Instructor

Course Overview

"Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it." -Bruce Schneier

The course will be offered online. There will be four problem sets/programming projects due every other week (to be done in groups), a midterm, and the research project (with deliverables on weeks without a project due).

Coursework and Grading

• problem sets/projects: 4x10%
• research proposal = 20%
• midterm = 15%
• final = 15%
• participation (including online discussion) = 10%

Discussions and Online Participation

Assignments

• Project 1. Exploit writing. Due July 17. Project 1 and 2 instructions, box.tar.bz2, cs645-pp1.tar.bz, gdb example, gdb reference.
• Project 2 due July 31.
• Project 3 due August 14. ciphertexts.tar.gz Instructions in the README.
• Research Proposals due August 31. guidelines here
• Project 4 due August 31 (Extra Credit). Project 4 instructions, Project 4 code. Project 4 slides

Schedule

June 26 : Introduction: Computer and Network (In)Security

• Lecture 1
• Reading
  • David Dittrich, Michael Bailey, Sven Dietrich. Towards Community Standards for Ethical Behavior in Computer Security Research. Stevens CS Technical Report 2009-1, 20 April 2009.
  • Is there a security problem in computing?, Security in Computing, 4th edition, Pfleeger and Pfleeger.
  • Stuart Staniford, Vern Paxson, and Nicholas Weaver, How to 0wn the Internet in Your Spare Time, in the Proceedings of the 11th USENIX Security Symposium (Security '02).

July 3 : Software Security: Attacks

• Lecture 2
• Readings (Very Important for Project 1)
  • Aleph One, Smashing the Stack for Fun and Profit
  • blexim - Basic Integer overflows
  • Once upon a free()
  • c0ntex - How to hijack the Global Offset Table with pointers for root shells
  • scut / team teso, Exploiting Format String Vulnerabilities
  • Chien and Szor, Blended Attacks
  • Intel - Intel Architecture Guide for Software Developers

July 10 : Software Security: Defenses

• Lecture 3
• Readings
  ALSR Smack and Laugh Reference. This may be useful for project 2.
  • Hovav Schacham, The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) ACM CCS 2007.
  • Elliotte Harold, Fuzz testing

July 17 : Software Security: Defenses Part 2

• Lecture 4
• Readings
  • Malware slides
  • James E. Smith, An Overview of Virtual Machine Architectures,October 2001.
  • The Honeynet Project, Know your Enemy: Tracking Botnets

July 24 : Cryptography

• Lecture 5
• Handbook of Applied Cryptography, Chapter 7 (Block Ciphers)
• Wikipedia Entry on AES
• New Directions in Cryptography
• Bellare: OAEP: How to encrypt with RSA

July 31 : Online Midterm

August 7 : Authentication and Hashing

• Lecture 6
• Reading
• Handbook of Applied Cryptography, Chapter 9 (Hash Functions and Data Integrity)

August 14 : Privacy and Anonymity

• Guest Lecture from Roger Dingledine of The Tor Project : Slides1 Slides2
• Video talk - Internet Days Tor Overview
• Video talk - Internet Censorship

August 21 : Network and Web Security

• Lecture 9
• Project 4 slides

August 28 : Research Presentations / wrapup