Main navigation | Main content
Office: 4-225E Keller Hall
Home page: http://www.cs.umn.edu/~mccamant
Office hours: Mondays 10-11am, Tuesdays 2-3pm. Also by appointment, or available for a quick talk when my office door is open.
Lecture Schedule: Tuesdays and Thursdays, 4:00-5:15pm, Keller Hall room 3-125
Office hours: Fridays, 10-11AM in Keller Hall 2-246
|Regular schedule||New schedule||Comments|
|Monday 2/25 10-11am||Wednesday 2/27 3-4pm 4-225E||One-time change due to travel|
|Tuesday 4/23 2-3pm||Tuesday 4/23 5:15-6:15pm 4-225E||One-time change due to off-campus meeting|
|Monday 4/29 10-11am||cancelled||One-time change due to travel|
|Tuesday 4/30 2-3pm||Wednesday 5/1 3-4pm 4-225E||One-time change due to travel|
Computer Science 5271 is an introductory graduate-level course on computer security. It covers a broad variety of basic topics in security, focusing on the scientific principles behind attacks and defenses, rather than the specifics of particular technologies. For example, we will discuss firewalls in this course: after this course, you will probably not know which commercial firewall to pick or the exact details of how to configure it; but you will know what a firewall can do (in general) to protect a computer system and also the inherent limitations of firewalls. The primary emphasis of this course is on preparing students for research in security, and teaching how to apply security principles to research in other CS areas. However, students interested in practicing security will learn important principles that a more applied course might not teach.
Goals and Objectives:
A key difference of work and research in security, compared to other parts of computer science, is the need to "think like an adversary", and that will be a recurring theme in the course. Beyond that, at the end of the course you should be able to:
The official prerequisite for this course is an undergraduate-level course in operating systems: in the Minnesota undergraduate program, CSci 4061. We don't recommend trying to take 4061 during the same semester as 5271, because the most important connection is an application to the first half of 5271 of material that is not usually taught until near the end of 4061. An undergraduate course in networking, such as Minnesota's CSci 4211, is also helpful as background for the section of the course on network security. The portions of the course that deal with low-level attacks and defenses on software (buffer overflows, etc.), depend on some familiarity with assembly language and how C programs are compiled. These are covered in CSci 2021, which is transitively a prerequisite for 4061, but students sometimes find themselves a bit rusty when the topics return in 5271.
As in any graduate-level course, we also expect students to have a broad familiarity with standard topics in a computer science as you would get from an undergraduate CS major. You should be resourceful: if a topic comes up in lecture that you aren't familiar with, you should have enough of an orientation to know where to look for more information on your own (from a textbook, from a manual, from Wikipedia, etc.).
You also need to be comfortable writing and debugging medium-sized programs independently. The largest portion of the programming will be system-level programming in C for Unix-style systems (mostly Linux), which is another reason 4061 is an important prerequisite. You should also be able to write shell scripts and use a Unix-compatible scripting language such as Perl, Python, or Ruby. You don't have to already be an expert with all of these tools, but you need to be prepared to fill in gaps in your knowledge as you go.
The course web site will have a schedule of the topics that will be covered in each lecture, along with readings for each topic. You will get the most out of the lecture by reading the materials before coming to class. The material in the readings and the materials in lectures will not match exactly: while the most important material will appear in both, some points may appear only in the reading or only in the lecture, and they're all fair game to appear on exams. We'll post the slides from lectures on the web site after class, but reviewing the slides is intended to supplement, not replace, attending lecture.
Because the area of computer security is changing quickly, it is hard to produce a good textbook; there's no single book that covers all the material in our class.
The book we'll be making the most extensive use of is Ross Anderson's Security Engineering, Second Edition (John Wiley & Sons, 2008). This is a great book for understanding the adversarial perspective in security; it covers many of the course's main topics at a high level, as well as drawing on examples of security thinking outside strictly computer applications. It's also a lot more fun to read than the average CS textbook. However it doesn't go into as much technical detail as we will in many areas. It should be available to buy in the campus bookstore, or various places online. But if you don't want a physical book, all the chapters are also available online from the author's home page. Also, the campus libraries have acquired ebook access to an HTML edition of the book through Books24x7. You can find a link through the library's course reserves portal, or here. Note however that one reason to buy a paper copy of the textbook is that you can bring a paper copy to exams, but you're not allowed to use electronics during exams. The first edition is significantly different and the chapter numbering is different, so be careful about which edition you get.
Including chapters from Anderson's textbook as discussed in the previous paragraph, all the class readings are available to download and/or read online. Many are public downloads; a few, such as some academic papers, are licensed to the University via the libraries so you can access them directly if you're coming from a campus IP address, or from off campus you can use the library's proxy service and bookmarklet. Some other online resources will be mentioned in lecture notes, assignments, or on the class forum, and of course there's lots of information, some of it good, available online that you can find yourself.
If you're looking for more specific textbook-style information about security, here are some additional recommendations primarly from past years' course staff:
Grading for this course will be based on the following components:
Late submissions: exercises turned in between 1 second late and 23 hours, 59 minutes and 59 seconds late are worth up to 75% of their original value. Continuing with that pattern, 24:00:00 to 47:59:59 late is worth 50%, 48:00:00 to 71:59:59 is worth 25%, and 72 hours or more late receive no credit.
Late submissions: hands-on assignments turned in between 1 second late and 23 hours, 59 minutes and 59 seconds late are worth up to 75% of their original value. Continuing with that pattern, 24:00:00 to 47:59:59 late is worth 50%, 48:00:00 to 71:59:59 is worth 25%, and 72 hours or more late receive no credit.
Final scores will be computed as a weighted average of the exercises score (10%), hands-on assignments score (15%), midterm score (20%), final exam score (25%), and project score (30%). Letter grades will be assigned using the following scale:
Collaboration and External Sources:
Discussing the course content with other students can be a very useful part of your learning experience: that is part of why we encourage/require you to collaborate on the exercises, homeworks, and course project. However it is up to you to structure that collaboration for the best results and to maximize everyone's learning. For instance when working on an exercise set, if you split up the questions between the group members, you would still be advised to get together at the end and discuss your answers before turning them in. Of course this will help you in the situation where one group member didn't do their part, but you'll also want to understand the idea behind each answer in case, say, something similar were to show up on an exam. Hard questions, and in particular some parts of the homeworks that require creative attacks, will also benefit from closer collaborations and discussions.
On the other hand, we ask that you be more circumspect in discussing exercises and homeworks with students outside your group, so that every group has the chance to grapple with the challenges on their own. The class isn't graded on a curve, so you aren't competing with other groups: their failure will not improve your grade, and we'd like to maintain a generally friendly atmosphere. For instance it's okay to discuss ideas from the course at a general level that might apply to a homework (e.g., the concept of a buffer-overflow attack), or to help another group with a technical problem unrelated to the project itself ("I can't get my VM to boot"). But you should avoid giving specific suggestions that another group could use in place of figuring something out on their own ("you can overflow buffer foo by passing a 200-byte string to function bar"). And sharing code or prose that would be given as an answer to an assignment question is of course never okay.
Many assignments in the class will allow or even encourage the use of resources beyond the course readings and lecture notes, such as you might find in the library or on the Internet. However it is an important academic value, which we enforce rigorously in this class, that it is never acceptable to use another's work without properly acknowledging it. In exercises and homeworks, you should acknowledge any external sources of inspiration or code directly in your answer; in the course project report, you should acknowledge resources and related work in the same was as you would in an academic paper. Failure to do so constitutes plagiarism.
Academic Integrity Policies: By the nature of this class, we will often discuss techniques that could be used to compromise the security of certain computer systems. However, IT IS VERY IMPORTANT THAT YOU NEVER APPLY THESE TECHNIQUES TO A COMPUTER WITHOUT THE PERMISSION OF THE COMPUTER'S OWNER. In particular you should never attempt to attack the security of computers that belong to CSE Labs, the department, the University, or an unsuspecting classmate. If we learn that a student has unethically exploited a vulnerability discussed in class, THAT STUDENT WILL FAIL. This is in addition to any University-level, department-level or legal penalties such an action may be subject to.
More generally, you are expected to do your own academic work and cite sources as appropriate. Failing to do so is scholastic dishonesty. Scholastic dishonesty includes, but is not limited to: plagiarizing; cheating on assignments or examinations; engaging in unauthorized collaboration on academic work; taking, acquiring, or using test materials without faculty permission; submitting false or incomplete records of academic achievement; acting alone or in cooperation with another to falsify records or to obtain dishonestly grades, honors, awards, or professional endorsement; altering, forging, or misusing a University academic record; or fabricating or falsifying data, research procedures, or data analysis. A student found responsible for scholastic dishonesty will at a minimum receive a grade of 0 for the assignment in question and be reported to the campus-wide Office for Community Standards (OCS). More serious offenses will receive a grade of F (or N) for the course and be subject to additional sanctions from the University. You should also read this page about academic conduct in computer science.
Other Applicable Policies: There are a number of other University-wide policies that apply to this course which you should be familiar with. This list is an abridged summary of longer policies which you can find linked from a University-wide page:
(This syllabus is based in part on documents used in previous editions of 5271 and written by Prof. Nick Hopper.)