Introduction to Computer Security

Course schedule overview

The scheduling and selection of lecture topics is subject to minor adjustment as the semester progresses, but the assignment and exam dates are not expected to change.

Date	Lecture topic	Other assignments due
Tuesday 9/2	Introduction and logistics
Thursday 9/4	Part 1 overview: security failures in action
Tuesday 9/9	Low-level vulnerabilities
Thursday 9/11	Low-level attack techniques
Friday 9/12		HA1 attack 1
Tuesday 9/16	Low-level defenses and counter-attacks 1
Wednesday 9/17		Project pre-proposal
Thursday 9/18	Low-level defenses and counter-attacks 2
Friday 9/19		HA1 attack 2
Tuesday 9/23	Defensive programming and design 1
Thursday 9/25	Defensive programming and design 2	Exercise set 1
Friday 9/26		HA1 attack 3
Tuesday 9/30	Access control basics
Wednesday 10/1		Project progress report
Thursday 10/2	Information-flow and mandatory access control
Friday 10/3		HA1 attack 4 and design
Tuesday 10/7	Protection, isolation, and assurance
Thursday 10/9	Application: electronic voting	Exercise set 2
Friday 10/10		HA1 attack 5
Tuesday 10/14	In-class midterm exam
Thursday 10/16	Guest lecture: SFI
Tuesday 10/21	Part 2 overview: protocols and attacks
Thursday 10/23	Symmetric cryptography
Tuesday 10/28	Public-key cryptography
Thursday 10/30	Crypto and protocol failures
Tuesday 11/4	"S" protocols for the Internet
Wednesday 11/5		Project progress report
Thursday 11/6	Web security: server side	Exercise set 3
Tuesday 11/11	Web security: client side
Thursday 11/13	Security middleboxes
Tuesday 11/18	Malware and network DoS
Thursday 11/20	Usability of security	Exercise set 4
Friday 11/21		Hands-on assignment 2 (all)
Tuesday 11/25	Application: electronic cash
Thursday 11/27	No class, Thanksgiving
Monday 12/1		Project progress report
Tuesday 12/2	Project presentations 1
Thursday 12/4	Project presentations 2	Exercise set 5
Tuesday 12/9	Project presentations 3, last class
Wednesday 12/10		Project final report
Thursday 12/18	Final exam 10:30am-12:30pm

Detailed reading and lecture schedule

Tuesday, September 2nd (6-up slides): High level overview, roll call, course assignments and grading logistics. No readings.
Thursday, September 4th (6-up slides): Overview of course first half, examples of software and OS-level vulnerabilities and attacks. Readings: Anderson Chapter 1, "What Is Security Engineering?"; Anderson Chapter 25, "Managing the Development of Secure Systems".
Tuesday, September 9th (6-up slides): Low-level vulnerabilities. Reading: Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, DISCEX 2000.
Thursday, September 11th (6-up slides): Low-level attack techniques. Reading: Tilo Müller, ASLR Smack & Laugh Reference (posted with permission of the author)
Tuesday, September 16th (6-up slides): Low-level defenses and counter-attacks, part 1. Reading: Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. “Control-flow integrity”, ACM CCS 2005. (Campus download link)
Thursday, September 18th (6-up slides, GDB commands): Low-level defenses and counter-attacks, part 2. Reading: Hovav Shacham. “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)”, ACM CCS 2007. (Campus download link)
Tuesday, September 23rd (6-up slides): Defensive programming and design 1. Readings: Jerome H. Saltzer and Michael D. Schroeder, The Protection of Information in Computer Systems. Part I: Basic Principles Of Information Protection. David Wheeler, Secure Programming for Linux and Unix HOWTO, chapter 6: Avoid Buffer Overflow and chapter 7: Structure Program Internals and Approach.
Thursday, September 25th (6-up slides): Defensive programming and design 2. Reading: Daniel J. Bernstein, Some thoughts on security after ten years of qmail 1.0, CSAW 2007.
Tuesday, September 30th (6-up slides): OS security: authentication and basic access control. Readings: Anderson Chapter 2 Usability and Psychology sections 2.4-2.5: "Passwords" and "System Issues", and Chapter 15 Biometrics.
Thursday, October 2nd (6-up slides): OS security: access control. Readings: Anderson Chapter 4 Access Control and Chapter 8 Multilevel Security, and Mark S. Miller, Ka-Ping Yee, and Jonathan Shapiro, "Capability Myths Demolished" Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University.
Tuesday, October 7th (6-up slides) OS security: high assurance? Readings: Anderson Chapter 9 Multilateral Security sections 9.1-9.2 and Chapter 26, System Evaluation and Assurance.
Thursday, October 9th: Electronic voting (6-up slides). Readings: Anderson section 23.5, Elections (part of chapter 23, The Bleeding Edge); Joseph A. Calandrino, Ariel J. Feldman, J. Alex Halderman, David Wagner, Harlan Yu, and William P. Zeller. "Source Code Review of the Diebold Voting System", Executive Summary through Section 3: Major Attacks (pp. i-17); David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and Alan T. Sherman. "Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes", EVT 2008. This material will not be covered on the midterm, but it will be fair game for later exercise sets and the final exam.
Tuesday, October 14th: no lecture or readings, in-class midterm. Last year's midterm is here, and its solutions are here. This year's midterm is now available here with solutions here.
Thursday, October 16th: Software-based Fault Isolation (guest lecture by Navid Emamdoost) (8-up slides): Reading: Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. "Efficient software-based fault isolation", SOSP 1993. (campus download link).
Tuesday, October 21st: Introduction to network security: protocols and attacks. (6-up slides): Optional (late) readings: Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second Edition. Chapter 2, A Security Review of Protocols: Lower Layers and Chapter 3, Security Review: The Upper Layers.
Thursday, October 23rd (6-up slides): Symmetric cryptography. Readings: Anderson Chapter 5, Crypography, sections 5.1-5.6.
Tuesday, October 28th: (6-up slides) Public-key cryptography. Readings: Anderson Chapter 5 section 5.7. And Introduction to Modern Cryptography, Jonathan Katz and Yehuda Lindell, Chapter 1, Introduction, sections 1.1, 1.2, and 1.4.
Thursday, October 30th: (6-up slides) Crypto protocols and crypto failures. Readings: Anderson Chapter 3, Protocols. Another reference for the protocol parts is the paper "Programming Satan's Computer", by Ross Anderson and Roger Needham, Computer Science Today 1995. It provides even more examples of broken protocols and design principles, but it's optional: you're not responsible for anything from it beyond what was in lecture.
Tuesday, November 4th: (6-up slides) "S" protocols for the Internet, and PKI. Reading: Christopher Meyer and Jörg Schwenk "Lessons Learned From Previous SSL/TLS Attacks - A Brief Chronology Of Attacks And Weaknesses."
Thursday, November 6th: (6-up slides) Web security part 1. Reading: OWASP Top 10 - 2013: The Ten Most Critical Web Application Security Risks.
Tuesday, November 11th: (6-up slides) Web security part 2. No additional reading.
Thursday, November 13th: (6-up slides) Firewalls and intrusion detection. Readings: Anderson Chapter 11, Physical Protection; Cheswick and Bellovin Chapter 3 (first edition), Firewall Gateways; David Wagner and Paolo Soto, "Mimicry Attacks on Host-Based Intrusion Detection Systems", ACM CCS 2002 (campus download link).
Tuesday, November 18th: (6-up slides) Malware and network DoS. Readings: David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code", INFOCOM 2003; Marius Barat, Dumitru-Bogdan Prelipcean, and Dragoș Teodor Gavriluț, "A study on common malware families evolution in 2012" Journal of Computer Virology and Hacking Techniques, November 2013 (campus download link).
Thursday, November 20th: (6-up slides) Usability of security. Readings: Anderson Chapter 2, "Usability and Psychology". Devdatta Akhawe and Adrienne Porter Felt, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness". USENIX Security Symposium, August 2013.
Tuesday, November 25th: (6-up slides) Bitcoin. Readings: Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System"; Dorit Ron and Adi Shamir. "Quantitative Analysis of the Full Bitcoin Transaction Graph", Financial Cryptography 2013.
Tuesday, December 2nd: final project student presentations #1
Thursday, December 4th: final project student presentations #2 (announcements 6-up slides)
Tuesday, December 9th: final project student presentations #3 (announcements 6-up slides)
Thursday, December 18th: final exam, 10:30am-12:30pm in Mechanical Engineering 108 (same room as lectures)