CMSC 414: Computer and Network Security


SCHEDULE

Date | Topic | Readings & handouts

Jan 26: Introduction (slides)
Required reading:
  • "Reflections On Trusting Trust", Ken Thompson (pdf)
  • Chapter 1 of [Anderson]

SOFTWARE SECURITY

Jan 31: Buffer overflow attacks
Required reading:
  • "Smashing the Stack for Fun and Profit", Aleph One (pdf, phrack)
Optional:
  • Example used in class: "Analysis of an Electronic Voting System", Kohno et al. (pdf)

Feb 2: Buffer overflow attacks and defenses
Required reading:
  • "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks" (pdf)
  • GDB quick reference
Optional but very useful:
  • GDB manual
  • "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade" (pdf)

Feb 7: Memory safety: attacks and defenses
Optional reading:
  • "Basic Integer Overflows" (phrack)
  • "Exploiting Format String Vulnerabilities" (pdf)
  • "The advanced return-into-lib(c) exploits: PaX case study" (phrack)
  • "Return-Oriented Programming" (paper) (slides)

Feb 9: Defensive programming
Optional reading:

Feb 14: Malware: Viruses
Required reading:
  • "Hunting for Metamorphic" (pdf)
Optional reading:
  • "A History of Computer Viruses - The Famous 'Trio'" (pdf)

Feb 16: Web security: SQL injection
Required reading:
  • "OWASP SQL injection reference" (html)
Optional reading:
  • "SQL Injection Attacks by Example" (www)

Feb 17: Project 1 due (Buffer overflows)

Feb 21: Web security: XSS & CSRF
Required reading:
  • "OWASP XSS reference" (html)
  • "Web security: Are you part of the problem?" (www)
  • "Cross-Site Request Forgery: An Introduction..." (pdf)
Optional reading:
  • "OWASP CSRF reference" (html)

Feb 23: XSS attacks
See readings and slides from Feb 21.

Feb 28: XSS attacks; Clickjacking
Required reading:
  • "Clickjacking: Attacks and Defenses" (pdf)
  • Cursorjacking demo (also read the source)

Mar 2: Principles of secure software design
Required reading (further defines the design principles in the slides):
  • "Secure Programming for Linux and Unix HOWTO", Chapters 7.1-7.10 (www)

Mar 7: Principles of secure software implementation: TCB, code safety
Optional reading:
  • vsftpd's design (www)

CRYPTOGRAPHY

Mar 9: Symmetric key crypto
11-crypto slides from class
Required reading:

Mar 14: Midterm recap

Mar 16: Midterm 1: Software Security

Mar 17 (Fri): Project 2 due (Web security)

Mar 21: Spring break

Mar 23: Spring break

Mar 28: Symmetric key crypto: MACs
11-crypto slides from class
Required reading:

Mar 30: Symmetric key crypto: Hash functions and authenticated encryption
11-crypto slides from class
Required reading:

Apr 4: Asymmetric (public-key) crypto: Encryption, signatures
Required reading:
Suggested reading:
  • "Twenty Years of Attacks on the RSA Cryptosystem" (pdf)

Apr 6: Asymmetric crypto continued
Asymmetric crypto readings continued

Apr 11: Authentication
Required reading:

Apr 13: Anonymity
Required reading:
Optional reading:
  • "The Dining Cryptographers Problem" (pdf)
  • "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms" (pdf)
  • "Tor: The Second-Generation Onion Router" (pdf)

Apr 14 (Fri): Project 3 due (Symmetric and public key crypto)

Apr 18: Crypto misuse, side channels, ...
Suggested reading:
  • "An Empirical Study of Cryptographic Misuse in Android Applications" (pdf)
  • "Why Johnny Can't Encrypt" (pdf)
  • "Differential Power Analysis" (pdf)
  • "Lest We Remember: Cold Boot Attacks on Encryption Keys" (pdf)

Apr 20: Midterm 2: Cryptography

NETWORK SECURITY

Apr 25: Internet: intro and network layer

Apr 27: Internet: transport
Optional reading:
  • "Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse" (pdf)

May 2: Internet: naming and routing
Highly suggested reading:
  • "An Illustrated Guide to the Kaminsky DNS Vulnerability" (www)

May 4: Internet: inter-domain routing
Optional reading:
  • Goldberg, "Why is it Taking So Long to Secure Internet Routing?" (html)
  • Butler et al., "A Survey of BGP Security Issues and Solutions" (pdf)

May 9: App-level security; underground economy
Optional reading:
  • "Click Trajectories: End-to-end Analysis of the Spam Value Chain" (pdf)
  • "Show Me the Money: Characterizing Spam-advertised Revenue" (pdf)

May 11: Last class

May 12 (Fri): Project 4 due (ATM build-it/break-it)

May 17 (Wed): Final Exam for sections 0101 and 0201 (cumulative), 6:30pm-8:30pm, Skinner 0200