CSE 127: Intro to Computer Security Spring 2022
Instructor:
George Obaido
Office hours: Wednesday 9:00am-10:00am
TAs:
Zijie Zhao, office hours: Tuesday 4:00pm-5:00pm
Satish Yerva, office hours: Wednesday 3:00pm-4:00pm
Karthik Mudda, office hours: Monday 11:00am-12:00pm
Sumanth Rao, office hours: Thursday 3:00pm-4:00pm
Lectures:
Tuesday/Thursday 6:30pm-7:50pm CENTR 101 in person/Zoom
Discussion:
Wednesday 5:00pm-5:50pm on Zoom
Class Resources:
- Zoom links and gradebook on Canvas
- Q&A on Piazza
- Informal discussion and community on Discord (sign-up link in Canvas)
- Assignment submission on Gradescope
- Lecture schedule, readings, and course policies on this web page
Grading:
40%: Homework assignments
20%: Midterm exam
40%: Final exam
Course Overview
This course focuses on computer security, covering a wide range
of topics on both the defensive and offensive side of this
field. Among these will be systems security and exploitation
(e.g., buffer overflows and return-oriented programming),
sandboxing and isolation, side channels, network security,
cryptography, privacy and anonymity, and legal and ethical
issues. The goal of the course is to provide an appreciation of
how to think adversarially with respect to computer systems as
well as an appreciation of how to reason about attacks and
defenses.
To complete the projects in this course, you will need to be
able to write code in Python, C, and (some) C++, and have some
understanding of x86 assembly, JavaScript, PHP, and SQL. We will
not teach these in lecture; you are expected to learn them on
your own or ask for help in section or office hours. If you
don't know C, K&R's The C Programming Language is a go-to, but
the Hacking book is probably enough and covers x86 assembly and
many of the topics in this class.
Pandemic Considerations
We will have in-person instruction, but there will also be a recorded component (on Zoom and podcast).
Midterm and final exams will be on Canvas on those dates.
Tentative Schedule
Date | Topic | References | Assignments |
03/29 (In person) |
Introduction and threat modeling
Lecture slides
|
Scribe Notes
This World of Ours by
James Mickens
Usenix
Security '18 Keynote by James Mickens
Optional further reading:
The Security
Mindset by Bruce Schneier
The
Security Mindset and "Harmless Failures" by Ed Felten
How
to think like a security professional by Yoshi Kohno
|
|
03/30 |
No Discussion |
|
|
03/31 (In Person) |
Threat modeling continued
Lecture slides
|
|
Assignment 0 available
|
04/05 (In person) |
Buffer overflow attacks
Lecture slides
|
Smashing the stack for fun and profit
by Aleph One
Optional further reading:
0x200-0x270, 0x300-0x320 from Hacking
Buffer Overflows:
Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle,
Calton Pu, Steve Beattie, and Jonathan Walpole
|
|
04/06 (Zoom) |
Discussion |
Week 2 Discussion Slides
|
|
04/07 (In person) |
Buffer overflow defenses
Lecture slides
Resources
|
Optional further reading:
Buffer Overflows:
Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle,
Calton Pu, Steve Beattie, and Jonathan Walpole
ASLR
NOEXEC
|
Assignment 1 available
|
04/10 |
|
|
Assignment 0 due
|
04/12 (Zoom) |
Memory safety
Lecture slides
External Code Resource
|
Low-level
Software Security by Example by Ulfar Erlingsson, Yves Younan, and Frank Piessens
Understanding
glibc malloc
Optional further reading:
Return-Oriented Programming: Systems,
Languages, and Applications by Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan
Savage
Hacking
Blind by Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, Dan Boneh
Control-Flow
Integrity by Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti
|
|
04/13 (Zoom) |
Discussion |
Week 3 Discussion Slides
|
|
04/14 (Zoom) |
Isolation
Lecture slides
|
The Road to Less Trusted Code:
Lowering the Barrier to In-process Sandboxing by Tal Garfinkel, Shravan Narayan, Craig
Disselkoen, Hovav Shacham, and Deian Stefan
Optional further reading:
Operating
System Security by Trent Jaeger
Android System and kernel
security
iOS Security Guide
|
|
04/19 (Zoom) |
Side channels
Lecture slides |
|
Assignment 1 due
Assignment 2 available
|
04/20 (Zoom) |
Discussion
|
Week 4 Discussion Slides
|
|
04/21 (Zoom) |
Web intro
Lecture slides
|
CSRF, XSS, SQLi
notes
SQL
Injection
Optional further reading:
Web technology for developers
Browser Security Handbook: Basic
concepts behind web browsers
|
|
04/26 (Zoom) |
Web attacks and defenses
Lecture slides
|
Scribe notes
Robust defenses for
cross-site request forgery by Adam Barth, Collin Jackson, and John C. Mitchell
|
|
04/27 (Zoom) |
Discussion: Midterm Review
|
Week 5 Discussion Slides
|
|
04/28 (Zoom) |
Network intro
Lecture slides
|
Optional further reading:
Wikipedia: Autonomous
System
Wikipedia: OSPF routing
Wikipedia: Border Gateway
Protocol
Wikipedia: User Datagram
Protocol
Wikipedia: Transmission
Control Protocol
Wikipedia: Domain Name System
|
Assignment 2 due
|
05/03 (Zoom) |
Network attacks and defenses
Lecture slides
|
Security problems in the TCP/IP
protocol suite by Steven Bellovin
A Look Back at "Security
Problems in the TCP/IP Protocol Suite" by Steven Bellovin
SAD DNS Explained by Marek Vavrusa
and Nick Sullivan
NAT Slipstreaming by Samy Kamkar
Optional further reading:
|
|
05/04 (Zoom) |
Discussion
|
|
|
05/05 |
Midterm Exam (6:30pm - 7:50pm) |
Remote (Gradescope). |
Assignment 3 available (11:59 PM)
|
05/09 (Zoom) |
Discussion
|
Week 7 Discussion Slides
|
|
05/10 (Zoom) |
Network defenses
Lecture slides
|
Security problems in the TCP/IP
protocol suite by Steven Bellovin
A Look Back at "Security
Problems in the TCP/IP Protocol Suite" by Steven Bellovin
SAD DNS Explained by Marek Vavrusa
and Nick Sullivan
NAT Slipstreaming by Samy Kamkar
Optional further reading:
|
|
05/12 (Zoom) |
Symmetric cryptography
Lecture slides
|
Ch. 5 of Security Engineering
by Ross Anderson
Optional further reading:
Communication Theory of
Secrecy Systems by Shannon
|
|
05/17 (Zoom) |
Public-key cryptography
Lecture slides
|
Ch. 5 of Security Engineering
by Ross Anderson
Optional further reading:
Modular arithmetic
lecture notes from Berkeley CS 70
Basic number
theory lecture notes from Boaz Barak
New
Directions in Cryptography by Whitfield Diffie and Martin E. Hellman
|
Assignment 4 available
|
05/18 (Zoom) |
Discussion
|
Week 8 Discussion Slides
|
|
05/19 (Zoom) |
TLS and secure channels
Lecture slides
|
The Illustrated TLS 1.2 Connection
The Illustrated TLS 1.3 Connection
WoSign gave SSL certificate for GitHub.com
Lavabit founder refused FBI order to hand over email encryption keys
|
|
05/24 and 26 (Zoom) |
Authentication and passwords
Lecture slides
|
IDN Phishing by Xudong Zheng
Hashcat Tutorial Beginners
Computer Security Memes
|
Assignment 4 due
Assignment 5 available
|
05/25 (Zoom) |
Discussion |
Week 9 Discussion Slides
|
|
05/26 (Zoom) |
Privacy and anonymity
Lecture slides
|
Ch. 25 of Security
Engineering by Ross Anderson
Optional further reading:
Why
Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma Whitten and Doug
Tygar
Tor: The
Second-Generation Onion Router by Roger Dingledine, Nick Mathewson, and Paul
Syverson
Bernstein v. United States
Off-the-Record Communication, or, Why Not To
Use PGP by Nikita Borisov, Ian Goldberg, and Eric Brewer
Forward Secrecy for
Asynchronous Messages by Moxie Marlinspike
Robust De-anonymization of
Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov
|
|
05/31 (Zoom) |
Ethics, law, and policy
Lecture slides
|
Optional further reading:
Privacy
and the Limits of Law by Ruth Gavison
Cyber-security Research Ethics Dialog &
Strategy Workshop (CREDS 2013)
Going Bright: Wiretapping
without Weakening Communications Infrastructure by Steve Bellovin, Matt Blaze, Sandy
Clark, and Susan Landau
|
|
06/01 (Zoom) |
Discussion
|
Week 10 Discussion Slides
|
Assignment 5 due
|
06/02 (Zoom) |
Conclusion and special topics (Cancelled)
|
Security without
identification: Transaction systems to make Big Brother obsolete by Chaum 1985
Risks of
Cryptocurrencies by Nicholas Weaver
|
|
06/01 |
|
|
|
06/06 |
Final Exam: 11:30am - 2:30pm |
Gradescope |
|
Assignments
We will have several programming assignments. These assignments are meant to both reinforce your knowledge of
the concepts covered in lecture and get you to think about security in more depth, beyond what is covered
in lecture.
You may work on the assignments in groups of one or two. You may discuss the assignments with other students
from the course in general but not any specific solution. You will have two late days you can use to turn in
assignments late for any reason. Late days will be deducted from both group members, and both group members
must have late days in order to use them. No other extensions will be given. If you have an unforeseen
long-term emergency that affects all of your classes (hospitalization, death of an immediate family member, etc.),
please reach out to us and the student affairs office to coordinate alternate arrangements.
If you consult anything (books, academic papers, internet resources, people) when working on the assignments,
note this in your submission. We encourage outside learning but expect you to not seek out specific details
about a solution—anything submitted should be considered your own work. Similarly, you are expected to not
publish or otherwise share your solutions at any point (even after the class is over). If you are unsure
about what is allowed, please ask the course staff.
By taking this course, you implicitly agree to abide by the UCSD policies on Integrity of
Scholarship and Student Conduct.
See the Academic Integrity
Support for Remote Learning. University rules on integrity of scholarship and code of conduct are
taken seriously and will be enforced.
Additional Resources
No textbook is required, but if you would like additional resources the following may be useful: