CE 40-441: Data & Network Security
Saturday/Monday 1330-1500
Office Hours: Email me for a time slot
TAs: Mohammad Haddadian
Description: This is an introductory course to computer security. This course is primarily based on the Computer Security course taught by Dan Boneh at Stanford University.
Prerequisites: 40-443 Computer Networks
Acknowledgment: This course is primarily based on the Computer Security course taught by Dan Boneh at Stanford University.
- Grading policy is as follows. This is tentative.
- 40% Homeworks
- 10% Parcham (Level 1 questions)
- 20% to 10% Parcham (Level 2 questions); the weight within this range is set by dynamic grading
- 10% Select CTFs
- 30% Final
There will be no exceptions to the following rules:
- If you turn in your assignments one day late you will lose 25% of the grade, two days will cost you 50% and three days 75% of the grade. No submissions will be accepted after the third day. The penalty may be calculated continuously, per hour of delay.
- There will be a zero tolerance policy for cheating/copying HWs. The first time you are caught, you will receive a zero for the task at hand. If you are caught for a second time, you will fail the course. Providing your assignment to someone else is considered cheating on your behalf.
- Each of you has a 3 day extension you could use over the individual assignments. The minimum you could use at each instance is a 1 day extension. So you cannot extend HW1 by 12 hours and then HW2 by 60 hours. You could use the 3 days with one HW, or 1 day for each HW, or 2 days for HW1 and 1 day for HW2, or 1 day for HW1 and 2 days for HW2, or ... (I hope you get the idea!)
- The 3 day extension will be applied to HW deadlines and whatever remains could be carried over to the next HW deadline and so on. The 3 day extension cannot be applied to the Parcham challenges.
- There is a good probability that things go south (e.g. you get sick, the network fails, your computer crashes, there is a bug in the HW, the server fails) as the deadline approaches. Such issues will not result in an extension to the deadline. So keep that in mind and plan for Murphy's law in advance; do not leave things to the last minute.
- There will be a zero tolerance policy for any misuse of the course infrastructure (e.g. Judge, Tarasht), regardless of the intent.
- If any of the class policies are unclear, they should be brought up and discussed in the first week of the semester at hand.
- HW 1: [PDF], Available: 1400/7/6, Deadline: Parts 1 & 2: 1400/7/23, 11:59PM; Part 3: 1400/8/1, 11:59PM.
- HW 2: [PDF], Available: 1400/8/8, Deadline: 1400/8/27, 11:59PM.
- HW 3: [PDF], Available: 1400/9/8, Deadline: 1400/9/22, 11:59PM.
- Parcham 0 (Intro): [PDF] [File], Available: 1400/6/27, Deadline: 1400/7/10.
- Parcham 1 (Exploit): [PDF], Available: 1400/7/15, Deadline: 1400/7/29.
- Parcham 2 (Web): [PDF], Available: 1400/8/14, Deadline: 1400/9/1.
- Parcham 3 (Crypto): [PDF], Available: 1400/9/5, Deadline: 1400/9/14.
- Parcham 4 (Forensics, Android or Misc.): [PDF], Available: 1400/9/20, Deadline: 1400/9/30.
Course Material: This is a tentative class schedule.
- Lecture 0- Pre-Intro! [PDF]
- Lecture 2- Control hijacking attacks: exploits [PDF] - Supplement Slides [PDF]
  - Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, Cowan, C., Wagle, F., Pu, C., Beattie, S., & Walpole, J., 2000
  - Basic Integer Overflows, blexim, 2002
  - Bypassing Browser Memory Protections, A. Sotirov, 2008
  - Exploiting CVE-2014-0282, Katy Winterborn, NCC Group, 2015
- Lecture 3- Control hijacking attacks: defenses [PDF]
- Lecture 3- Control hijacking attacks: exploits and defenses (cont'd)
- Lecture 4- Principle of least privilege, access control, and operating systems security [PDF]
- Lecture 5- Isolation and Sandboxing [PDF]
- Lecture 6- Testing for vulnerabilities using fuzzing, static, and dynamic analysis [PDF]
  - How hackers look for bugs, Dave Aitel
  - An example: Exploiting Broadcom's Wi-Fi Stack, by Gal Beniamini, Google Project Zero
  - Real world fuzzing, Charlie Miller, 2007
  - Effective Bug Discovery, vf, 2006
  - Using Programmer-Written Compiler Extensions to Catch Security Holes (Sections 1-2), Ashcraft and Engler
  - Vulnerability Factors in New Web Applications, Bau, Wang, Bursztein, Mutchler and Mitchell
- Lecture 6- Testing for vulnerabilities (cont'd)
- Lecture 7- Basic web security model [PDF]
  - Securing Browser Frame Communication, Adam Barth, Collin Jackson, and John C. Mitchell, 2008
  - The Security Architecture of the Chromium Browser, Adam Barth, Collin Jackson, Charles Reis, and the Google Chrome Team, 2008
  - Analyzing and Defending Against Web-based Malware, J. Chang et al.
  - Exposing private information by timing web applications, A. Bortz, D. Boneh, and P. Nandy, 2007
  - Web workers
  - Content Security Policies
  - Sandboxed iFrames
- Lecture 8- Web application security [PDF]
- Lecture 8- Web application security (cont'd)
- Lecture 9- Brief overview of cryptography [PDF]
- Lecture 10- Web session management [PDF]
- Lecture 11- HTTPS: goals and pitfalls [PDF]
- Lecture 12- Internet Protocol Security [PDF]
- Lecture 12- Internet Protocol Security (cont'd)
- Lecture 13- Internet Protocol Security (cont'd) and DDoS [PDF]
- Lecture 14- Unwanted traffic: denial of service attacks [PDF]
  - DDoS amplification attack statistics, 2017
  - The real cause of large DDoS - IP Spoofing, Marek Majkowski, 2018
  - Details of a recent large-scale DDoS event, 2013
  - Practical network support for IP Traceback, S. Savage, et al., 2000
  - A DoS-Limiting Network Architecture, Yang, Wetherall, and Anderson, 2005
- Lecture 14- Unwanted traffic: denial of service attacks (cont'd)
- Lecture 15- Android and iOS: mobile platform security architecture [PDF]
- Lecture 16- Android Security: Taming the complex ecosystem [PDF]
  - Understanding Android Security, Enck, Ongtang, and McDaniel, 2009 (Security Enforcement section)
  - The Android Platform Security Model, 2019
  - A Large-Scale Study of Mobile Web App Security, P. Mutchler, A. Doupe, J. Mitchell, C. Kruegel, and G. Vigna, 2015
- Lecture 16- Android Security: Taming the complex ecosystem (cont'd)
- Lecture 17- Trusted Computing and SGX [PDF]