Course Description

This course introduces the principles and practical considerations of computer and network security. It covers the following:

• Basic concepts: threat models, security principles
• Software Attacks: buffer and integer overflow, format string vulnerabilities, stack smashing
• Software Defenses: stack canaries, DEP, ASLR, isolation, fuzz testing
• Applied cryptography: symmetric and asymmetric encryption, digital signatures, hash functions
• Basics of networks and the Web: TCP/IP, routing, DNS, HTTP, cookies
• Network and Web attacks: BGP Hijacking, DNS forgery, SQL injection, CSRF, XSS
• Network security: firewalls, packet filtering, certificates, TLS
• Broader issues: surveillance, censorship, anonymity, legal issues, ethics

Prerequisites

• CIS 1600: Mathematical Foundations of Computer Science
• CIS 2400: Introduction to Computer Systems

Even though NETS students are not required to take CIS 240, it is a prerequisite for this course. We will be enforcing these prerequisites.

Course Staff

Name	Office hours (location)
Ashwin Alaparthi	M/W 6–8 PM (Levine 6 bump space)
Serena Huang	Sunday 9:30–11:30 AM (Levine 6 bump space)
Rohan Moniz	Friday 12–2 PM (Levine 3 bump space)
Elizabeth Margolin	Thursday 1–3 PM (Levine 6 bump space)
Sahil Parekh	M/W 4–6 PM (Levine 6 bump space)
Ellen Yan	Tuesday 4–6PM (Levine 6 bump space)
Jess Woods (Head TA)	Sunday 4–6 PM (Levine 5 bump space)

Textbook

There is no required textbook for this course. The following books (available for free) are good extra sources:

• Operating Systems: Three Easy Pieces by Remzi and Andrea Arpaci-Dusseau
• Security Engineering by Ross Anderson
• A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup
• Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone

Assignments, quizzes, and exams

There will be 3 homework assignments to be completed individually, and 3 projects to be done in pairs. There are two non-cumulative exams.

There will be 1 short quizz each week to be completed online through Canvas. The purpose of these quizzes is to keep you on track throughout the semester and make sure that you are understanding the material. We will drop the lowest 4 quizzes.

Late days

You will have a budget of five late days (24-hour periods) over the course of the semester that you may use to turn homeworks and projects in late without penalty and without needing to ask for an extension. Late pair projects will be charged to both partners. Once your late days are used up, extensions will only be granted in extraordinary circumstances. Late days can be used for homeworks and projects, but not exams nor quizzes. To use a late day, just turn in your assignment late. There is no need to notify the course staff or justify your decision. If you have an extenuating circumstance, you must contact the course staff before the assignment is due.

Grading

• Projects: 40%
• Homeworks: 20%
• Exam 1: 15%
• Exam 2: 15%
• Quizzes: 10%

Academic Honesty

We encourage you to discuss the problems and your general approach with other students in the class. However, the answers you turn in must be your own original work, and you must adhere to Penn’s Code of Academic Integrity.

For more information, see the Office of Student Conduct.

Students with disabilities

The University of Pennsylvania provides reasonable accommodations to students with disabilities who have self-identified and received approval from the Office of Student Disabilities Services (SDS). If SDS has approved your request for accommodations, please make an appointment to meet with me as soon as possible in order to discuss the arrangements for your accommodations. SDS services are free and confidential.

Schedule

Date	Topic
8/30 Homework 1 out	Introduction course overview; threat models; defensive programming
9/4	Labor day
9/6 Project 1 out	Stack overflow the stack in detail; return value vs return address; stack overflow
9/11 Homework 1 due	Control hijacking attacks buffer overflows; integer overflow; format string vulnerability
9/13	Control hijacking defenses stack canaries; bounds checking; DEP
9/18	ROP and ASLR return oriented programming; address space layout randomization
9/20	OS Security priviledge separation; file and directory permissions; Setuid binaries
9/25	Authentication password storage; rainbow tables; password alternatives
9/27 Project 1 due Homework 2 out	Cryptography intro to cryptography; affine, substitution, and vigenere ciphers; frequency analysis
10/2	Symmetric encryption I probability review; one-time-pad; perfect secrecy; statistical test; indistinguishability; semantic security
10/4	Symmetric encryption II PRG; stream cipher; random oracle; PRF; PRP; block cipher
10/9 Project 2 out	Hash functions collision resistance; birthday paradox; compression functions; Merkle-Damgard
10/11	Fall break
10/16 Homework 2 due	MACs and authenticated encryption length extension attacks; MAC; HMAC; authenticated encryption
10/18	Public Key Encryption I Diffie-Hellman; Public key encryption; RSA trapdoor function; PKCS; oracle attacks; IND-CCA
10/23	Exam 1 Includes content up to MACs and authenticated encryption (10/16)
10/25	Public key Encryption II Digital signatures; RSA signatures; PKCS padding; MAC vs signatures
10/30 Project 2 due Project 3 out	TLS Certificates; PKI; TLS handshake; forward secrecy
11/1	Web overview threat model; HTTP; HTTPS; HTML; JavaScript
11/6	Web Attacks I SQL injection; Cookies; same origin policy
11/8	Web attacks II CSRF, XSS
11/13 Homework 3 out	Networking I TCP/IP, BGP, BGP Hijacking
11/15	Networking II DNS; DNS attacks; DNS defenses
11/20	Thanksgiving break
11/22	Thanksgiving break
11/27	Denial of service DOS; DDOS; SYN flooding; amplification attacks; client puzzles
11/29 Homework 3 due	Censorship Great firewall of china; VPNs
12/4	Privacy and anonymity End-to-end encrypted email; Private browsing; Tor
12/6	Review
12/11	Exam 2
12/13 Project 3 due	No class