Course Description

This course introduces principles and practices of computer and network security. It covers the following:

• Basic concepts: threat models, security principles
• Software Attacks: buffer and integer overflow, format strings, stack smashing, side channels
• Software Defenses: stack canaries, ASLR, isolation, fuzz testing
• Applied cryptography: symmetric and asymmetric encryption, digital signatures, hash functions
• Basics of networks and the Web: TCP/IP, routing, DNS, network protocols, cookies
• Network and Web attacks: denial of service, DNS forgery, SQL injection, XSS
• Network security: firewalls, packet filtering, certificates, TLS
• Broader issues: surveillance, privacy, anonymity, legal issues, ethics

Prerequisites

• CIS 160: Mathematical Foundations of Computer Science
• CIS 240: Introduction to Computer Systems

Even though NETS students are not required to take CIS 240, it is a prerequisite for this course. We will be enforcing these prerequisites.

Course Staff

Name	Email (at seas.upenn.edu)	Office hours (location)
Lawrence Dunn	dunnla	Tuesday 12:15–2:15 PM (GRW 5th floor bump space)
Natasha Gedeon	nged	Wednesday 12:30–2:30 PM (GRW 5th floor bump space)
Amit Lohe	alohe	Wednesday 4–6 PM (Levine 6th floor bump space)
Michael Zhou	mizho	Friday 12:30 PM–2:30 PM (Levine 5th floor bump space)

Textbook

There is no required textbook for this course. The following three books (available for free) are good extra sources:

• Security Engineering by Ross Anderson
• Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone
• A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup

Assignments and exams

There will be 4 homework assignments to be completed individually, and 4 projects to be done in pairs. There are two exams: a midterm and a final.

Late Days. You will have a budget of five late days (24-hour periods) over the course of the semester that you may use to turn assignments in late without penalty and without needing to ask for an extension. Late pair projects will be charged to both partners. Once your late days are used up, extensions will only be granted in extraordinary circumstances. Late days can be used for homeworks and projects, but not exams. To use a late day, just turn in your assignment late. There is no need to notify the course staff. If you have an extenuating circumstance, you must contact the course staff before the assignment is due.

Grading

• Homeworks: 20%
• Projects: 35%
• Midterm exam: 20%
• Final exam: 25%

Academic Honesty

We encourage you to discuss the problems and your general approach with other students in the class. However, the answers you turn in must be your own original work, and you must adhere to Penn’s Code of Academic Integrity.

For more information, see the Office of Student Conduct.

Students with disabilities

The University of Pennsylvania provides reasonable accommodations to students with disabilities who have self-identified and received approval from the Office of Student Disabilities Services (SDS). If SDS has approved your request for accommodations, please make an appointment to meet with me as soon as possible in order to discuss the arrangements for your accommodations. SDS services are free and confidential.

Belonging, inclusion, and wellness

The CIS department and all of the faculty and staff are committed to making your studies here at Penn a safe and rewarding experience. This can only happen if we work together to create an inclusive environment that welcomes all students, regardless of their race, ethnicity, gender identity, sexuality, or socioeconomic status. Diversity, inclusion, and belonging are all core values of this course. All participants in this course deserve, and should expect, to be treated with respect by other members of the community. We encourage all students to visit the CIS Diversity site to learn about all avaialble resources.

A sense of belonging can also affect students’ mental health and wellness, which is of utmost importance to the course instruction staff, if not the University as a whole. All members of the instruction staff will be happy to chat or just to listen if you need someone to talk to, even if it’s not specifically about this course.

If you or someone you know is in distress and urgently needs to speak with someone, please do not hesitate to contact CAPS: 215-898-7021; 3624 Market St. If you are uncomfortable reaching out to CAPS, any member of the instruction staff will be happy to contact them on your behalf.

Tentative Schedule

Date	Topic	Reading
8/27	Introduction course overview, threat models, defensive programming	The Security Mindset by B. Schneier How to think like a security professional by T. Kohno This World of Ours by J. Mickens
8/29 Project 1 out	Control hijacking buffer and integer overflow, stack smashing, format string vulnerability	Memory Safety Attacks and Defenses by D. Wagner Smashing the stack for fun and profit by Aleph One errata for "Smashing the stack for fun and profit" by M. Walfish (optional) Low-level Software Security by Example by U. Erlingsson, Y. Younan, and F. Piessens (optional) Basic Integer Overflows by blexim
9/3 Homework 1 out	Control hijacking defenses stack canaries, NX bit, ASLR	Buffer Overflows: Attacks and Defenses by C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole Smashing the stack in 2011 by P. Makowski
9/5	Return-oriented programming bypassing NX and ASLR	Return-to-libc attacks by c0ntex (optional) Return-Oriented Programming: Systems, Languages, and Applications by Roemer et al. (optional) Introduction to return-oriented programming by A. Reece
9/10 Homework 1 due	OS security privilege separation, isolation, setuid, chroot	Principles for Building Secure Systems by D. Wagner Design Patterns for Building Secure Systems by D. Wagner The Confused Deputy by N. Hardy
9/12	Passwords Password attacks, usability, hygiene, alternatives	The Tangled Web of Password Reuse by Das et al.
9/17	Cryptography introduction confidentiality, adversaries, classic ciphers	Historical ciphers by N. Smart Introduction to cryptography by B. Barak (Chapter 1.1–1.3)
9/19 Project 1 due Homework 2 out	Classic ciphers and symmetric encryption I Vigenere cipher, one-time pad, perfect secrecy	Information-theoretic security by N. Smart
9/24	Symmetric encryption II stream ciphers, PRGs, unpredictability	Historical stream ciphers by N. Smart Pseudorandomness by B. Barak
9/26 Project 2 out	Symmetric encryption III statistical tests, indistinguishability, negligible functions, semantic security	Negligible functions by D. Boneh and V. Shoup Computational security by B. Barak
10/1 Homework 2 due	Symmetric encryption IV and Hash functions block ciphers, PRPs, Merkle-Damgard construction	Block ciphers by N. Smart Hash functions by N. Smart. (optional) Hash functions and Bitcoin by B. Barak.
10/3	MACs and authenticated encryption length extension attacks, PRFs, ciphertext integrity	Pseudorandom Functions by M. Bellare and P. Rogaway Message authenticated Codes by N. Smart.
10/8	Public Key Encryption I Diffie-Hellman key exchange, trapdoor functions, public key encryption from trapdoor functions	Asymmetric Encryption by D. Wagner Public Key Tools by D. Boneh and V. Shoup
10/10	Fall break
10/15	Public key Encryption II RSA trapdoor permutation, RSA-KEM, RSA-OAEP, RSA digital signatures, RSA-FDH, PKCS#1 v1.5	Public key encryption by D. Boneh and V. Shoup MACs and Digital Signatures by R. Popa and D. Wagner
10/17 Project 2 due Homework 3 out	HTTPS and PKIs Certificates, PKI, TLS handshake, forward secrecy	TLS 1.2 (RFC 5246) TLS 1.3 (RFC 8446) Everything you Never Wanted to Know about PKI but were Forced to Find Out by P. Gutmann
10/22	Midterm Exam	Includes content up to Public Key Encryption I (10/8)
10/24 Project 3 out	Web overview threat model, HTTP, HTML, JavaScript	Web technology for developers by Mozilla
10/29	Web Attacks I (Guest lecture) Same origin policy, cookies, SQL injection	Secure Session Management With Cookies for Web Applications by Chris Palmer SQL injection prevention cheat sheet by OWASP
10/31	Web attacks II CSRF, XSS	Cross-Site request forgery prevention cheat sheet by OWASP Cross-site scripting prevention cheat sheet by OWASP
11/5 Homework 3 due	Networking I TCP/IP, BGP, DNS	Security problems in the TCP/IP protocol suite by S. Bellovin What is BGP by Cloudflare
11/7	Networking II Ethernet, ARP, DHCP, NAT
11/12 Project 3 due Project 4 out	Denial of service (Guest lecture) DOS, DDOS, SYN flooding, client puzzles	An analysis of China's "Great Cannon" by Marczak et al.
11/14	Network attacks and defenses DNS poisoning, BGP hijacking	DNS security threats and mitigations by Google A Study of Prefix Hijacking and Interception in the Internet by H. Ballani, P. Francis, and X. Zhang
11/19 Homework 4 out	Privacy End-to-end encrypted email, VPN, Private browsing	Deep dive on End-to-End encryption by the EFF An Analysis of Private Browsing Modes in Modern Browsers by Aggarwal et al.
11/21	Censorship The great firewall of China, decoy routing, domain fronting	The Great Firewall Revealed by Global Internet Freedom Consortium. Decoy Routing by Karlin et al. Blocking-resistant communication through domain fronting by Fifield et al.
11/26	Thanksgiving break
11/28	Thanksgiving break
12/3 Homework 4 due	Anonymity Tor	Tor: The Second-Generation Onion Router by R. Dingledine, N. Matthewson, and P. Syverson.
12/5	Underground economy Spam, phishing, botnets
12/7	Project 4 due
12/12	Final Exam: 9 AM–11 AM (Location: STIT B6)