CIS-3310: Introduction to Networks and Security

Fall 2023

UPenn

Instructor: Sebastian Angel

Room: Berger Auditorium (in Skirkanich Hall)

Time: M/W 10:15 AM–11:30 AM

Email: sebastian.angel at cis.upenn.edu

Discussion: Ed

Office hours: Wednesday 1–2 PM (Levine 604)

Course Description

This course introduces the principles and practical considerations of computer and network security. It covers the following:

Prerequisites

Even though NETS students are not required to take CIS 240, it is a prerequisite for this course. We will be enforcing these prerequisites.

Course Staff

Name Office hours (location)
Ashwin Alaparthi M/W 6–8 PM (Levine 6 bump space)
Serena Huang Sunday 9:30–11:30 AM (Levine 6 bump space)
Rohan Moniz Monday 12–2 PM (Levine 3 bump space)
Elizabeth Margolin Thursday 1–3 PM (Levine 6 bump space)
Sahil Parekh M/W 4–6 PM (Levine 6 bump space)
Ellen Yan Tuesday 4–6 PM (Levine 6 bump space)
Jess Woods (Head TA) Sunday 4–6 PM (Levine 5 bump space)

Textbook

There is no required textbook for this course. The following books (available for free) are good extra sources:

Assignments, quizzes, and exams

There will be 3 homework assignments to be completed individually, and 3 projects to be done in pairs. There are two non-cumulative exams.

There will be 1 short quiz each week to be completed online through Canvas. The purpose of these quizzes is to keep you on track throughout the semester and make sure that you understand the material. We will drop the lowest 4 quizzes.

Late days

You will have a budget of five late days (24-hour periods) over the course of the semester that you may use to turn homeworks and projects in late without penalty and without needing to ask for an extension. Late pair projects will be charged to both partners. Once your late days are used up, extensions will only be granted in extraordinary circumstances. Late days can be used for homeworks and projects, but not for exams or quizzes. To use a late day, just turn in your assignment late. There is no need to notify the course staff or justify your decision. If you have an extenuating circumstance, you must contact the course staff before the assignment is due.

Grading

Academic Honesty

We encourage you to discuss the problems and your general approach with other students in the class. However, the answers you turn in must be your own original work, and you must adhere to Penn’s Code of Academic Integrity.

For more information, see the Office of Student Conduct.

Students with disabilities

The University of Pennsylvania provides reasonable accommodations to students with disabilities who have self-identified and received approval from the Office of Student Disabilities Services (SDS). If SDS has approved your request for accommodations, please make an appointment to meet with me as soon as possible in order to discuss the arrangements for your accommodations. SDS services are free and confidential.

Belonging, inclusion, and wellness

The CIS department and all of the faculty and staff are committed to making your studies here at Penn a safe and rewarding experience. This can only happen if we work together to create an inclusive environment that welcomes all students, regardless of their race, ethnicity, gender identity, sexuality, or socioeconomic status. Diversity, inclusion, and belonging are all core values of this course. All participants in this course deserve, and should expect, to be treated with respect by other members of the community. We encourage all students to visit the CIS Diversity site to learn about all available resources.

A sense of belonging can also affect students’ mental health and wellness, which is of utmost importance to the course instruction staff, if not the University as a whole. All members of the instruction staff will be happy to chat or just to listen if you need someone to talk to, even if it’s not specifically about this course.

If you or someone you know is in distress and urgently needs to speak with someone, please do not hesitate to contact CAPS: 215-898-7021; 3624 Market St. If you are uncomfortable reaching out to CAPS, any member of the instruction staff will be happy to contact them on your behalf.

Schedule

Date Topic

8/30

Homework 1 out

Introduction

course overview; threat models; defensive programming

9/4

Labor Day

9/6

Project 1 out

Stack overflow

the stack in detail; return value vs return address; stack overflow

9/11

Homework 1 due

Control hijacking attacks

buffer overflows; integer overflow; format string vulnerability

9/13

Control hijacking defenses

stack canaries; bounds checking; DEP

9/18

ROP and ASLR

return oriented programming; address space layout randomization

9/20

OS Security

privilege separation; file and directory permissions; setuid binaries

9/25

Authentication

password storage; rainbow tables; password alternatives

9/27

Project 1 due

Homework 2 out

Cryptography

intro to cryptography; affine, substitution, and Vigenère ciphers; frequency analysis

10/2

Symmetric encryption I

probability review; one-time-pad; perfect secrecy; statistical test; indistinguishability; semantic security

10/4

Symmetric encryption II

PRG; stream cipher; random oracle; PRF; PRP; block cipher

10/9

Project 2 out

Hash functions

collision resistance; birthday paradox; compression functions; Merkle-Damgard

10/11 Fall break

10/16

Homework 2 due

MACs and authenticated encryption

length extension attacks; MAC; HMAC; authenticated encryption

10/18

Public Key Encryption I

Diffie-Hellman; Public key encryption; RSA trapdoor function; PKCS; oracle attacks; IND-CCA

10/23

Exam 1

Includes content up to MACs and authenticated encryption (10/16)

10/25

Public key Encryption II

Digital signatures; RSA signatures; PKCS padding; MAC vs signatures

10/30

Project 2 due

Project 3 out

TLS

Certificates; PKI; TLS handshake; forward secrecy

11/1

Web overview

threat model; HTTP; HTTPS; HTML; JavaScript

11/6

Web Attacks I

SQL injection; Cookies; same origin policy

11/8

Web attacks II

CSRF, XSS

11/13

Homework 3 out

Networking I

TCP/IP, BGP, BGP Hijacking

11/15

Networking II

DNS; DNS attacks; DNS defenses

11/20 Thanksgiving break
11/22 Thanksgiving break

11/27

Denial of service

DOS; DDOS; SYN flooding; amplification attacks; client puzzles

11/29

Homework 3 due

Censorship

Great Firewall of China; VPNs

12/4

Privacy and anonymity

End-to-end encrypted email; Private browsing; Tor

12/6

Review

12/11

Exam 2

12/13

Project 3 due

No class