Syllabus

CS 5431: Practicum in System Security
Spring 2011
2 credits, graded

Course description

CS 5431, the practicum in system security, is designed to offer students practical experience with the design and construction of secure computing systems. The course focuses on two main themes: (i) practical defenses for real-world attacks, and (ii) security as part of the software engineering process. Students will engage in a significant group programming project, including the use of software analysis tools.

Topics may include a selection from the following: malware, honeypots, bot nets, buffer overflows, heap attacks, return-oriented programming, format string vulnerabilities, stack canaries, address-space randomization, patch exploits, static analysis, fuzz testing, lint-like and bug-finding tools, SQL injection, cross-site scripting, input validation, taint analysis, same-origin policy, isolation in web browsers, cryptosystems, digital signatures, message authentication codes, hashes, password handling, password cracking, encrypted key exchange, identity-based encryption, SSL/TLS, IPSEC, DNSSEC, S-BGP, WEP/WPA, VPNs, firewalls, packet filtering, intrusion detection, network trace forensics, side channel attacks (timing, cache, power, EM, reflection, acoustic), TPMs, denial of service, flooding, client puzzles, CAPTCHAs.

Website

http://www.cs.cornell.edu/courses/cs5431/2011sp

Class meetings

Friday, 10:10–11:25 am, Thurston 203

Attendance is required. All students are responsible for knowing everything that is covered during class meetings, including announcements. If you must be absent from a class meeting, make arrangements with another student to find out what you missed.

Class meetings will incorporate lecture, small group problem-solving exercises, and workshops. Each meeting will usually devote time to the course material as well as the course project.

You will also need to attend your team's project presentations, which will occur roughly every three weeks on Friday. On those days, the regular class meeting will usually be canceled. Students will sign up for a block of time to present their project status to me. Presentations will be scheduled throughout the day, not just during the normal class meeting time.

Instructor

Dr. Michael Clarkson
Office: Upson 4124
Office phone: 254-6507

Office hours: I am easily available with a prior appointment, which you can schedule via email. Most afternoons I'm in my office, Upson 4124, and I encourage you to drop by even without an appointment. I'll also keep Thursday, 1:30–2:30 pm, open as a regular office hour.

Email: clarkson@cs.cornell.edu. I enjoy talking with you, whether you have questions about course material or just want to explore an idea. But email rarely works well for those discussions; in-person communication is much better. So the best way to use email is to make an appointment to meet with me. In your meeting request, propose days and times that you are available, and I'll be happy to make time for you.

Teaching assistants

CS 5431 shares the CS 5430 teaching assistants. Details are on the CS 5430 website.

Prerequisites

This course assumes that you have mastered the material in CS 4410 (Operating Systems). You must be registered in CS 5430 (System Security) to take CS 5431.

The course project must be programmed in Java. The course may also require the use of additional tools, such as Eclipse, Eclipse plugins, C, assembler, Unix, web servers, and other standard technologies. You either need to be familiar with these technologies or to be committed to investing extra time to learn them as you go. (Part of becoming a professional computer scientist or engineer is learning to adapt quickly to new technologies.) Necessary software will be installed on CSUG and MEng lab machines. If you elect to install it on your own machine, you're on your own.

Objectives

As a result of this course, students will be able to:

Announcements

You are responsible for being aware of all announcements made in class as well as made in the Announcements section of the course website.

Textbooks

There is no single textbook that covers the material from this class, nor is there even a small set of textbooks that I can recommend.

Since this is the first time the class has been taught, there are also no online lecture notes. I might be able to make scribe notes available online after lectures, but I cannot promise that they will be authoritative, timely, or complete.

Such is the price you pay to learn cutting-edge material...

Assignments

Project: You will undertake a semester-long software development project with a team of your classmates. Roughly every three weeks, your team will deliver a milestone, which will comprise a new increment of functionality for your software, a written report, and a spoken presentation. Each milestone will emphasize a new security concern for your project. You will submit peer reviews of your teammates at each milestone. You should expect to put in a lot of work on the project.

Homework: There will be a small number (probably three) of homework assignments. Each assignment may involve programming or written problems. You must work with a partner on each assignment, though you are free to change partners between assignments. (These might more accurately be called "mini-projects," but I won't use that term because it risks confusion with the main project.)

Reading: Although there are no textbooks for this course, there are many relevant research papers, websites, etc. I will sometimes post these items as supplementary readings for lectures. You might need the context of a day's lecture to help you make sense of that day's readings, so I recommend doing readings after class meetings rather than before. Some readings will be identified as "required," and those are fair game for quizzes. Readings that are identified as "optional" will not be covered by quizzes but will provide you the opportunity to dig deeper into class material.

Public display of student work: I will gather outstanding examples of student work throughout the semester to make available on the course website. The purpose of this is to provide a resource for current and future students, as well as to provide some public recognition for authors of superb work. If chosen, you will be invited to sign a release form. Of course, you aren't required to release your work for posting on the internet. But if you don't, you miss your chance for glory.

Tests

Quizzes: In-class quizzes will be given from time to time and may occur with no warning. (That is, they may be "pop quizzes.") Quizzes will usually be given at the beginning of class meetings to encourage you to arrive on time. Quizzes may cover material from any previous class meetings and their associated required readings, homeworks, project milestones, or class handouts such as this syllabus.

Exams: There will be no prelims. In lieu of a final exam, that time slot will be used for a final presentation of your project, which you will need to attend. The University Registrar will issue a final exam schedule in February, and I will announce our final exam time as soon as possible. Update: the University has scheduled our final exam for Friday, May 13, 2–4:30 pm.

Karma

Various activities may include the opportunity to earn karma—for example, by solving bonus problems, being the first student to successfully mount an attack, etc. Karma exists to provide extra challenge to those who want it. If you earn karma, you will be noticed, and your success may be taken into account when I assign your final grade. However, spending your time on regular course work is almost always a more effective way to improve your final grade.

Grading

Your final grade will be computed as follows:

60%Project
25%Homework
10%Quizzes
5%Subjective factors

As a general rule of thumb, an A indicates "impressive", a B is just "adequate" and C indicates "many problems."

Project: Your team's grade for the project will be based on the quality of your final submission at the end of the semester, the progress you demonstrate at each milestone, and the quality of your presentations and written reports. Your own individual grade for the project will further be influenced by the peer reviews written by your teammates.

Homework: Grading criteria will differ for each homework and will be detailed with each assignment.

Quizzes: Your lowest quiz score will be dropped.

Subjective factors: These may include attendance, class participation, appearance at office hours, karma, and any means by which you have demonstrated mastery of course content.

Grading policies

Late work: Late submissions will not be accepted without my prior approval. I am not likely to give that approval except in documented cases of medical emergency, of campus computing infrastructure failure, etc.

Regrades: For all graded assignments, you may request a regrade if you believe I have made an error in the grading or if you simply want a clarification. There will be a limited window of time (usually about one week after the assignment is returned to you) during which you may request a regrade.

Use CMS to request regrades. You must explain (via CMS) what you believe is wrong or what you don't understand. Be clear and succinct. "I think I deserve a better grade" does not constitute a valid explanation. I reserve the right to regrade your entire assignment. As a result, your grade might go up or down.

I recognize that regrade requests are very important to you. In return, I ask you to recognize that regrade requests can become an enormous drain of my time, especially when they are specious. I am happy to chat with you about your (re)grades if you make an appointment in advance.

Academic integrity

Absolute integrity is expected of every Cornell student in all academic undertakings. You are responsible for knowing and adhering to the Cornell Code of Academic Integrity.

You may work only with your partner on homeworks. Do not collaborate with anyone else. But on the project, you are free (and even encouraged) to discuss your work with other teams.

I may use automated tools to detect plagiarism. You have been warned.

Statements

On disabilities: If you have a disability-related need for reasonable academic adjustments in this course, provide me with an accommodation letter from Student Disability Services. You are expected to give two weeks notice of the need for accommodation. If you need immediate accommodation, please arrange to meet with me as soon as possible.

On wellness: If you are experiencing undue personal or academic stress at any time during the semester or need to talk to someone who can help, contact me or one of the following resources: