Skip to main content


CS 5430: System Security
Spring 2015
4 credits

This course sits at the intersection of computer security and software engineering. It is designed to give students practical experience with building a software system and securing it. Students will engage in a significant group programming project to develop a novel piece of software. Emphasis will be placed on the correctness and robustness of software, and on security as part of the software engineering process.

This course is not about the pragmatics of attacking computer systems. If you're looking for black hat training, look elsewhere.

Course Administration


Class meetings

Monday, Wednesday, Friday, 10:10–11:25 am
Thurston 205

Attendance is required. All students are responsible for knowing everything that is covered during class meetings, including announcements. If you must be absent from a class meeting, make arrangements with another student to find out what you missed.

Online Q&A

Piazza will be used for announcements and online discussion. Rather than emailing questions to the teaching staff, you should post your questions on Piazza. Note that you can post public questions (which your classmates will see) or private questions (which only the teaching staff will see). If you email questions directly to the teaching staff, we are likely to ask you to post them on Piazza before we answer. One significant feature of Piazza is that you can answer your classmates' questions. We strongly encourage you to do so. Just avoid giving away any hints on the homework or posting any part of a solution.

Sign up for Piazza at this URL:

Staff List

Michael Clarkson Instructor
Eleanor Birrell TA
Laure Thompson TA
Steven Frink TA
Tom Magrino TA

Email policy: We enjoy talking with you, whether you have questions about course material or just want to explore an idea. But email rarely works well for those discussions; in-person communication is much better. Come to our office hours. Please note that email is not an appropriate channel for discussion of grades—such discussions should occur in person.

Office hours: These will be posted on Piazza.


The foremost prerequisite is that you need to be a competent programmer. Students who are not already accomplished programmers in a modern high level language will not be equipped to succeed in this course. In previous semesters, projects averaged about 5,000 lines of code, with individual students typically contributing around 2,000–2,500 lines of code.

Knowledge of operating systems, computer networks, and cryptography will also be helpful.

The course project must be programmed in Java. The course may also require the use of additional tools and languages such as Eclipse, C, assembler, Unix, web servers, and other standard technologies. You either need to be familiar with these technologies or to be committed to investing extra time to learn them as you go. (Part of becoming a professional computer scientist is learning to adapt quickly to new technologies.)


You are responsible for being aware of all announcements made in class as well as on Piazza.


There is no single textbook that covers all the material from this class. If you're looking to invest in books, the following optional textbooks have a large intersection with what we will cover:

  • Charles P. Pfleeger and Shari Lawrence Pfleeger. Analyzing Computer Security. Prentice Hall, Upper Saddle River, NJ, 2011. ISBN 978-0-13-278946-2.
  • Matt Bishop. Introduction to Computer Security. Addison-Wesley, Boston, 2005. ISBN 0-321-24744-2.
  • Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering. Wiley, Indianapolis, 2010. ISBN 978-0-470-47424-2.


You are required to have an i>clicker and to bring it to class every day. You can buy an i>clicker at The Cornell Store. Cornell CIT provides technical support for i>clicker. You will need to register your i>clicker with CIT. i>clicker GO will not be enabled in this course.

Use of someone else's i>clicker, either because you forgot yours or because they cannot be there and asked you to click theirs, is a violation of the Code of Academic Integrity and will be prosecuted.

You will never be graded on whether the answers you submit by i>clicker are correct; it is part of your attendance grade.


Assignments in this course are deliberately underspecified, open-ended, and motivated by problems that arise in the real world—messy as it is—as is consistent with the upper-level, professional, and practical orientation of this course. You will have to think on your own, build tools, refine problem specifications, make reasonable and defensible assumptions, and be creative. Success in this course, as in life, depends heavily on you figuring out what's important and concentrating on that.


You will undertake a semester-long software development project. You should expect to put in a lot of work on the project. You should also expect to get a lot out of it.


There will be about five homework assignments. Each assignment may involve programming or written problems. You must work alone on homework assignments.


There will be no midterms or final exams.


You must submit your work online via CMS. Follow the online instructions for submitting files. Submissions by email will not be accepted.

If you are working with a group, you should coordinate with your partners well in advance of the due date and time. You must register the group in CMS for each problem set. See the CMS online help for details. Only one of the partners need submit the files.

Please include the names and NetIDs (not your Cornell student id!) of all partners in all submitted files.

Please be careful to submit the correct versions of your files. We will view the excuse "I accidentally submitted the wrong version" with extreme skepticism—we have heard it countless times. We typically apply a small to moderate penalty to the problems that involve corrected files.


Your final grade will be calculated as follows:

  • Project: 50%
  • Homework: 40%
  • Other factors: 10%

As a general rule of thumb, an A indicates "impressive" and could perhaps be posted as-is as a solution, a B is "adequate" though contains small technical errors or misunderstandings, and C indicates "many problems" and reflects significant errors or misunderstandings. Quality is what counts—not mere effort, nor how you compare to other students in the course.

Sometimes grades will be communicated numerically. The standard four-point system will be used: A=4, B=3, C=2, etc. The "+" modifier adds .3, and the "-" modifier subtracts .3. So A+ = 4.3, B- = 2.7, etc.


Your team's grade for the project will be based on the quality of your final submission at the end of the semester, the progress you demonstrate at each milestone, and the quality of your milestone submissions, including your in-progress system, any presentations, and any written reports. Your own individual grade for the project will further be influenced by the peer reviews written by your teammate.


Homeworks will be weighted equally. The lowest homework grade will be dropped. Grades will not only reflect technical content but also clarity of exposition (including usage, grammar, and spelling).

Other factors

These may include attendance, participation on Piazza, appearance at office hours, submission of course evaluations, and any means by which you have demonstrated mastery of course content. This portion of the grade typically affects only a handful of students, raising or lowering their final course grade by 1/3 letter grade.

Late Policy

Most assignments will have a soft deadline and a hard deadline. If you submit after the soft deadline and before the hard deadline, you will automatically receive a 25% late penalty on the assignment. (An equivalent way of understanding this policy is that submitting before the soft deadline earns a bonus.) We encourage you to use this policy as a way to deal with high workloads once or twice in the semester, rather than repeatedly submitting late assignments.

CMS enables you to upload as many times as you wish before the hard deadline. Only the latest version will be graded. Note that if you upload both before and after the soft deadline, the one after the deadline will be taken, so you will be subject to the late penalty. You will not be able to submit after the hard deadline.

It is therefore critical that you submit your assignments on time. CMS tends to lag right near the deadline because so many submissions are made at the last minute, so we recommend submitting at least 15 minutes before the deadline. In this course, CMS will be configured with no grace period, so that you can best predict exactly when the deadline occurs.

Extensions will be granted only in exceptional circumstances, such as documented illness, and are handled exclusively by the instructor. Extensions will not be granted for job interviews or large workloads in other courses.


We recommend that you double check with the original grader before submitting a regrade request. The grader can typically clarify the grading for you more quickly than a regrade request would.

Regrade requests may be made only with CMS. Do not submit paper regrade requests to the Gates Hall homework handback room.

Regrade requests should be submitted only when you believe that an error was made in the grading. The burden is on you to demonstrate that error. Requests of the form "we think we should get more points for the work we did" are not valid.

There is a deadline for submitting regrade requests, normally one week after grades have been posted. The course staff typically does not begin processing those requests until after the submission deadline has passed, and regrades receive lower priority than any other active grading, so please be patient.

Academic Integrity

Absolute integrity is expected of every Cornell student in all academic undertakings. The instructor will prosecute violations aggressively. The course staff may use automated tools to detect plagiarism. You have been warned.

You are responsible for understanding every word of these policies:

The protocol for prosecution of violations is described here: Explanation of AI Proceedings.

Under no circumstances may you hand in work done with or by someone else under your own name or share solutions with anyone else except your partners. (You would be amazed at how easy it is to tell when code has been shared.) You may discuss general questions or the requirements of assignments with other students, but it must never go down to the level of writing, design, or coding.

You may not give away any hints or post any code that might be part of a solution on Piazza. Rough algorithms or non-solution-specific code fragments are ok if you need them to illustrate a point.

If you are unsure about what is permissible and what is not, please ask.

Special Needs

We provide appropriate academic accommodations for students with special needs and/or disabilities. Requests for academic accommodations are to be made during the first three weeks of the semester and must be accompanied by official documentation. Please register with Student Disability Services in 420 CCC to document your eligibility.