Course Overview

This course introduces students to the fundamental and technical problems surrounding computer security. The course reviews basic security concepts, design principles, and mechanisms. Throughout the course and based on hands-on exercises, students will develop an in-depth understanding of several vulnerabilities and corresponding countermeasures in system security, web security, and network security areas. Topics include privilege escalation, buffer overflow, race condition, SQL injection, cross-site scripting, packet spoofing, TCP attacks, and firewalls.

Student Learning Objectives / Outcomes

Students who successfully complete this course will be able to

understand the threats and countermeasure techniques at network and system levels
analyze and inspect security and privacy requirements for systems
apply basic cryptographic and network security techniques to achieve basic security goals of a system
employ mechanisms and technologies to design and build secure systems

Prerequisites

For CSI 424: CSI 333 or I ECE 233 (formerly ECE 333)
For CSI 524: C or above in CSI 521 or passing the departmental examination in discrete math.

Additional Notes: You are expected to have a good understanding of operating systems and systems programming. You need to be familiar with Linux command line interface and be able to code in C. Also, general knowledge of discrete math and networking can be helpful.

Readings

Required Textbook: Wenliang Du, “Computer & Internet Security: A Hands-on Approach” (2nd/3rd Edition).

The chapter numbers in the schedule are based on the 2nd edition (ISBN-13: 978-1733003933, 2019) of the textbook. However, you can also use the 3rd edition (ISBN-13: 978-1733003940, 2022). The 3rd edition is slightly different (misses a few chapters and adds some new chapters).

Communication and Submissions

The course syllabus and schedule is available on the course webpage. Most of the tasks in this class will be handled via course GitHub organization including the distribution of notes, assignments, assignment submission, and feedback. You will be invited to join the organization in the first week of classes. We will also use Brightspace for announcements and for your grades.

Assessment and Grading

You will be assessed based on the following:

In-Class Exercises: You will work on small in-class exercises either individually or in teams. Submissions are only accepted at the designated time during class. Missing submissions (including due to absence) will result in not receiving the grade for the associated exercises. Up to 10% of exercises will be dropped from your grade calculation to accommodate unforeseen situations.
Lab Assignments: You will work on take-home virtual lab assignments that provides you hands-on experience with the theoretical concepts discussed in lectures. Completing the labs are essential to your success in this class. Some of the exam questions will be based on the lab assignments. Others may need your deep understanding of the concepts, which can be achieved by your lab exercises. Your lowest lab grade will be dropped from your grade calculation.
Exams: You will take a midterm exam (during the regular class sessions) and a final exam (during the final exam period).
Project: Students taking CSI 524 are required to work on a final project. The final project is optional for students taking CSI 424. The requirements for the final project will be described in its corresponding GitHub repository.
Final Numerical Grade: Your final numerical grade will be a weighted combination depending on which section of the class you are taking:

Course	In-Class	Labs	Project	Exam 1	Exam 2
CSI 424	5%	40%	Optional (+10%)	25%	30%
CSI 524	5%	20%	20%	25%	30%

The course is A-E graded. Conversion from the final numerical grade to the letter grade is based on cutoffs determined according to the grade distribution in the class. This results in more flexible and favorable grades compared to using a fixed conversion scale.

Schedule

The following schedule is tentative and will be regularly updated. It is your responsibility to check the schedule regularly. The plus sign (+) means optional reading.

Day	Topic/Readings/Assignment
Module 1: Security Basics
Aug26	Course Overview, Setup Assignment: lab01 (setup) due Sep04
Aug28	Basic Security Concepts Readings: Computer Security: Art and Science (2ed, Matt Bishop) - Chapter 1, Sections 1.1-1.3 Computer Security: Art and Science (2ed, Matt Bishop) - Chapter 14 (Direct links to sample chapters made available by the author – book website)
Sep02	Security Policies Readings: The Linux Command Line: Chapter 9 Samarati, de Vimercati, and Capitani, “Access Control: Policies, Models, and Mechanisms,” in Foundations of Security Analysis and Design, vol. 2171, Springer, 2001, pp. 137–196. Saltzer and Schroeder, “The protection of information in computer systems,” Proceedings of the IEEE 63(9), pp. 1278–1308, 1975 Assignment: lab02 (permissions) due Sep11
Sep04	Security Policies (cont.)
Module 2: Software Security
Sep09	SET-UID Programs Readings: Textbook: Chapter 1
Sep11	SET-UID Programs (cont.) Assignment: lab03 (setuid) due Sep18
Sep16	Environment Variables & Attacks Readings: Textbook: Chapter 2 Assignment: lab03 (setuid) due Sep23
Sep18	Environment Variables & Attacks (cont.) Readings: Tutorial of gcc and gdb Beej’s Quick Guide to GDB
Sep23	Buffer Overflow Attack Readings: Textbook: Chapter 4
Sep25	Buffer Overflow Attack (cont.) Assignment: lab04 (bof) due Oct02
Sep30	Return-to-libc Attack Readings: Textbook: Chapter 5
Oct02	Return-to-libc Attack (cont.) Assignment: lab05 (ret2libc) due Oct09
Oct07	Race Condition Vulnerability Readings: Textbook: Chapter 7
Oct09	Pre-midterm Review
Oct14	No Class (Fall Break)
Oct16	Midterm Exam
Module 3: Web Security
Oct21	Race Condition Vulnerability (cont.) Assignment: lab06 (race) due Oct28
Oct23	Cryptography Basics Readings: Textbook: Chapters 21.1-21.3, 23.1-23.3
Oct28	Cross Site Request Forgery Attack Readings: Textbook: Chapter 10 Assignment: lab07 (csrf) due Nov06
Oct30	Cross Site Request Forgery Attack (cont.)
Nov04	Cross Site Scripting Attack Readings: Textbook: Chapter 11 Assignment: lab08 (xss) due Nov11
Nov06	SQL Injection Attack Readings: Textbook: Chapter 12 Assignment: lab09 (sqli) due Nov13
Module 4: Network Security
Nov11	Packet Sniffing and Spoofing Readings: Textbook: Chapter 15 Beej’s Guide to Network Programming: sec3–sec5 Programming with pcap A Guide to Using Raw Sockets Assignment: lab10 (packets) due Nov18
Nov13	Attacks on TCP Protocol Readings: Textbook: Chapter 16
Nov18	Attacks on TCP Protocol (cont.) Assignment: lab11 (tcp) due Nov25
Nov20	Domain Name System (DNS) Readings: Textbook: Chapter 18 Assignment: lab12 (DNS) due Dec02
Nov25	Domain Name System (DNS) (cont.)
Nov27	No Class (Thanksgiving Break)
Projects and Final Review
Dec02	Final Review
Dec04	Project Presentations
Dec11	Final Exam (Thursday, Dec11, 3:30pm-5:30pm)

Policies

No Late Submission (Except One Assignment): Assignments will be released at least two weeks before their due date. You are highly recommended to study an assignment as soon as it becomes available. There will be ample opportunities to benefit from office hours and communication with the instructional team before the due date. Assignments are due at 11:59pm on the day of their deadline. Submissions after due time will receive no points. However, in order to account for unforeseen situations, you can request to submit only one assignment late. In order for your late assignment to be graded, you must email the instructor to request a late submission before the deadline. You should note that a late-submission request may not be always accepted (e.g., when the solutions need to be discussed in class immediately after a submission). Therefore, you are recommended to submit a version of your solution before the deadline if your request has not been reviewed yet. You have up to 3 days to submit after the deadline if your late-submission request is approved. Note that you only have one such opportunity during the semester. Therefore, it is advised to leave that option for truly critical situations. In the case of a team assignment, a late submission is considered for all team members.
Review of Grades: Any issue regarding your graded materials must be communicated to us no later than 5 business days after the posting day of the grades. There will be no re-grading after the 5-day period has passed.
Attending Classes: Class attendance is required for successful completion of this course.
Attending Exams: The midterm exam is given in regular hours of the class. The final exam will be during the final exam period. Tentative exam dates are given in the course schedule. Makeup exams will be given only for valid and verifiable extenuating circumstances (e.g., a major medical situation). It is the student’s responsibility to contact the instructor at least a week ahead of the exam date and arrange to take a makeup exam at an alternate date/time. If an absence in exam is expected due to religious observance, the student is responsible to notify the instructor at least 30 days before the exam date. Otherwise, their request may not be granted. Makeup exams are not guaranteed and will be generally harder than the regular exams.
Academic Integrity: It is every student’s responsibility to become familiar with the standards of academic integrity at the University. Claims of ignorance, of unintentional error, or of academic or personal pressures are not sufficient reasons for violations of academic integrity. Any incident of academic dishonesty can result in a zero grade for the affected course component and a report sent to the appropriate University authorities (e.g., Dean of Undergraduate Education or Graduate Studies). Repeated violations will result in a failing grade for the course.
For all assignments, you must submit your own work, except where collaboration is explicitly permitted or required. Providing your solutions to others or copying even parts of a solution is considered plagiarism. In projects/papers, you must properly cite any resources from which you borrow ideas and clearly distinguish them from your contributions.
Use of Electronic Devices: Computers or other electronic devices may be only used during class for note-taking, in-class exercises, or other class-related activities. You are not allowed to perform any unrelated tasks during class.
Students with Disabilities: Reasonable accommodation will be provided for students with documented disabilities. If you believe you have a disability requiring accommodation in this class, please notify the Disability Access and Inclusion Student Services (DAISS) (Campus Center 130, 518-442-5501). That office will provide me with verification of your disability, and will recommend appropriate accommodations. In general, it is your responsibility to contact me at least one week before the relevant activity to make arrangements.
Health and Well-Being: Your physical and mental health is very important. The university has several health services when you need them. In particular, Counseling and Psychological Services (CAPS) provides free, confidential services including psychological counseling and evaluation for emotional, social, and academic concerns.
If your life or someone else’s life is in danger, please call 911. If you are in a crisis and need help right away, please call the National Suicide Prevention Lifeline at 1-800-273-TALK (8255). Students dealing with heightened feelings of sadness or hopelessness, increased anxiety, or thoughts of suicide may also text “GOT5” to 741741 (Crisis Text Line).