CSE 127: Intro to Computer Security Winter 2025
Lectures:
Tuesday/Thursday 8am-9:20am
Discussion:
Wednesday 4:00pm (Attendance Graded)
Instructor:
Imani Munyaka Office hours: Check Canvas
TAs:
Check Canvas & Gradescope for TA information
Tutors:
Check Canvas & Gradescope for Tutor information
Class Resources:
- Zoom links and gradebook on Canvas
- Q&A on Piazza
- Informal discussion and community on Discord (Developed and monitored by students)
- Assignment submission on Gradescope
- Lecture schedule, readings, and course policies on this web page
Grading:
30%: Homework assignments
10%: Attendance (From Discussion and webclicker Only)
20%: Midterm exam
40%: Final exam
Course Overview
This course focuses on computer security, covering a wide range of topics on both the defensive and offensive side of this field. Among these will be systems security and exploitation (e.g., buffer overflows and return-oriented programming), sandboxing and isolation, side channels, network security, cryptography, privacy and anonymity, and legal and ethical issues. The goal of the course is to provide an appreciation of how to think adversarially with respect to computer systems as well as an appreciation of how to reason about attacks and defenses.
To complete the projects in this course, you will need to be able to write code in Python, C, and (some) C++, and have some understanding of x86 assembly, JavaScript, PHP, and SQL. We will not teach these in lecture; you are expected to learn them on your own or ask for help in section or office hours. If you don't know C, K&R's The C Programming Language is a go to, but the Hacking book is probably enough and covers x86 assembly and many of the topics in this class.
Course Modality
This is an in person class. Lectures will be in person and podcasted, except for those marked on the schedule, which will be over Zoom and recorded to the cloud. Discussions will be in person and podcasted, except for those marked on the schedule, which will be over Zoom and recorded to the cloud. Attendance is recorded for every discussion session. Exams are in person only. Please do not come to class or exams if you are sick.
Schedule
| Date | Topic | References | Assignments |
| 1/7 | Introduction and threat modeling Lecture slides |
Scribe Notes This World of Ours by James Mickens Usenix Security '18 Keynote by James Mickens Optional further reading: The Security Mindset by Bruce Schneier The Security Mindset and "Harmless Failures" by Ed Felten How to think like a security professional by Yoshi Kohno |
Assignment 1 available |
| 1/8 | Discussion Cancelled | ||
| 1/9 | Threat modeling continued/ C Refresher Lecture Slides (Updated!) Basics of Pointers and Arrays in C – Dennis Kubes x86 Assembly Cheat Sheet - Remzi Arpaci-Dusseau @ UW-Madison |
Trusting Trust by Ken Thompson | |
| 1/14 | Buffer overflow attacks Lecture slides |
Scribe Notes Smashing the stack for fun and profit by Aleph One Optional further reading: 0x200-0x270, 0x300-0x320 from Hacking Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole |
|
| 1/15 | Discussion - Assignment 1 Work Session | ||
| 1/16 | Buffer overflow defenses Lecture slides Updated Lecture slides |
Scribe Notes Optional further reading: Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole ASLR NOEXEC |
Assignment 1 due 8:30am Fri Assignment 2 available |
| 1/21 | Memory safety Lecture slides |
Scribe Notes Low-level Software Security by Example by Ulfar Erlingsson, Yves Younan, and Frank Piessen Understanding glibc malloc Optional further reading: Return-Oriented Programming: Systems, Languages, and Applications by Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage Hacking Blind by Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, Dan Boneh Control-Flow Integrity by Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti |
|
| 1/22 | Discussion - Assignment 2 Intro | ||
| 1/23 | Isolation Lecture slides |
Scribe notes The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing by Tal Garfinkel, Shravan Narayan, Craig Disselkoen, Hovav Shacham, and Deian Stefan Optional further reading: Operating System Security by Trent Jaeger Android System and kernel security iOS Security Guide |
|
| 1/28 | Side channels Lecture slides |
Scribe notes |
|
| 1/22 | Discussion - Assignment 2 Work Session | ||
| 1/30 | Web intro Lecture slides |
Scribe notes CSRF, XSS, SQLi notes SQL Injection Optional further reading: Web technology for developers Browser Security Handbook: Basic concepts behind web browsers |
Assignment 2 due 11:59pm Fri Assignment 3 available |
| 2/4 | Web attacks and defenses Lecture slides |
Scribe notes Robust defenses for cross-site request forgery by Adam Barth, Collin Jackson, and John C. Mitchell |
|
| 2/5 | Discussion - Midterm Review | ||
| 2/6 | Midterm Exam | One double-sided sheet allowed | |
| 2/11 | Network intro Lecture slides |
Scribe notes Optional further reading: Wikipedia: Autonomous System Wikipedia: OSPF routing Wikipedia: Border Gateway Protocol Wikipedia: User Datagram Protocol Wikipedia: Transmission Control Protocol Wikipedia: Domain Name System |
|
| 2/12 | Discussion - Assignment 3 | ||
| 2/13 | Network attacks Lecture slides |
Scribe notes Security problems in the TCP/IP protocol suite by Steven Bellovin A Look Back at "Security Problems in the TCP/IP Protocol Suite" by Steven Bellovin SAD DNS Explained by Marek Vavrusa and Nick Sullivan Optional further reading: |
|
| 2/18 | Network defenses Lecture slides |
Scribe notes NAT Slipstreaming by Samy Kamkar |
|
| 2/19 | Discussion - Assignment 3 Work Session | ||
| 2/20 | Symmetric cryptography Lecture slides |
Scribe notes Ch. 5 of Security Engineering by Ross Anderson Optional further reading: Communication Theory of Secrecy Systems by Shannon |
Assignment 3 due 8:30am Fri Assignment 4 Available |
| 2/25 | Public-key cryptography Lecture slides |
Scribe notes Ch. 5 of Security Engineering by Ross Anderson Optional further reading: Modular arithmetic lecture notes from Berkeley CS 70 Basic number theory lecture notes from Boaz Barak New Directions in Cryptography by Whitfield Diffie and Martin E. Hellman |
|
| 2/26 | Discussion - Assignment 5 | ||
| 2/27 | TLS and secure channels Lecture slides |
The Illustrated TLS 1.2 Connection The Illustrated TLS 1.3 Connection |
Assignment 5 available |
| 3/4 | Authentication and passwords Lecture slides |
||
| 3/5 | Discussion - Assignment 5 | ||
| 3/6 | Privacy and anonymity Lecture slides |
Ch. 25 of Security
Engineering by Ross Anderson Optional further reading: Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma Whitten and Doug Tygar Tor: The Second-Generation Onion Router by Roger Dingledine, Nick Mathewson, and Paul Syverson Bernstein v. United States Off-the-Record Communication, or, Why Not To Use PGP by Nikita Borisov, Ian Goldberg, and Eric Brewer Forward Secrecy for Asynchronous Messages by Moxie Marlinspike Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov |
|
| 3/11 | Conclusion and special topics Class slides |
|
|
| 3/5 | Discussion - Final Exam Review | ||
| 3/13 | Content Review (Based on Piazza Request) Class slides |
|
Assignment 4 & 5 due 1pm Fri (deadline extended) |
| 3/TBD | Final Exam | Location:TBD , One double-sided sheet allowed. Time: TBD |
Assignments
We will have five programming assignments. These assignments are meant to both reinforce your knowledge of the concepts covered in lecture and get you to think about security in more depth, beyond what is covered lecture.
You may work on the assignments in groups of one or two. You may discuss the assignments with other students from the course in general but not any specific solution. You will have two late days you can use to turn in assignments late for any reason. Late days will be deducted from both group members, and both group members must have late days in order to use them. No other extensions will be given. If you have an unforeseen long-term emergency that affects all of your classes (hospitalized, death of immediate family member etc.), please reach out to us and the student affairs office to coordinate alternate arrangements.
If you consult anything (books, academic papers, internet resources, people) when working on the assignments, note this in your submission. We encourage outside learning but expect you to not seek out specific details about a solution—anything submitted should be considered your own work. Similarly, you are expected to not publish or otherwise share your solutions at any point (even after the class is over). If you are unsure about what is allowed, please ask the course staff.
By taking this course, you implicitly agree to abide by the UCSD policies on Integrity of Scholarship and Student Conduct. See the Academic Integrity Support for Remote Learning. University rules on integrity of scholarship and code of conduct are taken seriously and will be enforced.
Additional Resources
No textbook is required, but if you would like additional resources the following may be useful:- Security Engineering by Ross Anderson
- Hacking: The Art of Exploitation by Jon Erickson