| Instructor: | Prateek Saxena (prateeks at comp dot nus dot edu dot sg) | |
| TAs | Aashish Kolluri (cs3235.ta at gmail.com) | |
| Room & Timings: | RMI-SR1, Wednesday 8:00 - 10:00 am | |
| IVLE Page: | CS3235 | |
| Semester: | AY 2018/2019 Semester 2 |
* End-term Exam will be in-class
Computers are instruments to improve efficiency. Often, their design is not robust against an intellegent adversary. Computer security is the science of studying why our computing techniques and systems fail, and ultimately to build them robustly. This is an undergraduate-level module on foundations of secure systems, covering the fundamental principles behind "adversarial thinking" and robust design of computer algorithms/systems. The course will highlight real-world designs, machine code exploitation, and Internet protocols.
The goal of this class is to enable students to:
The table below lists the schedule of topics.
| Week | Date | Topic | (Optional) Additional Readings | Announcements |
|---|---|---|---|---|
| 1 | 16 Jan | Introduction and Network Security | Book G & T -- Chapter 5, 6.1, 7.1 | |
| 2 | 23 Jan | Symmetric Key Cryptography |
Book G & T -- Chapter 2.1, Book D & K -- Chapter 3.1, 3.2., 3.3, 3.4 |
A1 out |
| 3 | 30 Jan | Asymmetric Crypto & Key Exchange Protocols | Book D & K -- Chapter 2.1.1, 2.1.2, 2.1.5, Book D & K -- Chapter 4.1 |
|
| 4 | 4 Feb | HTTPS & Limitations | Book G & T -- Chapter 5, 6.1, 7.1 | |
| - | 6 Feb | No lecture -- Public Holiday |
||
| 5 | 13 Feb | No lecture -- Instructor out out town (Tutorials are still running) |
GDB Tutorial (IVLE) | |
| 6 | 20 Feb | Memory Safety Vulnerabilities |
Smashing The Stack For Fun And Profit Exploiting Format String Vulnerabilities Understanding Integer Overflow in C/C++ (Section 1- 3 suffice) Book G & T -- Chapter 3.4 |
A2 out |
| 7 | 27 Feb | Recess Week | ||
| 8 | 6 Mar | Defenses for Memory Safety | ||
| 9 | 13 Mar | OS Security | Improving Host Security with System Call Policies Preventing Privilege Escalation Book G & T -- Chapter 1.3, 3.1, 3.3, 4.3, 4.5 |
|
| 10 | 20 Mar |
Web Injection Attacks & Defenses |
||
| 11 | 27 Mar |
Program Analysis | A2 due date | |
| 12 | 3 Apr | Availability & Trust Through Decentralization |
|
A3 out |
| 13 | 10 Apr |
Outsourced Computing |
|
|
| 14 | 17 Apr |
End-term Exam |
|
A3 due date |
There are no mandatory textbooks for this course. The lecture slides, indicated papers, and the tutorial content will constitute the main reading material.
You are expected to take your own notes, and interpret / extrapolate the findings beyond the reading material for homeworks and exams.
Optional textbook(s):
This class requires some hands-on programming and experimentation. I will explain the detailed logistics of the course in the first lecture. There will no final exam. Attending tutorials is optional, but recommended. All material covered in lectures and tutorials is part of the syllabus.
Grade distribution is as follows:
All assignments are to be done in groups of two, or individually if you prefer. The end-term exam is likely to be open-book (subject to change!) and will be during the lecture timings.
Each student is expected to have access to his/her own laptop / desktop.
All experimental assignments are distributed as VirtualBox VMs; you are expected to be able to setup and run these VMs.
If you do not have access to your own laptop / desktop, you should approach the instructor within the first week of the course. Note that there are student labs on campus for those who do not have access to personal computers.
This is a foundations course interested in computer security. As pre-requisite, we assume basic familiarity with mathematical proofs, elementary number theory (e.g. the concept of groups), OS concepts (processes, virtual memory), basics of theory of computation (finite state machines, computability, and complexity), basics of discrete probability, the C programming language, and PHP/JS.
The class is designed to be somewhat self-paced and self-taught; all graded assignments are done at home.
The IVLE forum is your best friend --- if you get stuck, ask questions and exchange ideas freely on the forum or consult the web. The instructor and TAs will *not* help debug your code, or tell you how to overcome technical difficulties.
In this class, you will be exposed to several powerful attack techniques. This class is not an invitation exploit vulnerabilities in the wild without informed consent of all involved parties. Attacking someone else's computer system is an offence; you are expected to use your knowledge with discretion.
There is no restriction on your communication with other students. We follow an honor code: You are expected to do your homeworks in discussion with your group members, but each student is expected to understand all solutions submitted in the end. Exams are to be taken individually. Violations of the honor code tantamounts to academic dishonestly, which are dealt with in accordance with NUS academic policies.