CE 40-442: Network SecuritySaturday/Monday 1500-1630
Room: 201 CE Building
Office Hours: Sat 16:30 to 17:00
Quick Links: Description Acknowledgment Policies Announcements Homeworks CourseMaterial
Description:This is an introductory course to computer security. This course is primarily based on the Computer Security course taught by Dan Boneh at Stanford University.
Prerequisites: 40-443 Computer Networks
Acknowledgment: This course is primarily based on the Computer Security course taught by Dan Boneh at Stanford University.
- Grading policy is as follows. This is tentative.
- 10% Quiz
- 40% Homeworks
- 20% Midterm
- 30% Final
There will be no exceptions to the following rules:
- If you turn in your assignments one day late you will loose 25% of the grade, two days will cost you 50% and three days 75% of the grade. No submissions will be accepted after the third day. Penlaty may be calculted continusly and per hour of delay.
- There will be a zero tolerance policy for cheating/copying HWs. The first time you are caught, you will receive a zero for the task at hand. If you are caught for a second time, you will fail the course. Providing your assignment to someone else is considered cheating on your behalf.
- Each of you has a 3 day extension you could use over the individual assignments. The minimum you could use at each instance is a 1 day extension. So you can not extend HW1 by 12 hours and then HW2 by 60 hours. You could use the 3 days with one HW, or 1 day for each HW, or 2 days for hW1 and 1 day for HW2, or 1 day for HW1 and 2 days for HW2, or ... (I hope you get the idea!)
- The 3 day extension will be applied to HW0 and what ever remains would be carried over to HW1 and so on.
- There is a good probability that things go south (i.e. you get sick, network fails, your computer crashes, there is a bug in the HW, server fails, etc.) as the deadline approaches. Such issues will not result in an extension to the deadline. So keep that in mind and plan for Murphy's law in advance, don't leave things for the last minute.
- There will be a zero tolerance policy for any misuse of the course infrastructure (i.e. Judge, Tarasht, etc.), regardless of the intent
- If any of the class policies are unclear, they should be brought up and discussed in the first week of the semester at hand.
- Quiz 1 on 1397/8/5 from lectures 0, 1, 2, 3, 4, 5, and 6.
- Midterm will be on 1396/8/28 from Lectures 0 to 10, including 10.
- Q1+Q2+Midterm+Final Grades
- Quiz 2 on 1397/9/19 from lectures 11, 12, 13, and 14.
- HW 1: [PDF], Available: 1397/7/9, Deadline: 1397/7/26, 11:59PM.
- HW 2: [PDF], Available: 1397/8/5, Deadline: 1397/8/21, 11:59PM.
- HW 3: [PDF] Available: 1397/9/10, Deadline: 1397/9/26, 11:59PM.
Course Material: This is a tentative class schedule
- Lecture 0-Pre-Intro! [PDF]
- Lecture 1- Introduction [PDF]
- Lecture 2- Control hijacking attacks: exploits and defenses [PDF]
- Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Cowan, C., Wagle, F., Pu, C., Beattie, S., & Walpole, J., 2000
- Basic Integer Overflows, blexim, 2002
- Bypassing Browser Memory Protections, A. Sotirov,2008
- Lecture 2- Control hijacking attacks: exploits and defenses (con't)
- Lecture 3- Principle of least privilege, access control, and operating systems security [PDF]
- Lecture 3- Principle of least privilege, access control, and operating systems security (con't)
- Lecture 4- Dealing with legacy code: sandboxing and isolation [PDF]
- Lecture 4- Dealing with legacy code: sandboxing and isolationi (con't)
- Lecture 5- Tools for writing robust application code [PDF]
- Lecture 7- Basic web security model [PDF]
- Securing Browser Frame Communication, Adam Barth, Collin Jackson, and John C. Mitchell, 2008
- The Security Architecture of the Chromium Browser, Adam Barth, Collin Jackson, Charles Reis, and the Google Chrome Team, 2008
- Exposing private information by timing web applicationsi, A. Bortz, D. Boneh, and P. Nandy, 2007
- Lecture 8- Web application security [PDF]
- Lecture 8- Web application security (continued)
- Lecture 9- Session management and user authentication [PDF]
- Lecture 10- Overview of cryptography [PDF]
- Lecture 11- HTTPS: goals and pitfalls [PDF]
- Lecture 12- Content Security Policies (CSP), Web workers, and extensions [PDF]
- Lecture 13- Security issues in Internet protocols: TCP, DNS, and routing [PDF]
- Lecture 14- Network defense tools: Firewalls, VPNs, Intrusion Detection, and filters [PDF]
- Lecture 14- Network defense tools: Firewalls, VPNs, Intrusion Detection, and filters (continued)
- Lecture 15- Unwanted traffic: denial of service attacks [PDF]
- Lecture 16- Trusted Computing and SGX [PDF]
- Lecture 17- Mobile platform security models: Android and iOS [PDF]
- Lecture 18- Mobile threats and malware [PDF]
- FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps, Arzt et al., 2014
- A Large-Scale Study of Mobile Web App Security, P. Mutchler, A. Doupe, J. Mitchell, C. Kruegel, and G. Vigna., 2015
- Target Fragmentation in Android Apps, Mutchler, P., Safaei, Y., Doupé, A. and Mitchell, J., 2016