CSE 509 Computer System Security

Spring 2020

Piazza Grading Instructor and TA Texts
Lectures Schedule Course Description Special needs

Course Description

In the class, we will discuss the principles and practice of computer system security, with particular emphasis on:

One of the main objectives of this course is adversarial thinking: students should be able to quickly zoom in on the weakest link in any security technology, or system design. Students should be able to imagine how an attacker might break their system, and build in protection and mitigation measures to ward off such attacks.

This is a hands-on course, where students learn by carrying out programming assignments. Some assignments will be aimed at in-depth understanding of software vulnerabilities by developing exploits. Others will be aimed at mitigation techniques to block exploits, or more generally, enforce policies that contain damage. Some of these assignments give students a sense of hands-on work that security professionals perform. Most will be designed to provide a taste of research in software and systems security. Most assignments are best carried out by teams of two. Please find a suitable project partner right at the beginning of the course in order to avoid problems later. You can do the projects alone, but that obviously will mean more effort.

Course Topics

The topics covered in the course can be divided into two parts: foundations, and applications. Although the two parts are presented in sequence below, in reality, the lectures will alternate between the two.

Foundations

Contemporary Threats, Vulnerabilities and Defenses

Lectures

Text notes (last column in the table) included were put together by students in a past offering of the course. They are being provided for your benefit, but please keep in mind that they may not be complete, and may not have been updated to match the slides.

Topic
#
Topics and Lecture Recordings Slides Notes
1 Introduction PDF  
2a Memory Corruption Vulnerabilities I Reading: Smashing the stack for fun and profit PDF TXT
TXT
PDF
2b Homework I Discussion    
2c Memory Corruption Vulnerabilities II PDF  
3 More Software Vulnerabilities PDF
4 Malware
  • Types and goals of malware: 24 mins, 18 mins
  • Stealth, Obfuscation and Challenges of malware defense: 24 mins
PDF PDF
5 Defenses for Untrusted Code and Malware PDF PDF
PDF
5a Midterm review discussion    
5b Homework II Discussion   25 min PDF  
6 Binary analysis and instrumentation PDF PDF
7 Cryptography Basics
  • Introduction: 14 mins
  • Symmetric (Secret Key) Cryptography: Overview 5 mins, Ciphers and algorithms 8 mins
  • Asymmetric (Public Key) Cryptography: 16 mins
  • Public vs Secret key encryption: 5 mins
  • Cryptographic random numbers: 10 mins
  • Digital signatures and message digests: 8 mins
  • Digital certificates: 5 mins
PDF PDF
8 Identification and Authentication   1h 11m   1h 6m
Reading: Password Security: A Case History
Reading: Lamport's One-Time Password Scheme
PDF PDF
9 OS Security and Access Control
Reading: Revisiting "Setuid Demystified"
Reading: Confining Root Programs with Domain and Type Enforcement
PDF PDF
10 Virtual Machines PDF
11 Web security PDF  
12 Vulnerability analysis: Fuzzing and Symbolic Execution PDF
13 Intrusion Detection PDF
14 Side-channel attacks
Reading: Metdown and Spectre attacks
PDF  
16 Course Summary PDF  


Class Place and Time:

Dates for assignments and mid-term exams are subject to change.

Lectures: Mon, Wed 4:00pm to 5:20pm     Room Old CS Rm 2311
First Lecture: Jan 27
Assignment 1: Feb 10 to 26
Mid term I: Mar 9, Room 2120
Assignment 2: Mar 11 to 25
Spring Break: Mar 16 to Mar 22
Assignment 3: Mar 30 to April 8
Mid term II: April 17 (Friday)
Last Lecture: May 6
Final Exam: May 12 (Tuesday) 8:30pm to 11:00pm     Room TBD

Instructor:

R. Sekar
Office: Rm 364 New Computer Science
Office Hours: Mon/Wed 3pm to 4pm

TA:

Rohit Aich
Office: Rm 346 New Computer Science
Office Hours: By Appointment
Email: raich at cs dot stonybrook dot edu


Texts:

There is no textbook for this course. We will rely primarily on class notes.


Grading

You will be handed homework problems sets in order to help you prepare for the exams. You will not have to submit solutions to these problem sets, but in order to encourage you to actually work out the problems, we will hold short quizzes in the class that test you on problems very similar to those in the problem sets. In order to reduce the stress involved in these quizzes, we automatically scale up quiz scores by a factor of 4/3, up to a maximum of 100%.

Your final grades will be computed as follows. You should expect some changes to the weightings over the semester.

Copying homework solutions or programming assignments from a fellow student or from the Internet, and all other forms of academic dishonesty, are considered serious offenses. They will be prosecuted to the maximum extent permitted by university policies.


Special Needs

If you have a physical, psychological, medical or learning disability that may impact on your ability to carry out assigned course work, I would urge that you contact the staff in the Disabled Student Services office (DSS), in the ECC building, 632-6748v/TDD. DSS will review your concerns and determine, with you, what accommodations are necessary and appropriate. All information and documentation of disability is confidential.


>