CSC 481/681 - Fall 2019

The following gives a day-by-day breakdown of topics covered, readings assigned, and assignment handouts/due dates. Each topic includes several required readings that students should read before the topic is discussed in class – always look ahead a few days to see what readings you should be doing. Some topics also have supplemental (non-required) readings that students can look into if they want to delve more deeply into that topic.

The schedule in this class is flexible, and past dates will be updated to reflect what was actually covered. Future dates are always tentative and subject to change.

Day 1: Wednesday, August 21

Topics: Class overview and syllabus review; introduction to security: threats, vulnerabilities, and controls [Slides]
Handout: Syllabus

Day 2: Monday, August 26

Topics: Overview of computer security – basic goals and terminology – day 1 [Slides]

Required reading: Sections 1.1 and 1.4 from the textbook
Required reading: Hacked vs. Hackers: Game on, from the NY Times blog

Day 3: Wednesday, August 28

Topics: Overview of computer security – basic goals and terminology – day 2

Note: No class on Monday, September 2 (Labor Day Holiday)

Day 4: Wednesday, September 4

Reading: Textbook, section 1.3
Topics: High level view of cryptography [Slides]
Assigned: Assignment 1

Day 5: Monday, September 9

Reading: Textbook, sections 1.2, 9.1, and 9.2
Topics: Security (access control) models – day 1 [Slides]

Day 6: Wednesday, September 11

Topics: Security (access control) models – day 2

Day 7: Monday, September 16

Reading: Textbook, sections 2.1–2.5
Topics: Physical security [Slides]

Day 8: Wednesday, September 18

Reminder: Assignment 1 due!
Topics: Practical operating system and Linux overview
Assigned: Assignment 2

Day 9: Monday, September 23

Reading: Textbook Sections 3.1–3.3
Topics: Operating System Security – Basics [Slides]

Day 10: Wednesday, September 25

Topics: Operating System Security – Advanced (sandboxes, chroot, and containers) [Slides]

Required reading: Linux Virtualization – Chroot Jail, from the “GeeksforGeeks” website.
Required reading: What is a Container?, from the Docker web site.
Required reading: The Evolution of Linux Containers and Their Future, from the DZone web site.

Day 11: Monday, September 30

Topics: More on system separation (crypto devices, SGX, TrustZone) [Slides]

Required viewing: Intel SGX Introductory Overview (YouTube)
Required reading: F. McKeen et al., Innovative Instructions and Software Model for Isolated Execution, from the 2013 International Workshop on Hardware and Architectural Support for Security and Privacy.
Required reading: S. Thornton, Arm TrustZone explained (from the “Microcontroller Tips” web site)

Supplemental readings: The readings above are fairly light, and just designed to give you a brief overview of these two technologies. If you want to learn more, the following references are excellent (and very detailed – it will take a while to get through them!).

V. Costan and S. Devadas. Intel SGX Explained, IACR ePrint Archive. This is a detailed (118 pages!) overview and evaluation of SGX technology, by non-Intel researchers.
Arm TrustZone website This is the Arm developer web site, with links to full documentation and related information.
J. Van Bulk, et al. Foreshadow: Extracting the Keys to the Intel SGX Kingdon with Transient Out-of-Order Execution, USENIX Security Symposium, 2018. This paper shows how SGX is vulnerable to the recently-prominent class of attacks that take advantage of CPU speculative execution.

Day 12: Wednesday, October 2

Reminder: Assignment 2 due!
Topics: Review for midterm

Day 13: Monday, October 7

Midterm Exam!

Day 14: Wednesday, October 9

Reading: Textbook, Section 3.4
Topics: Software security and vulnerabilities – day 1 [Slides]
Assigned: Assignment 3

Note: No class on Monday, October 14 (Fall Break)

Day 15: Wednesday, October 16

Topics: Software security – day 2 [Slides]

Day 16: Monday, October 21

Topics: Software security and vulnerabilities – day 3

Required reading:
- Return-oriented programming. Yes, this is a Wikipedia page, but it gives a good high-level overview of return-oriented programming.
- Static analysis for security, by Gary McGraw. This is a little old (written in 2004), but it’s one of the best high-level “what is static analysis?” write-ups I could find.
- Fuzzing. Wikipedia again. This is pretty light, but gives a good overview. For more information on fuzz testing, see the last item in the supplemental reading list below.
Supplemental reading: Good information for students who want to dig deeper.
- StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, by Crispin Cowan. This is the original (1998) paper on StackGuard, the canary technique for detecting stack-smashing buffer overflow attacks. In addition to the content being relevant, this is a really good example of an applied security research paper.
- What is soundness (in static analysis)?, by Michael Hicks. A very nice writeup about trade-offs that have to be considered in creating a static analysis tool, and measures or concepts of “goodness” such as soundness, completeness, precision, and recall.
- Lessons from Building Static Analysis Tools at Google, by Sadowski, Aftandilian, Eagle, Miller-Cushon, and Jaspan (Communications of the ACM, April 2018). Experience with static analysis in a really large software organization is very different from examples in a classroom. This article talks about experiences with static analysis at Google.
- SAGE: Whitebox Fuzzing for Security Testing by Godefroid, Levin, and Molnar. Really nice article talking about fuzz testing.
- Evaluating Empirical Evaluations (for Fuzz Testing), by Michael Hicks. This is a blog post about research that the author did on the (ahem) fuzziness of evaluating fuzz testing (no, he didn’t put it that way, I did – sorry).

Day 17: Wednesday, October 23

Reminder: Assignment 3 due!
Reading: Textbook, Chapter 4
Topics: Complete “Software Security”, and begin Malware [Slides]
Assigned: Assignment 4
Graduate/Honors students: Report 1 due

Day 18: Monday, October 28

Topics: Malware – day 2

Day 19: Wednesday, October 30

Reading: Textbook, Chapter 5
Topics: Network Security I – day 1 [Slides]

Day 20: Monday, November 4

Topics: Network Security I – day 2

Day 21: Wednesday, November 6

Reminder: Assignment 4 due!
Topics: Network Security I – day 3
Assigned: Assignment 5
Graduate/Honors students: Report 2 due

Day 22: Monday, November 11

Reading: Textbook, Sections 6.1–6.4
Topics: Network Security II – day 1 [Slides]
Graduate/Honors students: Project topic due

Day 23: Wednesday, November 13

Topics: Network Security II – day 2

Day 24: Monday, November 18

Reading: Textbook, Chapter 7
Topics: Finish Network Security II, and start Web Security [Slides]

Day 25: Wednesday, November 20

Reminder: Assignment 5 due!
Topics: Web Security – day 2
Assigned: Assignment 6 – Final Challenge!

Day 26: Monday, November 25

Topics: Web Security – day 3
Graduate/Honors students: Project progress report due

Note: No class on Wednesday, September 27 (Thanksgiving Holiday)

Day 27: Monday, December 2

Reading: Textbook, Sections 8.1–8.4
Topics: Cryptography – day 1 [Slides]
Notes: Due to delayed schedule, only Section 8.1 (Symmetric Cryptography) covered (slides 1-19)

Day 28: Wednesday, December 4

Reminder: Assignment 6 due!
Topics: Last day of class – review

Final Exam

Friday, December 6, 12:00-3:00
Graduate/Honors students: Project final report due