CSI 424/524: Information Security (Fall 2018)

Time/Location
Friday 2:45pm–5:35pm (ED 125)
Instructor
Amir Masoumzadeh (amasoumzadeh@albany.edu)
  • Office Hours: Tuesday 3pm–5pm (UAB 422), or by appointment
Teaching Assistant
Muralidhar Gopinath (mgopinath@albany.edu)
  • Ask questions on GitHub
  • Email for appointments

Course Overview

This course covers fundamental issues surrounding computer security. You will learn about security policies, models, and mechanisms. You will also learn about details of several system and web attacks by implementing them yourselves.

Learning Goals for Students

Students who successfully complete this course will be able to

Prerequisites

The prerequisite course for CSI 424 is CSI/CEN 400 or CSI 402. The prerequisite course for CSI 524 is CSI 500.

You are expected to have a good understanding of operating systems and systems programming. You need to be familiar with the Linux command-line interface and be able to code in C. Also, general knowledge of discrete math and networking can be helpful.

Readings

Required Textbook: Wenliang Du, “Computer Security: A Hands-on Approach,” ISBN: 978-1548367947, 2017.

We also rely on multiple other references (book chapters, articles, and tutorials) which are available publicly or via the University’s network.

You are required to read each session’s readings listed on the schedule before attending the class.

Communications and Submissions

The course syllabus and schedule are available on the course webpage. Most of the tasks in this class will be handled via GitHub, including distribution of notes and homework assignments, assignment submission, and feedback. We will also use Blackboard for announcements and your grades.

Assessment and Grading

Lab Assignments
There will be 11 take-home lab assignments (the lowest grade will be dropped).
In-Class Activities and Performance
A major component of your participation in the course will be involvement in class activities and discussions (both individually and in teams). There will also be occasional quizzes on material covered in the previous class session.
Exam
There will be a midterm and a final exam. The final exam is cumulative.
Final Grade
It will be a weighted combination depending on which section of the class you are taking:
Course    Labs  Project         In-Class  Midterm Exam  Final Exam
CSI 424   45%   Optional (+5%)  5%        15%           35%
CSI 524   30%   15%             5%        15%           35%

Schedule

The following schedule is tentative and will be regularly updated. It is your responsibility to check the schedule regularly.

Date    Topic/Reading                                               Assignment Due
Module #1: Introduction
Aug 31  Course Overview; Basic Security Concepts; Access Control
Module #2: Software/System Security
Sep 07  SET-UID Programs                                            lab00 (setup)
Sep 14  Environment Variables & Attacks
Sep 21  Buffer Overflow Attack                                      lab01 (setuid)
Sep 28  Return-to-libc Attack                                       lab02 (buffer-overflow)
Oct 05  Race Condition Vulnerability                                lab03 (return-to-libc)
Oct 12  Shellshock Attack                                           lab04 (race)
Module #3: Web Security
Oct 19  Midterm exam; Cross Site Request Forgery Attack             lab05 (shellshock)
Oct 26  Cross Site Scripting Attack                                 lab06 (csrf)
Nov 02  SQL Injection Attack                                        lab07 (xss)
Module #4: Network Security
Nov 09  Packet Sniffing and Spoofing                                lab08 (sqli)
Nov 16  Attacks on TCP Protocol                                     lab09 (sniff)
Nov 23  Thanksgiving Break (No Class)
Nov 30  Firewalls                                                   lab10 (tcp)
Module #5: Misc./Advanced Topics
Dec 07  Information Privacy                                         lab11 (firewall)
Dec 14  Final Exam (5:45pm-7:45pm in same classroom)

Policies

Assignments
Assignments are due at 2pm before the class. Submissions after the due time will receive no points. However, your lowest assignment grade will be dropped from the calculation. This means you can choose not to submit one of your assignments and still receive full marks on your assignment total.
Academic Integrity
It is every student’s responsibility to become familiar with the standards of academic integrity at the University. Claims of ignorance, of unintentional error, or of academic or personal pressures are not sufficient reasons for violations of academic integrity. Any incident of academic dishonesty can result in (i) no credit for the affected assignment, (ii) report to the appropriate University authorities (e.g., Dean of Undergraduate Education or Graduate Studies), and/or (iii) a failing grade (E) for the course.

For all assignments and papers, make sure to do your own work, except where collaboration is explicitly permitted or required. Also, make sure that you properly cite any resource from which you borrow ideas and that you clearly distinguish them from your contributions.

Use of Electronic Devices
Computers or other electronic devices may only be used during class for note-taking or other class-related activities. You are not allowed to perform any unrelated tasks during class.
Students with Disabilities
Reasonable accommodation will be provided for students with documented disabilities. If you believe you have a disability requiring accommodation in this class, please notify the Disability Resource Center (Campus Center 130, 518-442-5490). That office will provide me with verification of your disability, and will recommend appropriate accommodations. In general, it is your responsibility to contact me at least one week before the relevant activity to make arrangements.