CIS-331: Introduction to Networks and Security

Fall 2019

UPenn

Instructor: Sebastian Angel

Room: BENN 401

Time: Tu/Th 10:30 AM–12:00 PM

Email: sebastian.angel at cis.upenn.edu

Discussion: Piazza

Office hours: Thursday 4 PM–6 PM (Levine 604)

Course Description

This course introduces principles and practices of computer and network security. It covers the following:

Prerequisites

Even though NETS students are not required to take CIS 240, it is a prerequisite for this course. We will be enforcing these prerequisites.

Course Staff

Name | Email (at seas.upenn.edu) | Office hours (location)
Lawrence Dunn | dunnla | Tuesday 12:15–2:15 PM (GRW 5th floor bump space)
Natasha Gedeon | nged | Wednesday 12:30–2:30 PM (GRW 5th floor bump space)
Amit Lohe | alohe | Wednesday 4–6 PM (Levine 6th floor bump space)
Michael Zhou | mizho | Friday 12:30–2:30 PM (Levine 5th floor bump space)

Textbook

There is no required textbook for this course. The following three books (available for free) are good extra sources:

Assignments and exams

There will be 4 homework assignments to be completed individually, and 4 projects to be done in pairs. There are two exams: a midterm and a final.

Late Days. You will have a budget of five late days (24-hour periods) over the course of the semester that you may use to turn assignments in late without penalty and without needing to ask for an extension. Late pair projects will be charged to both partners. Once your late days are used up, extensions will only be granted in extraordinary circumstances. Late days can be used for homeworks and projects, but not exams. To use a late day, just turn in your assignment late. There is no need to notify the course staff. If you have an extenuating circumstance, you must contact the course staff before the assignment is due.

Grading

Academic Honesty

We encourage you to discuss the problems and your general approach with other students in the class. However, the answers you turn in must be your own original work, and you must adhere to Penn’s Code of Academic Integrity.

For more information, see the Office of Student Conduct.

Students with disabilities

The University of Pennsylvania provides reasonable accommodations to students with disabilities who have self-identified and received approval from the Office of Student Disabilities Services (SDS). If SDS has approved your request for accommodations, please make an appointment to meet with me as soon as possible in order to discuss the arrangements for your accommodations. SDS services are free and confidential.

Belonging, inclusion, and wellness

The CIS department and all of the faculty and staff are committed to making your studies here at Penn a safe and rewarding experience. This can only happen if we work together to create an inclusive environment that welcomes all students, regardless of their race, ethnicity, gender identity, sexuality, or socioeconomic status. Diversity, inclusion, and belonging are all core values of this course. All participants in this course deserve, and should expect, to be treated with respect by other members of the community. We encourage all students to visit the CIS Diversity site to learn about all available resources.

A sense of belonging can also affect students’ mental health and wellness, which is of utmost importance to the course instruction staff, if not the University as a whole. All members of the instruction staff will be happy to chat or just to listen if you need someone to talk to, even if it’s not specifically about this course.

If you or someone you know is in distress and urgently needs to speak with someone, please do not hesitate to contact CAPS: 215-898-7021; 3624 Market St. If you are uncomfortable reaching out to CAPS, any member of the instruction staff will be happy to contact them on your behalf.

Tentative Schedule

Each entry lists the date (with any assignment milestones), the lecture topic, the subtopics covered, and the assigned reading.

8/27: Introduction
  Topics: course overview, threat models, defensive programming
  Reading:
    The Security Mindset by B. Schneier
    How to think like a security professional by T. Kohno
    This World of Ours by J. Mickens

8/29 (Project 1 out): Control hijacking
  Topics: buffer and integer overflow, stack smashing, format string vulnerability
  Reading:
    Memory Safety Attacks and Defenses by D. Wagner
    Smashing the stack for fun and profit by Aleph One
    errata for "Smashing the stack for fun and profit" by M. Walfish
    (optional) Low-level Software Security by Example by U. Erlingsson, Y. Younan, and F. Piessens
    (optional) Basic Integer Overflows by blexim

9/3 (Homework 1 out): Control hijacking defenses
  Topics: stack canaries, NX bit, ASLR
  Reading:
    Buffer Overflows: Attacks and Defenses by C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole
    Smashing the stack in 2011 by P. Makowski

9/5: Return-oriented programming
  Topics: bypassing NX and ASLR
  Reading:
    Return-to-libc attacks by c0ntex
    (optional) Return-Oriented Programming: Systems, Languages, and Applications by Roemer et al.
    (optional) Introduction to return-oriented programming by A. Reece

9/10 (Homework 1 due): OS security
  Topics: privilege separation, isolation, setuid, chroot
  Reading:
    Principles for Building Secure Systems by D. Wagner
    Design Patterns for Building Secure Systems by D. Wagner
    The Confused Deputy by N. Hardy

9/12: Passwords
  Topics: password attacks, usability, hygiene, alternatives
  Reading:
    The Tangled Web of Password Reuse by Das et al.

9/17: Cryptography introduction
  Topics: confidentiality, adversaries, classic ciphers
  Reading:
    Historical ciphers by N. Smart
    Introduction to cryptography by B. Barak (Chapter 1.1–1.3)

9/19 (Project 1 due; Homework 2 out): Symmetric encryption I
  Topics: one-time pads, semantic security, negligible functions
  Reading:
    Information-theoretic security by N. Smart
    Computational security by B. Barak
    Negligible functions by Boneh and Shoup

9/24: Symmetric encryption II
  Topics: stream ciphers, PRNGs, block ciphers
  Reading:
    Historical stream ciphers by N. Smart
    Pseudorandomness by B. Barak
    Block ciphers by N. Smart

9/26 (Project 2 out): Hash functions
  Topics: security definition, applications, attacks
  Reading:
    Hash functions by N. Smart
    (optional) Hash functions and Bitcoin by B. Barak

10/1 (Homework 2 due): MACs and authenticated encryption
  Topics: length extension attacks, PRFs, ciphertext integrity
  Reading:
    Pseudorandom Functions by M. Bellare and P. Rogaway
    Message Authentication Codes by N. Smart

10/3: Public-key cryptography
  Topics: Diffie-Hellman key exchange, RSA encryption

10/8: Digital signatures
  Topics: RSA signatures, PKCS padding, forgery attacks

10/10: Fall break

10/15: HTTPS and PKIs
  Topics: certificates, public key infrastructure, SSH, IPSec, VPNs

10/17 (Project 2 due; Homework 3 out): Networking I
  Topics: routing, TCP/IP, DNS
  Reading:
    Principles of Computer System Design Ch. 7 by J. Saltzer and F. Kaashoek

10/22: Midterm Exam (includes content up to digital signatures, 10/8)

10/24 (Project 3 out): Networking II
  Topics: Ethernet, ARP, DHCP, NAT

10/29: Network attacks I
  Topics: eavesdropping, jamming, TCP injection, DoS, SYN flooding
  Reading:
    Security problems in the TCP/IP protocol suite by S. Bellovin

10/31: Network attacks II
  Topics: DDoS, CAPTCHA, client puzzles, DNS hijacking
  Reading:
    An analysis of China's "Great Cannon" by Marczak et al.

11/5 (Homework 3 due): Network defenses
  Topics: firewalls, filtering, VPN, IDS

11/7: Web overview
  Topics: threat model, HTTP, HTML, JavaScript
  Reading:
    Web technology for developers by Mozilla

11/12 (Project 3 due; Project 4 out): Web attacks I
  Topics: same origin policy, cookies, SQL injection
  Reading:
    SQL injection prevention cheat sheet by OWASP

11/14: Web attacks II
  Topics: CSRF, XSS
  Reading:
    Cross-site request forgery prevention cheat sheet by OWASP
    Cross-site scripting prevention cheat sheet by OWASP

11/19 (Homework 4 out): Privacy and anonymity
  Topics: PGP, key management, Tor

11/21: Underground economy
  Topics: spam, phishing, botnets

11/26: Thanksgiving break

11/28: Thanksgiving break

12/3 (Homework 4 due): Advanced threats
  Topics: government-sponsored malware, spearphishing

12/5 (Project 4 due): Ethics, law, policy

12/12: Final Exam, 9 AM–11 AM (location TBD)

Acknowledgements

Many of this course's materials have been adapted from J. Alex Halderman, and all materials are available under a Creative Commons License.