|Piazza||Grading||Instructor and TA||Texts|
|Lectures||Schedule||Course Description||Special needs|
In the class, we will discuss the principles and practice of computer system security, with particular emphasis on:
One of the main objectives of this course is adversarial thinking: students should be able to quickly zoom in on the weakest link in any security technology, or system design. Students should be able to imagine how an attacker might break their system, and build in protection and mitigation measures to ward off such attacks.
This is a hands-on course, where students learn by carrying out programming assignments. Some assignments will be aimed at in-depth understanding of software vulnerabilities by developing exploits. Others will be aimed at mitigation techniques to block exploits, or more generally, enforce policies that contain damage. Some of these assignments give students a sense of hands-on work that security professionals perform. Most will be designed to provide a taste of research in software and systems security. Most assignments are best carried out by teams of two. Please find a suitable project partner right at the beginning of the course in order to avoid problems later. You can do the projects alone, but that obviously will mean more effort.
The topics covered in the course can be divided into two parts: foundations, and applications. Although the two parts are presented in sequence below, in reality, the lectures will alternate between the two.
- Cryptographic foundations
- Identification and Authentication: passwords, biometrics, ...
- Authorization and Access control: ACLs, capabilities, MLS, DTE, RBAC, ...
- Operating system security
- Principles: memory protection, privilege separation, layering, isolation, sharing, ...
- Case studies: UNIX/Linux, SELinux
- Database security: encryption, views, delegation, statistical inference
- Principles and practices for secure system design
Contemporary Threats, Vulnerabilities and Defenses
- Software vulnerabilities
- Memory corruption: stack-smashing, heap overflows, integer overflows, ...
- Input validation errors: SQL and command injection, format-string attacks, ...
- Race conditions and other software vulnerabilities
- Web server and Browser vulnerabilities
- Malware and Untrusted software
- Viruses and worms, Rootkits, Botnets, ...
- Obfuscation and evasion
- Defenses for software threats
- Static analysis for vulnerability detection
- Code transformation for runtime policy checking
- Runtime policy enforcement and sandboxing
- Isolation and information-flow control
- Virtual machines, TPM, ...
- Network-layer threats: network probing, scanning, evasion, ...
- Defenses: Intrusion detection, ...
- Side-channel attacks: covert channels, timing attacks, power analysis, emanations, remanence and reuse
- Privacy and Anonymity
Text notes (last column in the table) included were put together by students in a past offering of the course. They are being provided for your benefit, but please keep in mind that they may not be complete, and may not have been updated to match the slides.
|Topics and Lecture Recordings||Slides||Notes|
Memory Corruption Vulnerabilities I
|2b||Homework I Discussion|| || |
Memory Corruption Vulnerabilities II
|3||More Software Vulnerabilities||4||Malware|
|5||Defenses for Untrusted Code and Malware||PDF
|5a||Midterm review discussion|| || |
|5b||Homework II Discussion 25 min|| |
|6||Binary analysis and instrumentation|
|8||Identification and Authentication 1h 11m 1h 6m
Reading: Password Security: A Case History
Reading: Lamport's One-Time Password Scheme
|9||OS Security and Access Control
Reading: Revisiting "Setuid Demystified"
Reading: Confining Root Programs with Domain and Type Enforcement
|12||Vulnerability analysis: Fuzzing and Symbolic Execution|
Reading: Metdown and Spectre attacks
Dates for assignments and mid-term exams are subject to change.
Lectures: Mon, Wed 4:00pm to 5:20pm Room Old CS Rm 2311 First Lecture: Jan 27 Assignment 1: Feb 10 to 26 Mid term I: Mar 9, Room 2120 Assignment 2: Mar 11 to 25 Spring Break: Mar 16 to Mar 22 Assignment 3: Mar 30 to April 8 Mid term II: April 17 (Friday) Last Lecture: May 6 Final Exam: May 12 (Tuesday) 8:30pm to 11:00pm Room TBD
Office: Rm 364 New Computer Science
Office Hours: Mon/Wed 3pm to 4pm
Office: Rm 346 New Computer Science
Office Hours: By Appointment
Email: raich at cs dot stonybrook dot edu
There is no textbook for this course. We will rely primarily on class notes.
Your final grades will be computed as follows. You should expect some changes to the weightings over the semester.
Copying homework solutions or programming assignments from a fellow student or from the Internet, and all other forms of academic dishonesty, are considered serious offenses. They will be prosecuted to the maximum extent permitted by university policies.
If you have a physical, psychological, medical or learning disability that may impact on your ability to carry out assigned course work, I would urge that you contact the staff in the Disabled Student Services office (DSS), in the ECC building, 632-6748v/TDD. DSS will review your concerns and determine, with you, what accommodations are necessary and appropriate. All information and documentation of disability is confidential.