Introduction to Computer Security, Network Security, and Applied Cryptography

18-487 Fall 2013
Instructor: David Brumley

Course Time: Monday, Wednesday 2:30pm-4:20pm
Course Location: PH A20
Course Instructor: David Brumley. Office Hours: Wednesday immediate after class until 5pm
Teaching Assistants: Ed Schwartz. Office Hours: Monday immediately after class until 5:30pm.
Greg Nazario. Office Hours: Thursday 3:30-5:30pm. Location: HH 1300 Wing
Jonathan Burket. Office Hours: Tuesday 3:30-5:30pm. Location: CIC 2315B
Academic Assistant: Chelsea Mastilak, 1112 Hamerschlag Hall
Prerequisites: 15-213 and 15-214, or permission of instructor
Number of units: 12
Undergraduate course designation: Depth, Coverage
Undergraduate Course Area: Computer Software
Required Textbook: None

Security is now a core requirement when creating systems and software. This course will introduce students to the fundamentals of computer security and applied cryptography. Topics include software vulnerability analysis, defense, and exploitation, reverse engineering, networking and wireless security, and applied cryptography. Students will also learn the fundamental methodology for how to design and analyze security critical systems.

This course covers three basic areas in computer security:

  • Software security. In this portion of the course we will investigate common types of vulnerabilities ranging from buffer overflows to injection attacks. Students will become adept at reverse engineering, identifying flaws, and exploitation. The goal is for students to be able to i) recognize vulnerabilities, ii) understand the fundamental characteristics of the vulnerabilities, and iii) understand current defenses.
  • Network security.
  • Applied Cryptography.


I will guarantee at least the following grades:

  • 89.5 - 100: A
  • 79.5 - 89.4: B
  • 69.5 - 79.4: C
  • 59.5 - 69.4: D
  • < 59.5: F

I may lower the points necessary to achieve a grade, but I will not raise them.


I will use the following breakdown:

  • 35% Homework
  • 30% Exam 1
  • 30% Exam 2
  • 5% Participation and attendance

Late Days

Late days interfere with the ability of course staff to quickly turn around assignment grades and solutions. The problem is we cannot give out solutions or graded assignments until everyone has turned in their work. Therefore, we only offer late days in emergency or exceptional circumstances, such as hospitalization. We do not offer late days for personal scheduling issues such as interviews, class load, etc.


The course staff will treat all students ethically and fairly. We, in turn, expect the same from all students.

Any lapse in ethical behavior will immediately result in -1,000,000 points, as well as be immediately reported to the appropriate university disciplinary unit. Really. Even if you just have to pass the class, even if you didn't know it was cheating or plagiarism, and even if it will never happen again. Prof. Brumley is very, very tough and intolerant of cheating, plagiarism, or unethical behavior.

This course will follow CMU's policy on cheating and plagiarism. Note that the policy gives several examples of what constitutes cheating and plagiarism. If you have any questions, you should contact the instructor. We have one additional rule: don't be a nuisance. Even if something is legal, that doesn't mean it is necessarily ok.

Please ask the course staff if you have any questions regarding whether a particular behavior is OK or not. In particular:

  • Don't break laws or cause a nuisance. This course discussed security-related topics. As such, you will be exposed to ideas and techniques that could be used to break the law. This knowledge does not mean it is OK to break the law or cause a nuisance. Examples of prohibited activities include scanning networks, launching exploits, "testing" the security of a system without explicit permission from all necessary parties, and so on.
  • Collaboration. Students are encouraged to talk to each other, to the course staff, or to anyone else about any of the assignments. Assistance should be limited to discussion of the problem and sketching general approaches to a solution. Each student must turn in his or her own solution.

The schedule below is subject to changes. Please check back regularly.

Num Date Subject and Slides Reading/Materials
01 08/26/2013 Introduction [PDF] Trusting Trust
02 08/28/2013 Compilation and basic executions semantics [PDF] CS:APP Chapter 3
N/A 09/02/2013 No Class
03 09/04/2013 Control flow attacks [PDF]
04 09/09/2013 Thinking up exploits From Class:
05 09/11/2013 Control flow attack defenses [PDF] Homework 1 Out
06 09/16/2013 Return-oriented programming [PDF]
07 09/18/2013 CFI and Reference Monitors [PDF] Control Flow Integrity: Principles, Implementations, and Applications (Note: I have here the conference version. There is also a longer, more complete journal version.)

Homework 1 Due
08 09/23/2013 Review [PDF]
N/A 09/25/2013 Exam 1
09 09/30/2013 Introduction to cryptography [PDF] Mihir Bellare's Introduction to Modern Cryptography:
10 10/02/2013 OTPs, PRNGs, and proving security [PDF]
11 10/07/2013 Block ciphers (Ed Schwartz) [PDF]
12 10/09/2013 MACs and hashes [PDF]
13 10/14/2013 Authenticated encryption [PDF] Homework 2 Out
14 10/16/2013 Public key crypto [PDF]
15 10/21/2013 Review Homework 2 Due
N/A 10/23/2013 Exam 2
16 10/28/2013 Canceled
17 10/30/2013 Online Crime (Nicolas Christin) Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade, except section 5
18 11/04/2013 Web Security 1 (Jonathan) [PDF]
19 11/06/2013 Web Security 2 (Jonathan)
20 11/11/2013 Mobile Security [PDF]
21 11/13/2013 No Class
22 11/18/2013 IDS and Detection Theory [PDF] The base-rate fallacy and its implications for the difficulty of intrusion detection

Homework 3 Out
23 11/20/2013 Cancelled A Survey of BGP Security, up through and including section IV.A
24 11/25/2013 The Coolest Bug Contest Homework 3 Due
N/A 11/27/2013 No Class - Thanksgiving
25 12/02/2013 Review [PDF]
N/A 12/04/2013 Exam 3
Homework #1: Homework #2: Homework #3:

I am the faculty advisor for PPP, the CMU hacking team. Please visit their website for information. I recommend signing up for their mailing list, and regularly attending meetings.