Lecture Time/Location
Tuesday/Thursday 10:30am–11:50am, Earth Science 245
Instructor
Amir Masoumzadeh (amasoumzadeh@albany.edu)
  • Office Hours: Tuesday/Thursday 4pm–5pm (Zoom link on Blackboard), or by appointment
Teaching Assistant
Sahil Ghauri (sghauri@albany.edu)
  • Office Hours: Monday 4pm–5pm (UAB 412D), Wednesday 4pm–5pm (Zoom link on Blackboard), or by appointment

Course Overview

This course introduces students to the fundamental and technical problems surrounding computer security. The course reviews basic security concepts, design principles, and mechanisms. Throughout the course and based on hands-on exercises, students will develop an in-depth understanding of several vulnerabilities and corresponding countermeasures in system security, web security, and network security areas. Topics include privilege escalation, buffer overflow, race condition, SQL injection, cross-site scripting, packet spoofing, TCP attacks, and firewalls.

Student Learning Objectives / Outcomes

Students who successfully complete this course will be able to

Prerequisites

CSI 333 or ECE 233 (formerly ECE 333).

Additional Notes: You are expected to have a good understanding of operating systems and systems programming. You need to be familiar with Linux command line interface and be able to code in C. Also, general knowledge of discrete math and networking can be helpful.

Readings

Required Textbook: Wenliang Du, “Computer & Internet Security: A Hands-on Approach” (2nd/3rd Edition).

The chapter numbers in the schedule are based on the 2nd edition (ISBN-13: 978-1733003933, 2019) of the textbook. However, you can also use the 3rd edition (ISBN-13: 978-1733003940, 2022). The 3rd edition is slightly different (misses a few chapters and adds some new chapters).

Communication and Submissions

The course syllabus and schedule is available on the course webpage. Most of the tasks in this class will be handled via course GitHub organization including the distribution of notes, assignments, assignment submission, and feedback. You will be invited to join the organization in the first week of classes. We will also use Blackboard for communication and for your grades.

Assessment and Grading

You will be assessed based on the following:

In-Class Exercises
You will work on small in-class exercises either individually or in teams. Submissions are only accepted at the designated time during class. Missing submissions (including due to absence) will result in not receiving the grade for the associated exercises. Up to 10% of exercises will be dropped from your grade calculation to accommodate unforeseen situations.
Homework/Lab Assignments
You will work on about 12 take-home lab assignments. Your lowest lab grade will be dropped from your grade calculation.
Exams
You will take a midterm exam (taken during regular class sessions) and a final exam.
Final Project
Students taking CSI 524 are required to work on a final project. The final project is optional for students taking CSI 424. The requirements for the final project will be described in its corresponding GitHub repository.
Final Numerical Grade
Your final numerical grade will be a weighted combination depending on which section of the class you are taking:
Course In-Class Labs Project Exam 1 Exam 2
CSI 424 5% 45% Optional (+10%) 25% 25%
CSI 524 5% 25% 20% 25% 25%

The course is A-E graded. Conversion from the final numerical grade to the letter grade is based on cutoffs determined according to the grade distribution in the class. This results in more flexible and favorable grades compared to using a fixed conversion scale.

Schedule

The following schedule is tentative and will be regularly updated. It is your responsibility to check the schedule regularly. The plus sign (+) means optional reading.

Day Topic/Reading Assignment
Module 1: Introduction
Aug23 Course Overview, Setup
Aug25 Basic Security Concepts lab01 (setup) due Sep01
Aug30 Basic Security Concepts (cont.), Security Policies
Sep01 Security Policies (cont.)
Sep06 Security Policies (cont.)
Module 2: Software Security
Sep08 SET-UID Programs lab02 (setuid) due Sep16
Sep13 SET-UID Programs (cont.)
Sep15 Environment Variables & Attacks
Sep20 Environment Variables & Attacks (cont.) lab03 (bof) due Sep30
Sep22 Buffer Overflow Attack
Sep27 Buffer Overflow Attack (cont.)
Sep29 Return-to-libc Attack lab04 (ret2libc) due Oct04
Oct04 Race Condition Vulnerability lab05 (race) due Oct14
Oct06 Midterm Exam
Oct11 No Class (Fall Break)
Module 3: Web Security
Oct13 Cryptography Basics
  • Textbook: Chapters 21.1-21.3, 23.1-23.3
Oct18 Web Systems & Policies
Oct20 Cross Site Request Forgery Attack lab06
Oct25 Cross Site Scripting Attack lab07
Oct27 SQL Injection Attack lab08
Nov01 SQL Injection Attack (cont.)
Module 4: Network Security
Nov03 Packet Sniffing and Spoofing lab09
Nov08 Packet Sniffing and Spoofing (cont.)
Nov10 Attacks on TCP Protocol lab10
Nov15 Attacks on TCP Protocol (cont.), Firewalls lab11
Nov17 Domain Name System (DNS) and Attacks
Nov22 Domain Name System (DNS) and Attacks (cont.) lab12
Module 5: Misc. Topics
Nov24 No Class (Thanksgiving Break)
Nov29 TBA
Dec01 Project Presentations
Dec10 Final Exam (Dec10, 10:30am-12:30pm)

Policies

No Late Submission
Assignments will be released at least a week before their due date. You are highly recommended to study an assignment as soon as it becomes available. There will be ample opportunities to benefit from office hours and communication with me and the TAs before the due date. Assignments are due at 11:59pm on the day of their deadline. Submissions after due time will receive no points.
Review of Grades
Any issue regarding your grade in a specific assignment must be communicated to us no later than 5 business days after the posting day of the grades. There will be no re-grading after the 5-day period has passed.
Attending Classes
Class attendance is required for successful completion of this course.
Attending Exams
The midterm exam is given in regular hours of the class. The final exam will be during the final exam period. Tentative exam dates are given in the course schedule, and there will be usually reminders about them in the lectures. Makeup exams will be given only for valid and verifiable extenuating circumstances (e.g., a major medical situation). It is the student’s responsibility to contact the instructor at least a week ahead of the exam date and arrange to take a makeup exam at an alternate date/time. Makeup exams are not guaranteed and will be generally harder than the regular exams.
Academic Integrity
It is every student’s responsibility to become familiar with the standards of academic integrity at the University. Claims of ignorance, of unintentional error, or of academic or personal pressures are not sufficient reasons for violations of academic integrity. Any incident of academic dishonesty can result in (i) no credit for the affected assignment, (ii) report to the appropriate University authorities (e.g., Dean of Undergraduate Education or Graduate Studies), and/or (iii) a failing grade for the course.

For all assignments and papers, you must submit your own work, except where collaboration is explicitly permitted or required. Also, you must properly cite any resources from which you borrow ideas and clearly distinguish them from your contributions.

Use of Electronic Devices
Computers or other electronic devices may be only used during class for note-taking, in-class exercises, or other class-related activities. You are not allowed to perform any unrelated tasks during class.
Students with Disabilities
Reasonable accommodation will be provided for students with documented disabilities. If you believe you have a disability requiring accommodation in this class, please notify the Disability Access and Inclusion Student Services (DAISS) (Campus Center 130, 518-442-5501). That office will provide me with verification of your disability, and will recommend appropriate accommodations. In general, it is your responsibility to contact me at least one week before the relevant activity to make arrangements.
Mental Health
As a student, there may be times when personal stressors interfere with your academic performance and/or negatively impact your daily life. The University at Albany Counseling and Psychological Services (CAPS) provides free, confidential services including individual and group psychological counseling and evaluation for emotional, social, and academic concerns. Given the COVID pandemic, students may consult with CAPS staff remotely by telephone, email, or Zoom appointments regarding issues that impact them or someone they care about. For questions or to make an appointment, call (518) 442-5800 or email consultation@albany.edu. Visit https://www.albany.edu/caps/ for hours of operation and additional information.

If your life or someone else’s life is in danger, please call 911. If you are in a crisis and need help right away, please call the National Suicide Prevention Lifeline at 1-800-273-TALK (8255). Students dealing with heightened feelings of sadness or hopelessness, increased anxiety, or thoughts of suicide may also text “GOT5” to 741741 (Crisis Text Line).

Health and Safety Protocols
The university health and safety protocols including face mask guidelines will be strictly followed. See the university’s basic safety protocols for details.