Course schedule overview
The scheduling and selection of lecture topics is subject to
minor adjustment as the semester progresses, but the assignment
and exam dates are not expected to change.
| Date | Lecture topic | Other assignments due |
|---|---|---|
| Monday 9/2 | (No class, Labor Day holiday) | |
| Wednesday 9/4 | Introduction and logistics | |
| Monday 9/9 | Part 1 overview: security failures in action | |
| Wednesday 9/11 | Low-level vulnerabilities | |
| Monday 9/16 | Low-level attack techniques | |
| Wednesday 9/18 | Low-level defenses and counter-attacks 1 | Project pre-proposal |
| Monday 9/23 | Low-level defenses and counter-attacks 2 | |
| Wednesday 9/25 | Defensive programming and design 1 | |
| Thursday 9/26 | | Exercise set 1 due |
| Friday 9/27 | | Homework 1 early |
| Monday 9/30 | Defensive programming and design 2 | |
| Wednesday 10/2 | Access control basics | Project progress report |
| Friday 10/4 | | Homework 1 final |
| Monday 10/7 | Information-flow and mandatory access control | |
| Wednesday 10/9 | Protection, isolation, and assurance | |
| Thursday 10/10 | | Exercise set 2 due |
| Monday 10/14 | In-class midterm exam | |
| Wednesday 10/16 | Part 2 overview: protocols and attacks | |
| Monday 10/21 | Symmetric cryptography | |
| Wednesday 10/23 | Public-key cryptography | |
| Monday 10/28 | Crypto and protocol failures | |
| Wednesday 10/30 | "S" protocols for the Internet | |
| Thursday 10/31 | | Exercise set 3 due |
| Monday 11/4 | Web security: server side | Project progress report |
| Wednesday 11/6 | Web security: client side | |
| Monday 11/11 | Security middleboxes | |
| Wednesday 11/13 | Malware and network DoS | |
| Monday 11/18 | Privacy-enhancing network overlays | |
| Wednesday 11/20 | Usability of security | |
| Thursday 11/21 | | Exercise set 4 due |
| Monday 11/25 | Application: electronic voting | |
| Tuesday 11/26 | | Homework 2 due (recommended) |
| Wednesday 11/27 | Application: Bitcoin | |
| Sunday 12/1 | | Homework 2 due (final) |
| Monday 12/2 | Project presentations 1 | Project progress report |
| Wednesday 12/4 | Project presentations 2 | |
| Thursday 12/5 | | Exercise set 5 due |
| Monday 12/9 | Project presentations 3 | |
| Wednesday 12/11 | Project presentations 4 | Project final report |
| Monday 12/16 | Final exam, 1:30-3:30pm, ME-108 | |
Detailed reading and lecture schedule
- Wednesday, September 4th (6-up slides): high-level overview, roll call, course assignments and grading logistics. No readings.
- Monday, September 9th (6-up slides): overview of the first half of the course; examples of software and OS-level vulnerabilities and attacks. Readings: Anderson Chapter 1, "What Is Security Engineering?"; Anderson Chapter 25, "Managing the Development of Secure Systems".
- Wednesday, September 11th (6-up slides): Low-level vulnerabilities. Reading: Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole, "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade", DISCEX 2000. Mentioned in lecture: low-level gdb commands.
- Monday, September 16th (6-up slides): Low-level attack techniques. Reading: Tilo Müller, "ASLR Smack & Laugh Reference" (posted with permission of the author).
- Wednesday, September 18th (6-up slides): Low-level defenses and counter-attacks, part 1. Reading: Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti, "Control-flow integrity", ACM CCS 2005 (campus download link).
- Monday, September 23rd (6-up slides): Low-level defenses and counter-attacks, part 2. Reading: Hovav Shacham, "The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)", ACM CCS 2007 (campus download link).
- Wednesday, September 25th (6-up slides): Defensive programming and design, part 1. Readings: Jerome H. Saltzer and Michael D. Schroeder, "The Protection of Information in Computer Systems", Part I: Basic Principles of Information Protection; David Wheeler, "Secure Programming for Linux and Unix HOWTO", chapter 6: Avoid Buffer Overflow and chapter 7: Structure Program Internals and Approach.
- Monday, September 30th (6-up slides): Defensive programming and design, part 2. Reading: Daniel J. Bernstein, "Some thoughts on security after ten years of qmail 1.0", CSAW 2007.
- Wednesday, October 2nd (6-up slides): OS security: authentication and basic access control. Readings: Anderson Chapter 2, Usability and Psychology, sections 2.4-2.5: "Passwords" and "System Issues"; Chapter 15, Biometrics.
- Monday, October 7th (6-up slides): OS security: access control. Readings: Anderson Chapter 4, Access Control, and Chapter 8, Multilevel Security; Mark S. Miller, Ka-Ping Yee, and Jonathan Shapiro, "Capability Myths Demolished", Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University.
- Wednesday, October 9th (6-up slides): OS security: high assurance? Readings: Anderson Chapter 9, Multilateral Security, sections 9.1-9.2, and Chapter 26, System Evaluation and Assurance.
- Monday, October 14th: no lecture or readings; in-class midterm.
- Wednesday, October 16th (6-up slides): Introduction to network security: protocols and attacks. Readings: William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, "Firewalls and Internet Security: Repelling the Wily Hacker", Second Edition, Chapter 2, A Security Review of Protocols: Lower Layers, and Chapter 3, Security Review: The Upper Layers.
- Monday, October 21st (6-up slides): Symmetric cryptography. Readings: Anderson Chapter 5, Cryptography, sections 5.1-5.6. Discussion of midterm solutions.
- Wednesday, October 23rd (6-up slides): Public-key cryptography. Readings: Anderson Chapter 5, section 5.7; Jonathan Katz and Yehuda Lindell, "Introduction to Modern Cryptography", Chapter 1, Introduction, sections 1.1, 1.2, and 1.4.
- Monday, October 28th (6-up slides): Crypto protocols and crypto failures. Readings: Anderson Chapter 3, Protocols. Another reference for the protocol parts is the paper "Programming Satan's Computer" by Ross Anderson and Roger Needham, Computer Science Today 1995. It provides even more examples of broken protocols and design principles, but it is optional: you are not responsible for anything from it beyond what was covered in lecture.
- Wednesday, October 30th (6-up slides): "S" protocols for the Internet, and PKI. Reading: Christopher Meyer and Jörg Schwenk, "Lessons Learned From Previous SSL/TLS Attacks - A Brief Chronology Of Attacks And Weaknesses".
- Monday, November 4th (6-up slides): Web security, part 1. Reading: OWASP Top 10 - 2013: The Ten Most Critical Web Application Security Risks.
- Wednesday, November 6th (6-up slides): Web security, part 2. No additional reading.
- Monday, November 11th (6-up slides): Firewalls and intrusion detection. Readings: Anderson Chapter 11, Physical Protection; Cheswick and Bellovin Chapter 3 (first edition), Firewall Gateways; David Wagner and Paolo Soto, "Mimicry Attacks on Host-Based Intrusion Detection Systems", ACM CCS 2002 (campus download link).
- Wednesday, November 13th (6-up slides): Malware and network DoS. Readings: David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code", INFOCOM 2003; Marius Barat, Dumitru-Bogdan Prelipcean, and Dragoș Teodor Gavriluț, "A study on common malware families evolution in 2012", Journal of Computer Virology and Hacking Techniques, November 2013 (campus download link).
- Monday, November 18th (6-up slides): Privacy-enhancing network overlays. Readings: Anderson section 23.4, Privacy Technology (part of Chapter 23, The Bleeding Edge); Roger Dingledine, Nick Mathewson, and Paul Syverson, "Challenges in deploying low-latency anonymity" (draft).
- Wednesday, November 20th (6-up slides): Usability of security. Readings: Anderson Chapter 2, "Usability and Psychology"; Devdatta Akhawe and Adrienne Porter Felt, "Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness", USENIX Security Symposium, August 2013.
- Monday, November 25th (6-up slides): Electronic voting. Readings: Anderson section 23.5, Elections (part of Chapter 23, The Bleeding Edge); Joseph A. Calandrino, Ariel J. Feldman, J. Alex Halderman, David Wagner, Harlan Yu, and William P. Zeller, "Source Code Review of the Diebold Voting System", Executive Summary through Section 3: Major Attacks (pp. i-17); David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and Alan T. Sherman, "Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes", EVT 2008.
- Wednesday, November 27th (6-up slides): Bitcoin. Readings: Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System"; Dorit Ron and Adi Shamir, "Quantitative Analysis of the Full Bitcoin Transaction Graph", Financial Cryptography 2013.
- Monday, December 2nd: final project student presentations #1 (announcements 6-up slides).
- Wednesday, December 4th: final project student presentations #2.
- Monday, December 9th: final project student presentations #3 (announcements 6-up slides).
- Wednesday, December 11th: final project student presentations #4.
- Monday, December 16th: final exam, 1:30pm-3:30pm, in Mechanical Engineering 108 (same room as lectures).