Description

This course will cover advanced topics in computer and network security, including: anonymity, privacy, memory safety, malware, denial of service attacks, trusted hardware, security design principles, and empirically measuring security "in the wild". This will be a largely paper-driven course (there is no textbook), preparing students for research in (or around) the broad area of security. Students will gain first-hand experience launching attacks in controlled environments. The bulk of the grade will be based on a final, semester-long group project.

Prerequisites

There are no official prerequisites for this course, but a familiarity with C will greatly help with some of the attacks. Having taken an undergraduate course in security is not necessary, but would help (we will go considerably deeper than what I cover in my undergraduate security course). Please feel free to meet with me if you have any questions or concerns.

Legality and ethics

Throughout the semester, you will be learning (and implementing and launching) various attacks. This is not an invitation to perform these attacks without the express written consent of all parties involved. To do otherwise would risk violating University of Maryland policies and Maryland and U.S. laws.

The goal is to foster discovery, experimentation, and exploration, but in a safe, ethical, and respectful fashion, always. If you have an idea and want a safe environment to try it out, then let me know, and I'll try to set something up. If you have any questions or concerns, then do not hesitate to contact me or your TAs directly.


List of topics (tentative)

This course covers a very broad range of topics within computer security, with the goal of instilling a security mindset, and teaching some of the core principles of security that will allow students to pursue research in the field upon completion.

The following list of tentative lecture topics will vary in terms of pace:

  • Security background and definitions
  • The ethics of security research
  • Systems security (attacks and defenses)
    • Memory safety (buffer overflows, ROP)
    • Malware (viruses, worms)
    • Web-based attacks (CSS, XSRF, clickjacking)
    • Isolation and lack thereof (side channels, rowhammer)
  • The human side of security
  • Economic incentives and underground economies
  • Applications and analysis of cryptography
    • Public key infrastructures (certificates, TLS/SSL)
    • Digital currency
    • Anonymous communication
    • Empirical measurements of cryptographic abuse
  • Network security
    • Attacks and defenses for TCP/IP and DNS
    • Network control (firewalls, VPNs)
    • Censorship and censorship resistance


Online resources

Website: Various course materials will be made available on the class website, which can be accessed at http://www.cs.umd.edu/class/fall2017/cmsc818O/

Piazza: Class help and details will also be posted on Piazza. This provides a forum for you to post questions (and answer those from others), as well as share insights and engage on all things security. Keep in mind, however, that even though this is a class-specific forum, cheating or facilitating cheating is not allowed there (or anywhere): do not post project code or pseudocode. The class Piazza page is available at https://piazza.com/umd/fall2017/cmsc818O/.

Computing resources

Most of your projects will be done within a Virtual Machine (VM) that we will provide. Your project submissions must work within the VM as provided: some of our projects will be architecture-specific, so it is critical that you test thoroughly within the VM provided. Thus we strongly recommend that if you develop any project on another system, you should complete it several days early to have time to address any compatibility problems.

Submission instructions will be provided with the projects.


Grading

Grades will be maintained on the CS Department grades server. You can always see your current grade here.

You are responsible for all material discussed in lecture and discussion section and posted on the class web page, including announcements, deadlines, policies, etc. During the semester we may provide ungraded practice homework exercises and solutions. While we will not collect these exercises, completing them is essential preparation for exams. You may work together on these ungraded homeworks, and you may of course come to office hours for additional help.

Your final course grade will be determined by the following tentative percentages:

Final course grades will be curved as necessary, based on each student's total numeric score for all coursework at the end of the semester.

Important

Completing the programming assignments is an essential part of the course. Therefore, we may fail any student who does not make a good-faith attempt on all course projects, regardless of the student's performance or scores on the other coursework.


Meet your professor

At least one time during the semester, you must come to office hours or another arranged time to meet me. This does not count class/project help: we can chat about research, future plans, whatever you'd like!

Attack presentation

At the beginning of (almost) every class, a group of 1-2 students will present an attack they have implemented and launched that is relevant to that class's topic. For example, a class on web security might begin with a group demonstrating a website they created that launches a clickjacking attack against its visitors. Each student will present at least one attack during the semester.

Class participation and weekly readings

This class will be largely paper-driven; we will cover both classic and recent papers in security. Students will be expected to read the papers ahead of time and engage in the class discussion. Each week, you will be asked to write up a response based on what you have read.

The goal of this is both to gauge your understanding of the papers and to help polish your skills at identifying the critical insights (and methodological flaws) of the papers you read. I will provide feedback on these responses, and so it is critical that they be turned in by 4pm the day before to give me enough time to go through them carefully.

Exam scheduling

The class includes a midterm and a final exam. Both are held in the room where we normally hold class. Likely dates for the exams are:

Final: The official schedule has us scheduled for Wednesday December 13, 8:00am-10:00am, but the final exam will be a take-home.

Regrading

Any request for reconsideration of any grading on coursework must be submitted within two weeks of when it is returned. Exam regrading requests must be made in writing. Any coursework submitted for reconsideration may be regraded in its entirety, which could result in a lower score if warranted.

Project policies

All projects will be due 11:59:59pm EST of the day given in the project description for full credit.

Projects may be submitted up to 24 hours late for a 10% penalty. (For example, a project that would have earned 90 points for an on-time submission will earn 81, that is, 90 times 0.90.) If you submit both on-time and late, your project will receive the maximum of the penalty-adjusted scores.

Project extensions will not be granted due to system problems, network problems, power outages, etc., so do not wait to submit a project until the night it is due. You may submit multiple times up to the deadline, and only your last on-time submission is graded. Similarly, if you submit late, only your last submission before the late deadline will be graded. No consideration in grading will be made for errors made in transferring files or submitting the wrong version of your project. Having a working, unsubmitted version will not count; only submitted code will be counted.

Finally, any "hard coding" in a project assignment may result in a score of zero for that project, and is considered a bad-faith effort. Hard coding refers to attempting to make a program appear as if it works correctly, when in fact it does not. One example of hard coding would be printing the desired output instead of computing it. This is only one example, and if you have any questions as to what constitutes hard coding, be sure to ask ahead of time.


Excused absences

You are not required to come to class. That said, there will be a lot of material taught in class, and I often write on the board (as opposed to using slides). So it is in everyone's best interest to attend and engage during lectures.

You are, however, required to attend scheduled exams. There are several excused absences from an exam: illness, religious observance, participation in required university activities, or a family or personal emergency. We will work with you to make sure that you have a fair amount of time to make up for excused absences. The best way that we can help is if we know about absences as far in advance as possible.

  • Provide a request for absence in writing.
  • Provide appropriate documentation that shows the absence qualifies as excused.
  • Provide as much advance notice as is possible, safe, and appropriate.

Please note that, because exams are considered "Major Scheduled Grading Events," a self-signed note may not be sufficient: for medical absences, you must furnish documentation from the health care professional who treated you, which must verify the timeframe during which you were unable to meet academic responsibilities. In addition, it must contain the name and phone number of the medical service provider to be used if verification is needed. No diagnostic information will ever be requested.

It is the University's policy to provide accommodations for students with religious observances conflicting with exams. You must inform the instructor prior to the end of the first two weeks of the class if you have a religious observance that conflicts with an exam.

For missed exams due to excused absences, the instructor will arrange a makeup exam. If you might miss an exam for any other reason other than those above, you must contact the instructor in advance to discuss the circumstances. We are not obligated to offer a substitute assignment or to provide a makeup exam unless the failure to perform was due to an excused absence.

The policies for excused absences do not apply to project assignments. Projects will be assigned with sufficient time to be completed by students who have a reasonable understanding of the necessary material and begin promptly. In cases of extremely serious documented illness of lengthy duration or other protracted, severe emergency situations, the instructor may consider extensions on project assignments, depending upon the specific circumstances.

Besides the policies in this syllabus, the University's policies apply during the semester. Various policies that may be relevant appear in the Graduate Catalog.


Academic integrity

The Campus Senate has adopted a policy asking students to include the following statement on each examination or assignment in every course: "I pledge on my honor that I have not given or received any unauthorized assistance on this examination (or assignment)." Consequently, you will be requested to include this pledge on each exam and project. Please also carefully read the Office of Information Technology's policy regarding acceptable use of computer accounts.

Programming projects are to be written individually, therefore cooperation or use of unauthorized materials on projects is a violation of the University's Code of Academic Integrity. Any evidence of this, or of unacceptable use of computer accounts, use of unauthorized materials or cooperation on exams or quizzes, or other possible violations of the Honor Code, will be submitted to the Student Honor Council, which could result in an XF for the course, suspension, or expulsion.

For learning the course concepts, students are welcome to study together or to receive help from anyone else. You may discuss with others the project requirements, the natures of the attacks covered, what was discussed in class and in the class web forum, and general syntax errors.

When it comes to actually writing a project assignment, other than help from the instructional staff a project must solely and entirely be your own work. Working with another student or individual, or using anyone else's work in any way except as noted in this paragraph, is a violation of the code of academic integrity and will be reported to the Honor Council. You may not discuss design of any part of a project with anyone except the instructor or teaching assistants.

Examples of questions that would be allowed are "Does a Java class definition end in a semicolon?" or "What does a 'class not found' error indicate?", because they convey no information about the contents of a project.

Examples of questions you may not ask others might be "How did you implement this part of the project?" or "Please look at my code and help me find my stupid syntax error!".

You may not use any disallowed source of information in creating either your project design or code. When writing projects you are free to use ideas or short fragments of code from published textbooks or publicly available information, but the specific source must be cited in a comment in the relevant section of the program.

Violations of the Code of Academic Integrity may include, but are not limited to:

  1. Failing to do all or any of the work on a project by yourself, other than assistance from the instructional staff.
  2. Using any ideas or any part of another person's project, or copying any other individual's work in any way.
  3. Giving any parts or ideas from your project, including test data, to another student.
  4. Allowing any other students access to your program on any computer system.
  5. Transferring any part of a project to or from another student or individual by any means, electronic or otherwise.

If you have any question about a particular situation or source then consult with the instructors in advance. Should you have difficulty with a programming assignment you should see the instructional staff in office hours, and not solicit help from anyone else in violation of these rules.

It is the responsibility, under the honor policy, of anyone who suspects an incident of academic dishonesty has occurred to report it to their instructor, or directly to the Honor Council.

Every semester the department has discovered a number of students attempting to cheat on project assignments, in violation of academic integrity requirements. Students' academic careers have been significantly affected by a decision to cheat. Think about whether you want to join them before contemplating cheating, or before helping a friend to cheat.

Students are welcome and encouraged to study and compare or discuss their implementations of the programming projects with any others after they are graded, provided that all of the students in question have received nonzero scores for that project assignment, and if that project will not be extended upon in a later project assignment.


Students with disabilities

Students with disabilities who have been certified by Disability Support Services as needing any type of special accommodations should see the instructor as soon as possible during the schedule adjustment period (the first two weeks of class). Please provide DSS's letter of accommodation to the instructor at that time.

All arrangements for exam accommodations as a result of disability must be made and arranged with the instructor at least three business days prior to the exam date; later requests (including retroactive ones) will be refused.

Course evaluations

If you have a suggestion for improving this class, don't hesitate to tell me or the TAs during the semester! At the end of the semester, please don't forget to provide your feedback using the campus-wide CourseEvalUM system. Your comments will help make this class better. CourseEvalUM is generally open the first couple of weeks of December, but this is subject to change by campus.

Right to change information

Although every effort has been made to be complete and accurate, unforeseen circumstances arising during the semester could require the adjustment of any material given here. Consequently, given due notice to students, the instructor reserves the right to change any information on this syllabus or in other course materials.
