Introduction to Computer Security (18487/15487)

Fall 2016

Prof: Vyas Sekar
TAs: Tiffany Bao, Zachary Newman, Cortney Padua
Where:SH 125
When:M/W 2:30pm-4:20pm
Note the first day of classes will be on Wed, Aug 31. No class on Mon, Aug 29


This course will introduce students to the fundamentals of computer security. We will focus on software security, applied cryptography, network security, OS security, and privacy. A recurring theme will be security definitions, what kinds of security vulnerabilities may arise, and how to spot and fix vulnerabilities.

Office Hours and Locations

Vyas: Th 15:30--17:00 or by appointment, CIC 2122

Zach: Mon 17:00--18:00, CIC 2214

Tiffany: Tu 16:00--17:00, CIC 2214

Cortney: Wed 13:00--14:00, CIC 2214

Grading and Policies

We shift total points with respect to the highest cumulative score achieved by a single student (not considering extra credit). In more detail, let the highest cumulative score by a student be highest, and the total possible points be max. Define delta = max - highest. If you have cumulative points z, then your score is calculated as z + delta, and your percentage as (z + delta)/max. We then translate a percentage into a letter grade as follows:

  • 89.5 – 100: A
  • 79.5 – 89.4: B
  • 69.5 – 79.4: C
  • 59.5 – 69.4: D
  • < 59.5: F

The total points possible are allocated as follows:

  • 35% Homework
  • 30% Exam 1
  • 30% Exam 2
  • 5% Class Participation

Note that there are three exams: we will drop your lowest exam score.

Late Days

Late days interfere with the ability of course staff to quickly turn around assignment grades and solutions. The problem is we cannot give out solutions or graded assignments until everyone has turned in their work. Therefore, we only offer late days in emergency or exceptional circumstances, such as hospitalization. We do not offer late days for personal scheduling issues such as interviews, class load, etc.

Policies, Ethics, and Cheating

The course staff will treat all students ethically and fairly. We, in turn, expect the same from all students.

Any lapse in ethical behavior will immediately result in −1,000,000 points, as well as be immediately reported to the appropriate university disciplinary unit. Really. No matter what. The course staff looks at students who cheat or plagiarize as far beneath someone who fails the course.

This course will follow CMU’s policy on cheating and plagiarism. Note that the policy gives several examples of what constitutes cheating and plagiarism. If you have any questions, you should contact the instructors.

Students should behave ethically. This means obeying the law, but that is not enough. Behaving ethically means you avoid activities that do harm or may do harm to people, the environment, or other computers. In short, don't be a nuisance.

Note just because you can do something (or you read about others doing it) does not make it ok. For example, scanning a network may not be illegal (I am not a lawyer, so I shy away from definitive statements). However, scanning can crash computers. For example, we know of several very popular commodity-grade IP cameras that crash when you scan them. Sure, the camera software is buggy. But is there any reason for you, not being a professional, to crash a camera monitoring a baby? Launching exploits, “testing” the security of a system without explicit permission from all necessary parties, and so on are all unethical for the purpose of this course.

Collaboration. Students are encouraged to talk to each other, to the course staff, or to anyone else about any of the assignments. Assistance should be limited to discussion of the problem and sketching general approaches to a solution. Each student must turn in his or her own solution, derived from his or her own thoughts. Course staff may verify a student did the prescribed work by asking for a verbal explanation, and failure to correctly re-explain a submitted solution is considered a strong indication of cheating.


No class. First day of class will be Wed, Aug 31

29 Aug 2016

Course Overview

31 Aug 2016 | 01-introduction.pptx

This lecture will give a high-level overview of the course, including topics covered, learning goals, and course mechanics.

Reading: On Trusting Trust

No Class

05 Sep 2016

University holiday: Labor day. Enjoy the day off!

Compilation and Execution Semantics

07 Sep 2016 | 02-compilation.pptx

This lecture will review the material up through Chapter 3 of CS:APP from 15-213. We will cover the parts of the compilation tool chain and operations at the assembly level, including control flow, the memory model, and stack frames.

Reading: Chapter 3 of Computer Systems: A Programmers Perspective Volume 2.

Control Flow Attacks

12 Sep 2016 | 03-controlflow-attacks.pptx

In this lecture we will present control flow hijack attacks that gain control of the instruction pointer. We focus on buffer overflows and format string exploits.


Thinking Up Exploits

14 Sep 2016

We will do an in-class activity where the goal is to think through vulnerable code and develop an exploit. To make it even more fun, we will be doing it all without the help of a computer!

Control Flow Hijack Defenses

19 Sep 2016 | 05-controlflow-defense.pptx

This lecture will focus on control flow hijack defenses found in practice today, including canaries, DEP, and randomization (ASLR). We will also discuss methods for bypassing these defenses.


No Class

21 Sep 2016

No class (Vyas travel). Use this time to work on Assignment 1 :) The TAs will be available in class to answer any questions you may have about Assignment 1

Control Flow Integrity

28 Sep 2016 | 07-CFI.pptx

Control Flow Integrity (CFI) is a security property that specifies real executions should follow the static CFG. We will explore CFI, focusing on what “the” CFG is.

Reading: Control Flow Integrity: Principles, Implementations, and Applications

Optional Reading: Software Fault Isolation, Native Client

To learn more:

Software Security Review

03 Oct 2016 | 08-Software-Security-Review.pptx

This class will be a review period. We will provide approximately a 30 minute review, and then will open up the class for questions. Please think ahead of class what would be good questions; we are happy to answer anything. If there are no questions, it will be a short class.

Software Security Exam

05 Oct 2016

We will have the first exam of the course. It will cover all information covered to date. This will be a closed book, closed note, closed neighbor exam.

Introduction to Cryptography

10 Oct 2016 | 09-crypto-intro.pptx

In this lecture we will provide a high-level introduction to cryptography, including an overview of primitives and security models.

Reading: Handbook of Applied Cryptography Chapter 1

To learn more: Watch the Coursera Course on Cryptography

Pseudorandom functions

12 Oct 2016 | vyas | 10-prf-prp-hash-prng.pptx

We will cover the principles of pseudorandom functions, permutations, and introduce the notion of adversarial games to prove security properties of cryptographic constructions.

Secrecy and Symmetric Key Ciphers

17 Oct 2016 | 11-crypto-block-ciphers.pptx

We will cover the principle of secrecy (sometimes called privacy), stream ciphers, block ciphers, and block cipher modes.

Integrity, Hashes, and MACS

19 Oct 2016 | vyas | 12-crypto-mac-authenc.pptx

This lecture will look at the property of integrity, and the crypto primitives hashes and macs. We will also cover basics of authenticated encryption, which is a commonly used operation.

Public Key Cryptography and TLS

24 Oct 2016 | 13-crypto-public-key.pptx

In this lecture we will cover the fundamentals of public key cryptography, focusing on RSA and Diffie-Hellman as examples. We will also provide an overview of all the primitives in action, using TLS as an example.


Introduction to Network Security

26 Oct 2016 | 14-netsec-intro.pptx

This lecture will give a broad overview of network security.

Optional Reading:

Crypto Review

31 Oct 2016 | vyas | 15-crypto-review.pptx

This will be a review session for all lectures on cryptography. Please think ahead of time what questions you may have.

Crypto Exam

02 Nov 2016

We will have the second exam of the course. It will cover all information covered to date. This will be a closed book, closed note, closed neighbor exam.

IDS and Detection Theory

07 Nov 2016 | 17-netsec-firewalls-ids.pptx

This lecture will discuss intrusion detection (and prevention) systems. We will cover design considerations in stateful vs stateless detection systems. Finally, we will cover some basic detection theory, focusing on the base rate fallacy.


Web Security Part 1

09 Nov 2016 | vyas | 17-web-security.pptx

This lecture will cover web security, including vulnerabilities such as injection attacks, XSS, and CSRF.

Web Security Part 2

14 Nov 2016 | vyas | 17-web-security.pptx

This lecture will cover web security, including vulnerabilities such as injection attacks, XSS, and CSRF.

BGP and DDoS

16 Nov 2016 | 18-routing-ddos.pptx

This lecture will cover BGP and DDoS.

Optional Readings: Beware of BGP Attacks

A Taxonomy of DDoS Attacks and Defenses

OS Security and The Gold Standard

21 Nov 2016 | vyas | 21-system-security.pptx

This lecture will focus on OS security and the three “AU”’s: authentication, authorization, and audit.

Optional Readings:

Computer Security in the Real World

Protection of Information


23 Nov 2016

Today is a University holiday. Enjoy the day off!

Introduction to Mobile Security

28 Nov 2016 | 20-wireless-mobile.pptx

This lecture will discuss issues on wireless and mobile security.

Network and OS Review Day

30 Nov 2016 | vyas | 22-course-review.pptx

We will have about a 30 minute review of all material in the third part of this class. The rest of the time will be devoted to questions and answers, so make sure you bring good questions.

Exam 3

05 Dec 2016

This will be our third and final exam. Like previous exams it will be closed book, closed note, closed neighbor. The exam will focus on the last third of the course, but any material over the entire semester is game.

Course Special Topics

07 Dec 2016

We will have an end-of-course special topics session. Vote on piazza for the topics you want to see covered!


Assignment 1 Released: September 16, 2016; Due: September 23, 2016
Assignment 2 Released: October 22, 2016; Due: October 29, 2016
Assignment 3 Released: November 14, 2016; Due: November 23, 2016. No Piazza support after November 21st.