CS 161: Computer Security
Lectures:
Tuesday/Thursday 5:00-6:30, 155 Dwinelle
The lecture schedule is subject to change and will be revised as the course progresses.
Date | Topic | Readings | Slides |
---|---|---|---|
Thu 8/25 | Introduction & Philosophy | [optional: G&T § 1.1, Craft § 1-1.1, 1.3] | slides 1 |
Tue 8/30 | Memory Vulnerabilities 1 | Notes from Dave Wagner from Sp16. [G&T § 3.4, Craft § 6.1-6.3] | slides 2 |
Thu 9/1 | Memory Vulnerabilities 2 | David Wagner's Notes on Reasoning About Code and Secure Software Development. [Craft § 6.5-6.7] Eevee's guide "Testing for People Who Hate Testing" | slides 3 |
Tue 9/6 | OS Security 1 | David Wagner's Notes on Design Patterns and Security Principles. Optional reading: Apple iOS Security Guide | slides 4 |
Thu 9/8 | OS Security 2 | The Chromium Sandbox; "Why Do Smartphones Make Great Bugs" by Lesley Carhart (aka @hacks4pancakes); The Thing; Learning from the Enemy: the GUNMAN Project (optional, but super cool!); man pages: fork, clone, chroot, seccomp, shm_overview | slides 5 |
Tue 9/13 | Cryptography 1: Symmetric-key encryption | [G&T § 8.1.0, 8.1.1, 8.1.3, Craft § 7.1, 7.3.2, 7.3.3] Symmetric-Key Cryptography | slides 6 |
Thu 9/15 | Cryptography 2: Block ciphers, start on asymmetric-key cryptography | [G&T § 8.1.6, 8.1.7] | slides 7 |
Tue 9/20 | Cryptography 3: Key exchange, public-key encryption (Project 1 due) | [G&T § 8.2.1, 8.2.4, Craft § 7.5] [G&T § 8.2.1, 8.2.3, Craft § 7.5] Asymmetric Cryptography Notes | slides 8 |
Thu 9/22 | Cryptography 4: Integrity (hashes, MACs) | [G&T § 8.2.3, 8.4.1, 8.4.3, Craft § 7.4.2] Integrity Notes | whiteboard |
Wed 9/28 | Midterm 1, 8:30-10:00 PM | | |
Thu 9/29 | Applied Craptography: Bitcoin | How To Make Money With Bitcoin in 10 Easy Steps; The DAO Hack pt 1 and pt 2 | slides 9 |
Tue 10/4 | Cryptography 5: Key management and password hashing | [G&T § 8.3] Passwords Notes | slides 10 and whiteboard |
Thu 10/6 | Cryptography and Craptography: HMAC, Random Numbers, and Crypto Fails (Proj 2 pt 1 due) | [Craft § 8.1] | slides 11 |
Tue 10/11 | Network Security 1: Ethernet | Two pieces on Packet Injection. Wikipedia of note: Ethernet, Network Switches, DHCP, ARP [G&T 5.1, 5.2.1, 5.2.2, 5.3.1, 5.4.0, 5.4.1, 5.4.2, Craft 5.1, 5.4.1] | Slides 12 |
Thu 10/13 | Network Security 2: DNS | Wikipedia DNS. DNS Packet Format. [G&T 6.1.1-6.1.3] Kaminsky attack on DNS; Illustrated guide to the Kaminsky attack | Slides 13 |
Tue 10/18 | Network Security 3: IP and TCP | Border Gateway Protocol; Transmission Control Protocol [G&T 5.2.3, 5.3.3, 5.3.4, 5.4.4, Craft 5.3.1] | Slides 14 |
Thu 10/20 | Network Security 4: TLS (Project 2 pt 2 due) | The WoSign Saga; TLS Wikipedia (also links to Certificates and certificate authorities) [G&T § 8.3] | Slides 15 |
Tue 10/25 | Network Security 5: DOS and Firewalls (Homework 2 due) | [G&T 5.5.0, 5.5.1, 5.5.2, 5.5.4], [G&T 6.2, Craft 5.3.2] Dave Wagner's Notes on Firewalls | Slides 16 |
Wed 10/26 | Midterm 2, 8:30-10:00 PM | | |
Thu 10/27 | Network Security 6: DNSSEC | | Slides 17 |
Tue 11/1 | Web Security 1: Intro to web security, same-origin policy | [G&T 7.1.1, 7.1.3, Craft 12.1.1, 12.1.2, 12.1.3] | Slides 18 |
Thu 11/3 | Web Security 2: Injection vulnerabilities | [G&T 7.2.6, 7.3.1, 7.3.2, 7.3.3, 7.3.6] | Slides 19 |
Tue 11/8 | Web Security 3: XSS, Cookies | [G&T 7.1.4, 7.2.1, 7.2.6, 7.2.7, 7.3.6, Craft 12.1.4] | Slides 20 |
Thu 11/10 | Web Security 4: Session management, CSRF | [G&T 7.1.4, 7.2.1, 7.2.6, 7.2.7, 7.3.6, Craft 12.1.4] | Slides 21 |
Tue 11/15 | Web Security 5: UI Attacks and Tracking | [G&T 7.2.3] | Slides 22 |
Thu 11/17 | Network Monitoring 1: Defense | | Slides 23 |
Tue 11/22 | Network Monitoring 2: Welcome to the Panopticon(s) | | Slides 24 |
Thu 11/24 | Thanksgiving | | |
Tue 11/29 | Secure messaging | Optional reading | Slides 25 (with projector notes) |
Thu 12/1 | Tor and attacks on Tor | | Slides 26 |
Fri 12/2 | Homework 3 due | | |
Tue 12/6 | Review | | |
Thu 12/8 | Review | | |
Thu 12/15 | Final, 11:30-2:30 | | |
Staff
Apoorva Dornadula | Rebecca Portnoff | Warren He |
Mitar | Rohan Mathuria | Rohit Sinha |
Calvin Li | Kevin Chen |
Office hours:
M 12P-1P Warren | 283H Soda
M 1P-2P Rohan | 283E Soda
M 5P-6P Mitar | 341A Soda
T 3P-4P Warren | 283H Soda
T 3:30P-4:45P Nick | 329 Soda
W 2P-3P Rohit | 529 Cory
W 3P-4P Calvin | 341B Soda
W 4P-5P Apoorva | 341B Soda
R 1P-2P Rebecca | 341A Soda
R 3:30P-4:45P Nick | 329 Soda
R 4P-5P Apoorva | 283E Soda
F 12P-1P Mitar | 651 Soda
F 2P-3P Rohan | 341B Soda
F 4P-5P Calvin | 341B Soda
F 5P-6P Kevin | 283E Soda
Discussion section handouts:
N/A
Discussion section times:
DIS 101 W 12:00P-12:59P | 3109 Etcheverry -- Warren
DIS 102 W 1:00P-1:59P | 3109 Etcheverry -- Calvin
DIS 103 W 2:00P-2:59P | 3 Evans -- Rohan
DIS 104 W 3:00P-3:59P | 3 Evans -- Mitar
DIS 105 W 4:00P-4:59P | 3105 Etcheverry -- Mitar
DIS 106 W 5:00P-5:59P | 9 Evans -- Apoorva
DIS 107 Th 10:00A-10:59A | 3113 Etcheverry -- Rohit
DIS 108 Th 11:00A-11:59A | 3113 Etcheverry -- Rebecca
DIS 109 W 1:00P-1:59P | 107 Genetics & Plant Bio -- Apoorva
DIS 110 Tu 7:00P-7:59P | 405 Soda -- Calvin
DIS 111 W 5:00P-5:59P | 320 Soda -- Kevin
DIS 112 W 6:00P-6:59P | 320 Soda -- Rohan
Homeworks:
Homeworks will be submitted electronically via GradeScope. Homework solutions must be legible; we may mark off for difficult-to-read solutions, or even refrain from grading them entirely.
No late homeworks accepted.
Schedule for homeworks:
There will be approximately 3-4 homeworks.
Projects
There will be 3 course projects. We will penalize late project submissions as follows: less than 24 hours late, you lose 10%; less than 48 hours late, you lose 20%; less than 72 hours late, you lose 40%; at or after 72 hours, late submissions no longer accepted. (There are no "slip days".)
Note that this late policy applies only to projects, not homeworks (homeworks cannot be turned in late).
Schedule for projects:
- Project 1 is due September 20th at 11:59pm PST
- Project 2 (student framework)
- Part 1 is due October 6th at 11:59pm PST
- Part 2 is due October 18th at 11:59pm PST
- Project 3 (VM) is due November 17th at 11:59pm PST
In Spring 2014, the CSUA held a review session on C programming; the slides are available in pdf and PowerPoint format.
Exams
There will be two midterms and one final exam.
All exams are mandatory. If you will be unable to attend any of these dates, you must contact the instructors (via a private message on Piazza) at some point during the first week of classes.
Grading
We will compute grades from a weighted average, as follows:
- Homeworks: 16%
- Projects: 24%
- Midterms: 30%
- Final exam: 30%
Course Policies
**Contact information:** If you have a question, the best way to contact us is via the class Piazza site. The staff (instructors and TAs) will check the site regularly, and if you use it, other students will be able to help you too. Please avoid posting answers or hints on homework/project questions before the homework/project is due.
If your question is personal or not of interest to other students, you are encouraged to mark the question as private on Piazza: select "Post to: Individual Student(s)/Instructor(s)" at the top and then type "Instructors" in the field underneath it. If you wish to talk with one of us individually in person, you are welcome to come to any of our office hours. We prefer that you use these methods instead of sending us email; email regrettably does not scale well to a class of this size.
**Announcements:** The instructors and TAs will periodically post announcements, clarifications, etc. to the Piazza site. Hence it is important that you check it regularly throughout the semester.
**Prerequisites:** The prerequisites for CS 161 are CS 61B, CS 61C, and CS 70. **We assume basic knowledge of Java, C, and Python.** You will need to have a basic familiarity using Unix systems.
Your secret password for HW0 Q3 is: l33tskillz
(Don't share it with anyone.)
**Collaboration:** Homeworks will specify whether they must be done on your own or may be done in groups. Either way, you must write up your solutions entirely on your own. For homeworks, you must never read, see, or copy the solutions of other students, and you must not allow other students to see your solutions. For projects, you must never read, see, or copy the code or solutions of other students (except for your project partner, for group projects), and you must not allow other students (except for your project partner) to see your solutions or code.
You may use books or online resources to help solve homework problems, but you must always credit all such sources in your writeup and you must never copy material verbatim. Not only is this good scholarly conduct, it also protects you from accusations of theft of your colleagues' ideas. You must not ask for homework/project solutions on Stack Overflow or other online sites; you may ask for help with conceptual questions, but you must credit your sources. You must not receive help on homeworks or projects from students who have taken the course in previous years, and you must not review homework or project solutions from previous years.
You must ensure that your solutions will not be visible to other students. If you use Github or another source control system to store your solutions electronically, you must ensure your account is configured so your solutions are not publicly visible. If you use Github, Github offers free student accounts that allow you to keep your solutions private; please use one.
We believe that most students can distinguish between helping other students understand course material and cheating. Explaining a subtle point from lecture or discussing course topics is an interaction that we encourage, but you should never read another student's homework/project solution or partial solution, nor have it in your possession, either electronically or on paper (except for your project partner, for group projects). You must never share your solutions, or partial solutions, with another student (other than your project partner, for group projects), not even with the explicit understanding that it will not be copied -- not even with students in your homework group. You must write your homework solution strictly by yourself.
Warning: Your attention is drawn to the Department's Policy on Academic Dishonesty. In particular, you should be aware that copying or sharing solutions, in whole or in part, from other students in the class or any other source without acknowledgment constitutes cheating. Any student found to be cheating risks automatically failing the class and referral to the Office of Student Conduct.
**Ethics:** We will be discussing attacks in this class, some of them quite nasty. None of this is in any way an invitation to undertake these attacks in any fashion other than with informed consent of all involved and affected parties. The existence of a security hole is no excuse. These issues concern not only professional ethics, but also UCB policy and state and federal law. If there is any question in your mind about what conduct is allowable, contact the instructors first.
**Computer accounts:** We will use 'class' accounts this semester. You can get your account at webacct. When you first log into your account, you will be prompted to enter information about yourself; that will register you with our grading software. If you want to check that you are registered correctly with our grading software, you can run check-register at any time.
**Textbook:** The class does not have a required textbook. We want to help you save money, so please don't feel obligated to buy a textbook. However, we know that some students appreciate additional reading to supplement lectures; for them, we recommend Introduction to Computer Security by Michael Goodrich & Roberto Tamassia (ISBN-10: 0321512944, ISBN-13: 9780321512949). We also recommend The Craft of System Security by Sean Smith and John Marchesini. We will list optional readings from these textbooks which you can use to help learn the course topics, but all readings from these books are entirely optional.
**Lecture notes:** We will provide lecture notes and/or slides for many of the lectures. Lecture notes and slides are _not_ a substitute for attending class, as our discussion in class may deviate from the written material. You are ultimately responsible for material as presented in lecture and section. Attendance during the first two weeks of class is mandatory.
**Discussion sections:** Attendance at discussion sections is expected, and sections may cover important material not covered in lecture. Outside of your discussion section, you should feel free to attend any of the staff office hours (not just your section TA's office hours) and ask any of us for help.
**Re-grading policies:** Any requests for grade changes or re-grading must be made within one week of when the work was returned. To ask for a re-grade for material graded on GradeScope, submit a regrade request on GradeScope. Procedures to request a re-grade for other coursework will be provided shortly. We will not accept verbal re-grade requests. Don't expect us to re-grade your homework on the spot: we normally take the time to read your appeal at some point after it is submitted.
Bear in mind that a primary aim in grading is consistency, so that all students are treated the same. For this reason, we are unlikely to adjust the score of individual students on an issue of partial credit if the score allocated is consistent with the grading policy we adopted for that problem.
**More on homeworks:** If a problem can be interpreted in more than one way, clearly state the assumptions under which you solve the problem. In writing up your homework you are allowed to consult any book, paper, or published material, except solutions from previous classes or elsewhere, as stated under the Collaboration section. If you consult external sources, you must cite your source(s). We will make model solutions available after the due date, and feedback will be available via glookup or GradeScope.
**Late homework policy:** We will give no credit for homework turned in after the deadline. Please don't ask for extensions. We don't mean to be harsh, but we prefer to make model solutions available shortly after the due date, which makes it impossible to accept late homeworks.
**Don't be afraid to ask for help!** Are you struggling? We'd much rather you approached us for help than gradually fall behind over the semester until things become untenable. Sometimes this happens when students fear a possibly unpleasant conversation with a professor if they admit to not understanding something. We would much rather resolve/remedy your misunderstanding early than have it expand into further problems later. Even if you are convinced that you are the only person in the class that doesn't understand the material, and think it must be entirely your fault for falling behind, please overcome this concern and ask for help as soon as you need it. Remember, helping you learn the material is in fact what we're paid to do, after all!
**Advice:** The following tips are offered based on our experience with CS 161:
1. **Don't wait until the last minute to start projects!** The projects can be time-consuming. Pace yourself. Students who procrastinate generally suffer.
2. **Make use of office hours!** The instructors and TAs hold office hours expressly to help you. It is often surprising how many students do not take advantage of this service. You are free to attend as many office hours as you wish. You are not constrained just to use the office hours of your section TA. You will likely get more out of an office hour visit if you have spent some time in advance thinking about the questions you have, and formulating them precisely. (In fact, this process can often lead you to a solution yourself!)
3. **Participate actively in discussion sections!** Discussion sections are not auxiliary lectures. They are an opportunity for interactive learning. The success of a discussion section depends largely on the willingness of students to participate actively in it. As with office hours, the better prepared you are for the discussion, the more you are likely to get out of it.