Synopsis

CS 4740/6740 is a mixed undergraduate and graduate-level course on network security covering a diverse range of topics at all layers of the networking stack, from physical to application-level security. The course focuses on the intersection between systems security principles and networking, from abstract models to their application in systems code, the Web, and mobile platforms. There is a pronounced emphasis on practical techniques for both defending and attacking systems in support of the high-level goal to impart the “attacker’s mindset.”

Prerequisites

The official prerequisite for this course is Fundamentals of Computer Networking, or an equivalent course. In addition, familiarity with (or the willingness to learn) UNIX systems, a scripting language such as Ruby or Python, C, and x86 assembly will be useful.

Meetings

Class meets Thursdays 6 – 9pm in 309 Kariotis.

Grading

Grades will be assigned based on points awarded for completion of projects, quizzes, and exams. There will be four projects assigned over the course of the semester, a midterm, and a final exam. In addition, quizzes will be given periodically, to be completed during class. Projects can be completed in groups, while the midterm, final, and quizzes must be completed individually. The tentative point distribution is as follows.

Projects
40% (4 x 10%)
Quizzes
10%
Midterm Exam
15%
Final Exam
30%
Participation
5%

Late assignments will not be accepted unless an agreement is reached with the professor. Separate scales for undergraduates and graduates will be used, and grades may be subject to a curve.

Policies

Students should be familiar with the University Appropriate Use and Academic Integrity policies.

Additionally, due to the sensitive nature of the material covered in this course, a few words on scope are in order. Attack-oriented experiments performed as part of the course projects must be restricted to the computing resources provided for completion of these projects. Alternatively, students can perform these projects using personal resources so long as the experiments are solely executed on personal equipment. “Personal resources” includes attacking systems, target systems, and all intermediary systems and networks.

In particular, attacks performed against University resources or the Internet at large are expressly prohibited.

There is no official textbook for this course. Instead, we will be relying mainly on lectures and readings.

Schedule

Date Module Topic
Thu 04 Sep Introduction Introduction and Principles
Thu 11 Sep TCP/IP Link Layer, TCP/IP
Thu 18 Sep TCP/IP Naming, Routing
Thu 25 Sep TCP/IP TLS, IPSEC, Kerberos
Thu 02 Oct Web Security Web Platform, TLS, HTTPS
Thu 09 Oct Web Security Cross-Site Scripting and Request Forgery
Thu 16 Oct Midterm Exam Foundations, TCP/IP, and Web Security I
(Foundations, HTTPS]
Thu 23 Oct Web Security HTML5, CSP, CORS
Thu 30 Oct Web Security Extension, Plugins, Browser Separation
Thu 06 Nov Systems Code Assembly Review
Thu 13 Nov Systems Code Memory (Un)safety
Thu 20 Nov Systems Code ASLR, Non-Executable Data, CFI
Thu 04 Dec Mobile Devices Mobile Platform Security