Instructor: Prateek Saxena (prateeks at comp dot nus dot edu dot sg)
TAs Loi Luu, Yaoqi Jia, Shiqi Shen (cs3235.ta at gmail.com)
Room & Timings: LT15, Thursdays 9:00 - 11:00 am
IVLE Page: CS3235
Semester: AY 2016/2017 Semester 1

Announcements

TBA

Course Description

Security breaches cost billions of dollars worth of damage to the computing industry. Today, cybercriminals control armies consisting of several millions of compromised machines. Attacks are increasingly being perpetrated against enterprises, individuals, critical infrastructure and even governments. At the same time, our computer systems and platforms are fast evolving to meet the demands of the industry. The increasing use of personalized devices, and our growing dependence on legacy computer systems that weren't designed with security in mind, are the challenges ahead. Have you thought about how computer systems can be designed to withstand these practical challenges for the next 10 years and beyond?

In this course, we will study the design of existing and next-generation systems software from a security perspective. This course introduces you to the field of systems security: that is, how to analyze and develop secure systems. The course covers fundamental concepts of systems design, low-level vulnerability exploitation, design flaws in operating systems and languages, and a few advanced research topics.

The goal of this class is to enable students to:

  • Audit systems code for security flaws.
  • Design and implement exploits for real security bugs.
  • Develop secure applications.
  • Be able to design defenses & outline their limitations.

Schedule & Syllabus

The table below lists the schedule of topics.

Week | Date | Topic | Readings | Announcements
---- | ---- | ----- | -------- | -------------
1 | 11 Aug | Introduction to Computer Security | Book G & T -- Chapter 1.1, Chapter 3.1; Book D & K -- Appendix A.1, A.2 | 
2 | 18 Aug | Memory Safety & Secure Coding | Smashing The Stack For Fun And Profit; Exploiting Format String Vulnerabilities; Book G & T -- Chapter 3.4 | Assgt 0 out
3 | 25 Aug | Privilege Separation & Sandboxing | Improving Host Security with System Call Policies; Preventing Privilege Escalation; Book G & T -- Chapter 1.3, 3.1, 3.3, 4.3, 4.5. Optional (Advanced): Mimicry Attacks on Host-Based Intrusion Detection Systems; The Security Architecture of the Chromium Browser | Assgt 1 out
4 | 1 Sep | Network Security & HTTPS | Book G & T -- Chapter 5, 6.1, 7.1 | 
5 | 8 Sep | Web Security I: SOP, XSS | Book G & T -- Chapter 7.2 | 
6 | 15 Sep | Web Security II: SQLI, CSRF | Robust Defenses for Cross-Site Request Forgery; Book G & T -- Chapter 7.3 | Assgt 2 out
7 | 29 Sep | Intro to Cryptography | Book G & T -- Chapter 2.1 | 
8 | 6 Oct | Secure Channels (I): Symmetric Key Crypto | Book D & K -- Chapter 2.1.1, 2.1.2, 2.1.5 | 
9 | 13 Oct | Secure Channels (II): Public Key Crypto | Book D & K -- Chapter 3.1, 3.2, 3.3, 3.4 | Assgt 3 out
10 | 20 Oct | Integrity & Authenticity: MACs & Digital Signatures | Book D & K -- Chapter 2.2.3, 3.3.4 | 
11 | 27 Oct | No lecture --- Prepare for end-term exam | | 
12 | 3 Nov | Authentication & Key Exchange | Book D & K -- Chapter 4.1 | 
13 | 10 Nov | Crypto in the Real World: HTTPS Failures, UI Security, Side Channels & Bitcoin | Lecture Videos | 
14 | 17 Nov | End-term Exam: In-class | Full syllabus, with more emphasis on Weeks 10 - 13 | 


Textbooks & Readings

There are no mandatory textbooks for this course. The lecture slides, indicated papers, and the tutorial content will constitute the main reading material. You are expected to take your own notes, and interpret / extrapolate the findings beyond the reading material for homeworks and exams.
Optional reading:

  • Introduction to Cryptography - Principles and Applications / By Hans Delfs, Helmut Knebl (referred to as "D & K").
    (Available via the NUS online library.)
  • Introduction to Computer Security / By Michael T. Goodrich, Roberto Tamassia (referred to as "G & T").
    (Available on loan from the NUS library.)

Class Logistics & Grading

This class is relatively heavy and requires hands-on programming and experimentation. I will explain the detailed logistics of the course in the first lecture. There will be no final exam or labs. Tutorials will be optional, though you may find them useful for discussions and gaining breadth.

Grade distribution is as follows:

  • Assignment 0 (10%)
  • End-term exam (30%)
  • Assignment 1 - 3 (20% each)

All assignments are individual. The end-term is in-class and open-book.

Each student is expected to have access to their own laptop / desktop. All project assignments are distributed as VirtualBox VMs; you are expected to be able to set up and run these VMs. If you do not have access to your own laptop / desktop, you should approach the instructor within the first week of the course.


Who should take this class?

Students interested in computer security. We assume basic familiarity with mathematical proofs, elementary number theory (e.g. the concept of groups), OS concepts (processes, virtual memory), C and web programming languages.

The class is designed to be somewhat self-paced and self-taught; all graded assignments are done at home.

The IVLE forum is your best friend --- if you get stuck, ask questions and exchange ideas freely on the forum or consult the web. The instructor and TAs will *not* help debug your code, or tell you how to overcome technical difficulties. There is no restriction on your communication with your colleagues, so be prepared to ask around and pick things up on your own.

Prerequisites

Please see IVLE. All waiver requests are handled solely by CS curriculum committee (email cs-curriculum the-at-symbol comp.nus.edu.sg).

Note on Ethics

In this class, you will be exposed to several powerful attack techniques. This class is not an invitation to exploit vulnerabilities in the wild without the informed consent of all involved parties. Attacking someone else's computer system is an offence; you are expected to use your knowledge with discretion.

For all readings and assignments, please feel free to discuss with your peers and use the Internet. All students must comply with NUS academic honesty policies.