by Trent Jaeger, Android System and kernel security, and https://www.apple.com/business/docs/iOS_Security_Guide.pdf
- Feb 28
- Sandboxing and Isolation
SAME as prev lecture: Watch: USENIX Security talk by Shravan Narayan Read: The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Garfinkel et al. Optional: Retrofitting Fine Grain Isolation in the Firefox Renderer by Narayan et al., Operating System Security by Trent Jaeger, Android System and kernel security, and https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Week-8
- Mar 03
- Side Channels 1
- HW3 Early Due (Bonus)
Read:Spectre Attacks: Exploiting Speculative Execution by Paul Kocher et al.
- Mar 05
- Mar 07
Week-9
- Mar 10
- Mar 12
- Mar 14
- Web Intro
- HW3 Due
Read:Robust defenses for cross-site request forgery by Adam Barth, et al., and Finding and Fixing DOM-based XSS with Static Analysis by Frederik Brun
Week-10
Week-11
- Mar 24
- Mar 26
- Mar 28
Week-12
- Mar 31
- Class Canceled
- guest lecture
- Apr 02
- Web (SQL injection)
- Delivered by TAs (Milad and Qi)
- Apr 04
Week-13
- Apr 07
- Apr 09
- Apr 11
Week-14
- Apr 14
- Apr 16
- Apr 18
Week-15
- Apr 21
- Apr 23
- Apr 25
Week-16
- Apr 28
- Apr 30
- May 02
Final
- May 05
- Final Exam
- 08:00-10:00am MATH 175
DISCLAIMER
The details in this syllabus may change (e.g. schedule, grading policy, assignments, etc.). We will update this syllabus in the event of changes as the course progresses. We will send announcements in the case of significant changes. It is your responsibility to check for the course announcements.
Credit
This page uses materials from many other instructors including Deian Stefan, Dave Tian, Aniket Kate, Pat Pannuto and Dean Tullsen.