CSE 40567/60567 is an undergraduate- and graduate-level Computer Science and Engineering course at the University of Notre Dame that introduces students to the fundamentals of computer security.

Is computer security getting better, or is it getting worse? With each passing day, we hear reports of new security breaches targeting major government, corporate and university networks — in spite of decades of effort to harden the hardware and software that run the Internet. Part of the problem has been a profound disconnect between academic researchers and security practitioners, underpinned by a fundamental misunderstanding of the role the human element plays in circumventing supposedly secure systems.

To help bridge this gap, this course introduces students to the major concepts of practical security engineering, with an emphasis on risk mitigation as opposed to imperfect risk prevention. With this guiding philosophy, the course covers the core principles of cryptographic protocols, software security, and network security, which will serve as useful building blocks for application-specific security engineering endeavors. Special attention will be paid to current topics in the field, including cryptographic libraries, preemptive strategies for combating software bugs, wireless networks, and web security. Balance will be struck between theoretical analysis and real-world cases, giving students an appropriate background to pursue further work in security in an academic or professional setting.

Upon successful completion of this course, students will be able to:

  1. Describe the principles of three core areas of computer security (cryptographic protocols, software security, and network security), and know how to apply them in real-world settings.

  2. Engineer practical security systems with risk mitigation as a guiding philosophy.

  3. Select current cryptographic algorithms with appropriate cryptographic primitive lengths that are not easily prone to attack.

  4. Detect weaknesses in cryptographic implementations that can lead to data compromise.

  5. Identify bugs and poor practices that can lead to vulnerabilities in hardware and software.

  6. Develop and deploy custom software solutions for system and network attacks and defense.

  7. Reverse engineer proprietary and obfuscated binary code for auditing purposes.

  8. Understand the components of secure web app development.

  9. Itemize the most up-to-date security threats propagating on the Internet, as well as the corresponding countermeasures.

Class Information

  • Lecture: T/R 2:00 PM - 3:15 PM
  • Location: 126 DeBartolo Hall
  • Slack: #cse-40567-sp19
  • GitLab: cse-40567-sp19-assignments

Instructor

  • Instructor: Walter Scheirer (walter.scheirer@nd.edu)
  • Office Hours: T/R 12:00 PM - 1:45 PM, and by appointment
  • Office Location: 321C Stinson-Remick Hall

Help Protocol

  1. Think
  2. Slack
  3. Think
  4. Email
  5. Think
  6. Office

Teaching Assistants

  • Graduate Teaching Assistant: Aidan Boyd (aboyd3@nd.edu)
    Office Hours: W 3:00 PM - 5:00 PM
    Office Location: 212 Cushing Hall
  • Teaching Assistant: MacKenzie Cavanagh (mcavanag@nd.edu)
  • Teaching Assistant: Mike Eiseman (meiseman@nd.edu)
  • Teaching Assistant: Kelly Dodson (kdodson@nd.edu)
  • Teaching Assistant: Josefa Osorio (josorio2@nd.edu)

Schedule

| Unit | Date | Topics | Assignment |
|---|---|---|---|
| Security Basics | 01/15 | Introduction, Syllabus, Overview of the State of Security (Slides) | |
| | 01/17 | Risk Mitigation, the Human Element, Vulnerability Disclosure (Slides) | A. Chpt. 2, pp. 17-43 |
| | 01/22 | Security Nomenclature, Auth. Mechanisms, Categories of Attacks and Defenses | A. Chpt. 2, pp. 43-62; Homework 01 |
| Cryptography | 01/24 | Cryptographic Protocols | |
| | 01/29 | Key Exchange, BAN Logic | |
| | 01/31 | Protocol Proofs, One-Way Functions, Symmetric Key Encryption | Homework 02 |
| | 02/5 | AES, Public Key Encryption, RSA | |
| | 02/7 | RSA, Elliptic Curves, Digital Signatures | |
| | 02/12 | Film Screening: Zero Days | Homework 03 Film Response |
| | 02/14 | Film Screening: Zero Days | |
| | 02/19 | Current Applications, Zero Knowledge Proofs, PKI, Cryptanalysis | |
| Software Security | 02/21 | Advanced Persistent Threats, Password Cracking | Homework 04 |
| | 02/26 | User Roles, Group Roles, Fine-Grained Access Control | |
| | 02/28 | File System Security, Memory Allocation, Buffer Overflows | |
| | 03/5 | Heap Overflows, Type Overflows, Format String Bugs; Midterm Review | |
| | 03/7 | Checklist 01 | Midterm |
| Spring Break | | | |
| Software Security | 03/19 | Software Security Tools | Homework 05 |
| | 03/21 | Memory Protection Mechanisms | |
| Network Security | 03/26 | Introduction to TCP/IP | |
| | 03/28 | Network Eavesdropping, Wireless Eavesdropping, Countermeasures Against Eavesdropping | Homework 06 |
| | 04/2 | Port Scanning, OS Fingerprinting, DNS Security | |
| | 04/4 | Covert Channels, Denial of Service Attacks | |
| | 04/9 | Firewalls, Intrusion Detection | Homework 07 |
| | 04/11 | Guest Lecture: Mike Schiffman, Farsight Security | |
| | 04/16 | Evading Intrusion Detection, Anomaly-Based Intrusion Detection | |
| Web Security | 04/18 | Guest Lecture: David Thaw, University of Pittsburgh Schools of Law and Computing and Information | |
| | 04/23 | Anatomy of a Website Hack, SQL Injection | Homework 08 |
| | 4/25 | Cross-Site Scripting, Cross-Site Request Forgery, Cookies and User Privacy | |
| | 4/30 | Guest Lecture: Saiph Savage, Microsoft | |
| Final Exam | 5/8 | Checklist 02 | Final |

Coursework

| Component | Description | Points |
|---|---|---|
| Participation | Participation in class, film response, office hours, and Slack chats. | 100 |
| Homeworks | Homework assignments. | 8 × 125 |
| Midterm Exam | Covering the first half of the course. | 400 |
| Final Exam | Covering the second half of the course. | 500 |
| Total | | 2000 |

Grading

| Grade | Points |
|---|---|
| A | 1860-2000 |
| A- | 1800-1859 |
| B+ | 1734-1799 |
| B | 1666-1733 |
| B- | 1600-1665 |
| C+ | 1534-1599 |
| C | 1466-1533 |
| C- | 1400-1465 |
| D | 1300-1399 |
| F | 0-1299 |

Due Dates

All Homeworks are to be submitted to your own private GitLab repository. Unless specified otherwise:

  • Homeworks are due by 11:59pm one week following the release of the assignment.

Policies

Participation

Students are expected to attend and contribute regularly in class. This means answering questions in class, participating in discussions, and helping other students.

Foreseeable absences should be discussed with the instructor ahead of time.

Students with Disabilities

Any student who has a documented disability and is registered with Disability Services should speak with the professor as soon as possible regarding accommodations. Students who are not registered should contact the Office of Disabilities.

Academic Honesty

Any academic misconduct in this course is considered a serious offense, and the strongest possible academic penalties will be pursued for such behavior. Students may discuss high-level ideas with other students, but at the time of implementation (i.e., programming), each person must do his/her own work. Use of the Internet as a reference is allowed, but directly copying code or other information is cheating. It is cheating to copy, or to allow another person to copy, all or part of an exam or an assignment, or to fake program output. It is also a violation of the Undergraduate Academic Code of Honor to observe and then fail to report academic dishonesty. You are responsible for the security and integrity of your own work.

Late Work

In the case of a serious illness or other excused absence, as defined by university policies, coursework submissions will be accepted late by the same number of days as the excused absence.

Otherwise, a late penalty, as determined by the instructor, will be assessed to any late submission of an assignment. In general, the late penalty is -10 points off for each day after the assigned deadline. The instructor reserves the right to refuse any unexcused late work.

Classroom Recording

Notre Dame has implemented a classroom recording system. This system allows us to record and distribute lectures to you in a secure environment. You can watch these recordings on your computer, tablet, or smartphone. The recordings can be accessed within Sakai.

Because we will be recording in the classroom on select occasions, your questions and comments may be recorded. (Video recordings typically only capture the front of the classroom.) If you have any concerns about your voice or image being recorded, please speak to me to determine an alternative means of participating. No content will be shared with individuals outside of your course without your permission except for faculty and staff that need access for support or specific academic purposes.

These recordings are jointly copyrighted by the University of Notre Dame and your instructor. Posting them to other websites, including YouTube, Facebook, Vimeo, or elsewhere without express, written permission may result in disciplinary action and possible civil prosecution.

CSE Guide to the Honor Code

For the assignments in this class, you may discuss with other students and consult printed and online resources. You may quote from books and online sources as long as you cite them properly. However, you may not look at another student's solution, and you may not copy solutions.

For further guidance please refer to the CSE Honor Code or ask the instructor.

Textbook

Security Engineering: Second Edition

Ross Anderson

Git Tutorials

Network Security Packages

  • nmap: network discovery and security auditing tool.
  • netcat: very handy network socket program.
  • Snort: lightweight network intrusion detection system for UNIX and Windows.
  • Wireshark: easy-to-use packet analyzer.
  • Kismet: console-based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system.
  • Aircrack-ng: 802.11 WEP and WPA-PSK key cracking program.

Secure OSs

  • OpenBSD: Free, functional and secure OS.
  • Kali Linux: Linux distribution designed for penetration testing.
  • SELinux: kernel module for Linux providing additional access control security policies.
  • Tails: Live system for privacy protection.

Practical Crypto Tools

Software Security Packages

  • Nessus: vulnerability scanner (free for personal use).
  • Metasploit: penetration testing software.
  • ophcrack: Windows password cracker based on rainbow tables.
  • John the Ripper: fast password cracker.
  • HashCat: advanced password recovery.
  • Hopper: OS X and Linux disassembler.

Notable Projects and Orgs.

  • The Honeynet Project: "to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned".
  • Crypto-Gram Newsletter: Crypto-Gram is a free monthly e-mail digest of posts from Bruce Schneier's Schneier on Security blog.
  • DEF CON: premier hacker convention (videos of talks from recent editions available online).

Web Security Packages

  • WPScan: black box WordPress vulnerability scanner.
  • BeEF: browser exploitation framework.
  • w3af: web application attack and audit framework.

Supporting Security Texts