Welcome to CS 526 (Information Security)!
Instructor: Christina Garman (clg@purdue.edu)
TA: Farzad Zafarani (farzad@purdue.edu)
OVERVIEW
Course catalog: Basic notions of confidentiality, integrity, availability; authentication models; protection models; security kernels; secure programming; audit; intrusion detection and response; operational security issues; physical security issues; personnel security; policy formation and enforcement; access controls; information flow; legal and social issues; identification and authentication in local and distributed systems; classification and trust modeling; and risk assessment.
You should hopefully come out of this course with a broad understanding of information security, focusing on software security, network security, cryptography, mobile platform security, and privacy technologies, as well as how these security issues can impact real world systems.
Time: Tu/Th 10:30am-11:45am
Location: Wang, 2599
Syllabus
Prerequisites:
CS 503 - Operating Systems: I will assume that you have had this course, and you will be responsible for knowing the material even if you have not.
Programming experience: Some of the assignments will require programming knowledge, so you should be comfortable programming.
OFFICE HOURS
Farzad's office hours will be on Wednesdays from 2-3pm in Haas G75.
My office hours will be on Thursdays from 3-4pm in my office (Lawson 3154G).
I will be available by appointment as well.
GRADING
The exact mix of projects, homeworks, etc. is yet to be determined. However, expect there to be approximately four large projects with a few small assignments mixed in and two exams (a midterm and a final), with the approximate weights as follow. Part of your grade will include a participation component, so I do expect you to attend class. If you cannot make class for any reason (such as job interviews, etc.), please let me know as you will not be penalized for this.
Projects: 55%
Assignments: 10%
Exam 1: 15%
Exam 2: 15%
Class participation: 5%
Assignments are due at the beginning of class at 10:30am on the stated due date. Late assignments will be penalized 5 percentage points per day. There is no collaboration allowed on exams. You must do only your own work. There are no textbooks, notes, or computers allowed during exams.
Final grades will be assigned on a curve at the end of the course.
SCHEDULE
This schedule is subject to change.
| Date | Topics | Readings | |
|---|---|---|---|
| 8/21/18 | Introduction, Threat Modeling | Reflections on Trusting Trust The Security Mindset How to Think Like a Security Professional |
|
| 8/23/18 | Software Security | Smashing the Stack for Fun and Profit |
|
| 8/28/18 | Software Security | Basic Integer Overflows Exploiting Format String Vulnerabilities Optional: Memory Safety Attacks and Defenses |
|
| 8/30/18 | Malware | Optional: How to 0wn the Internet in Your Spare Time Optional: A Report on the Internet Worm |
Project 1 Assigned |
| 9/4/18 | OS Security | Optional: Android System and Kernel Security Optional: iOS Security Guide |
|
| 9/6/18 | OS Security, Access Control | Access Control: Principles and Practice | |
| 9/11/18 | Intro to Networking, TCP/IP | Brief History of the Internet Optional: A Look Back at "Security Problems in the TCP/IP Protocol Suite" |
|
| 9/13/18 | Network Security (TCP/IP) | SYN Flood Attack | |
| 9/18/18 | Network Security (DoS, Firewalls) | ||
| 9/20/18 | Network Security Wrap-Up (Firewalls, DNS) | An Illustrated Guide to the Kaminsky DNS Vulnerability | Project 1 Due |
| 9/25/18 | Web Security (SQL Injections) | Web Security: Are You Part of the Problem? SQL Injection |
Project 2 Assigned |
| 9/27/18 | Web Security (CSRF) | Cross-Site Request Forgery Optional: Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet |
|
| 10/2/18 | Web Security (XSS) | Optional: XSS Filter Evasion Cheat Sheet | |
| 10/2/18 | MIDTERM | 8-10pm, HAAS G66 | MIDTERM |
| 10/4/18 | Passwords and Authentication | User Authentication Notes | |
| 10/9/18 | OCTOBER BREAK | ||
| 10/11/18 | Basics of Cryptography | Project 2 Due | |
| 10/16/18 | Basics of Cryptography | Project 3 Assigned | |
| 10/18/18 | Symmetric Cryptography | Symmetric Key Cryptography Notes | |
| 10/23/18 | Symmetric Cryptography | ||
| 10/25/18 | Symmetric Cryptography | ||
| 10/30/18 | Symmetric Cryptography, Public Key Cryptography | ||
| 11/1/18 | Public Key Cryptography | Public Key Cryptography Notes | |
| 11/6/18 | Public Key Cryptography | ||
| 11/8/18 | PKI, SSL/TLS | Optional: Lessons Learned in Implementing and Deploying Crypto Software | |
| 11/13/18 | Blockchains (Guest Lecture from Professor Aniket Kate) | Bitcoin: A Peer-to-Peer Electronic Cash System | Project 3 Due |
| 11/15/18 | NO CLASS | ||
| 11/20/18 | SSL/TLS and Attacks [Protocols] | Project 4 Assigned | |
| 11/22/18 | THANKSGIVING BREAK | ||
| 11/27/18 | SSL/TLS and Attacks [Protocols] | ||
| 11/29/18 | Ethics, Policy, and Law | Vulnerability Disclosure Cheat Sheet Optional: Coders' Rights Project Vulnerability Reporting FAQ |
|
| 12/2/18 | Project 4 Due | ||
| 12/4/18 | Side-Channels, Covert Channels | Optional: Lest We Remember: Cold Boot Attacks on Encryption Keys | |
| 12/6/18 | Security Fails, Course Wrap-Up | ||
| 12/13/18 | FINAL EXAM | 1-3pm, EE 117 | FINAL EXAM |
PROJECTS
All projects will be submitted on Blackboard unless otherwise noted.
Project 1: Due Thursday September 20th, 2018 at 10:30am
Project 2: Due Thursday October 11th, 2018 at 10:30am
Project 3: Due Tuesday November 13th, 2018 at 10:30am
Project 4: Due Sunday December 2nd, 2018 at 11:59pm
ASSIGNMENTS
All assignments will be submitted on Blackboard unless otherwise noted.
Assignment 0: Due Thursday December 6th, 2018 at 11:59pm
Assignment 1: Due Tuesday August 28th, 2018 at 10:30am
ADDITIONAL RESOURCES
There will be readings listed for each day of class pertaining to the material we will cover, and I will expect that you have at least tried to read them (though it is okay if you do not understand everything right away!).
No textbook is required, but if you would like additional resources the following may be useful:Security Engineering by Ross Anderson
Computer Security: Principles and Practice, Prentice Hall, 2007. By William Stallings and Lawrie Brown.
COMPUTER SCIENCE DEPARTMENT ACADEMIC INTEGRITY POLICY
The Department of Computer Science expects and enforces the highest standards of academic integrity and ethics. The Department takes severe action against academic dishonesty, which may include failing grades on an assignment or in a course, up to a recommendation for dismissal from the University.
Academic dishonesty is defined as any action or practice that provides the potential for an unfair advantage to one individual or one group. Academic dishonesty includes misrepresenting facts, fabricating or doctoring data or results, representing another's work or knowledge as one's own, disrupting or destroying the work of others, or abetting anyone who engages in such practices.
Academic dishonesty is not absolute because the expectations for collaboration vary. In some courses, for example, students are assigned to work on team projects. In others, students are given permission to collaborate on homework projects or to have written materials present during an examination. Unless otherwise specified, however, the CS Department requires all work to be the result of individual effort, performed without the help of other individuals or outside sources. If a question arises about the type of external materials that may be used or the amount of collaboration that is permitted for a given task, each individual involved is responsible for verifying the rules with the appropriate authority before engaging in collaborative activities, using external materials, or accepting help from others.
A student accused of academic dishonesty must be afforded due process as defined by Purdue University procedures. The Dean of Students Office may be notified concerning an academic dishonesty incident as provided by Purdue University procedures.
Last modified Tue 13 Nov 2018.