Computer Security: Attacks and Defenses
(CMSC 311 at Haverford College)
Note that–especially since this is the first offering of 311–parts of this syllabus are subject to change with adequate notice.
Prerequisites:
- Experience in C programming:
- E.g., CMSC245 at Haverford or CMSC246 at Bryn Mawr
- Experience with or willingness to learn learn new languages (Python, SQL, JavaScript, etc..)
Workload:
- 3 lecture hours per week
- 1 lab hour per week
- This will be a lab / project intensive class. Approximately 6-10 hours per week outside of class will be expected from students. I recommend against taking this course concurrent with other project-heavy courses.
Cap: 25 (may be lifted to 35)
Course Overview
This course will serve as a broad introduction to the field of computer security, from two concurrent perspectives: attacks on systems, and defenses against those attacks. The goal of this course will be to help build intuition so that–when designing your own systems–you can intelligently assess and mitigate security risks.
To understand how attackers think, we will learn about the attacks they employ. We will dissect a number of real-world attacks (such as Heartbleed or WannaCry) and reflect upon what could have been done to prevent them. But understanding a collection of attacks is not alone sufficient for helping us understand how to build secure systems. So alongside attacks, we will also learn the theoretical underpinnings of security, and use it to build defenses into our systems.
Labs will transition theory into practice. We will conclude with a group project exploring advanced topics relevant to the state of the art in computer security. The course will begin with a discussion on ethical application of techniques we learn.
Topics
We will cover parts of the following topics, adjusted for time and pace of the course, along with student interest in each area.
- Low-level memory attacks and defenses
- Buffer overflows
- Stack canaries
- Access space randomization / derandomization
- Return to libc / return-oriented-programming
- Cryptography
- Symmetric and asymmetric-key cryptography
- Certificates, CAs, and PKI
- SSL/TLS
- Web security
- SQL injections
- Cross-site scripting
- Cross-site request forgery
- Social engineering and security ethics
- UI design for security
- App permissions design
- Best practices for security UI
- Permission lifetime and revocation
- Case study in privacy controls:
- Facebook privacy controls
- Android permissions
- Information flow control in web apps
- Reverse engineering
- Theoretical underpinnings of security
- Full abstraction
- Information flow
Projects and Labs
Projects will be started in labs, and then continued individually. Some labs are structured so that they begin with a concrete assignment to work on as an individual in the first week, and then move on to a group assignment to complete a larger task.
Project 1: Memory attacks (Weeks 1-5 inclusive) (Uses C programming)
This project will cover low-level memory attacks using the C programming language. The students will begin by executing an attack from starter code provided. They will then implement their own buffer overflow attack, and demonstrate a way to prevent the attack by intelligent programming, and also facilities provided by the compiler. After completing this task, students will form groups to complete a more advanced attack studying ASLR or ROP. 1.5 weeks will be allocated for independent programming, and 1.5 weeks will be allocated for group work.
Project 2: Cryptography (weeks 6-8 incl.) (Uses Python programming)
This project will involve creating a public / private key pair and manually exchanging keys to collaborate secretly communicate with group members. The next week, students will either implement a secure chat using cryptographic primitives provided, or explore an attack on an insecure cryptographic hash.
Project 3: Web security (weeks 9-12 incl.) (Uses Python programming)
Students will be given an insecure web app written in Python and JS. This app will be vulnerable certain attacks (e.g., SQL injection, XSRF). They will then craft an input which causes the app to leak secret information (e.g.,, student grades from a synthetic gradebook consisting of fictitious students). They will then fix this attack in the app. Finally, students will attempt to break other students’ fixes.
Final project (weeks 13-14): Build it, Break it, Fix it
This will be a final project where groups break each other’s projects. Points will be allocated for both individual work and group work. Individuals must work to find bugs in other projects, and groups must work to fix to find bugs in their projects.
Grading
- Labs and projects: 70%
- Individual component: 42%
- Group component: 28%
- Two midterm exams: 30% (take home and open note)
- Given 1/3rd and 2/3rd of the way through the course
Evaluation for group projects will be based on mutual student feedback and may include oral exam with individual group members.
Books
I don’t want you to spend any money on textbooks for this course.
Online resources will be distributed throughout the course. These include blog articles (e.g., by the Facebook privacy group), academic papers, and websites (e.g., the Android security internals). These will all be freely available.
Optional
- Security Engineering, Second Editing, by Ross Anderson
- This book is freely available online from the author
- The Web Application Hacker’s Handbook, by Dafydd Stuttard & Marcus Pinto
- Applied Cryptography, Second Edition, by Bruce Schneier