CIS 331, Spring 2017
Introduction to Networks & Security


Instructor:
  Nadia Heninger (604 Levine)
  Office Hours Tuesdays 1:00-2:00pm 604 Levine

TAs:
Marcella Hastings Thu. 2:30-3:30pm
Richard Roberts Tue. 8:00-10:00pm
Josh Fried Mon. 4:00-5:00pm
Lauren Leung Mon. 12:30-1:30pm
Graham Mosley Wed. 4:30-5:30pm
Shaanan Cohney Fri. 10:00-11:00am
Office hours are held in the Moore 102 conference room. Moore 102 is to the left of Moore 100. The door will be propped open. The conference room is on the back right.

Lectures:
  Tuesday/Thursday 10:30am-12:00pm Skirkanich auditorium

Piazza

Canvas


Announcements

If you would like to take this class and are unable to enroll, please email Desirae Cesar (desirae@seas) and ask to be added to the waitlist.

Course Overview

This course introduces principles and practices of computer and network security.

Prerequisites: CIS 160, CIS 240. We will be enforcing these prerequisites.

Grading will be based on homework (20%), projects (30%), a midterm (23%), a final (25%), and class participation (2%).


Lecture and Tutorial Schedule

Topic Assignments Resources
1/12 Introduction
Threat modeling, thinking like an attacker
Homework 1 available
Computer Fraud and Abuse Act
This World of Ours by James Mickens
Wikipedia: Aaron Swartz
Wikipedia: Weev
1/17 Symmetric encryption
Guest Lecture: Daniel Genkin
Pseudorandom functions, pseudorandom generators, stream ciphers, block ciphers
Communication Theory of Secrecy Systems by Shannon
Wikipedia: Vigenère cipher
1/19 Message integrity
Guest Lecture: Daniel Genkin
Block cipher modes of operation, message authentication codes
Homework 1 due at 10pm
Homework 2 available
1/24 Symmetric encryption and message integrity
1/26 Hash functions
Hash functions, birthday attacks, length extension attacks
1/31 Public-key cryptography
Diffie-Hellman key exchange, RSA encryption
Homework 2 due at 10pm
Project 1 available
Wikipedia: Modular Arithmetic
Modular arithmetic lecture notes from Berkeley CS 70
Basic number theory lecture notes from Boaz Barak
New Directions in Cryptography by Whitfield Diffie and Martin E. Hellman
2/2 Digital Signatures
RSA signatures, PKCS padding, Bleichenbacher signature forgery attack

2/7 HTTPS and crypto in practice
HTTPS, RSA and DH key exchange, certificates, CAs, public-key infrastructure, trust model; PGP, the crypto wars, key management, web of trust
The First Few Milliseconds of an HTTPS Connection
Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma Whitten and Doug Tygar
Bernstein v. United States
Off-the-Record Communication, or, Why Not To Use PGP by Nikita Borisov, Ian Goldberg, and Eric Brewer
2/9 Snow day
Homework 3 available
2/14 Web overview, attacks and defenses
Web threat model, HTTP, HTML, Javascript, same-origin policy, session management, cookies
Project 1 due at 10pm
Web technology for developers
Browser Security Handbook: Basic concepts behind web browsers
2/16 Web attacks and defenses
SQL injection, CSRF, XSS and defenses
Project 2 available
SQL Injection cheat sheet
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
XSS Filter Evasion Cheat Sheet
2/21 Networking overview
OSI architecture, Ethernet, IP, ICMP, ARP, DHCP
Homework 3 due at 10pm
The Design Philosophy of the DARPA Internet Protocols by Clark
Brief History of the Internet
Wikipedia: OSI Model
Wikipedia: Ethernet
Wikipedia: Internet Protocol
Wikipedia: Address Resolution Protocol
Wikipedia: Dynamic Host Configuration Protocol
Computer Networks: A Systems Approach by Peterson and Davie
2/23 Networking overview
Routing basics, UDP, TCP, congestion control, DNS
Wikipedia: Autonomous System
Wikipedia: OSPF routing
Wikipedia: Border Gateway Protocol
Wikipedia: User Datagram Protocol
Wikipedia: Transmission Control Protocol
Wikipedia: Domain Name System
2/28 Midterm Exam
3/2 Guest Lecture: Mapping the Internet
Guest Lecturer: William Cheswick
3/7 Spring Break
3/9 Spring Break
3/14 Network attacks and defenses
Eavesdropping, jamming, TCP injection, denial of service, SYN flooding, SYN cookies, CAPTCHA, client puzzles
Project 2 due at 10pm
Mark Klein Declaration in Hepting v. ATT/NSA
APCO P25 digital two-way radio system by Blaze, Clark, Goodspeed, Metzger, Wasserman, Xu
Security problems in the TCP/IP protocol suite by Bellovin
3/16 Network attacks and defenses
DNS hijacking, ARP spoofing, BGP routing issues
3/21 Network defenses
DNSSEC, IPsec, S-BGP, firewalls, packet filtering, application proxies, tunneling, VPNs, intrusion detection
3/23 Network defenses
Application proxies, tunneling, IPsec, VPNs
3/28 Control hijacking
Normal control flow, buffer overflow, integer overflows, format string vulnerabilities, DEP, ASLR
Smashing the stack for fun and profit by Aleph One
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole
Low-level Software Security by Example by Ulfar Erlingsson, Yves Younan, and Frank Piessens
Return-Oriented Programming: Systems, Languages, and Applications by Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage
3/30 Control hijacking, defenses, and malware
Stack canaries, heap spraying, malware
4/4 Access control and OS security
ACLs, capabilities, unix file privileges
Operating System Security by Trent Jaeger
4/6 OS security
Confinement, isolation, sandboxing, virtual machines
4/11 Anonymity
Anonymous remailers, Tor, Tor hidden services, data deanonymization
Tor: The Second-Generation Onion Router by Roger Dingledine, Nick Mathewson, and Paul Syverson
Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov
4/13 The underground economy
Spam, phishing, botnets, measurement studies
Measuring the cost of cybercrime by Ross Anderson et al.
Spamalytics: An empirical analysis of spam marketing conversion by Chris Kanich et al.
PharmaLeaks: Understanding the business of online pharmaceutical affiliate programs by Damon McCoy et al.
4/18 Advanced threats
Government-sponsored malware, spearphishing, advanced persistent threats
W32.Stuxnet Dossier Symantec Report
APT1: Exposing one of China's cyber espionage units Mandiant Technical Report
Counter-cryptanalysis by Marc Stevens
4/20 Ethics, law, and policy
Privacy and the Limits of Law by Ruth Gavison
Cyber-security Research Ethics Dialog & Strategy Workshop (CREDS 2013)
Going Bright: Wiretapping without Weakening Communications Infrastructure by Steve Bellovin, Matt Blaze, Sandy Clark, and Susan Landau
4/25 Special requests
Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto
5/1 Final Exam 12pm-2pm

Assignments

There will be five homework assignments to be done individually and four projects to be done in teams of two.

Homework

Projects

Late Work: You will have a budget of five late days (24-hour periods) over the course of the semester that you can use to turn assignments in late without penalty and without needing to ask for an extension. You may use a maximum of two late days per assignment. Late pair projects will be charged to both partners. Once your late days are used up, extensions will only be granted in extraordinary circumstances.


Additional Resources

No textbook is required, but if you would like additional resources the following may be useful:

Course materials have been adapted from J. Alex Halderman and are available under a Creative Commons License.