My new cybersecurity course at Haverford (Spring 2017)
You can also download this syllabus as a PDF.
Computer Security: Attacks and Defenses
(CMSC 323 at Haverford)
Prerequisites:
- Experience in C programming:
- E.g., CMSC245 at Haverford or CMSC246 at Bryn Mawr
- Experience with or willingness to learn learn new languages (Python, SQL, JavaScript, etc..)
Workload:
- 3 lecture hours per week
- 1 lab hour per week
- This will be a lab / project intensive class. Approximately 6-10 hours per week outside of class will be expected from students. I recommend against taking this course concurrent with other project-heavy courses.
Cap: 25 (may be lifted to 35)
Course Overview
This course will serve as a broad introduction to the field of computer security, from two concurrent perspectives: attacks on systems, and defenses against those attacks. The goal of this course will be to help build intuition so that–when designing your own systems–you can intelligently assess and mitigate security risks.
To understand how attackers think, we will learn about the attacks they employ. We will dissect a number of real-world attacks (such as Heartbleed or WannaCry) and reflect upon what could have been done to prevent them. But understanding a collection of attacks is not alone sufficient for helping us understand how to build secure systems. So alongside attacks, we will also learn the theoretical underpinnings of security, and use it to build defenses into our systems.
Labs will transition theory into practice. We will conclude with a group project exploring advanced topics relevant to the state of the art in computer security. The course will begin with a discussion on ethical application of techniques we learn.
Topics
We will cover parts of the following topics, adjusted for time and pace of the course, along with student interest in each area.
- Low-level memory attacks and defenses
- Buffer overflows
- Stack canaries
- Access space randomization / derandomization
- Return to libc / return-oriented-programming
- Cryptography
- Symmetric and asymmetric-key cryptography
- Certificates, CAs, and PKI
- SSL/TLS
- Web security
- SQL injections
- Cross-site scripting
- Cross-site request forgery
- Social engineering and security ethics
- UI design for security
- App permissions design
- Best practices for security UI
- Permission lifetime and revocation
- Case study in privacy controls:
- Facebook privacy controls
- Android permissions
- Information flow control in web apps
- Reverse engineering
- Theoretical underpinnings of security
- Full abstraction
- Information flow
Projects and Labs
Projects will be started in labs, and then continued individually. Some labs are structured so that they begin with a concrete assignment to work on as an individual in the first week, and then move on to a group assignment to complete a larger task.
Project 1: Memory attacks (Weeks 1-4 inclusive) (Uses C programming)
This project will cover low-level memory attacks using the C programming language. The students will begin by executing an attack from starter code provided. They will then implement their own buffer overflow attack, and demonstrate a way to prevent the attack by intelligent programming, and also facilities provided by the compiler. After completing this task, students will form groups to complete a more advanced attack studying ASLR or ROP. 1.5 weeks will be allocated for independent programming, and 1.5 weeks will be allocated for group work.
Project 2: Cryptography (weeks 4-7 incl.) (Uses Python programming)
This project will involve creating a public / private key pair and manually exchanging keys to collaborate secretly communicate with group members. The next week, students will either implement a secure chat using cryptographic primitives provided, or explore an attack on an insecure cryptographic hash.
Project 3: Web security (weeks 7-9 incl.) (Uses Python programming)
Students will be given an insecure web app written in Python which is vulnerable to an SQL injection attack. They will then craft an input which causes the app to leak secret information (in this case, student grades from a synthetic gradebook consisting of fictitious students). They will then fix this attack in the app. Finally, students will attempt to break other students’ fixes.
Final project (weeks 10-14):
This will be a final project, either in a group or alone. Students requesting to work alone need prior approval for a topic and expectations will be calibrated accordingly. Students will select one of the following projects, or propose their own project:
-
Information flow specification (uses Python/Jeeves)
Implement privacy policies for a secure student grades database using Jeeves, an extension to the Python programming language.
-
Designing a privacy UI (uses Python / Javascript / etc..)
Use best practices to propose and implement a new UI for some privacy-related mechanism, and perform a mock implementation.
-
Malware reverse engineering
Use reverse engineering tools to understand and discuss how a particular piece of malware works.
-
Implement signature-based antivirus
Students will read about and implement a variant of signature-based antivirus detection for a small sample of malware.
Students will check in with the professor regularly, and collaboration will occur via Github.
Grading
- Labs and projects: 50%
- Individual component: 30%
- Group component: 20%
- Two midterm exams: 30% (take home and open note)
- Given 1/3rd and 2/3rd of the way through the course
- Final project: 20%
Evaluation for group projects will be based on mutual student feedback and oral exam with individual group members.
Books
Required
- Security Engineering, Second Editing, by Ross Anderson
- This book is freely available online from the author
- Online resources will be distributed throughout the course. These include blog articles (e.g., by the Facebook privacy group), academic papers, and websites (e.g., the Android security internals). These will all be freely available.
Optional
- The Web Application Hacker’s Handbook, by Dafydd Stuttard & Marcus Pinto
- Applied Cryptography, Second Edition, by Bruce Schneier