cs3740 Introduction to Security
CS 3740 is an undergraduate introduction to the principles of computer security. The goals of the course are the following:
- Introduce the fundamental principles of designing and implementing secure programs and systems
- Present and analyze prevalent classes of attacks against systems
- Discuss techniques for identifying the presence of vulnerabilities in system design and implementation, preventing the introduction of or successful completion of attacks, limiting the damage incurred by attacks, and recovering from system compromises
- Present the ethical considerations of security research and practice
This course offers opportunities for hands-on practice of real-world attack and defense in several domains, including systems administration, the Web, and mobile devices.
Students should be comfortable with, or be able to quickly come up to speed on, the following topics:
- Computer architecture
- OS design
- C and/or C++
Class meets Tuesdays 11:45 – 1:25pm, Thursdays 2:50 – 4:30pm in 210 Shillman.
Grades will be assigned based on completion of problem sets, quizzes, and exams. Points will also be awarded for class participation (e.g., asking questions, participating in discussions).
- Problem Sets
- Midterm Exam
- Final Exam
Late assignments will not be accepted unless an agreement is reached with the professor prior to the assigned due date. Grades may be subject to a curve.
Additionally, due to the sensitive nature of the material covered in this course, a few words on scope are in order. Attack-oriented experiments performed as part of the course projects must be restricted to the computing resources provided for completion of these projects. Alternatively, students can perform these projects using personal resources so long as the experiments are solely executed on personal equipment. “Personal resources” includes attacking systems, target systems, and all intermediary systems and networks.
In particular, attacks performed against University resources or the Internet at large are expressly prohibited.
There is no official textbook for this course. Instead, we will be relying mainly on lectures and readings.
| Date | Unit | Topic |
|---|---|---|
| Thu 04 Sep | Introduction | Introduction and Motivation |
| Tue 09 Sep | Foundations | Principles and Security Models |
| Thu 11 Sep | UNIX | Users and Privilege |
| Tue 16 Sep | UNIX | Passwords, Files, Shells |
| Thu 18 Sep | UNIX | Race Conditions, Sandboxes |
| Thu 25 Sep | UNIX | Rootkits |
| Tue 30 Sep | UNIX | Firewalls, Intrusion Detection |
| Thu 02 Oct | Memory Corruption | Assembly Review |
| Tue 07 Oct | Memory Corruption | Stack-based Overflows |
| Thu 09 Oct | Memory Corruption | Heap-based Overflows |
| Tue 14 Oct | Memory Corruption | Integer Overflows, Format Strings, Function Pointers |
| Thu 16 Oct | Memory Corruption | ASLR, Non-Executable Data, CFI |
| Tue 21 Oct | Memory Corruption | Malware Analysis |
| Thu 23 Oct | Midterm Exam | Foundations, UNIX Security, and Memory Corruption I (Introduction through Heap-based Overflows) |
| Tue 28 Oct | Web | Web Platform and Security Model |
| Thu 30 Oct | Web | TLS, HTTPS |
| Tue 04 Nov | Web | Cross-Site Scripting and Request Forgery |
| Thu 06 Nov | Web | SQL Injection, Response Splitting, Clickjacking |
| Sat 08 Nov | Web | HTML5, CSP, CORS |
| Tue 18 Nov | Web | Extensions, Plugins, Browser Separation |
| Thu 20 Nov | Web | User Privacy |
| Tue 25 Nov | Mobile | Mobile Platform Security |
| Tue 02 Dec | Mobile | Android Permissions |
| Tue 02 Dec | Mobile | Mobile Malware |
| Tue 02 Dec | Conclusions | Semester Review |