Time/Location
Tuesday/Thursday 12:00pm - 1:20pm (Online)
Instructor
Amir Masoumzadeh (amasoumzadeh@albany.edu)
  • Office Hours: Friday 10am–12pm, or by appointment (Online)
Teaching Assistant
Ayse Arslan (aarslan@albany.edu)
  • Office Hours: By appointment (Online)

Course Overview

This course introduces students to the fundamental and technical problems surrounding computer security. The course reviews basic security concepts, design principles, and mechanisms. Throughout the course and based on hands-on exercises, students will develop an in-depth understanding of several vulnerabilities and corresponding countermeasures in system security, web security, and network security areas. Topics include privilege escalation, buffer overflow, race condition, SQL injection, cross-site scripting, packet spoofing, TCP attacks, and firewalls.

Learning Goals for Students

Students who successfully complete this course will be able to

Prerequisites

CSI 333 or ECE 233 (formerly ECE 333).

Additional Notes: You are expected to have a good understanding of operating systems and systems programming. You need to be familiar with the Linux command-line interface and be able to code in C. Also, general knowledge of discrete math and networking can be helpful.

Textbook

Required Textbook: Wenliang Du, “Computer & Internet Security: A Hands-on Approach (2nd Edition),” ISBN-13: 978-1733003933, 2019.

Communication and Submissions

The course syllabus and schedule are available on the course webpage. Most of the tasks in this class will be handled via the course GitHub organization, including the distribution of notes and homework assignments, assignment submission, and feedback. You will be invited to join the organization in the first week of classes. We will also use Blackboard for communication and for your grades.

Lectures
will be delivered online at the scheduled class time via Zoom. Instructions to connect to the class Zoom meeting will be available on Blackboard. Lectures will also be recorded and posted (only accessible to class).
Lecture Slides/Notes
will be posted in the lectures repository in the course GitHub organization.
Assignment Questions/Submission/Feedback
will be handled via the course GitHub organization. If you have general questions about an assignment, you should post them as an issue in the repository corresponding to the assignment. If you have a question about your current solution and want us to take a look, you should create an issue in your individual assignment repository instead. Include a screenshot of your runtime environment as well as references to places in your code that you want us to check. Your assignments will be automatically collected from your GitHub repositories at the time of the deadline. This lets you keep working on and improving your submissions up until the deadline. Just make sure that you continuously keep your GitHub repository synced with your local version.
Announcements/Grades
will be posted on Blackboard.
Exams
will be delivered and submitted via Blackboard.

Assessment and Grading

You will be assessed based on the following categories:

Homework/Lab Assignments
There will be about 11 take-home lab assignments (the lowest grade will be dropped).
Exams
There will be two exams taken during regular class sessions.
Final Project
A final project is required for students taking CSI 524 and optional for students taking CSI 424. The requirements for the final project will be described in the corresponding GitHub repository.
Final Numerical Grade
It will be a weighted combination depending on which section of the class you are taking:
Course | Labs | Project | Exam 1 | Exam 2
CSI 424 | 50% | Optional (+10%) | 25% | 25%
CSI 524 | 30% | 20% | 25% | 25%

The course is A-E graded. Conversion from the final numerical grade to the letter grade is based on cutoffs determined according to the grade distribution in the class. This results in more flexible and favorable grades compared to using a fixed conversion scale.

Schedule

The following schedule is tentative and will be regularly updated. It is your responsibility to check the schedule regularly.

Date | Topic/Reading | Assignment
Module 1: Introduction
Aug25 | Course Overview, Setup | lab00 due Aug31
Aug27 | Basic Security Concepts |
Sep01 | Security Policies |
Sep03 | Security Policies (cont.) |
Sep08 | Cryptography Basics |
  • Textbook: Chapters 21.1-21.3, 23.1-23.3
Module 2: Software Security
Sep10 | SET-UID Programs | lab01 due Sep18
Sep15 | SET-UID Programs (cont.), Environment Variables & Attacks |
Sep17 | Environment Variables & Attacks |
Sep22 | Buffer Overflow Attack | lab02 due Sep30
Sep24 | Buffer Overflow Attack (cont.) | lab03 due Oct02
Sep29 | Return-to-libc Attack |
Oct01 | Race Condition Vulnerability | lab04 due Oct15
Oct06 | Reverse Shell Attack |
Oct08 | Exam 1 (Modules 1 & 2) |
Module 3: Web Security
Oct13 | Web Systems & Policies |
Oct15 | Cross Site Request Forgery Attack | lab05 due Oct23
Oct20 | Cross Site Scripting Attack | lab06 due Oct26
Oct22 | SQL Injection Attack | lab07 due Oct30
Oct27 | SQL Injection Attack (cont.), and review |
Module 4: Network Security
Oct29 | Packet Sniffing and Spoofing | lab08 due Nov09
Nov03 | Packet Sniffing and Spoofing (cont.) |
Nov05 | Attacks on TCP Protocol | lab09 due Nov13
Nov10 | Attacks on TCP Protocol (cont.), Firewalls | lab10 due Nov20
Nov12 | Domain Name System (DNS) and Attacks |
Nov17 | Domain Name System (DNS) and Attacks (cont.); Review | lab11 due Nov23
Module 5: Misc. Topics
Nov19 | Exam 2 (Modules 3 & 4) |
Nov24 | Project Presentations |

Policies

No Late Submission
Assignments will be released about a week before their due date. You are strongly encouraged to study an assignment as soon as it becomes available. There will be ample opportunities to benefit from office hours and communication with me and the TA before the due date. Assignments are due at 11:59pm on the day specified in the homework. Submissions after the due time will receive no points.
Review of Grades
Any issue regarding your grade in a specific assignment must be communicated to us no later than 5 business days after the posting day of the grades. There will be no re-grading after the 5-day period has passed.
Academic Integrity
It is every student’s responsibility to become familiar with the standards of academic integrity at the University. Claims of ignorance, of unintentional error, or of academic or personal pressures are not sufficient reasons for violations of academic integrity. Any incident of academic dishonesty can result in (i) no credit for the affected assignment, (ii) report to the appropriate University authorities (e.g., Dean of Undergraduate Education or Graduate Studies), and/or (iii) a failing grade for the course.

For all assignments and papers, you must submit your own work, except where collaboration is explicitly permitted or required. Also, you must properly cite any resources from which you borrow ideas and clearly distinguish them from your contributions.

Use of Electronic Devices
Computers or other electronic devices may only be used during class for note-taking, in-class exercises, or other class-related activities. You are not allowed to perform any unrelated tasks during class.
Students with Disabilities
Reasonable accommodation will be provided for students with documented disabilities. If you believe you have a disability requiring accommodation in this class, please notify the Disability Resource Center (Campus Center 130, 518-442-5490). That office will provide me with verification of your disability, and will recommend appropriate accommodations. In general, it is your responsibility to contact me at least one week before the relevant activity to make arrangements.