Entropy and the underlying characteristics of text. Encryption-basic techniques based on confusion and diffusion and modern day encryption. Access, information flow and inference control. Program threats and intrusion detection. Network and Internet security. Firewalls, trusted systems, network authentication.
prereq: 2511, 2521, (2531 or 3512 or MATH 3355) or instructor consent; a grade of C- or better is required in all prerequisite courses
Please note: This class is dual-listed as both 4332 and 5332. Graduate students taking 5332 are required to perform additional work (also listed in this syllabus).
Peter A. H. Peterson
Office: Heller Hall 329 or 334 (across the hall)
Office Hours (in HH 329):
|Lecture (001)||MWF||12:00-12:50||Humanities 314|
|Lab (002)||Th||6:00-6:50||MWAH 187|
|Lab (003)||Th||7:00-7:50||MWAH 187|
We will use Canvas for the schedule, reading list, grading, submissions, communication, and most other class-related activities.
We will use a Slack channel for class discussion. Please sign up for Slack, and consider installing the app for your smartphone; you'll get more out of the class Slack that way, because you'll get notifications about announcements, etc.
A grade of C- or better is required for prerequisites.
Security in Computing, 5th Edition (a.k.a, SIC)
Charles P. Pfleeger, Shari Lawrence Pfleeger and Jonathan Margulies ISBN 0-13-408504-3
Pearson Education, 2015
24 Deadly Sins of Software Security -- Programming Flaws and How to Fix Them (a.k.a, 24DS)
Michael Howard, David LeBlanc and John Viega
McGraw Hill, 2010
SIC is an excellent overview of Computer Security topics and issues and will be the primary "text" for the course. 24DS is an exploration of 24 different common types of mistakes that often lead to security vulnerabilities. Readings will be assigned from both books throughout the semester.
Crypto-Gram is a monthly email newsletter that summarizes some of the best information on noted security expert Bruce Schneier's blog. This is an excellent source of information for what's happening in the security world, from both technological and political angles. We will discuss topics raised in new issues in class as time permits.
Subscribe at https://lists.schneier.com/cgi-bin/mailman/listinfo/crypto-gram
You will be subscribed to the Information Security News list. This is a list for security news items and commentary that might relate to the class or to current events. This list will persist after the course is over. You should stay subscribed during the semester, but may unsubscribe after the class is over, if you wish.
Other readings (paper handouts or online resources) may be assigned and used during class. We will send an email to the class, and add the resource to the course site when this occurs.
This course addresses UMD campus student learning outcomes (SLOs) , and outcomes in computer science education specified by the UMD Department of Computer Science and aligned with the standards put forth by the ABET accrediting board.
Through taking this course, students will:
This class is dual-listed; the graduate version of this course (5332) addresses UMD's Graduate Program Goal Categories 1 (Knowledge and Scholarly Formation), 3 (Communication Skills), and 5 (Cultural Competence and Global Context Formation of the Field). In particular, it covers the following Student Learning Outcomes (SLO):
Grading is broken down as follows:
Extra Credit (3-6%) -- There will be extra credit opportunities throughout the semester (providing 3-6% extra points) composed of a mix of moderately difficult questions/projects and much more difficult "challenge problems" to encourage you to dig deeper. Extra credit points will be added to your earned percentage of required deliverables. For example, if you have an 89% based on all required tasks and you also earned 3% of extra credit, your final grade percentage would be 92%.
At least once per semester, you will write a summary of an important current or historical computer security issue, that will be sent out as part of our Information Security News mailing list. The summary needs to be in your own words, and link to sources, but it only needs to be 1-2 paragraphs long. You will coordinate with the TA and instructor on this, and your summary must be approved to receive full credit.
You are required to attend your lab section each week, unless officially excused. Sometimes lab will include a live demo or discussion. Often, it will be unstructured so you can watch the video, read documentation, start work, or ask your TA or instructor questions.
While the weight of each category will stay the same for students in 4332 and 5332, students taking 5332 will be assigned additional homework and projects (including some listed below).
Final grades will be assigned as follows:
We will make every effort to post grades in a timely fashion.
This course will include two midterms and a written final, the time and location of which are:
The final will be approximately double the time and twice as long as the midterms.
Computer Security happens in the real world, using real systems, facing real adversaries. While theory and intellectual knowledge (i.e., "book larnin'") are essential, being able to use that knowledge effectively in the real world is just as (if not more) important.
As a result, in addition to reading and written work, this Computer Security class includes a significant amount of hands-on coding, debugging, experimentation, etc., in live, realistic, networked environments. Required projects will involve programming and debugging in C, Perl, PHP, Bash, MySQL and perhaps other languages. You do not need to be a coding wizard to succeed and no specific expertise with these languages is expected. However, basic programming literacy and proficiency in at least one language such as Python, Java or C/C++/C# and the understanding that all computer languages are fundamentally similar is critical. Likewise, a previous networking class and experience working at the Linux/Unix command-line will be helpful but is not strictly necessary.
However, in all three areas -- programming new languages, networking and the Linux/Unix command-line, the critical prerequisite is a willingness to learn, experiment, push yourself and do things.
A number of projects will take place on the DETER testbed, a large public testbed used for cyber-security research and education .
You do not need to purchase any hardware or software for this class. However, you do need to bring a refundable deposit of $35 to Kelsey in the CS Department office (320 HH). In exchange, you'll get a key to a locker in MWAH 187 containing a hard drive you will use throughout the semester. Get your deposit back by returning the hard drive and key at the end of class.
You will also have 24/7 access to MWAH 187 via your RFID key fob, ensuring that you will have a supported and fully customizable environment for homework projects throughout the semester. If you have an RFID key, you should already have access to MWAH 187 by virtue of being enrolled in 4821. If you don't have a key, see Kelsey in HH 320. (There is no charge for the RFID key.)
Linux, in MWAH 187 and on the DETER testbed, are the only supported work environments for this class. That said, you may be able to complete certain projects on other lab machines at UMD or on a personal computer. These methods include running Linux on your laptop, Linux in a VM on your computer on top of a different operating system, using the Linux Subsystem in modern versions of Windows, or using the UNIX underpinning Apple's OS X. However, these other methods are strictly unsupported due to the time cost of debugging issues with non-standard environments.
More importantly, while you may be able to program or create written materials on other computers, performing certain sensitive activities (like network eavesdropping or exploiting vulnerabilities) are strictly forbidden on machines other than in MWAH 187 or your own computer. (See Security Code of Conduct, below.)
If you have any questions about whether it is acceptable to use some machine for a particular purpose, ask the instructor.
Class will include discussion and quizzes in addition to lectures on assigned reading. Students are expected to attend all scheduled class meetings. It is the responsibility of students to plan their schedules to avoid excessive conflict with course requirements. However, there are legitimate and verifiable circumstances that lead to excused student absence from the classroom. These are subpoenas, jury duty, military duty, religious observances, illness, bereavement for immediate family, and NCAA varsity intercollegiate athletics. For complete information, please see: https://www.d.umn.edu/vcaa/ExcusedAbsence.html
If you miss class for whatever reason, it is your responsibility to obtain the information covered in class from a classmate, instructor or TA.
Late work will not be accepted because we may do "post-mortems" on the projects in class and interactively discuss the answers. However, most projects consist of multiple components and partial credit is given! Therefore, turn in your work, even if it is not completely finished.
Early or "make up" exams and quizzes will not be given (see "Late Work," above), excepting in extreme emergencies (and with the instructors consent).
I will not give incompletes except for very extreme circumstances (e.g., a major health crisis accompanied by a doctor's note). The last day to turn in extra credit tasks is the last day of Finals Week.
Academic dishonesty tarnishes UMD's reputation and discredits the accomplishments of students. Academic dishonesty is regarded as a serious offense by all members of the academic community. UMD's Student Academic Integrity Policy can be found at: https://www.d.umn.edu/vcaa/StudentAcademicIntegrity.html
UMD is committed to providing a positive, safe, and inclusive place for all who study and work here. Instructors and students have mutual responsibility to insure that the environment ... supports teaching and learning, is respectful of the rights and freedoms of all members, and promotes a civil and open exchange of ideas. Making hostile, threatening, discriminatory or disparaging remarks toward or about the instructor, other members of the class or groups of people will not be tolerated. To reference the full policy please see: https://www.d.umn.edu/vcaa/TeachingLearning.html
Appropriate classroom conduct promotes an environment of academic achievement and integrity. Disruptive classroom behavior that substantially or repeatedly interrupts either the instructor's ability to teach, or student learning, is prohibited. Disruptive behavior includes inappropriate use of technology in the classroom. Examples include ringing cell phones, text-messaging, watching videos, playing computer games, email, or surfing the Internet on your computer instead of note-taking or other instructor-sanctioned activities.
Students are expected adhere to Board of Regents Policy: https://www.d.umn.edu/vcaa/documents/Student_Conduct_Code.pdf
We cover sensitive security topics in this class (e.g., software exploits, network vulnerabilities, etc.) because it is impossible to write secure code or be well-informed about security issues without understanding vulnerabilities and how you can defend against them.
However, because this knowledge can be used for destructive purposes, you will be required to sign a statement indicating that you will only perform sensitive security-related course tasks in approved ways and acknowledging that you understand that using computer systems in unauthorized ways can have serious academic and legal consequences. If signing this document is a problem for you, please come talk to me.
I will not tolerate plagiarism.
Not sure what constitutes plagiarism? Dr. Ted Pedersen of the UMD CS department has written a nice case study on the subject.
Solo (non-group) project assignments must be your own work. You may discuss general, high-level, or conceptual issues with other students, but should not share actual code or answers with others. Cheating is considered to be sharing code either by copying, retyping, looking at, or supplying a copy of a file, and applies to information from both current and previous versions of this class (i.e., looking at answers from a previous semester is considered cheating). For group projects, these rules apply between groups instead of individuals.
Sometimes, students feel compelled to cheat on homework because they are afraid of admitting that they do not understand the material or do not know how to complete some task or overcome some technical hurdle. Nobody understands everything -- you should never be afraid of asking questions you have made a reasonable effort to answer. If you are struggling with any material in the class, please come talk to the TA or the instructor early enough to get the help you need -- that is the reason we are here.
While getting answers from current or previous students is considerd cheating, in this class it is acceptable to find and use existing code snippets, libraries, tutorials, HOWTO's, Stack Exchange information and other similar resources, provided that the information used is from a legitimate source (i.e., not a cheating website) and you cite the resource used.
Please note that this policy may not apply to other classes at UMD (or elsewhere). It makes sense in this course because, rather than demonstrating your understanding by designing and programming discrete, standalone solutions, most projects involve solving large, system-level problems using a synthesis of many smaller solutions (some original and some found elsewhere). In many cases, we have intentionally left critical information out of course materials explicitly so that you will need to go online to find resources with the answers.
That said, it is up to you to ensure that any source you use is sufficiently attributed; this should -- at the very least -- include a comment(in your source code or writeup) identifying:
In the case of libraries or programs provided by us for the class (e.g., tcpdump or ettercap) or widely available pre-packaged applications (such as tools available in the standard Ubuntu distribution), it is sufficient to refer to the software by name. For example, "I installed the chaosreader package from the Ubuntu repository and used it to extract data from the network trace" or "I got this command line from the tcpdump manpage."
Finally, it is also your responsibility to understand any material you use -- its purpose or functionality may be included in later assignments or tests.
If you have any questions about this policy or how to make proper attribution, please contact your instructor/TA.
Taking notes is a means of recording information but more importantly of personally absorbing and integrating the educational experience. However, broadly disseminating class notes beyond the classroom community or accepting compensation for taking and distributing classroom notes undermines instructor interests in their intellectual work product while not substantially furthering instructor and student interests in effective learning.
Students may not distribute, via the Internet or other means, lecture notes or instructor-provided materials, except to other members of the same class or with the express written consent of the instructor.
This includes the solutions to homework, quizzes, exams and course projects.
For additional information, please see: https://www.d.umn.edu/vcaa/ClassNotesAppropriateUseof.html
If you use Duo Security to sign in to University applications, YOU ARE STRONGLY ENCOURAGED to set up back-up devices in Duo Security so that you are prepared in the event that your primary Duo device is unavailable (you forgot it, it was stolen, it’s broken, the battery is dead, etc.). Learn about back up devices at z.umn.edu/backupdevices.
As a Duo user, it is your responsibility to come prepared to sign in to applications necessary for class activities, including exams and quizzes. If you are unable to sign in, you may lose points for the class activity. Failure to bring your Duo device or a back-up is not an excused absence or a valid reason for make up work.
Learn more about Duo Security at z.umn.edu/duosecurity.
Canvas integrates a tool, NameCoach, that helps people learn how others' names are pronounced. I encourage everyone to use this tool so that we may learn and speak your name correctly.
I also encourage you to let me know your preferred pronouns so that I may refer to you correctly.
As instructor I shall make every attempt to treat all students equally, without regard to race, religion, color, sex, handicap, age, veteran status, gender identity or sexual orientation. Furthermore, I will not tolerate behavior that excludes or marginalizes anyone. I strongly encourage you to talk to me if you have any concerns regarding equal opportunity in the classroom. To inquire further about the University's policy on equal opportunity, contact the Office of Equal Opportunity (6827), 269-273 DAdB.
It is my policy, and the policy and practice of the University of Minnesota Duluth to create inclusive learning environments for all students, including students with disabilities. If there are aspects of this course that result in barriers to your inclusion or your ability to meet course requirements -- such as time limited exams, inaccessible web content, or the use of non-captioned videos -- please notify the instructor as soon as possible. You are also encouraged to contact the Office of Disability Resources to discuss and arrange reasonable accommodations.
Please call 218-726-6130 or visit the DR website at https://www.d.umn.edu/access for more information.
As a student you may experience a range of issues that can cause barriers to learning, such as strained relationships, increased anxiety, alcohol/drug problems, feeling down, difficulty concentrating and/or lack of motivation. These mental health concerns or stressful events may lead to diminished academic performance or reduce a student's ability to participate in daily activities. University of Minnesota services are available to assist you with addressing these and other concerns you may be experiencing. You can learn more about the broad range of confidential mental health services available on campus via the UMD Health Service Counseling website at https://www.d.umn.edu/hlthserv/counseling/
If you think these services might help you, I urge you to take advantage of them as soon as possible.
If you have difficulty writing, please consider visiting the Writers' Workshop at UMD. They can help you with any writing project you might have.
Some policy text used or adapted from the following sources (with permission):