Course Description

This course covers the principles of computer and network security. It covers:

• Basic concepts: threat models, security principles
• Software Attacks: buffer and integer overflow, format strings, stack smashing, side channels
• Software Defenses: stack canaries, ASLR, isolation, fuzz testing
• Applied cryptography: symmetric and asymmetric encryption, digital signatures, hash functions
• Basics of networks and the Web: TCP/IP, routing, DNS, network protocols, cookies
• Network and Web attacks: denial of service, DNS forgery, SQL injection, XSS
• Network security: firewalls, packet filtering, certificates, TLS
• Broader issues: surveillance, privacy, anonymity, legal issues, ethics

Prerequisites

• CIS 160: Mathematical Foundations of Computer Science
• CIS 240: Introduction to Computer Systems
• CIS 380: Operating systems (recommended)

Even though NETS students are not required to take CIS 240, it is a prerequisite for this course. In particular, we expect all students to be familiar with the C programming language, some simple assembly, and the use of the command line.

Course Staff

Name	Email (at seas.upenn.edu)	Office hours (Remote, see Canvas)
Weichen Zheng	zweichen	Monday 4–6 PM
Daniel Stekol	dstekol	Tuesday 4–6 PM
Abdullah Zaini	azaini	Wednesday 8:30–10:30 AM
Liangcheng Yu	leoyu	Wednesday 7–9 PM
Andrew Beams	abeams	Friday 10 AM–12 PM
Makarios Chung	chungma	Saturday 8–10 PM

Textbook

There is no required textbook for this course. The following three books (available for free) are good extra sources:

• Building Secure & Reliable Systems by Adkins, Beyer, Blankinship, Lewandowski, Oprea, and Stubblefield
• Security Engineering by Ross Anderson
• Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone
• A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup

Assignments and exams

There will be 4 homework assignments and 4 projects. Each weekly module will have a quiz that must be completed before the end of the week. There will be two take-home exams: a midterm and a final.

Late Days. You will have a budget of six late days (24-hour periods) over the course of the semester that you may use to turn assignments in late without penalty and without needing to ask for an extension. Once your late days are used up, extensions will only be granted in extraordinary circumstances. Late days can be used for homeworks and projects, but not exams. To use a late day, just turn in your assignment late. There is no need to notify the course staff. If you have an extenuating circumstance, you must contact the course staff before the assignment is due.

Grading

• Homeworks: 20%
• Module quizzes: 10%
• Projects: 40%
• Midterm exam: 15%
• Final exam: 15%

Academic Honesty

We encourage you to discuss the problems and your general approach with other students in the class. However, the answers you turn in must be your own original work, and you must adhere to Penn’s Code of Academic Integrity.

For more information, see the Office of Student Conduct.

Students with disabilities

The University of Pennsylvania provides reasonable accommodations to students with disabilities who have self-identified and received approval from the Office of Student Disabilities Services (SDS). If SDS has approved your request for accommodations, please make an appointment to meet with me as soon as possible in order to discuss the arrangements for your accommodations. SDS services are free and confidential.

Schedule

Module	Topic
Module 1 (Sep 1) Homework 1 out	Introduction course overview, course format, grading Security mindset threat models, defensive programming
Module 2 (Sep 7) Project 1 out	Review of processes and address space processes, address space, ELF, x86 assembly Control Hijacking buffer and integer overflow, stack smashing, format string vulnerability
Module 3 (Sep 14) Homework 1 due	Control hijacking defenses stack canaries, NX bit, ASLR Return oriented programming bypassing NX and ASLR
Module 4 (Sep 21) Homework 2 out	User authentication Passwords, fuzzy extractors, two-factor, hardware tokens Privilege separation privilege separation, capabilities, setuid, chroot
Module 5 (Sep 28) Project 1 due	Cryptography introduction history, confidentiality, adversaries Classic ciphers substitution cipher, Vigenere cipher, frequency analysis
Module 6 (Oct 5) Homework 2 due Project 2 out	Information-theoretic security one-time pad, perfect secrecy Indistinguihsability PRGs, unpredictability, statistical tests, negligible functions
Module 7 (Oct 12)	Symmetric encryption PRGs, PRPs, stream ciphers, block ciphers
Module 8 (Oct 19)	Hash functions collision resistance, pre-image resistance, Merkle-Damgard construction MACs and authenticated encryption length extension attacks, PRFs, ciphertext integrity
Module 9 (Oct 26) Homework 3 out Exam 1	Public key encryption Diffie-Hellman key exchange, trapdoor function, public key encryption from trapdoor functions RSA encryption RSA trapdoor permutation, RSA-KEM, RSA-OAEP, RSA digital signatures, RSA-FDH, PKCS#1 v1.5
Module 10 (Nov 2) Project 2 due Project 3 out	TLS TLS handshake, TLS 1.3, 0-RTT HTTPS Certificates, PKI, forward secrecy
Module 11 (Nov 9) Homework 3 due	Web overview threat model, HTTP, HTML, JavaScript Web security same origin policy, cookies
Module 12 (Nov 16)	Web attacks SQL injection, CSRF, XSS Web assembly overview and attacks
Module 13 (Nov 23) Project 3 due Homework 4 out Project 4 out	Networking attacks TCP, IP, BGP, DNS, DNS poisoning, BGP hijacking Denial of service DDOS, SYN flooding, client puzzles
Module 14 (Nov 30)	Privacy and anonymity private browsing, VPN, Tor Censorship Great firewall of China, decoy routing, domain fronting
Module 15 (Dec 7) Homework 4 due	Underground economy spam, phishing, botnets Current research topics what are security researchers focusing on nowadays?
Final exams week (Dec 14) Project 4 due Exam 1	No content