CSE 509 Computer System Security

Spring 2020


Course Description

In the class, we will discuss the principles and practice of computer system security, with particular emphasis on:

One of the main objectives of this course is adversarial thinking: students should be able to quickly zoom in on the weakest link in any security technology or system design. Students should be able to imagine how an attacker might break their system, and build in protection and mitigation measures to ward off such attacks.

This is a hands-on course, where students learn by carrying out programming assignments. Some assignments will be aimed at in-depth understanding of software vulnerabilities by developing exploits. Others will be aimed at mitigation techniques to block exploits, or more generally, enforce policies that contain damage. Some of these assignments give students a sense of hands-on work that security professionals perform. Most will be designed to provide a taste of research in software and systems security. Most assignments are best carried out by teams of two. Please find a suitable project partner right at the beginning of the course in order to avoid problems later. You can do the projects alone, but that obviously will mean more effort.

Course Topics

The topics covered in the course can be divided into two parts: foundations, and applications. Although the two parts are presented in sequence below, in reality, the lectures will alternate between the two.


Contemporary Threats, Vulnerabilities and Defenses


An outline of the entire course is available. Also available is a single PDF file containing all the slides covered in class.

The text notes (last column in the table) were put together by students in a past offering of the course. They are provided for your benefit, but please keep in mind that they may be incomplete and may not have been updated to match the slides.

For topics marked with an asterisk, the lectures were recorded outside of normal class hours.

Topics and Lecture Recordings (with Slides and Notes where available)

1. Introduction | Slides: PDF
2a. Memory Corruption Vulnerabilities I (Reading: Smashing the stack for fun and profit) | Slides: PDF | Notes: TXT
2b. Homework I Discussion
2c. Memory Corruption Vulnerabilities II | Slides: PDF
3. More Software Vulnerabilities | Slides: PDF
4. Malware
  • Types and goals of malware: 24 mins, 18 mins
  • Stealth, obfuscation and challenges of malware defense: 24 mins
5. Defenses for Untrusted Code and Malware | Slides: PDF | Notes: PDF
5a. Midterm review discussion
5b. Homework II Discussion: 25 min | Slides: PDF
6. Binary analysis and instrumentation | Slides: PDF | Notes: PDF
7. Cryptography Basics*
  • Introduction: 14 mins
  • Symmetric (Secret Key) Cryptography: Overview 5 mins, Ciphers and algorithms 8 mins
  • Asymmetric (Public Key) Cryptography: 16 mins
  • Public vs Secret key encryption: 5 mins
  • Cryptographic random numbers: 10 mins
  • Digital signatures and message digests: 8 mins
  • Digital certificates: 5 mins
8. Identification and Authentication: 1h 11m, 1h 6m
  Reading: Password Security: A Case History
  Reading: Lamport's One-Time Password Scheme
9. OS Security and Access Control
  Reading: Revisiting "Setuid Demystified"
  Reading: Confining Root Programs with Domain and Type Enforcement
10. Virtual Machines: 1hr 6 mins | Slides: PDF
10a. Midterm II review and Assignment 3 discussion: 57 mins
11. Web security
  • Web overview: HTTP, Cookies, JavaScript and DOM: 48 mins, 14 mins*
  • Authentication*: 7 mins
  • Same Origin Policy*: 22 mins
  • CSRF and Clickjacking*: 28 mins
  • XSS and related attacks*: 41 mins (Access Password: b2!@*6af)
  • Network based attacks*: 13 mins (Access Password: R3@!&AWy)
  • Client-side attacks and summary*: 12 mins
12. Vulnerability analysis: Fuzzing and Symbolic Execution: 1:12 | Slides: PDF
13. Side-channel attacks: 0:51
  Reading: Meltdown and Spectre attacks
14. Intrusion Detection: 0:48 | Slides: PDF
15. Advanced Topics: Sampling of Research at seclab@SBU: 0:27, 0:50 | Slides: PDF
16. Course Summary: 0:10 | Slides: PDF

Class Place and Time:

Dates for assignments and mid-term exams are subject to change.

Lectures: Mon, Wed 4:00pm to 5:20pm, Room: Old CS Rm 2311
First Lecture: Jan 27
Assignment 1: Feb 10 to 26
Mid term I: Mar 9, Room 2120
Assignment 2: Mar 11 to 25
Spring Break: Mar 16 to Mar 22
Mid term II: April 22
Last Lecture: May 6
Final Exam: May 12 (Tuesday) 8:30pm to 11:00pm


Instructor

R. Sekar
Office: Rm 364 New Computer Science
Office Hours: Mon/Wed 3pm to 4pm


Teaching Assistant

Rohit Aich
Office: Rm 346 New Computer Science
Office Hours: By Appointment
Email: raich at cs dot stonybrook dot edu


Texts

There is no textbook for this course. We will rely primarily on class notes.


Grading

You will be handed homework problem sets to help you prepare for the exams. You will not have to submit solutions to these problem sets, but to encourage you to actually work out the problems, we will hold short in-class quizzes that test you on problems very similar to those in the problem sets. To reduce the stress involved in these quizzes, we automatically scale up quiz scores by a factor of 4/3, up to a maximum of 100%.

Your final grades will be computed as follows. You should expect some changes to the weightings over the semester.

Copying homework solutions or programming assignments from a fellow student or from the Internet, and all other forms of academic dishonesty, are considered serious offenses. They will be prosecuted to the maximum extent permitted by university policies.

Special Needs

If you have a physical, psychological, medical or learning disability that may impact your ability to carry out assigned course work, I urge you to contact the staff in the Disabled Student Services office (DSS), in the ECC building, 632-6748v/TDD. DSS will review your concerns and determine, with you, what accommodations are necessary and appropriate. All information and documentation of disability is confidential.