CSE 40567/60567 is an undergraduate and graduate level Computer Science and Engineering course at the University of Notre Dame that introduces students to the fundamentals of computer security. Is computer security getting better, or is it getting worse? With each passing day, we hear reports of new security breaches targeting major government, corporate and university networks — in spite of decades of effort to harden the hardware and software that runs the Internet. Part of the problem has been a profound disconnect between academic researchers and security practitioners, underpinned by a fundamental misunderstanding of the role the human element plays in circumventing supposedly secure systems. To help bridge this gap, this course introduces students to the major concepts of practical security engineering, with an emphasis on risk mitigation as opposed to imperfect risk prevention. With this guiding philosophy, the course covers the core principles of cryptographic protocols, software security, and network security, which will serve as useful building blocks for application-specific security engineering endeavors. Special attention will be paid to current topics in the field, including cryptographic libraries, preemptive strategies for combating software bugs, wireless networks, and web security. Balance will be struck between theoretical analysis and real-world cases, giving students an appropriate background to pursue further work in security in an academic or professional setting.
Upon successful completion of this course, students will be able to:
Describe the principles of three core areas of computer security (cryptographic protocols, software security, and network security), and know how to apply them in real-world settings.
Engineer practical security systems with risk mitigation as a guiding philosophy.
Select current cryptographic algorithms with appropriate cryptographic primitive lengths that are not easily prone to attack.
Detect weaknesses in cryptographic implementations that can lead to data compromise.
Identify bugs and poor practices that can lead to vulnerabilities in hardware and software.
Develop and deploy custom software solutions for system and network attacks and defense.
Reverse engineer proprietary and obfuscated binary code for auditing purposes.
Understand the components of secure web app development.
Itemize the most up-to-date security threats propagating on the Internet, as well as the corresponding countermeasures.
|Security Basics||01/15||Introduction, Syllabus, Overview of the State of Security Slides|
|01/17||Risk Mitigation, the Human Element, Vulnerability Disclosure Slides||A. Ch. 2, pp. 17-43|
|01/22||Security Nomenclature, Auth. Mechanisms, Categories of Attacks and Defenses Slides||A. Ch. 2, pp. 43-62; Homework 01|
|Cryptography||01/24||Cryptographic Protocols Slides||A. Ch. 3|
|01/29||Key Exchange, BAN Logic, Protocol Proofs Slides||A. Ch. 5, pp. 129-153|
|01/31||One-Way Functions, Symmetric Key Encryption Slides||A. Ch. 5, pp. 153-184; Homework 02|
|02/5||AES, Public Key Encryption, RSA Slides||Hankerson et al., Ch. 1|
|02/7||RSA, Elliptic Curves, Digital Signatures Slides||Perrin and Marlinspike|
|02/12||Film Screening: Zero Days||Homework 03 Film Response|
|02/14||Film Screening: Zero Days|
|02/19||Current Applications, Zero Knowledge Proofs, PKI, Cryptanalysis Slides||SANS, PKI|
|Software Security||02/21||Advanced Persistent Threats, Password Cracking Slides||Oechslin; Homework 04|
|02/26||User Roles, Group Roles, Fine-Grained Access Control Slides||A. Ch. 4, pp. 93-107|
|02/28||File System Security, Memory Allocation, Buffer Overflows Slides||Cowan et al.|
|03/5||Heap Overflows, Type Overflows, Midterm Review Slides||blexim|
|03/7||Checklist 01 Midterm|
|Software Security||03/19||Format Strings Bugs, Software Security Tools Slides||Serebryany et al.; Homework 05|
|03/21||Memory Protection Mechanisms Slides||A. Ch. 4, pp. 110-117|
|Network Security||03/26||Introduction to TCP/IP||A. Ch. 21, pp. 633-652|
|03/28||Network Eavesdropping, Wireless Eavesdropping, Countermeasures Against Eavesdropping||Homework 06|
|04/2||Port Scanning, OS Fingerprinting, DNS Security|
|04/4||Covert Channels, Denial of Service Attacks|
|04/9||Firewalls, Intrusion Detection||Homework 07|
|04/11||Guest Lecture: Mike Schiffman, Salesforce Threat Intelligence Team|
|04/16||Evading Intrusion Detection, Anomaly-Based Intrusion Detection|
|Web Security||04/18||Guest Lecture: David Thaw, University of Pittsburgh Schools of Law and Computing and Information|
|04/23||Anatomy of a Website Hack, SQL Injection||Homework 08|
|4/25||Cross-Site Scripting, Cross-Site Request Forgery, Cookies and User Privacy|
|4/30||Guest Lecture: Saiph Savage, Microsoft|
|Final Exam||5/8||Checklist 02 Final|
|Participation Participation in class, film response, office hours, and slack chats.||100|
|Homeworks Homework assignments.||8 × 125|
|Midterm Exam Covering the first half of the course.||400|
|Final Exam Covering the second half of the course.||500|
All Homeworks are to be submitted to your own private GitLab repository. Unless specified otherwise:
Students are expected to attend and contribute regularly in class. This means answering questions in class, participating in discussions, and helping other students.
Foreseeable absences should be discussed with the instructor ahead of time.
Any student who has a documented disability and is registered with Disability Services should speak with the professor as soon as possible regarding accommodations. Students who are not registered should contact the Office of Disabilities.
Any academic misconduct in this course is considered a serious offense, and the strongest possible academic penalties will be pursued for such behavior. Students may discuss high-level ideas with other students, but at the time of implementation (i.e., programming), each person must do his/her own work. Use of the Internet as a reference is allowed but directly copying code or other information is cheating. It is cheating to copy, to allow another person to copy, all or part of an exam or a assignment, or to fake program output. It is also a violation of the Undergraduate Academic Code of Honor to observe and then fail to report academic dishonesty. You are responsible for the security and integrity of your own work.
In the case of a serious illness or other excused absence, as defined by university policies, coursework submissions will be accepted late by the same number of days as the excused absence.
Otherwise, a late penalty, as determined by the instructor, will be assessed to any late submission of an assignment. In general, the late penalty is -10 points off for each day after the assigned deadline. The instructor reserves the right to refuse any unexcused late work.
Notre Dame has implemented a classroom recording system. This system allows us to record and distribute lectures to you in a secure environment. You can watch these recordings on your computer, tablet, or smartphone. The recordings can be accessed within Sakai.
Because we will be recording in the classroom on select occasions, your questions and comments may be recorded. (Video recordings typically only capture the front of the classroom.) If you have any concerns about your voice or image being recorded, please speak to me to determine an alternative means of participating. No content will be shared with individuals outside of your course without your permission except for faculty and staff that need access for support or specific academic purposes.
These recordings are jointly copyrighted by the University of Notre Dame and your instructor. Posting them to other websites, including YouTube, Facebook, Vimeo, or elsewhere without express, written permission may result in disciplinary action and possible civil prosecution.
For the assignments in this class, you may discuss with other students and consult printed and online resources. You may quote from books and online sources as long as you cite them properly. However, you may not look at another student's solution, and you may not copy solutions.
For further guidance please refer to the CSE Honor Code or ask the instructor.