CSE 127: Intro to Computer Security Winter 2023


Lectures:

  Tuesday/Thursday 2:00pm-3:20pm GH 242

Discussion:

  Wednesday 3:00pm-3:50pm FAH 1301
  Wednesday 4:00pm-4:50pm FAH 1301

Instructor:

  Nadia Heninger   Office hours: Thursday 3:30pm-4:30pm EBU3B 3138

TAs:

  Leo Cao Office Hours: Monday 2-3pm EBU3B B275.
  Christopher Cha Office Hours: Tuesday 4-5pm
  Karthik Mudda Office Hours: Wednesday 1-2pm EBU3B B270A
  Ethan Tan Office Hours: Wednesday 5-6pm EBU3B B240A
  Allison Turner Office Hours: Tuesday 12pm-1pm EBU3B B260A
  Satish Yerva Office Hours: Friday 4:30pm-5:30pm EBU3B B215

Tutors:

  Shubham Bhargava Office Hours: Monday 5:30-6:30pm EBU3B B275

Class Resources:
Grading:

  40%: Homework assignments
  20%: Midterm exam
  40%: Final exam


Course Overview

This course focuses on computer security, covering a wide range of topics on both the defensive and offensive side of this field. Among these will be systems security and exploitation (e.g., buffer overflows and return-oriented programming), sandboxing and isolation, side channels, network security, cryptography, privacy and anonymity, and legal and ethical issues. The goal of the course is to provide an appreciation of how to think adversarially with respect to computer systems as well as an appreciation of how to reason about attacks and defenses.

To complete the projects in this course, you will need to be able to write code in Python, C, and (some) C++, and have some understanding of x86 assembly, JavaScript, PHP, and SQL. We will not teach these in lecture; you are expected to learn them on your own or ask for help in section or office hours. If you don't know C, K&R's The C Programming Language is a go to, but the Hacking book is probably enough and covers x86 assembly and many of the topics in this class.


Pandemic Considerations

This is an in person class. Lectures will be in person and podcasted, except for those marked on the schedule, which will be over Zoom and recorded to the cloud. Exams are in person only. Please do not come to class or exams if you are sick.


Schedule

Date Topic References Assignments
1/10 Introduction and threat modeling

Lecture slides
Scribe Notes
This World of Ours by James Mickens
Usenix Security '18 Keynote by James Mickens

Optional further reading:
The Security Mindset by Bruce Schneier
The Security Mindset and "Harmless Failures" by Ed Felten
How to think like a security professional by Yoshi Kohno
Assignment 1 available
1/11 Discussion Week 1 Discussion Slides
1/12 Buffer overflow attacks

Lecture slides
Scribe Notes
Smashing the stack for fun and profit by Aleph One

Optional further reading:
0x200-0x270, 0x300-0x320 from Hacking
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole
1/17 Buffer overflow defenses

Lecture slides
Scribe Notes

Optional further reading:
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole
ASLR
NOEXEC
Assignment 1 due
Assignment 2 available
1/18 Discussion Week 2 Discussion Slides
1/19 Memory safety

Lecture slides
Scribe Notes
Low-level Software Security by Example by Ulfar Erlingsson, Yves Younan, and Frank Piessen
Understanding glibc malloc

Optional further reading:
Return-Oriented Programming: Systems, Languages, and Applications by Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage
Hacking Blind by Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, Dan Boneh
Control-Flow Integrity by Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti
1/24 Isolation
Lecture slides
Scribe notes
The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Tal Garfinkel, Shravan Narayan, Craig Disselkoen, Hovav Shacham, and Deian Stefan

Optional further reading:
Operating System Security by Trent Jaeger
Android System and kernel security
iOS Security Guide
1/25 Discussion Week 3 Discussion Slides
1/26 Exploit development

Guest Lecture: Ben Hawkes

1/31 Web intro

Lecture slides
Scribe notes
CSRF, XSS, SQLi notes
SQL Injection

Optional further reading:
Web technology for developers
Browser Security Handbook: Basic concepts behind web browsers
Assignment 2 due
Assignment 3 available
2/1 Discussion
Week 4 Discussion Slides
2/2 Web attacks and defenses

Lecture slides
Scribe notes
Robust defenses for cross-site request forgery by Adam Barth, Collin Jackson, and John C. Mitchell
2/7 Web attacks and defenses, continued

Lecture slides
2/8 Discussion
Week 5 Discussion Slides
2/9 Midterm Exam In person during lecture time. One cheat sheet allowed.
2/14 Network intro

Lecture slides
Scribe notes
Optional further reading:
Wikipedia: Autonomous System
Wikipedia: OSPF routing
Wikipedia: Border Gateway Protocol
Wikipedia: User Datagram Protocol
Wikipedia: Transmission Control Protocol
Wikipedia: Domain Name System
Assignment 3 due
2/15 Discussion
Week 6 Discussion Slides
2/16 Network attacks

Lecture slides
Scribe notes
Security problems in the TCP/IP protocol suite by Steven Bellovin
A Look Back at "Security Problems in the TCP/IP Protocol Suite" by Steven Bellovin
SAD DNS Explained by Marek Vavrusa and Nick Sullivan
Optional further reading:
2/21
(Zoom)
Network defenses

Lecture slides
Scribe notes
NAT Slipstreaming by Samy Kamkar
2/22
(In person)
Discussion
2/23
(Zoom)
Symmetric cryptography

Lecture slides
Scribe notes
Ch. 5 of Security Engineering by Ross Anderson

Optional further reading:
Communication Theory of Secrecy Systems by Shannon
2/28
(Zoom)
Public-key cryptography

Lecture slides
Scribe notes
Ch. 5 of Security Engineering by Ross Anderson

Optional further reading:
Modular arithmetic lecture notes from Berkeley CS 70
Basic number theory lecture notes from Boaz Barak
New Directions in Cryptography by Whitfield Diffie and Martin E. Hellman
3/1
(In person)
Discussion
Week 8 Discussion Slides
3/2
(Zoom)
TLS and secure channels

Lecture slides
The Illustrated TLS 1.2 Connection
The Illustrated TLS 1.3 Connection
3/7
(In person)
Authentication and passwords

Lecture slides
3/8
(In person)
Discussion Week 9 Discussion Slides
3/9
Privacy and anonymity

Lecture slides
Ch. 25 of Security Engineering by Ross Anderson

Optional further reading:
Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma Whitten and Doug Tygar
Tor: The Second-Generation Onion Router by Roger Dingledine, Nick Mathewson, and Paul Syverson
Bernstein v. United States
Off-the-Record Communication, or, Why Not To Use PGP by Nikita Borisov, Ian Goldberg, and Eric Brewer
Forward Secrecy for Asynchronous Messages by Moxie Marlinspike
Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov
3/14
Ethics, law, and policy

Lecture slides
Optional further reading:
Privacy and the Limits of Law by Ruth Gavison
Cyber-security Research Ethics Dialog & Strategy Workshop (CREDS 2013)
Going Bright: Wiretapping without Weakening Communications Infrastructure by Steve Bellovin, Matt Blaze, Sandy Clark, and Susan Landau
3/15
Discussion
Week 10 Discussion Slides
3/16
Conclusion and special topics

Lecture slides
Security without identification: Transaction systems to make Big Brother obsolete by Chaum 1985
Risks of Cryptocurrencies by Nicholas Weaver
3/23 Final Exam 3:00pm - 6:00pm In person. One cheat sheet allowed.

Assignments

We will have five programming assignments. These assignments are meant to both reinforce your knowledge of the concepts covered in lecture and get you to think about security in more depth, beyond what is covered lecture.

You may work on the assignments in groups of one or two. You may discuss the assignments with other students from the course in general but not any specific solution. You will have two late days you can use to turn in assignments late for any reason. Late days will be deducted from both group members, and both group members must have late days in order to use them. No other extensions will be given. If you have an unforeseen long-term emergency that affects all of your classes (hospitalized, death of immediate family member etc.), please reach out to us and the student affairs office to coordinate alternate arrangements.

If you consult anything (books, academic papers, internet resources, people) when working on the assignments, note this in your submission. We encourage outside learning but expect you to not seek out specific details about a solution—anything submitted should be considered your own work. Similarly, you are expected to not publish or otherwise share your solutions at any point (even after the class is over). If you are unsure about what is allowed, please ask the course staff.

By taking this course, you implicitly agree to abide by the UCSD policies on Integrity of Scholarship and Student Conduct. See the Academic Integrity Support for Remote Learning. University rules on integrity of scholarship and code of conduct are taken seriously and will be enforced.


Additional Resources

No textbook is required, but if you would like additional resources the following may be useful: