Course schedule overview
The scheduling and selection of lecture topics is subject to
minor adjustment as the semester progresses, but the assignment
and exam dates are not expected to change.
Detailed reading and lecture schedule
- Tuesday, January 22nd
High level overview,
course assignments and grading logistics. No readings.
- Thursday, January 24th
Overview of course first half,
examples of software and OS-level vulnerabilities and attacks.
Readings: Anderson Chapter 1, "What Is Security Engineering?";
Anderson Chapter 25, "Managing the Development of Secure
- Tuesday, January 29th
vulnerabilities. Reading: Crispin Cowan, Perry Wagle, Calton Pu,
Steve Beattie, and Jonathan Walpole. Buffer
Overflows: Attacks and Defenses for the Vulnerability of the
Decade (IEEE version, some formatting issues) (local mirror of author's version), DISCEX 2000.
- Thursday, January 31st
as presented 2/5):
Low-level attack techniques. Reading: Tilo Müller, ASLR Smack & Laugh Reference (posted with permission of the author)
- Tuesday, February 5th
as presented 2/7):
Low-level defenses and counter-attacks, part 1. Reading:
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and
Jay Ligatti. “Control-flow
integrity”, ACM CCS 2005. (Campus download link)
- Thursday, February 7th
as presented 2/12):
Low-level defenses and counter-attacks, part 2. Reading: Hovav
Shacham. “The geometry of
innocent flesh on the bone: return-into-libc without function
calls (on the x86)”, ACM CCS 2007, and
Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross, “Control-Flow Bending: On the Effectiveness of Control-Flow Integrity”, USENIX Security 2015.
- Tuesday, February 12th
as presented 2/14):
Defensive programming and design
1. Readings: Jerome H. Saltzer and Michael D. Schroeder, The
Protection of Information in Computer Systems. Part I: Basic
Principles Of Information Protection. David Wheeler, Secure
Programming for Linux and Unix HOWTO, chapter 6: Avoid Buffer
Overflow and chapter 7: Structure Program Internals and Approach.
- Thursday, February 14th
as presented 2/19):
Defensive programming and design
2. Reading: Daniel J. Bernstein, Some thoughts
on security after ten years of qmail 1.0, CSAW 2007.
- Tuesday, February 19th
as presented 2/21):
OS security: authentication and
basic access control. Readings: Anderson Chapter 2 Usability
and Psychology sections 2.4-2.5: "Passwords" and "System
Issues", and Chapter 15 Biometrics.
- Thursday, February 21st
as presented 2/26):
OS security: access control.
Readings: Anderson Chapter 4 Access
Control and Chapter 8 Multilevel
Security, and Mark S. Miller, Ka-Ping Yee, and Jonathan
Myths Demolished" Technical Report SRL2003-02, Systems
Research Laboratory, Johns Hopkins University.
- Tuesday, February 26th
as presented 2/28):
OS security: high assurance?
Readings: Anderson Chapter 9 Multilateral
Security sections 9.1-9.2 and Chapter 26, System
Evaluation and Assurance.
- Thursday, February 28th (6-up slides):
Introduction to network security: protocols and attacks.
Readings: Firewalls and
Internet Security: Repelling the Wily Hacker. William
R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second
Edition. Chapter 2, A Security Review of
Protocols: Lower Layers and Chapter 3, Security Review: The
- Tuesday, March 5th: no lecture or readings, in-class midterm.
2017 midterms are available
Now also the
- Thursday, March 7th
Symmetric cryptography. Readings:
Anderson Chapter 5, Crypography,
- Tuesday, March 12th
as presented 3/26):
Public-key cryptography. Readings:
Anderson Chapter 5 section 5.7. And Introduction to
Modern Cryptography, Jonathan Katz and Yehuda Lindell,
Chapter 1, Introduction,
sections 1.1, 1.2, and 1.4.
- Thursday, March 14th
as presented 3/28):
Crypto protocols, "S" protocols for the Internet, and PKI.
Reading: David Kaloper-Meršinjak, Hannes Mehnert, Anil Madhavapeddy, and Peter Sewell, "Not-Quite-So-Broken TLS:
Lessons in Re-Engineering a Security Protocol
Specification and Implementation.", Sections 2-3.
- Tuesday, March 26th:
as presented 4/2)
Web security part 1. Reading: OWASP
Top 10 - 2017: The Ten Most Critical Web Application Security
- Thursday, March 28th:
as presented 4/4)
Web security part 2. No additional reading.
- Tuesday, April 2nd:
as presented 4/9)
More crypto protocols, and crypto failures.
Readings: Anderson Chapter 3, Protocols. Another
reference for the protocol parts is the paper "Programming
Satan's Computer", by Ross Anderson and Roger Needham,
Computer Science Today 1995. It provides even more examples of
broken protocols and design principles, but it's optional:
you're not responsible for anything from it beyond what was in
- Thursday, April 4th:
as presented 4/11)
Firewalls and intrusion detection.
Readings: Anderson Chapter 11, Physical
Protection; Cheswick and Bellovin Chapter 3 (first edition),
Gateways; David Wagner and Paolo Soto, "Mimicry Attacks
on Host-Based Intrusion Detection Systems", ACM CCS 2002
(campus download link).
- Tuesday, April 9th:
as presented 4/16)
Malware and network DoS. Readings:
David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan
Quarantine: Requirements for Containing Self-Propagating
Code", INFOCOM 2003; Marius Barat, Dumitru-Bogdan
Prelipcean, and Dragoș Teodor Gavriluț, "A
study on common malware families evolution in 2012" Journal
of Computer Virology and Hacking Techniques, November 2013
(campus download link).
- Thursday, April 11th:
as presented 4/18)
Privacy-enhancing network overlays.
Readings: Anderson section 23.4, Privacy Technology
(part of chapter 23, The
Bleeding Edge); Roger Dingledine, Nick Mathewson, and Paul
in deploying low-latency anonymity (draft)".
- Tuesday, April 16th:
Usability of security. Readings:
Anderson Chapter 2, "Usability
and Psychology". Devdatta Akhawe and Adrienne Porter Felt,
in Warningland: A Large-Scale Field Study of Browser Security
Warning Effectiveness". USENIX Security Symposium, August
- Thursday, April 18th:
Readings: Anderson section 23.5, Elections (part of chapter 23,
Bleeding Edge); Joseph A. Calandrino, Ariel J. Feldman,
J. Alex Halderman, David Wagner, Harlan Yu, and William
P. Zeller. "Source
Code Review of the Diebold Voting System", Executive Summary
through Section 3: Major Attacks (pp. i-17); David Chaum,
Richard Carback, Jeremy Clark, Aleksander Essex, Stefan
Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and
Alan T. Sherman. "Scantegrity
II: End-to-End Verifiability for Optical Scan Election Systems
using Invisible Ink Confirmation Codes", EVT 2008.
- Tuesday, April 23th:
Catch up lecture; no additional reading.
- Thursday, April 25th:
Final project student presentations #1
- Tuesday, April 30th: (6-up slides) Guest lecture:
quantitative information flow, presented by Seonmo Kim.
Reading: Andrew Myers, Sam Hopkins, and Jed Liu. Lecture notes
Information Flow, Cornell University CS 6113, fall 2013.
- Thursday, May 2nd:
Final project student presentations #2, last lecture period
- Thursday, May 9th: Final exam, 4:00-6:00pm in
Keller Hall 3-125 (same room as lectures)