Time and room: 01:00-02:15PM Mondays and Wednesdays, Mechanical Engineering Room 212
Computer Science 5271 is an introductory graduate-level course on computer security. It covers a broad variety of basic topics in security, focusing on the scientific principles behind attacks and defenses, rather than the specifics of particular technologies. For example, we will discuss firewalls in this course: after this course, you will probably not know which commercial firewall to pick or the exact details of how to configure it; but you will know what a firewall can do (in general) to protect a computer system and also the inherent limitations of firewalls. The primary emphasis of this course is on preparing students for research in security, and teaching how to apply security principles to research in other CS areas. However, students interested in practicing security will learn important principles that a more applied course might not teach.
Goals and Objectives
"Think like an adversary" is the most important aspect of working and doing research in computer security. Different from other subfields of computer science, there typically lacks a uniform or utimate solution in computer security, and thus "build it, break it, and fix it" is a common theme in the course. At the end of the course you should be able to:
- Use computer systems and the Internet in a secure manner.
- Recognize common vulnerabilities in protocols, designs, and programs.
- Eliminate or minimize the impact of these vulnerabilities.
- Apply the principal security standards in use today to design and build secure applications.
- Apply principles, concepts, and tools from security to your own research.
The listed prerequisite for this course is an undergraduate course in operating systems, and an undergraduate course in networking is also recommended. At UMN, these courses are CSci 4061 and CSci 4211, respectively. More generally, we expect students to have the skills that are mostly covered in an undergraduate computer science major. In particular, students should be able to write and debug programs in C and Java by themselves. Note that it is not a proper use of the instructor or TA's time to help get your code running. Students should also feel comfortable understanding and modifying programs written in other languages such as scripting languages (e.g. Perl, PHP, Python), Unix shells, and SQL. We expect students to put in time outside of class to master the concepts presented in class, and we expect students to be resourceful: if a topic is mentioned in lecture along with a name, you can probably learn more from textbooks, online articles, etc.
The course website will have a schedule of the topics that will be covered in each lecture, along with readings for each topic. Students are responsible for reading the appropriate materials before coming to the lecture. Note that some points that are not covered in lectures may appear on homeworks and exams. Lecture slides will be linked from the schedule within a week after the corresponding lecture, but reviewing the slides is intended to supplement, not replace, attending lecture.
Because the area of computer security is changing quickly, it is hard to produce a good textbook that covers all materials in our class. Therefore, there is no required textbook for this course, and all assigned readings will be provided through links on this course web page. Nonetheless, there are still some optional textbooks that are useful for this course.
"Security Engineering - A Guide to Building Dependable Distributed Systems", Ross Anderson. This book will be the general reference for this class and is now available free online. You may download it here. This is a great book for understanding the adversarial perspective in security; it covers many of the course's main topics at a high level, as well as drawing on examples of security thinking outside strictly computer applications. It's also a lot more fun to read than the average CS textbook. However it doesn't go into as much technical detail as we will in many areas.
More recommended textbooks for reading:
- Computer Security: Principles and Practice, 2nd or 3rd Edition, William Stallings and Lawrie Brown.
- Hacking: The Art of Exploitation, 2nd Edition, Jon Erickson.
- 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them, Michael Howard, David LeBlanc, John Viega.
- Firewalls and Internet Security, 2nd Edition, William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin.
- Cryptography Engineering: Design Principles and Practical Applications, Niels Ferguson, Bruce Schneier, Tadayoshi Kohno.
Grading for this course will be based on the following components:
Exercises: For each sub-topic area, we will have a set of exercises that you should complete before the due dates. There will be five sets of exercises which do not require much programming. The exercise questions and their due dates will be posted on the course web site. Students may work individually or in groups of 2 or 3 on the exercises, but be warned that even if you work in a group, you are still individually responsible for what the group turns in. That is, it's not an excuse that someone else in the group "was supposed to turn in the assignment" and didn't, or "didn't finish part C" of an exercise. Exercise solutions must be electronically typeset and submitted via moodle.
Lab Assignments: Corresponding to the two major-topic divisions (system security and network security), there will be two lab assignments that require programming effort. Similarly, details about the lab assignments and due dates will be posted on the web site. Students will turn in them via the Moodle. You may also work in groups of up to 3 students on the lab assignments, and the same warning about collective responsibility applies. Working alone on the homeworks is highly discouraged as they can be a lot of work. The lab assignments will particularly call on your skills in C programming and the Unix shell environment.
Exams: There will be an open-book, open-notes midterm exam held during class on 10/17/2018 (Wednesday), and an open-book, open-notes final exam held on TBD. Both exams will have a similar format: mixing multiple-choice, true-false, and short answer questions. Please notice that the exam dates are fixed, and there will be no makeup exams.
Course Project: Students will work in groups of 3-6 students over the course of the semester to complete an original research project related to computer security. Students can define research projects together with the instructor, or more likely extend or attack the results of another recently-published paper. More information on projects has been or will be included on the "Projects" page, and it is part of the course syllabus and students are expected to read and understand it. The course project will be graded based on a presentation (20%) and reports (80%) which include pre-proposal, three mandatory progress meetings and reports, and the final report.
Late submissions: All submissions are worth 50%, up to 24 hours after the submission deadline and 0 points after that.
Final scores will be computed as a weighted average of the exercises score (10%), lab assignments score (15%), midterm score (20%), final exam score (25%), and project score (30%). Grades will be assigned strictly on the following scale:
Grade Minimum Score
Collaboration and External Sources
We generally permit and sometimes encourage students to collaborate on the exercises, homeworks, and course projects for the best results and to maximize everyone's learning. We also ocassionally encourage the use of online resources for completing assignments in this course. However, it is never acceptable to use someone else's work without acknowledging it. Every source you use or modify for an exercise, homework or project must be explicitly acknowledged. Failure to do so will be considered plagiarism.
The University Student Conduct Code defines scholastic dishonesty as: submission of false records of academic achievement; cheating on assignments or examinations; plagiarizing; altering, forging, or misusing a University academic record; taking, acquiring, or using test materials without faculty permission; acting alone or in cooperation with another to falsify records or to obtain dishonestly grades, honors, awards, or professional endorsement. In this course, a student found responsible for scholastic dishonesty will at a minimum receive a grade of 0 for the assignment in question and be reported to the campus-wide Office for Community Standards (OCS). More serious offenses will receive a grade of F (or N) for the course and be subject to additional sanctions from the University. You should also read this page about academic conduct in computer science. Students are also required to abide by the Student Conduct Code. Please do read UMN's STUDENT CONDUCT CODE.
Other Applicable Policies: By the nature of this class, we will often discuss techniques that could be used to compromise the security of certain computer systems. However, it is very important that you never apply these techniques to a computer without the permission of the computer's owner. In particular you should never attempt to attack the security of computers that belong to CSE Labs, the department, the University, or an unsuspecting classmate. If we learn that a student has unethically exploited a vulnerability discussed in class, ** that student will fail**. This is in addition to any University-level, department-level or legal penalties such an action may be subject to.
(This syllabus is based on documents used in previous editions of CSci 5271 that were written by Professors Stephen McCamant and Nick Hopper.)