18-487 Fall 2013
Instructor: David Brumley
| Course Time: | Monday, Wednesday 2:30pm-4:20pm | 
| Course Location: | PH A20 | 
| Course Instructor: | David Brumley. Office Hours: Wednesday immediately after class until 5pm |
| Teaching Assistants: | Ed Schwartz. Office Hours: Monday immediately after class until 5:30pm. |
| | Greg Nazario. Office Hours: Thursday 3:30-5:30pm. Location: HH 1300 Wing |
| | Jonathan Burket. Office Hours: Tuesday 3:30-5:30pm. Location: CIC 2315B |
| Academic Assistant: | Chelsea Mastilak, 1112 Hamerschlag Hall | 
| Prerequisites: | 15-213 and 15-214, or permission of instructor | 
| Number of units: | 12 | 
| Undergraduate course designation: | Depth, Coverage | 
| Undergraduate Course Area: | Computer Software | 
| Required Textbook: | None | 
Security is now a core requirement when creating systems and software. This course will introduce students to the fundamentals of computer security and applied cryptography. Topics include software vulnerability analysis, defense, and exploitation, reverse engineering, networking and wireless security, and applied cryptography. Students will also learn the fundamental methodology for how to design and analyze security critical systems.
This course covers three basic areas in computer security:
Grading
I will guarantee at least the following grades:
I may lower the points necessary to achieve a grade, but I will not raise them.
Breakdown
I will use the following breakdown:
Late Days
Late days interfere with the ability of course staff to quickly turn around assignment grades and solutions. The problem is we cannot give out solutions or graded assignments until everyone has turned in their work. Therefore, we only offer late days in emergency or exceptional circumstances, such as hospitalization. We do not offer late days for personal scheduling issues such as interviews, class load, etc.
Policies
The course staff will treat all students ethically and fairly. We, in turn, expect the same from all students.
Any lapse in ethical behavior will immediately result in -1,000,000 points, as well as be immediately reported to the appropriate university disciplinary unit. Really. Even if you just have to pass the class, even if you didn't know it was cheating or plagiarism, and even if it will never happen again. Prof. Brumley is very, very tough and intolerant of cheating, plagiarism, or unethical behavior.
This course will follow CMU's policy on cheating and plagiarism. Note that the policy gives several examples of what constitutes cheating and plagiarism. If you have any questions, you should contact the instructor. We have one additional rule: don't be a nuisance. Even if something is legal, that doesn't mean it is necessarily ok.
Please ask the course staff if you have any questions regarding whether a particular behavior is OK or not. In particular:
The schedule below is subject to changes. Please check back regularly.
| Num | Date | Subject and Slides | Reading/Materials | 
|---|---|---|---|
| 01 | 08/26/2013 | Introduction [PDF] | Trusting Trust | 
| 02 | 08/28/2013 | Compilation and basic executions semantics [PDF] | CS:APP Chapter 3 | 
| N/A | 09/02/2013 | No Class | |
| 03 | 09/04/2013 | Control flow attacks [PDF] | |
| 04 | 09/09/2013 | Thinking up exploits | From Class: |
| 05 | 09/11/2013 | Control flow attack defenses [PDF] | Homework 1 Out | 
| 06 | 09/16/2013 | Return-oriented programming [PDF] | |
| 07 | 09/18/2013 | CFI and Reference Monitors [PDF] | Control Flow Integrity: Principles, Implementations, and Applications (Note: I have here the conference version. There is also a longer, more complete journal version.) Homework 1 Due | 
| 08 | 09/23/2013 | Review [PDF] | |
| N/A | 09/25/2013 | Exam 1 | |
| 09 | 09/30/2013 | Introduction to cryptography [PDF] | Mihir Bellare's Introduction to Modern Cryptography: | 
| 10 | 10/02/2013 | OTPs, PRNGs, and proving security [PDF] | |
| 11 | 10/07/2013 | Block ciphers (Ed Schwartz) [PDF] | |
| 12 | 10/09/2013 | MACs and hashes [PDF] | |
| 13 | 10/14/2013 | Authenticated encryption [PDF] | Homework 2 Out | 
| 14 | 10/16/2013 | Public key crypto [PDF] | |
| 15 | 10/21/2013 | Review | Homework 2 Due | 
| N/A | 10/23/2013 | Exam 2 | |
| 16 | 10/28/2013 | Canceled | |
| 17 | 10/30/2013 | Online Crime (Nicolas Christin) | Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade, except section 5 | 
| 18 | 11/04/2013 | Web Security 1 (Jonathan) [PDF] | |
| 19 | 11/06/2013 | Web Security 2 (Jonathan) | |
| 20 | 11/11/2013 | Mobile Security [PDF] | |
| 21 | 11/13/2013 | No Class | |
| 22 | 11/18/2013 | IDS and Detection Theory [PDF] | The base-rate fallacy and its implications for the difficulty of intrusion detection Homework 3 Out | 
| 23 | 11/20/2013 | Cancelled | A Survey of BGP Security, up through and including section IV.A | 
| 24 | 11/25/2013 | The Coolest Bug Contest | Homework 3 Due | 
| N/A | 11/27/2013 | No Class - Thanksgiving | |
| 25 | 12/02/2013 | Review [PDF] | |
| N/A | 12/04/2013 | Exam 3 | |
I am the faculty advisor for PPP, the CMU hacking team. Please visit their website for information. I recommend signing up for their mailing list, and regularly attending meetings.