Broad, active, hands-on and implementation-based approach to computer security. Fundamental cryptographic theory, advanced techniques and application. Complexity, cryptanalysis, and impact of technological change. Core security theory; confidentiality, integrity, availability. Security models. Risk assessment and decision-making. Issues for general-purpose, trusted and "cloud" operating system security including hardware requirements, authentication, access control, information flow and assurance. Program and network security fundamentals and best practices including coding principles, firewalls and network design. Exploits, defenses and remediation for multiple issues pertaining to software, hardware, databases and networks. Political, social and engineering issues relating to security and privacy.
This course addresses UMD's Graduate Program Goal Categories 1 (Knowledge and Scholarly Formation), 3 (Communication Skills), 4 (Leadership and Collaborative Skills) and 5 (Cultural Competence and Global Context Formation of the Field). In particular, it covers the following Student Learning Outcomes (SLO):
Peter A. H. Peterson
Office: Heller Hall 329 or 334
We will use Moodle for grading, submissions and other class-related activities.
We will use Google Groups for discussion and announcements.
This class is going to be a hands-on, dynamic exploration of advanced topics in Computer Security. My goal is that class time will be split approximately 50/50 with "lecture" (which will hopefully include a lot of discussion) and guided hands-on experimentation/research on open-ended topics where the answers are not clear. You will be expected to write a considerable amount (at least a page or two per week), and you will be graded (in part) on your writing. Projects will include software implementation, which must be managed using the UMN GitHub. Projects may include a presentation component and may involve a partner or partners. The course will also include an overview of basic Computer Security principles, issues and concepts (the type of material covered in CS 4821) sufficient to provide students with a foundation for more advanced application. However, unlike 4821, I will summarize but not be lecturing extensively on information security background material. Ultimately, I hope that the class is interesting and useful for you, helps develop your technical chops, and that it will serve as a good foundation for beginning graduate school.
Graduate student or CS4821 and instructor consent.
Computer Security happens in the real world, using real systems, facing real adversaries. While theory and intellectual knowledge (i.e., "book larnin'") are essential, being able to use that knowledge effectively in the real world is just as (if not more) important.
As a result, this Computer Security class includes a significant amount of hands-on coding, debugging, experimentation, etc., in live and realistic environments. Required projects will involve programming and debugging in C, Perl, PHP, Bash, MySQL and other languages. You do not need to be a coding wizard to succeed and no specific experience with these languages is necessary. However, basic programming literacy and proficiency in at least one language such as Python, Java or C/C++/C#, and the understanding that all computer languages are fundamentally similar, are critical. Similarly, previous coursework in networking or operating systems, and/or experience working at the Linux/Unix command-line will be helpful but is not strictly necessary.
However, in all three areas -- programming new languages, networking and the Linux/Unix command-line -- the critical prerequisite is a willingness to learn, experiment, push yourself and do things.
SIC is an excellent overview of Computer Security topics and issues and will be the primary "text" for the course. Please note: Make sure you get the 5th edition. 24DS is an exploration of 24 different common types of mistakes that often lead to security vulnerabilities. Readings will be assigned from both books throughout the semester.
Throughout the course, students will be assigned research papers or articles related to the course material. These papers will be available online.
Crypto-Gram is a monthly email newsletter that summarizes some of the best information on noted security expert Bruce Schneier's blog. This is an excellent source of information for what's happening in the security world, from both technological and political angles. We will discuss topics raised in new issues in class as time permits.
Subscribe at https://lists.schneier.com/cgi-bin/mailman/listinfo/crypto-gram
Other readings (paper handouts or online resources) may be assigned and used during class. We will send an email to the class when this occurs.
A number of projects will take place on the DETER testbed, a large public testbed used for cyber-security research and education.
You do not need to purchase any hardware or software for this class. However, you do need to bring a refundable deposit of $35 to Clare Ford in the CS Department office (320 HH). In exchange, you'll get a key to a locker in MWAH 187 containing a hard drive you will use throughout the semester. We will install Linux on it during our first lab session. Get your deposit back by returning the hard drive and key at the end of class.
You will also have 24/7 access to MWAH 187 via your RFID key fob, ensuring that you will have a supported and fully customizable environment for homework projects throughout the semester. If you have an RFID key, you should already have access to MWAH 187. If you don't have a key, see Clare in HH 320. (There is no charge for the RFID key.)
Linux, in MWAH 187 and on the DETER testbed, are the only supported work environments for this class. That said, you may be able to complete certain projects on other lab machines at UMD or on a personal computer. (It should be easy if you are running Linux.) However, these other methods are strictly unsupported due to the potential complexity of debugging issues with non-standard environments.
More importantly, while you may be able to program or create written materials on other computers, performing certain sensitive activities (like network eavesdropping or exploiting vulnerabilities) is strictly forbidden on machines other than in MWAH 187 or your own computer. (See Security Code of Conduct, below.)
If you have any questions about whether it is acceptable to use some machine for a particular purpose, ask the instructor.
Moodle will be used to manage multiple aspects of the course, including homework submission, grading, announcements, discussions, etc.
Grading is broken down as follows:
Extra Credit (>=5%) -- There will be extra credit opportunities throughout the semester (providing at least 5% extra points) composed of a mix of moderately difficult questions/projects and much more difficult "challenge problems" to encourage you to dig deeper. Extra credit points will be added to your earned percentage of required deliverables. For example, if you have an 89% based on all required tasks and you also earned 3% of extra credit, your final grade percentage would be 92%.
Final grades will be assigned as follows:
We will make every effort to post grades to Moodle in a timely fashion.
This course will include two written midterms and a final, the time and location of which will be:
The midterms and final will be composed of "choice questions", simple and open-ended short answer questions, questions about papers or other materials, etc. and will be of the general character of the homework questions. The final will be cumulative but will skew towards the material presented in the latter half of class.
Class will include discussion and quizzes in addition to lectures on assigned reading. Students are expected to attend all scheduled class meetings. It is the responsibility of students to plan their schedules to avoid excessive conflict with course requirements. However, there are legitimate and verifiable circumstances that lead to excused student absence from the classroom. These are subpoenas, jury duty, military duty, religious observances, illness, bereavement for immediate family, and NCAA varsity intercollegiate athletics. For complete information, please see: https://www.d.umn.edu/vcaa/ExcusedAbsence.html
If you miss class for whatever reason, it is your responsibility to obtain the information covered in class from a classmate, instructor or TA.
Late work will not be accepted (excepting certain extra credit problems) because we may do "post-mortems" on projects in class and interactively discuss the answers. However, most projects consist of multiple components and partial credit is given! Therefore, turn in your work, even if it is not completely finished.
Early or make-up exams and quizzes will not be given (see "Late Work," above), except for extreme emergencies (and with the instructor's consent).
I will not give incompletes except for very extreme circumstances (e.g., a major health crisis accompanied by a doctor's note). The last day to turn in extra credit tasks is the last day of Finals Week.
Academic dishonesty tarnishes UMD's reputation and discredits the accomplishments of students. Academic dishonesty is regarded as a serious offense by all members of the academic community. UMD's Student Academic Integrity Policy can be found at: https://www.d.umn.edu/vcaa/StudentAcademicIntegrity.html
UMD is committed to providing a positive, safe, and inclusive place for all who study and work here. Instructors and students have mutual responsibility to insure that the environment ... supports teaching and learning, is respectful of the rights and freedoms of all members, and promotes a civil and open exchange of ideas. Making hostile, threatening, discriminatory or disparaging remarks toward or about the instructor, other members of the class or groups of people will not be tolerated. To reference the full policy please see: https://www.d.umn.edu/vcaa/TeachingLearning.html
Appropriate classroom conduct promotes an environment of academic achievement and integrity. Disruptive classroom behavior that substantially or repeatedly interrupts either the instructor's ability to teach, or student learning, is prohibited. Disruptive behavior includes inappropriate use of technology in the classroom. Examples include ringing cell phones, text-messaging, watching videos, playing computer games, email, or surfing the Internet on your computer instead of note-taking or other instructor-sanctioned activities.
Students are expected to adhere to Board of Regents Policy: https://www.d.umn.edu/vcaa/documents/Student_Conduct_Code.pdf
We cover sensitive security topics in this class (e.g., software exploits, network vulnerabilities, etc.) because it is impossible to write secure code or be well-informed about security issues without understanding vulnerabilities and how you can defend against them.
However, because this knowledge can be used for destructive purposes, you will be required to sign a statement indicating that you will only perform sensitive security-related course tasks in approved ways and acknowledging that you understand that using computer systems in unauthorized ways can have serious academic and legal consequences.
Solo (non-group) project assignments must be your own work. You may discuss general, high-level, or conceptual issues with other students, but should not share actual code or answers with others. Cheating is considered to be sharing code either by copying, retyping, looking at, or supplying a copy of a file, and applies to information from both current and previous versions of this class (i.e., looking at answers from a previous semester is considered cheating). For group projects, these rules apply between groups instead of individuals.
Sometimes, students feel compelled to cheat on homework because they are afraid of admitting that they do not understand the material or do not know how to complete some task or overcome some technical hurdle. Nobody understands everything -- you should never be afraid of asking questions you have made a reasonable effort to answer. If you are struggling with any material in the class, please come talk to the TA or the instructor early enough to get the help you need -- that is the reason we are here.
While getting answers from current or previous students is considered cheating, in this class it is acceptable to find and use existing code snippets, libraries, tutorials, HOWTOs, Stack Exchange information and other similar resources, provided that the information used is from a legitimate source (i.e., not a cheating website) and you cite the resource used.
Please note that this policy may not apply to other classes at UMD (or elsewhere). It makes sense in this course because, rather than demonstrating your understanding by designing and programming discrete, standalone solutions, most projects involve solving large, system-level problems using a synthesis of many smaller solutions (some original and some found elsewhere). In many cases, we have intentionally left critical information out of course materials explicitly so that you will need to go online to find resources with the answers.
That said, it is up to you to ensure that any source you use is sufficiently attributed; this should -- at the very least -- include a comment (in your source code or writeup) identifying:
In the case of libraries or programs provided by us for the class (e.g., tcpdump or ettercap) or widely available pre-packaged applications (such as tools available in the standard Ubuntu distribution), it is sufficient to refer to the software by name. For example, "I installed the chaosreader package from the Ubuntu repository and used it to extract data from the network trace" or "I got this command line from the tcpdump manpage."
Finally, it is also your responsibility to understand any material you use -- its purpose or functionality may be included in later assignments or tests.
If you have any questions about this policy or how to make proper attribution, please contact your instructor/TA.
Taking notes is a means of recording information but more importantly of personally absorbing and integrating the educational experience. However, broadly disseminating class notes beyond the classroom community or accepting compensation for taking and distributing classroom notes undermines instructor interests in their intellectual work product while not substantially furthering instructor and student interests in effective learning.
Students may not distribute, via the Internet or other means, lecture notes or instructor-provided materials, except to other members of the same class or with the express written consent of the instructor.
This includes the solutions to homework, quizzes, exams and course projects.
For additional information, please see: https://www.d.umn.edu/vcaa/ClassNotesAppropriateUseof.html
If you use Duo Security to sign in to University applications, YOU ARE STRONGLY ENCOURAGED to set up back-up devices in Duo Security so that you are prepared in the event that your primary Duo device is unavailable (you forgot it, it was stolen, it’s broken, the battery is dead, etc.). Learn about back up devices at z.umn.edu/backupdevices.
As a Duo user, it is your responsibility to come prepared to sign in to applications necessary for class activities, including exams and quizzes. If you are unable to sign in, you may lose points for the class activity. Failure to bring your Duo device or a back-up is not an excused absence or a valid reason for make-up work.
Learn more about Duo Security at z.umn.edu/duosecurity.
As instructor I shall make every attempt to treat all students equally, without regard to race, religion, color, sex, handicap, age, veteran status, gender identity or sexual orientation. Furthermore, I will not tolerate behavior that excludes or marginalizes anyone. I strongly encourage you to talk to me if you have any concerns regarding equal opportunity in the classroom. To inquire further about the University's policy on equal opportunity, contact the Office of Equal Opportunity (6827), 269-273 DAdB.
It is my policy, and the policy and practice of the University of Minnesota Duluth to create inclusive learning environments for all students, including students with disabilities. If there are aspects of this course that result in barriers to your inclusion or your ability to meet course requirements -- such as time limited exams, inaccessible web content, or the use of non-captioned videos -- please notify the instructor as soon as possible. You are also encouraged to contact the Office of Disability Resources to discuss and arrange reasonable accommodations.
Please call 218-726-6130 or visit the DR website at https://www.d.umn.edu/access for more information.
As a student you may experience a range of issues that can cause barriers to learning, such as strained relationships, increased anxiety, alcohol/drug problems, feeling down, difficulty concentrating and/or lack of motivation. These mental health concerns or stressful events may lead to diminished academic performance or reduce a student's ability to participate in daily activities. University of Minnesota services are available to assist you with addressing these and other concerns you may be experiencing. You can learn more about the broad range of confidential mental health services available on campus via the UMD Health Service Counseling website at https://www.d.umn.edu/hlthserv/counseling/
If you think these services might help you, I urge you to take advantage of them as soon as possible.
Some policy text used or adapted from the following sources (with permission):