Introduction to Computer Security

Course schedule overview

The scheduling and selection of lecture topics is subject to minor adjustment as the semester progresses, but the assignment and exam dates are not expected to change.

Date	Lecture topic	Assignments due
Monday 9/4	No class, Labor Day
Wednesday 9/6	Introduction and logistics
Monday 9/11	Part 1 overview: security failures in action
Wednesday 9/13	Low-level vulnerabilities
Friday 9/15		HA1 attack 1
Monday 9/18	Low-level attack techniques
Wednesday 9/20	Low-level defenses and counter-attacks 1	Project pre-proposal
Friday 9/22		HA1 attack 2
Monday 9/25	Low-level defenses and counter-attacks 2
Wednesday 9/27	Defensive programming and design 1
Thursday 9/28		Exercise set 1
Friday 9/29		HA1 attack 3
Monday 10/2	Defensive programming and design 2
Wednesday 10/4	Access control basics
Friday 10/6		HA1 attack 4 and design
Monday 10/9	Information-flow and mandatory access control
Wednesday 10/11	Protection, isolation, and assurance	Project progress report #1
Thursday 10/12		Exercise set 2
Friday 10/13		HA1 attack 5
Monday 10/16	In-class midterm exam
Wednesday 10/18	Part 2 overview: protocols and attacks
Monday 10/23	Symmetric cryptography
Wednesday 10/25	Public-key cryptography
Monday 10/30	"S" protocols for the Internet
Wednesday 11/1	Guest lecture, SFI
Monday 11/6	Web security: server side
Wednesday 11/8	Web security: client side	Project progress report #2
Thursday 11/9		Exercise set 3
Monday 11/13	Crypto and protocol failures
Wednesday 11/15	Security middleboxes
Friday 11/17		Hands-on assignment 2 due
Monday 11/20	Malware and network DoS
Tuesday 11/21		~~Exercise set 4~~
Wednesday 11/22	Privacy-enhancing network overlays
Monday 11/27	Usability of security
Tuesday 11/28		Exercise set 4
Wednesday 11/29	Application: electronic voting
Monday 12/4	Application: electronic cash	Project progress report #3
Wednesday 12/6	Project presentations
Monday 12/11	Project presentations
Tuesday 12/12		Exercise set 5
Wednesday 12/13	Project presentations, last class	Project final report
Monday 12/18	Final exam 8:00am-10:00am

Detailed reading and lecture schedule

Wednesday, September 6th (6-up slides): High level overview, roll call, course assignments and grading logistics. No readings.
Monday, September 11th (6-up slides): Overview of course first half, examples of software and OS-level vulnerabilities and attacks. Readings: Anderson Chapter 1, "What Is Security Engineering?"; Anderson Chapter 25, "Managing the Development of Secure Systems".
Wednesday, September 13th (6-up slides): Low-level vulnerabilities. Reading: Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, DISCEX 2000. .
Monday, September 18th (6-up slides): Low-level attack techniques. Reading: Tilo Müller, ASLR Smack & Laugh Reference (posted with permission of the author)
Wednesday, September 20th (6-up slides, demo notes): Low-level defenses and counter-attacks, part 1. Reading: Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. “Control-flow integrity”, ACM CCS 2005. (Campus download link)
Monday, September 25th (6-up slides, demo notes): Low-level defenses and counter-attacks, part 2. Reading: Hovav Shacham. “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)”, ACM CCS 2007, and Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross, “Control-Flow Bending: On the Effectiveness of Control-Flow Integrity”, USENIX Security 2015.
Wednesday, September 27th (6-up slides): Defensive programming and design 1. Readings: Jerome H. Saltzer and Michael D. Schroeder, The Protection of Information in Computer Systems. Part I: Basic Principles Of Information Protection. David Wheeler, Secure Programming for Linux and Unix HOWTO, chapter 6: Avoid Buffer Overflow and chapter 7: Structure Program Internals and Approach.
Monday, October 2nd (6-up slides): Defensive programming and design 2. Reading: Daniel J. Bernstein, Some thoughts on security after ten years of qmail 1.0, CSAW 2007.
Wednesday, October 4th (6-up slides): OS security: authentication and basic access control. Readings: Anderson Chapter 2 Usability and Psychology sections 2.4-2.5: "Passwords" and "System Issues", and Chapter 15 Biometrics.
Monday, October 9th (6-up slides): OS security: access control. Readings: Anderson Chapter 4 Access Control and Chapter 8 Multilevel Security, and Mark S. Miller, Ka-Ping Yee, and Jonathan Shapiro, "Capability Myths Demolished" Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University.
Wednesday, October 11th (6-up slides): OS security: high assurance? Readings: Anderson Chapter 9 Multilateral Security sections 9.1-9.2 and Chapter 26, System Evaluation and Assurance.
Monday, October 16th: no lecture or readings, in-class midterm. The 2013, 2014, and 2015 midterms are available for comparison. Now also the 2013, 2014, and 2015 solutions. This year's midterm is here, and the solution set here.
Wednesday, October 18th (6-up slides): Introduction to network security: protocols and attacks. Readings: Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second Edition. Chapter 2, A Security Review of Protocols: Lower Layers and Chapter 3, Security Review: The Upper Layers.
Monday, October 23rd (6-up slides): Symmetric cryptography. Readings: Anderson Chapter 5, Crypography, sections 5.1-5.6.
Wednesday, October 25th (6-up slides): Public-key cryptography. Readings: Anderson Chapter 5 section 5.7. And Introduction to Modern Cryptography, Jonathan Katz and Yehuda Lindell, Chapter 1, Introduction, sections 1.1, 1.2, and 1.4.
Monday, October 30th: (6-up slides) Crypto protocols, "S" protocols for the Internet, and PKI. Reading: David Kaloper-Meršinjak, Hannes Mehnert, Anil Madhavapeddy, and Peter Sewell, "Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation.", Sections 2-3.
Wednesday, November 1st: Software-based Fault Isolation (guest lecture by Navid Emamdoost, 6-up slides): Reading: Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. "Efficient software-based fault isolation", SOSP 1993. (campus download link).
Monday, November 6th: (6-up slides) Web security part 1. Reading: OWASP Top 10 - 2017 RC2: The Ten Most Critical Web Application Security Risks, release candidate.
Wednesday, November 8th: (6-up slides) Web security part 2. No additional reading.
Monday, November 13th: (6-up slides) More crypto protocols, and crypto failures. Readings: Anderson Chapter 3, Protocols. Another reference for the protocol parts is the paper "Programming Satan's Computer", by Ross Anderson and Roger Needham, Computer Science Today 1995. It provides even more examples of broken protocols and design principles, but it's optional: you're not responsible for anything from it beyond what was in lecture.
Wednesday, November 15th: (6-up slides) Firewalls and intrusion detection. Readings: Anderson Chapter 11, Physical Protection; Cheswick and Bellovin Chapter 3 (first edition), Firewall Gateways; David Wagner and Paolo Soto, "Mimicry Attacks on Host-Based Intrusion Detection Systems", ACM CCS 2002 (campus download link).
Monday, November 20th: (6-up slides) Malware and network DoS. Readings: David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code", INFOCOM 2003; Marius Barat, Dumitru-Bogdan Prelipcean, and Dragoș Teodor Gavriluț, "A study on common malware families evolution in 2012" Journal of Computer Virology and Hacking Techniques, November 2013 (campus download link).
Wednesday, November 22nd: (6-up slides) Privacy-enhancing network overlays. Readings: Anderson section 23.4, Privacy Technology (part of chapter 23, The Bleeding Edge); Roger Dingledine, Nick Mathewson, and Paul Syverson, "Challenges in deploying low-latency anonymity (draft)".
Monday, November 27th: (6-up slides) Usability of security. Readings: Anderson Chapter 2, "Usability and Psychology". Devdatta Akhawe and Adrienne Porter Felt, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness". USENIX Security Symposium, August 2013.
Wednesday, November 29th: (6-up slides) Electronic voting. Readings: Anderson section 23.5, Elections (part of chapter 23, The Bleeding Edge); Joseph A. Calandrino, Ariel J. Feldman, J. Alex Halderman, David Wagner, Harlan Yu, and William P. Zeller. "Source Code Review of the Diebold Voting System", Executive Summary through Section 3: Major Attacks (pp. i-17); David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and Alan T. Sherman. "Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes", EVT 2008.
Monday, December 4th: (6-up slides) Bitcoin. Reading: Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System".
Wednesday, December 7th: final project student presentations #1
Monday, December 11th: final project student presentations #2
Wednesday, December 13th: final project student presentations #3; last lecture
Monday, December 18th: final exam, 8:00-10:00am in Mechanical Engineering 108 (same room as lectures)