CSC 481/681 - Fall 2020

The following gives a day-by-day breakdown of topics covered, readings assigned, and assignment handouts/due dates. Each topic includes several required readings that students should read before the topic is discussed in class – always look ahead a few days to see what readings you should be doing. Some topics also have supplemental (non-required) readings that students can look into if they want to delve more deeply into that topic.

The schedule in this class is flexible, and past dates will be updated to reflect what was actually covered. Future dates are always tentative and subject to change.

Day 1: Wednesday, August 19

Topics: Class overview and syllabus review; introduction to security: threats, vulnerabilities, and controls [Slides]
Handout: Syllabus

Day 2: Monday, August 24

Reading: Textbook sections 1.1 and 1.4
Topics: Overview of computer security – basic goals and terminology – day 1 [Slides]
Optional reading on usability in security: Alma Whitten and J. D. Tygar. Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 1999, pp. 169–183.

Day 3: Wednesday, August 26

Topics: Overview of computer security – basic goals and terminology – day 2

Day 4: Monday, August 31

Reading: Textbook, sections 1.2, 9.1–9.2
Topics: Security (access control) models – day 1 [Slides]

Day 5: Wednesday, September 2

Topics: Security (access control) models – day 2

Note: No class on Monday, September 7 (Labor Day Holiday)

Day 6: Wednesday, September 9

Due: Assignment 1
Graduate/Honors students: Research Reading Summary 1 due
Reading: Textbook section 1.3 and supplied reading
Topics: Cryptography: Basic cryptographic threat model, key sizes, brute force attacks, and estimation techniques [Slides]

Day 7: Monday, September 14

Reading: Textbook, sections 8.1–8.2
Topics: Randomization, probability theory review, entropy, and effect on brute force search (slides continued from last time)

Day 8: Wednesday, September 16

Topics: Fundamental cryptographic protections - encryption (symmetric and public key) and hash functions [Slides]

Day 9: Monday, September 21

Graduate/Honors students: Research Reading Summary 2 due
Reading: Textbook, sections 8.3–8.4
Topics: Cryptography for integrity - MACs, digital signatures, certificates (slides continued – more slides as time allows)

Day 10: Wednesday, September 23

Due: Assignment 2
Reading: Handouts
Topics: Cryptography: Theory and Practice (models, breakdowns in practice, and programming) [Slides]

Day 11: Monday, September 28

Reading: Textbook, sections 2.1–2.5
Topics: Physical security [Slides]

Day 12: Wednesday, September 30

Reading: Textbook Sections 3.1–3.3
Topics: Operating System Security – Basics and Linux demos - day 1 [Slides]

Day 13: Monday, October 5

Graduate/Honors students: Research Reading Summary 3 due
Topics: Operating System Security – Basics and Linux demos - day 2

Day 14: Wednesday, October 7

Due: Assignment 3
Topics: Midterm Information/Review; Advanced OS Security (sandboxes, chroot, and containers) [Slides]

Required reading: Linux Virtualization – Chroot Jail, from the “GeeksforGeeks” website.
Required reading: What is a Container?, from the Docker web site.
Required reading: The Evolution of Linux Containers and Their Future, from the DZone web site.

Day 15: Monday, October 12

Midterm Exam 1

Day 16: Wednesday, October 14

Reading: Textbook, Section 3.4
Topics: Software security and vulnerabilities, Part 1 – Day 1 [Slides]

Day 17: Monday, October 19

Topics: Software security and vulnerabilities, Part 1 – Day 2 (slides continued from before)

Day 18: Wednesday, October 21

Final Project: Overview and discussion
Topics: Software security and vulnerabilities, Part 2 – Day 1 [Slides]
Required reading:

Return-oriented programming. Yes, this is a Wikipedia page, but it gives a good high-level overview of return-oriented programming.
Static analysis for security, by Gary McGraw. This is a little old (written in 2004), but it’s one of the best high-level “what is static analysis?” write-ups I could find.
Fuzzing. Wikipedia again. This is pretty light, but gives a good overview. For more information on fuzz testing, see the last item in the supplemental reading list below.

Supplemental reading: Good information for students who want to dig deeper.

StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, by Crispin Cowan. This is the original (1998) paper on StackGuard, the canary technique for detecting stack-smashing buffer overflow attacks. In addition to the content being relevant, this is a really good example of an applied security research paper.
What is soundness (in static analysis)?, by Michael Hicks. A very nice writeup about trade-offs that have to be considered in creating a static analysis tool, and measures or concepts of “goodness” such as soundness, completeness, precision, and recall.
Lessons from Building Static Analysis Tools at Google, by Sadowski, Aftandilian, Eagle, Miller-Cushon, and Jaspan (Communications of the ACM, April 2018). Experience with static analysis in a really large software organization is very different from examples in a classroom. This article talks about experiences with static analysis at Google.
SAGE: Whitebox Fuzzing for Security Testing by Godefroid, Levin, and Molnar. Really nice article talking about fuzz testing.
Evaluating Empirical Evaluations (for Fuzz Testing), by Michael Hicks. This is a blog post about research that the author did on the (ahem) fuzziness of evaluating fuzz testing (no, he didn’t put it that way, I did – sorry).

Day 19: Monday, October 26

Final Project: Project topic selection due
Topics: Software security and vulnerabilities, Part 2 – Day 2 (slides continued from before)

Day 20: Wednesday, October 28

Due: Assignment 4
Reading: Textbook, Chapter 4
Topics: Malware [Slides]

Day 21: Monday, November 2

Reading: Textbook, Chapter 7 and OWASP Top 10
Topics: Web Application Security – day 1 [Slides]

Day 22: Wednesday, November 4

Topics: Web Security – day 2 – guest lecturer!

Day 23: Monday, November 9

Reading: Textbook, Chapter 5
Topics: Network Security I – day 1 [Slides]

Day 24: Wednesday, November 11

Topics: Network Security I – day 2

Day 25: Monday, November 16

Final Project: Progress report due
Reading: Textbook, Sections 6.1–6.4
Topics: Network Security II – day 1 [Slides]

Day 26: Wednesday, November 18

Due: Assignment 5
Topics: Network Security II – day 2

Day 27: Monday, November 23

Topics: Class wrap-up and review

Note that per the UNCG Fall schedule, Tuesday, November 24 will follow the “Monday schedule,” so we will have a meeting on Tuesday.

Day 28: Tuesday, November 24

Midterm Exam 2

Final Exam

This class will have a final project in lieu of a final exam. The project is due at the university-scheduled final exam time, which is:

Friday, December 4, 2020, 3:30 PM
Final Project: Final report due