CIS-551: Computer and Network Security

Fall 2020

UPenn

Instructor: Sebastian Angel

Room: Online (Zoom link in Canvas)

Time: M/W 12:00 PM–1:30 PM

Email: sebastian.angel at cis.upenn.edu

Discussion: Piazza

Course Description

This course covers the principles of computer and network security. It covers:

Prerequisites

Even though NETS students are not required to take CIS 240, it is a prerequisite for this course. In particular, we expect all students to be familiar with the C programming language, some simple assembly, and the use of the command line.

Course Staff

Name | Email (at seas.upenn.edu) | Office hours (Remote, see Canvas)
Weichen Zheng | zweichen | Monday 4–6 PM
Daniel Stekol | dstekol | Tuesday 4–6 PM
Abdullah Zaini | azaini | Wednesday 8:30–10:30 AM
Liangcheng Yu | leoyu | Wednesday 7–9 PM
Andrew Beams | abeams | Friday 10 AM–12 PM
Makarios Chung | chungma | Saturday 8–10 PM

Textbook

There is no required textbook for this course. The following three books (available for free) are good extra sources:

Assignments and exams

There will be 4 homework assignments and 4 projects. Each weekly module will have a quiz that must be completed before the end of the week. There will be two take-home exams: a midterm and a final.

Late Days. You will have a budget of six late days (24-hour periods) over the course of the semester that you may use to turn assignments in late without penalty and without needing to ask for an extension. Once your late days are used up, extensions will only be granted in extraordinary circumstances. Late days can be used for homeworks and projects, but not exams. To use a late day, just turn in your assignment late. There is no need to notify the course staff. If you have an extenuating circumstance, you must contact the course staff before the assignment is due.

Grading

Academic Honesty

We encourage you to discuss the problems and your general approach with other students in the class. However, the answers you turn in must be your own original work, and you must adhere to Penn’s Code of Academic Integrity.

For more information, see the Office of Student Conduct.

Students with disabilities

The University of Pennsylvania provides reasonable accommodations to students with disabilities who have self-identified and received approval from the Office of Student Disabilities Services (SDS). If SDS has approved your request for accommodations, please make an appointment to meet with me as soon as possible in order to discuss the arrangements for your accommodations. SDS services are free and confidential.

Belonging, inclusion, and wellness

The CIS department and all of the faculty and staff are committed to making your studies here at Penn a safe and rewarding experience. This can only happen if we work together to create an inclusive environment that welcomes all students, regardless of their race, ethnicity, gender identity, sexuality, or socioeconomic status. Diversity, inclusion, and belonging are all core values of this course. All participants in this course deserve, and should expect, to be treated with respect by other members of the community. We encourage all students to visit the CIS Diversity site to learn about all available resources.

A sense of belonging can also affect students’ mental health and wellness, which is of utmost importance to the course instruction staff, if not the University as a whole. All members of the instruction staff will be happy to chat or just to listen if you need someone to talk to, even if it’s not specifically about this course.

If you or someone you know is in distress and urgently needs to speak with someone, please do not hesitate to contact CAPS: 215-898-7021; 3624 Market St. If you are uncomfortable reaching out to CAPS, any member of the instruction staff will be happy to contact them on your behalf.

Schedule

Module (date) [deliverables] | Topics

Module 1 (Sep 1) [Homework 1 out]
  Introduction: course overview, course format, grading
  Security mindset: threat models, defensive programming

Module 2 (Sep 7) [Project 1 out]
  Review of processes and address space: processes, address space, ELF, x86 assembly
  Control hijacking: buffer and integer overflow, stack smashing, format string vulnerability

Module 3 (Sep 14) [Homework 1 due]
  Control hijacking defenses: stack canaries, NX bit, ASLR
  Return oriented programming: bypassing NX and ASLR

Module 4 (Sep 21) [Homework 2 out]
  User authentication: passwords, fuzzy extractors, two-factor, hardware tokens
  Privilege separation: privilege separation, capabilities, setuid, chroot

Module 5 (Sep 28) [Project 1 due]
  Cryptography introduction: history, confidentiality, adversaries
  Classic ciphers: substitution cipher, Vigenère cipher, frequency analysis

Module 6 (Oct 5) [Homework 2 due; Project 2 out]
  Information-theoretic security: one-time pad, perfect secrecy
  Indistinguishability: PRGs, unpredictability, statistical tests, negligible functions

Module 7 (Oct 12)
  Symmetric encryption: PRGs, PRPs, stream ciphers, block ciphers

Module 8 (Oct 19)
  Hash functions: collision resistance, pre-image resistance, Merkle–Damgård construction
  MACs and authenticated encryption: length extension attacks, PRFs, ciphertext integrity

Module 9 (Oct 26) [Homework 3 out; Exam 1]
  Public key encryption: Diffie–Hellman key exchange, trapdoor function, public key encryption from trapdoor functions
  RSA encryption: RSA trapdoor permutation, RSA-KEM, RSA-OAEP, RSA digital signatures, RSA-FDH, PKCS#1 v1.5

Module 10 (Nov 2) [Project 2 due; Project 3 out]
  TLS: TLS handshake, TLS 1.3, 0-RTT
  HTTPS: certificates, PKI, forward secrecy

Module 11 (Nov 9) [Homework 3 due]
  Web overview: threat model, HTTP, HTML, JavaScript
  Web security: same origin policy, cookies

Module 12 (Nov 16)
  Web attacks: SQL injection, CSRF, XSS
  WebAssembly: overview and attacks

Module 13 (Nov 23) [Project 3 due; Homework 4 out; Project 4 out]
  Networking attacks: TCP, IP, BGP, DNS, DNS poisoning, BGP hijacking
  Denial of service: DDoS, SYN flooding, client puzzles

Module 14 (Nov 30)
  Privacy and anonymity: private browsing, VPN, Tor
  Censorship: Great Firewall of China, decoy routing, domain fronting

Module 15 (Dec 7) [Homework 4 due]
  Underground economy: spam, phishing, botnets
  Current research topics: what are security researchers focusing on nowadays?

Final exams week (Dec 14) [Project 4 due; Exam 1]
  No content