CSci 454: Computer and Network Security, Spring 2018

General Information


Prerequisites

CSci 303 and CSci 304. Students are expected to have a good understanding of basic computer organization and design. Knowledge of computer architecture, networks, and programming will be useful.


Course Materials

Recommended Book: Security in Computing (5th Edition) by Charles P. Pfleeger et al.

Other useful books:

Slides will be uploaded to Piazza.

We will also use research papers posted on this page. Students must read the assigned papers before class.


Course Description

An introduction to the principles and practices of building secure systems. Covered topics include: software attacks (buffer overflow, integer overflow, etc.), malware, systems security, hardware attacks, operating system security, authentication and authorization, basics of cryptography, public key infrastructures, SSL/TLS, web security, IP security, and Denial of Service (DoS) attacks.


Grade Distribution

Optional Undergraduate Research Project: A 10-point bonus will be awarded if and only if a successful project is completed by the end of the semester (the final report is due during finals week). Talk to the instructor if you are interested.

Final letter grades will be given based on the standard scale used in WM. Grades may be curved at the instructor’s discretion.



Homework Assignments

There will be around 5 homework assignments. Some are written and some are programming assignments. The programming assignments may require root access on a Unix system, so it is recommended that you do them in a VirtualBox virtual machine running Linux; the recommended distribution is Ubuntu 16.04 LTS.

Submissions, Grading, and Deadlines

Homework assignments and reports must be submitted electronically (no hard copies) on Blackboard by midnight on the due date, in PDF format. You may use MS Word or LaTeX to typeset your answers, but the final submission must be a PDF. If an assignment requires you to submit code, place the code and your report in one directory, compress it, and upload the archive.

Some homeworks may carry more points than others.

Submission deadlines are hard. However, we do have a late/miss policy:

Late homework is accepted with a 20% penalty for each day it is late.

If you miss an exam or quiz, you will receive a zero for it. The lowest quiz score will be dropped.

Exceptions will be handled case by case and will only be considered under a university-approved condition with written proof.

If you have any grading-related questions, please contact the TA first. If issues are not resolved, then you can escalate the matter to the instructor. The instructor will make the final decision.

You are encouraged to discuss the assignments with your fellow students, especially on Piazza, but you must write your own reports.

Exams & Quizzes

Exams and quizzes are closed book. However, you may bring a single handwritten cheat sheet (one page, two-sided). Midterm exams are 50 minutes long; the final exam is 3 hours. No collaboration is allowed on exams or quizzes.


Semester Schedule (tentative; watch for updates!)

Week | Lecture | Date | Topic | Reading | Notes
1 | 1 | Wed, Jan 17, 18 | Introductions & Administrivia | |
 | 2 | Fri, Jan 19, 18 | Confidentiality, Integrity, Availability, Threat Models | Chapter 1.2 |
2 | 3 | Mon, Jan 22, 18 | Authentication, Passwords | Chapter 2.1 |
 | 4 | Wed, Jan 24, 18 | Access Control | Chapter 2.2 |
 | 5 | Fri, Jan 26, 18 | Trust and Trustworthiness, Multi-level Attacks | Reflections on Trusting Trust by Ken Thompson |
3 | 6 | Mon, Jan 29, 18 | Multi-level Attacks 2 | |
 | 7 | Wed, Jan 31, 18 | Memory Organization, Stack, ABI | Chapter 3.1 "Buffer Overflow"; Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan |
 | 8 | Fri, Feb 2, 18 | Buffer Overflow Attacks, Protections | Recommended: SoK: Eternal War in Memory by Szekeres |
4 | 9 | Mon, Feb 5, 18 | Buffer Overflow Attacks, Protections | On the Effectiveness of Address-Space Randomization by Shacham |
 | 10 | Wed, Feb 7, 18 | Code Reuse Attacks and Protections | The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) by Shacham |
 | 11 | Fri, Feb 9, 18 | Integer Overflow | Chapter 3.1 "Integer Overflow" |
5 | 12 | Mon, Feb 12, 18 | Format String Attacks | Recommended: Exploiting Format String Vulnerabilities |
 | 13 | Wed, Feb 14, 18 | Malware | Chapter 3.2 |
 | 14 | Fri, Feb 16, 18 | Isolation and Confinement | Chapter 3.3 |
6 | 15 | Mon, Feb 19, 18 | Timing and Side Channel Attacks | Cache Missing for Fun and Profit by Colin Percival |
 | 16 | Wed, Feb 21, 18 | Covert Channels | On the Privacy and Security of the Ultrasound Ecosystem |
 | | Fri, Feb 23, 18 | Midterm Review | |
7 | | Mon, Feb 26, 18 | Midterm 1 | Lecture slides, quizzes, your notes, homeworks |
 | 17 | Wed, Feb 28, 18 | Cryptography and Cryptanalysis, Basics | Chapter 2.3 |
 | 18 | Fri, Mar 2, 18 | Old Ciphers, One Time Pad | |
8 | | Mon, Mar 5, 18 | Spring Break | |
 | | Wed, Mar 7, 18 | Spring Break | |
 | | Fri, Mar 9, 18 | Spring Break | |
9 | 19 | Mon, Mar 12, 18 | Hash Functions (Guest Lecture) | Cryptography: Theory and Practice, Third Edition, chapter 4 (an e-copy of that book is available in the library); Chapter 12.4 from |
 | 20 | Wed, Mar 14, 18 | One Time Pad, Stream Ciphers | Chapter 12.1 |
 | 21 | Fri, Mar 16, 18 | Block Ciphers | Chapter 12.2 |
10 | 22 | Mon, Mar 19, 18 | Diffie-Hellman Key Exchange | Chapter 12.3 |
 | | Wed, Mar 21, 18 | Midterm Review | |
 | | Fri, Mar 23, 18 | Midterm 2 | |
11 | 23 | Mon, Mar 26, 18 | Digital Signatures, RSA | Chapter 12.3 |
 | | Wed, Mar 28, 18 | Cancelled | |
 | 24 | Fri, Mar 30, 18 | Digital Signatures, RSA | |
12 | 25 | Mon, Apr 2, 18 | Web Application Basics | Chapter 4.1; HTTP Basics |
 | 26 | Wed, Apr 4, 18 | Web Application Security | Chapter 4.2, 4.3; OWASP Top 10; SQL Injections |
 | 27 | Fri, Apr 6, 18 | Web Application Security | |
13 | 28 | Mon, Apr 9, 18 | User Authentication and Session Management | OWASP Cookies Cheatsheet |
 | | Wed, Apr 11, 18 | Guest Lecture | |
 | 29 | Fri, Apr 13, 18 | TLS/SSL, HTTPS | Chapter 6.6 |
14 | 30 | Mon, Apr 16, 18 | TLS/SSL, HTTPS | |
 | 31 | Wed, Apr 18, 18 | Network Security: IP, TCP, DNS, Routing, Defenses | |
 | 32 | Fri, Apr 20, 18 | Network Security: IP, TCP, DNS, Routing, Defenses | |
15 | 33 | Mon, Apr 23, 18 | Denial of Service (DoS) Attacks and Defenses | |
 | 34 | Wed, Apr 25, 18 | Meltdown & Spectre: Speculative Execution Attacks | |
 | | Fri, Apr 27, 18 | Final Exam Review | |
Finals | | Fri, May 4, 18 | Final Exam | |

CSci 554

Graduate students enrolled in CSci 554 are required to complete a semester-long research project. Please contact the instructor to select your project topic; all projects must be approved by the instructor. The project consists of 3 phases:

Phase 1 – Project determination:

Please send an email to the instructor by the deadline (Feb 20) containing:

  1. Project Name (think of this as your paper/report title)
  2. Problem Statement
  3. Expected Steps (setting up infrastructure, implementation, performing experiment, data analyses, etc.)
  4. Expected/possible outcome and contribution

Phase 2 – Project discussion with instructor

Please meet with the instructor during office hours at least twice during the semester to discuss the status of your project: any obstacles you have encountered, your plans, and what you expect to achieve. Your project proposal can be adjusted at this phase.

Phase 3 – Final report

Please submit your final project report by email, in PDF format, using the ACM sigconf format. The expected length is 4-8 pages. Your report should have the following sections:

  1. Problem Statement
  2. Introduction (with problem statement)
  3. Threat model (clearly explain all your assumptions)
  4. Background and Related Work
  5. Implementation Details
  6. Security analysis (required if you are proposing a security solution)
  7. Results
  8. Conclusions

If you need any help with the project or have any questions, contact the instructor during office hours. If you require access to computational resources or hardware, talk to the instructor.

Grade Distribution for CSci 554

Final letter grades will be given based on the standard scale used in WM. Grades may be curved at the instructor’s discretion.


Helpful Services

Students wanting to improve their academic writing or teaching/presenting skills should consider taking GRAD 520: ACADEMIC WRITING and GRAD 550: COLLEGE TEACHING. The courses are offered through the Reves Center and are aimed specifically at non-native English speakers. If interested, please contact Sarah G. Glosson at sgglos@wm.edu.

The Writing Resources Center (WRC) can help when students have questions about how to construct an argument, deliver a presentation, use and cite sources, and more. Please visit the WRC website to request a class visit, tour, or brochures. The Writing Resources Center, located on the first floor of Swem Library, is a free service provided to W&M students. Trained consultants offer individual assistance with writing, presentation, and other communication assignments across disciplines and at any stage, from generating ideas to polishing a final product.


Academic Accommodations

It is the policy of The College of William and Mary to accommodate students with disabilities and qualifying diagnosed conditions in accordance with federal and state laws. Any student who feels s/he may need an accommodation based on the impact of a learning, psychiatric, physical, or chronic health diagnosis should contact Student Accessibility Services staff at 757-221-2509 or at sas@wm.edu to determine if accommodations are warranted and to obtain an official letter of accommodation.


Honor Code

Students are required to follow the Honor System of the College of William and Mary.