Introduction to Computer Security

Course schedule overview

The scheduling and selection of lecture topics is subject to minor adjustment as the semester progresses, but the assignment and exam dates are not expected to change.

Date	Lecture topic	Assignments due
Wednesday 9/8	Introduction and logistics
Monday 9/13	Part 1 overview: security failures in action
Wednesday 9/15	Low-level vulnerabilities
Monday 9/20	Low-level attack techniques
Wednesday 9/22	Low-level defenses and counter-attacks 1	Project pre-proposal
Monday 9/27	Low-level defenses and counter-attacks 2
Wednesday 9/29	Defensive programming and design 1	Exercise set 1
Monday 10/4	Defensive programming and design 2
Wednesday 10/6	Access control basics
Monday 10/11	Information flow and mandatory access control
Wednesday 10/13	Side and covert channels	Project progress report #1
Monday 10/18	Protection, isolation, and assurance
Wednesday 10/20	Part 2 overview: protocols and attacks	Exercise set 2
Monday 10/25	In-class midterm exam
Wednesday 10/27	Symmetric cryptography
Monday 11/1	Public-key cryptography
Wednesday 11/3	"S" protocols for the Internet
Monday 11/8	Web security: server side
Wednesday 11/10	Web security: client side	Project progress report #2
Monday 11/15	Crypto and protocol failures
Wednesday 11/17	Security middleboxes
Monday 11/22	Malware and network DoS
Wednesday 11/24	Privacy-enhancing techniques	Exercise set 3
Monday 11/29	Usability of security
Wednesday 12/1	Electronic cash and blockchains	Project progress report #3
Monday 12/6	Electronic voting
Wednesday 12/8	Project presentations 1	Exercise set 4
Monday 12/13	Project presentations 2	Hands-on assignment
Wednesday 12/15	Project presentations 3	Project final report
Saturday 12/18	Final exam 1:30-3:30pm, 3-230 Keller

Detailed reading and lecture schedule

Wednesday, September 8th (8-up slides): High level overview, course assignments and grading logistics. No readings.
Monday, September 13th (8-up slides): Overview of course first half, examples of software and OS-level vulnerabilities and attacks. Readings: Anderson 3rd Ed Chapter 1, "What Is Security Engineering?", second edition equivalent Chapter 1, "What Is Security Engineering?"; Anderson 3rd Ed Chapter 27, "Secure Systems Development", second edition equivalent Chapter 25, "Managing the Development of Secure Systems".
Wednesday, September 15th (8-up slides): Low-level vulnerabilities. Reading: Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade (IEEE version, some formatting issues) (local mirror of author's version), DISCEX 2000.
Monday, September 20th (8-up slides, combined): Low-level attack techniques. Reading: Tilo Müller, ASLR Smack & Laugh Reference (posted with permission of the author)
Wednesday, September 22nd (8-up slides, combined): Low-level defenses and counter-attacks, part 1. Reading: Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. “Control-flow integrity”, ACM CCS 2005. (Campus download link)
Monday, September 27th (8-up slides, combined, BCECHO source, BCECHO 64-bit binary, BCECHO demo notes): Low-level defenses and counter-attacks, part 2. Reading: Hovav Shacham. “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)”, ACM CCS 2007, and Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross, “Control-Flow Bending: On the Effectiveness of Control-Flow Integrity”, USENIX Security 2015.
Wednesday, September 29th (8-up slides, combined): Defensive programming and design 1. Readings: Jerome H. Saltzer and Michael D. Schroeder, The Protection of Information in Computer Systems. Part I: Basic Principles Of Information Protection. David Wheeler, Secure Programming for Linux and Unix HOWTO, chapter 6: Avoid Buffer Overflow and chapter 7: Structure Program Internals and Approach.
Monday, October 4th (8-up slides, combined): Defensive programming and design 2. Reading: Daniel J. Bernstein, Some thoughts on security after ten years of qmail 1.0, CSAW 2007.
Wednesday, October 6th (8-up slides, combined): OS security: authentication and basic access control. Readings: Anderson 3rd edition Chapter 3, "Psychology and Usability", section 3.4: "Passwords", second edition equivalent Chapter 2 Usability and Psychology sections 2.4-2.5: "Passwords" and "System Issues". Anderson 3rd edition Chapter 17, "Biometrics", second edition equivalent Chapter 15 Biometrics.
Monday, October 11th (8-up slides, combined): OS security: access control. Readings: Anderson 3rd edition Chapter 6, "Access Control", second edition equivalent Chapter 4 Access Control. Anderson 3rd edition Chapter 9, "Multilevel Security", second edition equivalent Chapter 8 Multilevel Security. Mark S. Miller, Ka-Ping Yee, and Jonathan Shapiro, "Capability Myths Demolished" Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University.
Wednesday, October 13th (8-up slides, carry-over): Side and covert channels. Readings: Dawn Song, David Wagner, and Xuqing Tian. “Timing Analysis of Keystrokes and Timing Attacks on SSH”, USENIX Security 2001; and Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. “A Systematic Evaluation of Transient Execution Attacks and Defenses”, USENIX Security 2019.
Monday, October 18th (8-up slides, combined): OS security: high assurance? Readings: Anderson 3rd edition Chapter 10, "Boundaries". second edition equivalent Chapter 9 Multilateral Security. Anderson 3rd edition Chapter 28, "Assurance and Sustainability", second edition equivalent Chapter 26, System Evaluation and Assurance.
Wednesday, October 20th (8-up slides, now with announcements): Introduction to network security: protocols and attacks. Readings: Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second Edition. Chapter 2, A Security Review of Protocols: Lower Layers and Chapter 3, Security Review: The Upper Layers.
Monday, October 25th: no lecture or readings, in-class midterm. The 2013, 2014, 2015, 2017, spring 2019, and fall 2019 midterms are available for comparison. Now also the 2013, 2014, 2015, 2017, and fall 2019 solutions. Now also, this semester's midterm and solutions.
Wednesday, October 27th (8-up slides, combined): Symmetric cryptography. Readings: Anderson 3rd edition Chapter 5 "Cryptography" sections 5.1-5.6. Second edition equivalent Chapter 5, Crypography, sections 5.1-5.6.
Monday, November 1st (8-up slides, combined): Public-key cryptography. Readings: Anderson (either edition) Chapter 5 section 5.7. And Introduction to Modern Cryptography, Jonathan Katz and Yehuda Lindell, Chapter 1, Introduction, sections 1.1, 1.2, and 1.4.
Wednesday, November 3rd (8-up slides, combined): Crypto protocols, "S" protocols for the Internet, and PKI. Reading: David Kaloper-Meršinjak, Hannes Mehnert, Anil Madhavapeddy, and Peter Sewell, "Not-Quite-So-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation.", Sections 2-3.
Monday, November 8th: (8-up slides, combined) Web security part 1. Reading: OWASP Top 10 - 2021: The Ten Most Critical Web Application Security Risks.
Wednesday, November 10th: (8-up slides, combined) Web security part 2. No additional reading.
Monday, November 15th: (8-up slides, combined) More crypto protocols, and crypto failures. Readings: Anderson 3rd edition Chapter 4, "Protocols"; second edition equivalent Chapter 3, Protocols. Another reference for the protocol parts is the paper "Programming Satan's Computer", by Ross Anderson and Roger Needham, Computer Science Today 1995. It provides even more examples of broken protocols and design principles, but it's optional: you're not responsible for anything from it beyond what was in lecture.
Wednesday, November 17th: (8-up slides) Firewalls and intrusion detection. Readings: Anderson 3rd edition Chapter 13, "Locks and Alarms"; second edition equivalent Chapter 11, Physical Protection; Anderson 3rd edition Chapter 21, Network Attack and Defense, section 21.4, "Defense against network attack"; free and more detailed substitute Cheswick and Bellovin Chapter 3 (first edition), Firewall Gateways. David Wagner and Paolo Soto, "Mimicry Attacks on Host-Based Intrusion Detection Systems", ACM CCS 2002 (campus download link).
Monday, November 22nd: (8-up slides, combined) Malware and network DoS. Readings: David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code", INFOCOM 2003; Marius Barat, Dumitru-Bogdan Prelipcean, and Dragoș Teodor Gavriluț, "A study on common malware families evolution in 2012" Journal of Computer Virology and Hacking Techniques, November 2013 (campus download link).
Wednesday, November 24th: (8-up Tor slides, updated with announcements) Privacy-enhancing technologies. Readings: Anderson 3rd edition section 20.4, "Tor"; second edition equivalent section 23.4, Privacy Technology (part of chapter 23, The Bleeding Edge). Roger Dingledine, Nick Mathewson, and Paul Syverson, "Challenges in deploying low-latency anonymity (draft)". Thien Duc Nguyen, Markus Miettinen, and Ahmad-Reza Sadeghi, "Long Live Randomization: On Privacy-preserving Contact Tracing in [a] Pandemic", Workshop on Moving Target Defense, November 2020.
Monday, November 29th: (8-up slides) Usability of security. Readings: Anderson third edition Chapter 3, "Psychology and Usability"; second edition equivalent Chapter 2, "Usability and Psychology". Devdatta Akhawe and Adrienne Porter Felt, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness". USENIX Security Symposium, August 2013.
Wednesday, December 1st: (8-up slides, now with announcements) Electronic cash and blockchains. Reading: Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System".
Monday, December 6th: (8-up slides, now with announcements) Electronic voting. Readings: Anderson third edition section 25.5, Elections; second edition equivalent section 23.5, Elections (part of chapter 23, The Bleeding Edge); Joseph A. Calandrino, Ariel J. Feldman, J. Alex Halderman, David Wagner, Harlan Yu, and William P. Zeller. "Source Code Review of the Diebold Voting System", Executive Summary through Section 3: Major Attacks (pp. i-17); David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and Alan T. Sherman. "Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes", EVT 2008.