Lectures
(Note this is a rough schedule and things are subject to change.)
-
Security Principles: Introduction, Ethics, and Course Overview
(Instructor: Bryan)
|
[Notes]
This lecture will give a high-level overview of the course, including topics covered, learning goals, and course mechanics. We will also discuss ethical challenges associated with computer security. Reading: -
Security Principles: Threat Models and Trusted Computing Bases
(Instructor: Bryan)
|
[Notes]
This lecture will present techniques to reason systematically about an attacker's capabilities and a system's security dependencies. Reading: -
Security Principles: Recitation: Designing Secure Systems
(Instructor: Bryan)
|
[Notes]
This lecture will focus on principles of secure system design, and the three “AU”’s: authentication, authorization, and audit. Reading: Optional Reading: -
: No Class
University holiday: Labor day. Enjoy the day off! -
Software Security: Execution Semantics and Buffer Overflows
(Instructor: Bryan)
|
[Notes]
This lecture will review the material up through Chapter 3 of CS:APP from 15-213. Consider reviewing the course notes linked below as well. We will cover the parts of the compilation tool chain and operations at the assembly level, including control flow, the memory model, and stack frames. We will also present control-flow-hijacking attacks that gain control of the instruction pointer, with a focus on buffer overflows. Reading: Optional Reading: -
Software Security: Recitation: Thinking Up Exploits - Part 1
(Instructor: Bryan)
-
Software Security: Control-Flow Attacks and Defenses
(Instructor: Bryan)
|
[Notes]
In this lecture we will present additional control-flow-hijacking attacks that gain control of the instruction pointer, e.g., format-string exploits, and integer overflows. We will then introduce control flow hijack defenses found in practice today, including canaries, DEP, and randomization (ASLR). We will also discuss methods for bypassing these defenses. Reading: Optional Reading: -
Software Security: Return Oriented Programming
(Instructor: Bryan)
|
[Notes]
This lecture will review Return Oriented Programming attacks. Reading: Optional Reading: -
Software Security: Recitation: Thinking Up Exploits - Part 2
(Instructor: Bryan)
-
Software Security: Retrofitting Memory Safety
(Instructor: Bryan)
|
[Notes]
This lecture will cover techniques to retrofit memory safety on legacy C code, including Control Flow Integrity (CFI). CFI is a security property that specifies real executions should follow the static CFG. We will explore CFI, focusing on what "the" CFG is. Reading: -
Software Security: Type Systems and Verification
(Instructor: Bryan)
|
[Notes]
We will cover programming language techniques to eliminate entire classes of vulnerabilities and even prove strong properties about software. Reading: -
Software Security: Recitation: Provably Correct Software
(Instructor: Bryan)
-
Software Security: Code Analysis and Isolation Techniques
(Instructor: Bryan)
|
[Notes]
This lecture will cover techniques to analyze code for memory vulnerabilities. To mitigate vulnerabilities we cannot or do not find, we will cover various system mechanisms for achieving isolation: sandboxing, Software Fault Isolation (SFI), program partitioning, and airgaps. Reading: Optional Reading: -
Systems Security: Modern OS Security and Authorization Logic
(Instructor: Bryan)
|
[Notes]
This lecture will focus on modern OS security, covering topics such as access control and capabilities, as well as a logical framework for reasoning about authorization. Reading: -
Review: Software & Systems Security
(Instructor: Bryan)
This slot will be a review period. We will provide approximately a 30 minute review, and then will open up the floor for questions. Please think ahead of time what would be good questions; we are happy to answer anything. If there are no questions, it will be a short meeting. -
Systems Security: Trusted Computing
(Instructor: Bryan)
|
[Notes]
This lecture will cover techniques for bootstrapping trust in systems. Reading: -
Exam: Software & Systems Security
(Instructor: Bryan)
We will have the first exam of the course. It will cover all information covered to date except Trusted Computing. This will be a closed book, closed notes, closed neighbor exam. -
Crypto: Recitation: Crypto Background
(Instructor: Bryan)
We will review the mathematics needed to understand modern cryptographic algorithms and discuss the basics of writing rigorous proofs. Reading: -
Crypto: Introduction to Cryptography
(Instructor: Bryan)
|
[Notes]
|
[Details]
In this lecture we will provide a high-level introduction to cryptography, including an overview of primitives and security models. We will touch on the rich power offered by modern cryptographic tools. Finally, we will discuss (in)secure sources of randomness. Reading: Optional Reading: -
Crypto: (Pseudo)Randomness
(Instructor: Lujo Bauer)
|
[Notes]
|
[Details]
We will cover the principles of pseudorandom functions, permutations, and introduce the notion of adversarial games to prove security properties of cryptographic constructions. Reading: -
Crypto: Recitation: Proof by Reduction
(Instructor: Nick)
We will review game-based definitions of security and practice determining whether a scheme is secure, either by demonstrating an adversary with non-trivial advantage or by proving that no such adversaries exist. -
Crypto: Secrecy and Symmetric Key Ciphers
(Instructor: Bryan)
|
[Notes]
|
[Details]
We will cover definitions of computations secrecy, block ciphers, and block cipher modes. Reading: -
Crypto: Integrity, Hashes, and MACS
(Instructor: Bryan)
|
[Notes]
|
[Details]
This lecture will look at the property of integrity, and the crypto primitives hashes and macs. We will also cover basics of authenticated encryption, which is a commonly used operation. Reading: Optional Reading: -
: No Recitation
Mid-semester break -
Crypto: Public Key Cryptography
(Instructor: Bryan)
|
[Notes]
|
[Details]
In this lecture we will cover the fundamentals of public key cryptography, focusing on RSA and Diffie-Hellman as examples. Reading: Optional Reading: -
Crypto: Blockchains, Cryptocurrencies, and Smart contracts
(Instructor: Bryan)
|
[Notes]
We will cover the basics of blockchains (what they are, what they are and are not good for), cryptocurrencies and, time permitting, smart contracts Reading: Optional Reading: -
: No Recitation
Community Engagement Day -
Network Security: Introduction to Network Security
(Instructor: Bryan)
|
[Notes]
This lecture will give a broad overview of network security, including general principles, denial-of-service attacks, and intrusion detection (and prevention) systems. The latter will cover some basic detection theory, focusing on the base rate fallacy. Reading: Optional Reading: -
Network Security: Protocol Design and Analysis
(Instructor: Bryan)
|
[Notes]
This lecture will cover design principles for secure protocols, common failures and defenses, and tools for analyzing protocol security. TLS will be used as a detailed case study. Reading: Optional Reading: -
Review: Crypto
(Instructor: Bryan)
This will be a review session for all lectures on cryptography plus Trusted Computing. Please think ahead of time what questions you may have. -
Exam: Crypto
(Instructor: Bryan)
We will have the second exam of the course. It will cover all information covered to date, but it will focus on Trusted Computing and Crypto. This will be a closed book, closed note, closed neighbor exam. -
Web Security: Attacks
(Instructor: Bryan)
|
[Notes]
This lecture will cover web security, including vulnerabilities such as injection attacks, XSS, and CSRF. Reading: Optional Reading: -
Web Security: Recitation: Web Hacking
(Instructor: Bryan)
-
Web Security: Defenses
(Instructor: Bryan)
|
[Notes]
This lecture will cover web security with a focus on principles, such as authentication vs. authorization, and best practices for establishing security on the web. Optional Reading: -
Human Factors: Making Security Usable
(Instructor: Bryan)
|
[Notes]
The most secure system in the world can be subverted if users can't employ it correctly (or if they themselves are subverted!). This lecture will cover usable design, with case studies drawn from security warnings, authentication, and phishing. We will also cover attacks and defenses based on social engineering. Reading: Optional Reading: -
Web: Recitation: Homework 3 office hours
(Instructor: TAs)
Come work on homework 3 with a gaggle of TAs stationed nearby to assist. -
Human Factors: Privacy
(Instructor: Bryan)
|
[Notes]
This lecture will cover general concepts and various mathematical definitions of privacy as well as how to achive them. Reading: Optional Reading: -
Human Factors: Law and Public Policy
(Instructor: Bryan)
|
[Notes]
This lecture will cover legal frameworks and policies that govern security and privacy in practice. Reading: -
Research: Recitation: State-of-the-Art Security Research
(Instructor: Bryan)
-
Human Factors: Economics
(Instructor: Bryan)
|
[Notes]
Many attackers are economically rational. Can we leverage this observation when designing our defenses? Many users are economically rational. What impact does that have on how we design our defenses? Reading: Optional Reading: -
: No Class
Thanksgiving! Enjoy the break! -
: No Recitation
Thanksgiving! Enjoy the break! -
Review: Network, Web, and Human Factors
(Instructor: Bryan)
We will have about a 30 minute review of all material in the third part of this class. The rest of the time will be devoted to questions and answers, so make sure you bring good questions. -
Exam: Network, Web, and Human Factors
(Instructor: Bryan)
This will be our third and final exam. Like previous exams it will be closed book, closed note, closed neighbor. The exam will focus on the last third of the course, but any material over the entire semester is game.