CSE 127: Intro to Computer Security Winter 2023
Lectures:
Tuesday/Thursday 2:00pm-3:20pm GH 242
Discussion:
Wednesday 3:00pm-3:50pm FAH 1301
Wednesday 4:00pm-4:50pm FAH 1301
Instructor:
Nadia Heninger
Office hours: Thursday 3:30pm-4:30pm EBU3B 3138
TAs:
- Leo Cao Office Hours: Monday 2-3pm EBU3B B275
- Christopher Cha Office Hours: Tuesday 4-5pm
- Karthik Mudda Office Hours: Wednesday 1-2pm EBU3B B270A
- Ethan Tan Office Hours: Wednesday 5-6pm EBU3B B240A
- Allison Turner Office Hours: Tuesday 12pm-1pm EBU3B B260A
- Satish Yerva Office Hours: Friday 4:30pm-5:30pm EBU3B B215
Tutors:
- Shubham Bhargava Office Hours: Monday 5:30-6:30pm EBU3B B275
Class Resources:
- Zoom links and gradebook on Canvas
- Q&A on Piazza
- Informal discussion and community on Discord (sign-up link in Canvas)
- Assignment submission on Gradescope
- Lecture schedule, readings, and course policies on this web page
Grading:
40%: Homework assignments
20%: Midterm exam
40%: Final exam
Course Overview
This course focuses on computer security, covering a wide range of topics on both the defensive and offensive sides of the field. Among these will be systems security and exploitation (e.g., buffer overflows and return-oriented programming), sandboxing and isolation, side channels, network security, cryptography, privacy and anonymity, and legal and ethical issues. The goal of the course is to provide an appreciation of how to think adversarially with respect to computer systems, as well as an appreciation of how to reason about attacks and defenses.
To complete the projects in this course, you will need to be able to write code in Python, C, and (some) C++, and have some understanding of x86 assembly, JavaScript, PHP, and SQL. We will not teach these in lecture; you are expected to learn them on your own or ask for help in section or office hours. If you don't know C, K&R's The C Programming Language is a go-to, but the Hacking book is probably enough and covers x86 assembly and many of the topics in this class.
Pandemic Considerations
This is an in-person class. Lectures will be in person and podcasted, except for those marked on the schedule, which will be held over Zoom and recorded to the cloud. Exams are in person only. Please do not come to class or exams if you are sick.
Schedule
Date | Topic | References | Assignments
--- | --- | --- | ---
1/10 | Introduction and threat modeling (Lecture slides) | Scribe Notes; This World of Ours by James Mickens; Usenix Security '18 Keynote by James Mickens. Optional further reading: The Security Mindset by Bruce Schneier; The Security Mindset and "Harmless Failures" by Ed Felten; How to think like a security professional by Yoshi Kohno | Assignment 1 available
1/11 | Discussion | Week 1 Discussion Slides |
1/12 | Buffer overflow attacks (Lecture slides) | Scribe Notes; Smashing the stack for fun and profit by Aleph One. Optional further reading: 0x200-0x270, 0x300-0x320 from Hacking; Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole |
1/17 | Buffer overflow defenses (Lecture slides) | Scribe Notes. Optional further reading: Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole; ASLR; NOEXEC | Assignment 1 due; Assignment 2 available
1/18 | Discussion | Week 2 Discussion Slides |
1/19 | Memory safety (Lecture slides) | Scribe Notes; Low-level Software Security by Example by Ulfar Erlingsson, Yves Younan, and Frank Piessens; Understanding glibc malloc. Optional further reading: Return-Oriented Programming: Systems, Languages, and Applications by Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage; Hacking Blind by Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, and Dan Boneh; Control-Flow Integrity by Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti |
1/24 | Isolation (Lecture slides) | Scribe notes; The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Tal Garfinkel, Shravan Narayan, Craig Disselkoen, Hovav Shacham, and Deian Stefan. Optional further reading: Operating System Security by Trent Jaeger; Android System and kernel security; iOS Security Guide |
1/25 | Discussion | Week 3 Discussion Slides |
1/26 | Exploit development (Guest Lecture: Ben Hawkes) | |
1/31 | Web intro (Lecture slides) | Scribe notes; CSRF, XSS, SQLi notes; SQL Injection. Optional further reading: Web technology for developers; Browser Security Handbook: Basic concepts behind web browsers | Assignment 2 due; Assignment 3 available
2/1 | Discussion | Week 4 Discussion Slides |
2/2 | Web attacks and defenses (Lecture slides) | Scribe notes; Robust defenses for cross-site request forgery by Adam Barth, Collin Jackson, and John C. Mitchell |
2/7 | Web attacks and defenses, continued (Lecture slides) | |
2/8 | Discussion | Week 5 Discussion Slides |
2/9 | Midterm Exam | In person during lecture time. One cheat sheet allowed. |
2/14 | Network intro (Lecture slides) | Scribe notes. Optional further reading: Wikipedia: Autonomous System; Wikipedia: OSPF routing; Wikipedia: Border Gateway Protocol; Wikipedia: User Datagram Protocol; Wikipedia: Transmission Control Protocol; Wikipedia: Domain Name System | Assignment 3 due; Assignment 4 available
2/15 | Discussion | Week 6 Discussion Slides |
2/16 | Network attacks (Lecture slides) | Scribe notes; Security problems in the TCP/IP protocol suite by Steven Bellovin; A Look Back at "Security Problems in the TCP/IP Protocol Suite" by Steven Bellovin; SAD DNS Explained by Marek Vavrusa and Nick Sullivan |
2/21 (Zoom) | Network defenses (Lecture slides) | Scribe notes; NAT Slipstreaming by Samy Kamkar |
2/22 (In person) | Discussion | |
2/23 (Zoom) | Symmetric cryptography (Lecture slides) | Scribe notes; Ch. 5 of Security Engineering by Ross Anderson. Optional further reading: Communication Theory of Secrecy Systems by Shannon |
2/28 (Zoom) | Public-key cryptography (Lecture slides) | Scribe notes; Ch. 5 of Security Engineering by Ross Anderson. Optional further reading: Modular arithmetic lecture notes from Berkeley CS 70; Basic number theory lecture notes from Boaz Barak; New Directions in Cryptography by Whitfield Diffie and Martin E. Hellman | Assignment 4 due; Assignment 5 available
3/1 (In person) | Discussion | Week 8 Discussion Slides |
3/2 (Zoom) | TLS and secure channels (Lecture slides) | The Illustrated TLS 1.2 Connection; The Illustrated TLS 1.3 Connection |
3/7 (In person) | TLS continued | |
3/8 (In person) | Discussion | Week 9 Discussion Slides |
3/9 (In person) | Authentication and passwords (Lecture slides) | |
3/14 | Privacy and anonymity (Lecture slides) | Ch. 25 of Security Engineering by Ross Anderson. Optional further reading: Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma Whitten and Doug Tygar; Tor: The Second-Generation Onion Router by Roger Dingledine, Nick Mathewson, and Paul Syverson; Bernstein v. United States; Off-the-Record Communication, or, Why Not To Use PGP by Nikita Borisov, Ian Goldberg, and Eric Brewer; Forward Secrecy for Asynchronous Messages by Moxie Marlinspike; Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov | Assignment 5 due
3/15 | Discussion | Week 10 Discussion Slides |
3/16 | Ethics, vulnerability disclosure, personal hygiene, and cryptocurrencies (Lecture slides) | Optional further reading: Privacy and the Limits of Law by Ruth Gavison; Cyber-security Research Ethics Dialog & Strategy Workshop (CREDS 2013); Going Bright: Wiretapping without Weakening Communications Infrastructure by Steve Bellovin, Matt Blaze, Sandy Clark, and Susan Landau; Security without identification: Transaction systems to make Big Brother obsolete by Chaum 1985; Risks of Cryptocurrencies by Nicholas Weaver |
3/23 | Final Exam 3:00pm - 6:00pm | In person. One cheat sheet allowed. |
Assignments
We will have five programming assignments. These assignments are meant both to reinforce your knowledge of the concepts covered in lecture and to get you to think about security in more depth, beyond what is covered in lecture.
You may work on the assignments in groups of one or two. You may discuss the assignments with other students from the course in general terms, but not any specific solution. You will have two late days you can use to turn in assignments late for any reason. Late days will be deducted from both group members, and both group members must have late days in order to use them. No other extensions will be given. If you have an unforeseen long-term emergency that affects all of your classes (hospitalization, death of an immediate family member, etc.), please reach out to us and the student affairs office to coordinate alternate arrangements.
If you consult anything (books, academic papers, internet resources, people) when working on the assignments, note this in your submission. We encourage outside learning but expect you not to seek out specific details about a solution; anything submitted should be considered your own work. Similarly, you are expected not to publish or otherwise share your solutions at any point (even after the class is over). If you are unsure about what is allowed, please ask the course staff.
By taking this course, you implicitly agree to abide by the UCSD policies on Integrity of Scholarship and Student Conduct. See the Academic Integrity Support for Remote Learning. University rules on integrity of scholarship and the code of conduct are taken seriously and will be enforced.
Additional Resources
No textbook is required, but if you would like additional resources the following may be useful: