18-487 Fall 2014
Instructor: David Brumley
| Course Time: | Monday, Wednesday 2:30pm-4:20pm |
| Course Location: | Hamerschlag Hall B103 |
| Course Instructor: | David Brumley Office Hours: Wednesday immediately after class, until 5pm |
| Teaching Assistants: | Peter Chapman peter@cmu.eduOffice Hours: Friday 10:00am–noon, CIC 2312 Zachary Weinberg zackw@cmu.eduOffice Hours: Monday 10:30am–noon, CIC 2312 |
| Academic Assistant: | Elizabeth Prelich-Knight, 1112 Hamerschlag Hall |
| Prerequisites: | 15-213, or permission of instructor |
| Number of units: | 12 |
| Undergraduate course designation: | Depth, Coverage |
| Undergraduate Course Area: | Computer Software |
| Required Textbook: | None |
Security is now a core requirement when creating systems and software. This course will introduce students to the fundamentals of computer security and applied cryptography. Topics include software vulnerability analysis, defense, and exploitation, reverse engineering, networking and wireless security, and applied cryptography. Students will also learn the fundamental methodology for how to design and analyze security critical systems.
This course covers three basic areas in computer security:
In this portion of the course we will investigate common types of vulnerabilities ranging from buffer overflows to injection attacks. Students will become adept at reverse engineering, identifying flaws, and exploitation. The goal is for students to be able to i) recognize vulnerabilities, ii) understand the fundamental characteristics of the vulnerabilities, and iii) understand current defenses.
I will guarantee at least the following grades:
I may lower the points necessary to achieve a grade, but I will not raise them.
I will use the following breakdown:
Although there are three exams, I will drop the lowest exam grade.
Late days interfere with the ability of course staff to quickly turn around assignment grades and solutions. The problem is we cannot give out solutions or graded assignments until everyone has turned in their work. Therefore, we only offer late days in emergency or exceptional circumstances, such as hospitalization. We do not offer late days for personal scheduling issues such as interviews, class load, etc.
The course staff will treat all students ethically and fairly. We, in turn, expect the same from all students.
Any lapse in ethical behavior will immediately result in −1,000,000 points, as well as be immediately reported to the appropriate university disciplinary unit. Really. Even if you just have to pass the class, even if you didn’t know it was cheating or plagiarism, and even if it will never happen again. Prof. Brumley is very, very tough and intolerant of cheating, plagiarism, or unethical behavior.
This course will follow CMU’s policy on cheating and plagiarism. Note that the policy gives several examples of what constitutes cheating and plagiarism. If you have any questions, you should contact the instructor. We have one additional rule: don’t be a nuisance. Even if something is legal, that doesn’t mean it is necessarily ok.
Please ask the course staff if you have any questions regarding whether a particular behavior is OK or not. In particular:
Don’t break laws or cause a nuisance. This course discusses security-related topics. As such, you will be exposed to ideas and techniques that could be used to break the law. This knowledge does not mean it is OK to break the law or cause a nuisance. Examples of prohibited activities include scanning networks, launching exploits, “testing” the security of a system without explicit permission from all necessary parties, and so on.
Collaboration. Students are encouraged to talk to each other, to the course staff, or to anyone else about any of the assignments. Assistance should be limited to discussion of the problem and sketching general approaches to a solution. Each student must turn in his or her own solution.
The schedule below is subject to changes. Please check back regularly.
| Num | Date | Subject and Slides | Reading/Materials |
|---|---|---|---|
| 08/25/2014 | Introduction | Trusting Trust | |
| 08/27/2014 | Compilation and basic executions semantics | CS:APP Chapter 3 | |
| 09/01/2014 | No Class. Official CMU Holiday | ||
| 09/03/2014 | Control flow attacks | ||
| 09/08/2014 | Thinking up exploits | ||
| 09/10/2014 | No Class. | ||
| 09/15/2014 | Control flow attack defenses | Homework 1 Out | |
| 09/17/2014 | Return-oriented programming |
|
|
| 09/22/2014 | CFI and Reference Monitors |
Control Flow Integrity: Principles, Implementations, and Applications (Note: I have here the conference version. There is also a longer, more complete journal version.) Homework 1 Due |
|
| 09/24/2014 | Review | ||
| 09/29/2014 | Exam 1 | ||
| 10/1/2014 | Class cancelled | ||
| 10/06/2014 | Introduction to cryptography | Mihir Bellare’s Introduction to Modern Cryptography: | |
| 10/08/2014 | |||
| 10/13/2014 | OTPs, PRNGs, and proving security | ||
| 10/15/2014 | OTPs, PRNGs, and proving security recap. Intro to block ciphers. | ||
| 10/20/2014 | Block ciphers continued. | ||
| 10/22/2014 | No Class. | ||
| 10/27/2014 | MACs and hashes | ||
| 10/29/2014 | Authenticated encryption | Homework 2 Out | |
| 11/03/2014 | Public key crypto | ||
| 11/05/2014 | Review | Homework 2 Due | |
| 11/10/2014 | Exam 2 | ||
| 11/12/2014 | Web Security 1: The Basics | ||
| 11/17/2014 | Web Security 2 | Homework 3 Out | |
| 11/19/2014 | Mobile Security [PDF] [ODP] | ||
| 11/24/2014 | IDS and Detection Theory | The base-rate fallacy and its implications for the difficulty of intrusion detection
Homework 3 Due |
|
| 11/26/2014 | No Class. Official CMU Holiday | ||
| 12/01/2014 | Review | ||
| 12/03/2014 | Exam 3 | You’re done! |
Do you want to become a skilled hacker? There is no substitute for practice. Luckily, CMU has one of the best competitive hacking teams in the world: PPP. I am the faculty advisor for PPP, the CMU hacking team. Please visit their website for information. I recommend signing up for their mailing list, and regularly attending meetings.