Computer Security

CSE 40567/60567 is an undergraduate and graduate level Computer Science and Engineering course at the University of Notre Dame that introduces students to the fundamentals of computer security. Is computer security getting better, or is it getting worse? With each passing day, we hear reports of new security breaches targeting major government, corporate and university networks — in spite of decades of effort to harden the hardware and software that runs the Internet. Part of the problem has been a profound disconnect between academic researchers and security practitioners, underpinned by a fundamental misunderstanding of the role the human element plays in circumventing supposedly secure systems. To help bridge this gap, this course introduces students to the major concepts of practical security engineering, with an emphasis on risk mitigation as opposed to imperfect risk prevention. With this guiding philosophy, the course covers the core principles of cryptographic protocols, software security, and network security, which will serve as useful building blocks for application-specific security engineering endeavors. Special attention will be paid to current topics in the field, including cryptographic libraries, preemptive strategies for combating software bugs, wireless networks, and web security. Balance will be struck between theoretical analysis and real-world cases, giving students an appropriate background to pursue further work in security in an academic or professional setting.

Upon successful completion of this course, students will be able to:

Describe the principles of three core areas of computer security (cryptographic protocols, software security, and network security), and know how to apply them in real-world settings.
Engineer practical security systems with risk mitigation as a guiding philosophy.
Select current cryptographic algorithms with appropriate cryptographic primitive lengths that are not easily prone to attack.
Detect weaknesses in cryptographic implementations that can lead to data compromise.
Identify bugs and poor practices that can lead to vulnerabilities in hardware and software.
Develop and deploy custom software solutions for system and network attacks and defense.
Reverse engineer proprietary and obfuscated binary code for auditing purposes.
Understand the components of secure web app development.
Itemize the most up-to-date security threats propagating on the Internet, as well as the corresponding countermeasures.

Class Information

Lecture: T/R 2:00 PM - 3:15 PM
Location: Class Zoom Room (see link pinned in Slack)
Slack: #cse-40567-sp20
GitLab: cse-40567-sp20-assignments

Instructor

Instructor: Walter Scheirer (walter.scheirer@nd.edu)
Office Hours: T/R 12:00 PM - 1:45 PM, and by appointment
Office Location: Prof. Scheirer's Zoom Room (see link pinned in Slack)

Help Protocol

Think
Slack
Think
Email
Think
Office

Teaching Assistants

Graduate Teaching Assistant: Sophia Abraham (sabraha2@nd.edu)
Office Hours: F 11:30 AM - 1:30 PM
Office Location: Sophia's Zoom Room (see link pinned in Slack)

Graduate Teaching Assistant: Bill Theisen (wtheisen@nd.edu)
Office Hours: W 3:30 PM - 5:30 PM
Office Location: Bill's Zoom Room (see link pinned in Slack)

Unit	Date	Topics	Assignment
Security Basics	01/14	Introduction, Syllabus, Overview of the State of Security Slides
	01/16	Risk Mitigation, the Human Element, Vulnerability Disclosure Slides	A. Ch. 2, pp. 17-43
	01/21	Security Nomenclature, Auth. Mechanisms, Categories of Attacks and Defenses Slides	A. Ch. 2, pp. 43-62; Homework 01
Cryptography	01/23	Cryptographic Protocols Slides	A. Ch. 3
	01/28	Key Exchange, BAN Logic, Protocol Proofs Slides	A. Ch. 5, pp. 129-153
	01/30	One-Way Functions, Symmetric Key Encryption Slides	A. Ch. 5, pp. 153-184; Homework 02
	02/4	AES, Public Key Encryption, RSA Slides	Hankerson et al., Ch. 1
	02/6	RSA, Elliptic Curves, Digital Signatures Slides	Perrin and Marlinspike
	02/11	Current Applications, Zero Knowledge Proofs, PKI, Cryptanalysis Slides	SANS, PKI; Homework 03
Software Security	02/13	Advanced Persistent Threats, Password Cracking Slides	Oechslin
	02/18	User Roles, Group Roles, Fine-Grained Access Control Slides	A. Ch. 4, pp. 93-107
	02/20	File System Security, Memory Allocation, Buffer Overflows Slides	Cowan et al.; Homework 04
	02/25	Heap Overflows, Type Overflows, Midterm Review Slides	blexim
	02/27	Checklist 01 Midterm
	03/3	Film Screening: The Great Hack	Film Response
	03/5	Film Screening: The Great Hack
Spring Break
Software Security	03/24	Guest Lecture: Ariel Herbert-Voss, OpenAI Video
	03/26	Format Strings Bugs, Software Security Tools Slides Video	Serebryany et al.; Homework 05
	03/31	Memory Protection Mechanisms Slides Video	A. Ch. 4, pp. 110-117
Network Security	04/2	Introduction to TCP/IP Slides Video	A. Ch. 21, pp. 633-652
	04/7	Guest Lecture: RC Johnson, PayPal
	04/9	Network Eavesdropping, Wireless Eavesdropping, Countermeasures Against Eavesdropping Slides Video	A. Ch. 21, pp. 652-78; Homework 06
	04/14	Port Scanning, OS Fingerprinting, DNS Security Slides Video	Son and Shmatikov
	04/16	Covert Channels, Denial of Service Attacks Slides Video	Zargar et al.
	04/21	Firewalls, Intrusion Detection Slides Video	Paxson; Homework 07
	04/23	Guest Lecture: Stephen Watt, Farsight Security Video	Wired Article on Stephen
	04/28	Evading Intrusion Detection, Anomaly-Based Intrusion Detection Slides Video	Sommer and Paxson
Final Exam	5/7-5/8	Checklist 02 Final

Coursework

Component	Points
Participation Participation in class, film response, office hours, and slack chats.	100
Homeworks Homework assignments.	7 × 125
Midterm Exam Covering the first half of the course.	400
Final Exam Covering the second half of the course.	625
Total	2000

Grading

Grade	Points	Grade	Points	Grade	Points
		A	1860-2000	A-	1800-1859
B+	1734-1799	B	1666-1733	B-	1600-1665
C+	1534-1599	C	1466-1533	C-	1400-1465
D	1300-1399	F	0-1299

Due Dates

All Homeworks are to be submitted to your own private GitLab repository. Unless specified otherwise:

Homeworks are due by 11:59pm one week following the release of the assignment.

Policies

Participation

Students are expected to attend and contribute regularly in class. This means answering questions in class, participating in discussions, and helping other students.

Foreseeable absences should be discussed with the instructor ahead of time.

Students with Disabilities

Any student who has a documented disability and is registered with Disability Services should speak with the professor as soon as possible regarding accommodations. Students who are not registered should contact the Office of Disabilities.

Academic Honesty

Any academic misconduct in this course is considered a serious offense, and the strongest possible academic penalties will be pursued for such behavior. Students may discuss high-level ideas with other students, but at the time of implementation (i.e., programming), each person must do his/her own work. Use of the Internet as a reference is allowed but directly copying code or other information is cheating. It is cheating to copy, to allow another person to copy, all or part of an exam or a assignment, or to fake program output. It is also a violation of the Undergraduate Academic Code of Honor to observe and then fail to report academic dishonesty. You are responsible for the security and integrity of your own work.

Late Work

In the case of a serious illness or other excused absence, as defined by university policies, coursework submissions will be accepted late by the same number of days as the excused absence.

Otherwise, a late penalty, as determined by the instructor, will be assessed to any late submission of an assignment. In general, the late penalty is -10 points off for each day after the assigned deadline. The instructor reserves the right to refuse any unexcused late work.

Classroom Recording

Notre Dame has implemented a classroom recording system. This system allows us to record and distribute lectures to you in a secure environment. You can watch these recordings on your computer, tablet, or smartphone. The recordings can be accessed within Sakai.

Because we will be recording in the classroom on select occasions, your questions and comments may be recorded. (Video recordings typically only capture the front of the classroom.) If you have any concerns about your voice or image being recorded, please speak to me to determine an alternative means of participating. No content will be shared with individuals outside of your course without your permission except for faculty and staff that need access for support or specific academic purposes.

These recordings are jointly copyrighted by the University of Notre Dame and your instructor. Posting them to other websites, including YouTube, Facebook, Vimeo, or elsewhere without express, written permission may result in disciplinary action and possible civil prosecution.

CSE Guide to the Honor Code

For the assignments in this class, you may discuss with other students and consult printed and online resources. You may quote from books and online sources as long as you cite them properly. However, you may not look at another student's solution, and you may not copy solutions.

For further guidance please refer to the CSE Honor Code or ask the instructor.

Textbook

Security Engineering: Second Edition

Ross Anderson

Git Tutorials

Network Security Packages

nmap: network discovery and security auditing tool.
netcat: very handy network socket program.
Snort: lightweight network intrusion detection system for UNIX and Windows.
Wireshark: easy to use packet analyzer.
Kismet: console based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system
Aircrack-ng: 802.11 WEP and WPA-PSK keys cracking program.

Secure OSs

OpenBSD: Free, functional and secure OS.
Kali Linux: Linux distribution designed for penetration testing.
SELinux: kernel module for Linux providing additional access control security policies.
Tails: Live system for privacy protection.

Practical Crypto Tools

The GNU Privacy Guard: implementation of the OpenPGP standard
OpenSSL: open source crypto library
Signal Private Messenger: secure messaging and group chat for iPhone and Android
Keybase: maps your identity to your public keys, and vice versa

Software Security Packages:

Nessus: vulnerability scanner (free for personal use).
Metasploit: penetration testing software.
ophcrack: Windows password cracker based on rainbow tables.
John the Ripper: fast password cracker.
HashCat: advanced password recovery.
Hopper: OS X and Linux disassembler.

Notable Projects and Orgs.:

The Honeynet Project: "to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned".
Crypto-Gram Newsletter: Crypto-Gram is a free monthly e-mail digest of posts from Bruce Schneier's Schneier on Security blog.
DEF CON: premier hacker convention (videos of talks from recent editions available online).

Web Security Packages

WPScan: black box WordPress vulnerability scanner.
BeEF: browser exploitation framework.
w3af: web application attack and audit framework.

Supporting Security Texts

William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security, Second Edition, Addison-Wesley, 2003.
Bruce Schneier. Applied Cryptography, Second Edition, Wiley, 1996.
Niels Ferguson and Bruce Schneier. Practical Cryptography, Wiley, 2003.
Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering: Design Principles and Practical Applications, Wiley, 2010.
Mark Down, John McDonald, and Justin Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Addison-Wesley, 2006.
Matt Bishop. Introduction to Computer Security, Addison-Wesley, 2004.
Andrew Tanenbaum. Modern Operating Systems, Fourth Edition, Pearson, 2014.
Andrew Tanenbaum and David Wetherall. Computer Networks, Fifth Edition, Pearson, 2010.
Steven M. Bellovin. Thinking Security, Addison-Wesley, 2015.