Lectures
(Note this is a rough schedule and things are subject to change.)
-
Security Principles: Introduction, Ethics, and Course Overview
(Instructor: Bauer)
|
[Guide]
This lecture will give a high-level overview of the course, including topics covered, learning goals, and course mechanics. We will also discuss ethical challenges associated with computer security. Optional Reading: -
Security Principles: Threat Models and Trusted Computing Bases
(Instructor: Bauer)
|
[Guide]
This lecture will present techniques to reason systematically about an attacker's capabilities and a system's security dependencies. Reading: Optional Reading: -
Security Principles: Recitation: Designing Secure Systems
(Instructor: Bauer)
|
[Guide]
This lecture will focus on principles of secure system design, and the three “AU”’s: authentication, authorization, and audit. Reading: Optional Reading: -
Software Security: Execution Semantics and Buffer Overflows
(Instructor: Bauer)
|
[Guide]
This lecture will review the material up through Chapter 3 of CS:APP from 15-213. Consider reviewing the course notes linked below as well. We will cover the parts of the compilation tool chain and operations at the assembly level, including control flow, the memory model, and stack frames. We will also present control-flow-hijacking attacks that gain control of the instruction pointer, with a focus on buffer overflows. Optional Reading: -
Software Security: Control-Flow Attacks and Defenses
(Instructor: Bauer)
|
[Guide]
|
[Notes]
In this lecture we will present additional control-flow-hijacking attacks that gain control of the instruction pointer, e.g., format-string exploits, and integer overflows. We will then introduce control flow hijack defenses found in practice today, including canaries, DEP, and randomization (ASLR). We will also discuss methods for bypassing these defenses. Optional Reading: -
Software Security: Recitation: Thinking Up Exploits - Part 1
(Instructor: Bauer)
-
Software Security: Return Oriented Programming
(Instructor: Bauer)
|
[Guide]
This lecture will review Return Oriented Programming attacks. Reading: Optional Reading: -
Software Security: Retrofitting Memory Safety
(Instructor: Bauer)
|
[Guide]
This lecture will cover techniques to retrofit memory safety on legacy C code, including Control Flow Integrity (CFI). CFI is a security property that specifies real executions should follow the static CFG. We will explore CFI, focusing on what "the" CFG is. Reading: Optional Reading: -
Software Security: Recitation: Thinking Up Exploits - Part 2
(Instructor: Bauer)
-
No class. University holiday.
: No Class
-
Software Security: Type Systems and Verification
(Instructor: Bauer)
|
[Guide]
We will cover programming language techniques to eliminate entire classes of vulnerabilities and even prove strong properties about software. Reading: -
Software Security: Recitation: Provably Correct Software
(Instructor: Bauer)
-
Software Security: Code Analysis and Isolation Techniques
(Instructor: Bauer)
|
[Guide]
This lecture will cover techniques to analyze code for memory vulnerabilities. To mitigate vulnerabilities we cannot or do not find, we will cover various system mechanisms for achieving isolation: sandboxing, Software Fault Isolation (SFI), program partitioning, and airgaps. Reading: Optional Reading: -
Exam: Software & Systems Security
(Instructor: Bauer)
We will have the first exam of the course. It will cover all information covered to date except Trusted Computing. This will be a closed book, closed notes, closed neighbor exam. -
: No Recitation
-
Systems Security: Modern OS Security and Authorization Logic
(Instructor: Bauer)
|
[Guide]
This lecture will focus on modern OS security, covering topics such as access control and capabilities, as well as a logical framework for reasoning about authorization. Reading: -
Systems Security: Trusted Computing
(Instructor: Bauer)
|
[Guide]
This lecture will cover techniques for bootstrapping trust in systems. Reading: -
Crypto: Recitation: Crypto Background
(Instructor: Bauer)
We will review the mathematics needed to understand modern cryptographic algorithms and discuss the basics of writing rigorous proofs. Reading: -
Crypto: Introduction to Cryptography
(Instructor: Bauer)
|
[Guide]
|
[Notes]
In this lecture we will provide a high-level introduction to cryptography, including an overview of primitives and security models. We will touch on the rich power offered by modern cryptographic tools. Finally, we will discuss (in)secure sources of randomness. Reading: Optional Reading: -
Crypto: (Pseudo)Randomness, Reductions, Secrecy, and Symmetric Key Ciphers
(Instructor: Bauer)
We will cover the principles of pseudorandom functions, permutations, and introduce the notion of adversarial games to prove security properties of cryptographic constructions; also definitions of computational secrecy, block ciphers, and block cipher modes. Reading: -
No class. University holiday.
: No Recitation
-
Crypto: Public Key Cryptography
(Instructor: Bauer)
|
[Guide]
|
[Notes]
In this lecture we will cover the fundamentals of public key cryptography, focusing on RSA and Diffie-Hellman as examples. Reading: Optional Reading: -
Crypto: Blockchains, Cryptocurrencies, and Smart contracts
(Instructor: Bauer)
|
[Guide]
We will cover the basics of blockchains (what they are, what they are and are not good for), cryptocurrencies and, time permitting, smart contracts Reading: Optional Reading: -
Crypto: Recitation: Cryptocurrencies
(Instructor: Bauer)
We will spend some virtual cash and write some smart contracts -
Network Security: Introduction to Network Security
(Instructor: Bauer)
|
[Guide]
This lecture will give a broad overview of network security, including general principles, denial-of-service attacks, and intrusion detection (and prevention) systems. The latter will cover some basic detection theory, focusing on the base rate fallacy. Reading: Optional Reading: -
Network Security: Protocol Design and Analysis
(Instructor: Bauer)
|
[Guide]
This lecture will cover design principles for secure protocols, common failures and defenses, and tools for analyzing protocol security. TLS will be used as a detailed case study. Reading: Optional Reading: -
Review: Crypto
(Instructor: Bauer)
This will be a review session for all lectures on cryptography plus Trusted Computing. Please think ahead of time what questions you may have. -
Exam: Crypto
(Instructor: Bauer)
We will have the second exam of the course. It will cover all information covered to date, but it will focus on Trusted Computing and Crypto. This will be a closed book, closed note, closed neighbor exam. -
Web Security: Attacks
(Instructor: Bauer)
|
[Guide]
This lecture will cover web security, including vulnerabilities such as injection attacks, XSS, and CSRF. Reading: Optional Reading: -
Web Security: Recitation: Web Hacking
(Instructor: Bauer)
-
Web Security: Defenses
(Instructor: Bauer)
|
[Guide]
This lecture will cover web security with a focus on principles, such as authentication vs. authorization, and best practices for establishing security on the web. Optional Reading: -
No class. University holiday.
: No Class
-
No class. University holiday.
: No Class
-
Human Factors: Making Security Usable
(Instructor: Bauer)
|
[Guide]
The most secure system in the world can be subverted if users can't employ it correctly (or if they themselves are subverted!). This lecture will cover usable design, with case studies drawn from security warnings, authentication, and phishing. We will also cover attacks and defenses based on social engineering. Reading: Optional Reading: -
Human Factors: Privacy
(Instructor: Bauer)
|
[Guide]
This lecture will cover general concepts and various mathematical definitions of privacy as well as how to achive them. Reading: Optional Reading: -
Human Factors: Recitation: Privacy Tools
(Instructor: Bauer)
We will discuss and experiment with practical tools used to provide privacy today -
Human Factors: Law and Public Policy
(Instructor: Bauer)
|
[Guide]
This lecture will cover legal frameworks and policies that govern security and privacy in practice. Reading: -
Human Factors: Economics
(Instructor: Bauer)
|
[Guide]
Many attackers are economically rational. Can we leverage this observation when designing our defenses? Many users are economically rational. What impact does that have on how we design our defenses? Reading: Optional Reading: -
Research: Recitation: State-of-the-Art Security Research
(Instructor: Bauer)
-
Review: Network, Web, and Human Factors
(Instructor: Bauer)
We will have about a 30 minute review of all material in the third part of this class. The rest of the time will be devoted to questions and answers, so make sure you bring good questions. -
Exam: Web and Human Factors
(Instructor: Bauer)
This will be our third and final exam. Like previous exams it will be closed book, closed note, closed neighbor. The exam will focus on the last third of the course, but any material over the entire semester is game.