CSE 127: Intro to Computer Security Winter 2022


Instructor:

  Nadia Heninger (nadiah at cs dot ucsd dot edu)
  Office hours: Tuesday 3:30pm-4:30pm

TAs:

  Christopher Liu Office Hours: Thursday 3:30pm-4:30pm
  Cameron Trando Office Hours: Tuesday 5pm-6pm
  Zijie Zhao Office Hours: Monday 10am-11am

Tutors:

  Isaac Bi Office Hours: Wednesday 1pm-2pm
  Jiazheng Liu Office Hours: Friday 12pm-1pm

Lectures:

  Tuesday/Thursday 2:00pm-3:20pm

Discussion:

  Tuesday 8:00pm-8:50pm

Class Resources:
Grading:

  40%: Homework assignments
  20%: Midterm exam
  40%: Final exam


Course Overview

This course focuses on computer security, covering a wide range of topics on both the defensive and offensive side of this field. Among these will be systems security and exploitation (e.g., buffer overflows and return-oriented programming), sandboxing and isolation, side channels, network security, cryptography, privacy and anonymity, and legal and ethical issues. The goal of the course is to provide an appreciation of how to think adversarially with respect to computer systems as well as an appreciation of how to reason about attacks and defenses.

To complete the projects in this course, you will need to be able to write code in Python, C, and (some) C++, and have some understanding of x86 assembly, JavaScript, PHP, and SQL. We will not teach these in lecture; you are expected to learn them on your own or ask for help in section or office hours. If you don't know C, K&R's The C Programming Language is a go-to, but the Hacking book is probably enough and covers x86 assembly and many of the topics in this class.


Pandemic Considerations

We will be fully remote via Zoom for the first two weeks of the quarter (updated to the month of January), following university policy. Zoom links are in Canvas. We will return to fully in-person instruction when the university allows. Midterm and final exams will be in person only unless the university is fully remote on those dates. Lectures will be recorded (on Zoom for remote and podcast for in person), but there won't be support for synchronous remote lecture attendance if we return to in-person instruction.


Tentative Schedule

Date Topic References Assignments
1/4 (Zoom) Introduction and threat modeling

Lecture slides
Scribe Notes
This World of Ours by James Mickens
Usenix Security '18 Keynote by James Mickens

Optional further reading:
The Security Mindset by Bruce Schneier
The Security Mindset and "Harmless Failures" by Ed Felten
How to think like a security professional by Yoshi Kohno
1/4 No Discussion
1/6 (Zoom) Threat modeling continued

Lecture slides
1/11 (Zoom) Buffer overflow attacks

Lecture slides
Scribe Notes
Smashing the stack for fun and profit by Aleph One

Optional further reading:
0x200-0x270, 0x300-0x320 from Hacking
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole
Assignment 1 available
1/11 (Zoom) Discussion Week 2 Discussion Slides
1/13 (Zoom) Buffer overflow defenses

Lecture slides
Scribe Notes

Optional further reading:
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole
ASLR
NOEXEC
1/18 (Zoom) Memory safety

Lecture slides
Scribe Notes
Low-level Software Security by Example by Ulfar Erlingsson, Yves Younan, and Frank Piessens
Understanding glibc malloc

Optional further reading:
Return-Oriented Programming: Systems, Languages, and Applications by Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage
Hacking Blind by Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, Dan Boneh
Control-Flow Integrity by Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti
1/18 (Zoom) Discussion Week 3 Discussion Slides
1/20 (Zoom) Isolation
Lecture slides
Scribe notes
The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Tal Garfinkel, Shravan Narayan, Craig Disselkoen, Hovav Shacham, and Deian Stefan

Optional further reading:
Operating System Security by Trent Jaeger
Android System and kernel security
iOS Security Guide
Assignment 1 due
1/25 (Zoom) Side channels
1/25 (Zoom) Discussion
1/27 (Zoom) Web intro

CSRF, XSS, SQLi notes
SQL Injection

Optional further reading:
Web technology for developers
Browser Security Handbook: Basic concepts behind web browsers
2/1 (In person) Web attacks and defenses
Robust defenses for cross-site request forgery by Adam Barth, Collin Jackson, and John C. Mitchell
2/1 (In person) Discussion: Midterm Review
2/3 (In person) Network intro
Optional further reading:
Wikipedia: Autonomous System
Wikipedia: OSPF routing
Wikipedia: Border Gateway Protocol
Wikipedia: User Datagram Protocol
Wikipedia: Transmission Control Protocol
Wikipedia: Domain Name System
2/8 Midterm Exam Midterm exam will be in person only unless UCSD is fully remote on this date.
2/8 (In person) Discussion
2/10 (In person) Network attacks
Security problems in the TCP/IP protocol suite by Steven Bellovin
A Look Back at "Security Problems in the TCP/IP Protocol Suite" by Steven Bellovin
SAD DNS Explained by Marek Vavrusa and Nick Sullivan
Optional further reading:
2/15 (In person) Network defenses
NAT Slipstreaming by Samy Kamkar
2/15 (In person) Discussion
2/17 (In person) Symmetric cryptography
Ch. 5 of Security Engineering by Ross Anderson

Optional further reading:
Communication Theory of Secrecy Systems by Shannon
2/22 (In person) Public-key cryptography
Ch. 5 of Security Engineering by Ross Anderson

Optional further reading:
Modular arithmetic lecture notes from Berkeley CS 70
Basic number theory lecture notes from Boaz Barak
New Directions in Cryptography by Whitfield Diffie and Martin E. Hellman
2/22 (In person) Discussion
2/24 (In person) TLS and secure channels
The Illustrated TLS 1.2 Connection
The Illustrated TLS 1.3 Connection
3/1 (In person) Authentication and passwords
3/1 (In person) Discussion
3/3 (In person) Privacy and anonymity
Ch. 25 of Security Engineering by Ross Anderson

Optional further reading:
Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma Whitten and Doug Tygar
Tor: The Second-Generation Onion Router by Roger Dingledine, Nick Mathewson, and Paul Syverson
Bernstein v. United States
Off-the-Record Communication, or, Why Not To Use PGP by Nikita Borisov, Ian Goldberg, and Eric Brewer
Forward Secrecy for Asynchronous Messages by Moxie Marlinspike
Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov
3/8 (In person) Ethics, law, and policy
Optional further reading:
Privacy and the Limits of Law by Ruth Gavison
Cyber-security Research Ethics Dialog & Strategy Workshop (CREDS 2013)
Going Bright: Wiretapping without Weakening Communications Infrastructure by Steve Bellovin, Matt Blaze, Sandy Clark, and Susan Landau
3/8 (In person) Discussion: Final Review
3/10 (In person) Conclusion and special topics
Security without identification: Transaction systems to make Big Brother obsolete by Chaum 1985
Risks of Cryptocurrencies by Nicholas Weaver
3/17 Final Exam 3:00pm - 6:00pm The final exam will be in person only unless the university is fully remote.

Assignments

We will have five programming assignments. These assignments are meant to both reinforce your knowledge of the concepts covered in lecture and get you to think about security in more depth, beyond what is covered in lecture.

You may work on the assignments in groups of one or two. You may discuss the assignments with other students from the course in general but not any specific solution. You will have two late days you can use to turn in assignments late for any reason. Late days will be deducted from both group members, and both group members must have late days in order to use them. No other extensions will be given. If you have an unforeseen long-term emergency that affects all of your classes (hospitalized, death of immediate family member, etc.), please reach out to us and the student affairs office to coordinate alternate arrangements.

If you consult anything (books, academic papers, internet resources, people) when working on the assignments, note this in your submission. We encourage outside learning but expect you to not seek out specific details about a solution—anything submitted should be considered your own work. Similarly, you are expected to not publish or otherwise share your solutions at any point (even after the class is over). If you are unsure about what is allowed, please ask the course staff.

By taking this course, you implicitly agree to abide by the UCSD policies on Integrity of Scholarship and Student Conduct. See the Academic Integrity Support for Remote Learning. University rules on integrity of scholarship and code of conduct are taken seriously and will be enforced.


Additional Resources

No textbook is required, but if you would like additional resources the following may be useful: