Synopsis

CS 3740 is an undergraduate introduction to the principles of computer security. The goals of the course are the following:

  • Introduce the fundamental principles of designing and implementing secure programs and systems
  • Present and analyze prevalent classes of attacks against systems
  • Discuss techniques for identifying the presence of vulnerabilities in system design and implementation, preventing the introduction of or successful completion of attacks, limiting the damage incurred by attacks, and recovering from system compromises
  • Present the ethical considerations of security research and practice

This course offers opportunities for hands-on practice of real-world attack and defense in several domains, including systems administration, the Web, and mobile devices.

Prerequisites

Students should be comfortable with, or able to quickly come up to speed on, the following topics:

  • Computer architecture
  • OS design
  • Networking
  • C and/or C++
  • Web applications and JavaScript
  • Java

Meetings

Class meets Tuesdays 11:45 – 1:25pm, Thursdays 2:50 – 4:30pm in 210 Shillman.

Grading

Grades will be assigned based on completion of problem sets, quizzes, and exams. Points will also be awarded for class participation (e.g., asking questions, participating in discussions).

Component      Weight
Problem Sets   40%
Quizzes         5%
Midterm Exam   25%
Final Exam     25%
Participation   5%

Late assignments will not be accepted unless an agreement is reached with the professor prior to the assigned due date. Grades may be subject to a curve.

Policies

Students should be familiar with the University Appropriate Use and Academic Integrity policies.

Additionally, due to the sensitive nature of the material covered in this course, a few words on scope are in order. Attack-oriented experiments performed as part of the course projects must be restricted to the computing resources provided for completion of these projects. Alternatively, students can perform these projects using personal resources so long as the experiments are solely executed on personal equipment. “Personal resources” includes attacking systems, target systems, and all intermediary systems and networks.

In particular, attacks performed against University resources or the Internet at large are expressly prohibited.

There is no official textbook for this course. Instead, we will be relying mainly on lectures and readings.

Schedule

Date        | Module            | Topic
Thu 04 Sep  | Introduction      | Introduction and Motivation
Tue 09 Sep  | Foundations       | Principles and Security Models
Thu 11 Sep  | UNIX              | Users and Privilege
Tue 16 Sep  | UNIX              | Passwords, Files, Shells
Thu 18 Sep  | UNIX              | Race Conditions, Sandboxes
Thu 25 Sep  | UNIX              | Rootkits
Tue 30 Sep  | UNIX              | Firewalls, Intrusion Detection
Thu 02 Oct  | Memory Corruption | Assembly Review
Tue 07 Oct  | Memory Corruption | Stack-based Overflows
Thu 09 Oct  | Memory Corruption | Heap-based Overflows
Tue 14 Oct  | Memory Corruption | Integer Overflows, Format Strings, Function Pointers
Thu 16 Oct  | Memory Corruption | ASLR, Non-Executable Data, CFI
Tue 21 Oct  | Memory Corruption | Malware Analysis
Thu 23 Oct  | Midterm Exam      | Foundations, UNIX Security, and Memory Corruption I (Introduction, Heap-based Overflows]
Tue 28 Oct  | Web               | Web Platform and Security Model
Thu 30 Oct  | Web               | TLS, HTTPS
Tue 04 Nov  | Web               | Cross-Site Scripting and Request Forgery
Thu 06 Nov  | Web               | SQL Injection, Response Splitting, Clickjacking
Sat 08 Nov  | Web               | HTML5, CSP, CORS
Tue 18 Nov  | Web               | Extensions, Plugins, Browser Separation
Thu 20 Nov  | Web               | User Privacy
Tue 25 Nov  | Mobile            | Mobile Platform Security
Tue 02 Dec  | Mobile            | Android Permissions
Tue 02 Dec  | Mobile            | Mobile Malware
Tue 02 Dec  | Conclusions       | Semester Review