Course description

CS 5430 discusses security for computers and networked information systems. It focuses on principles and techniques for implementing military as well as commercial-grade secure systems. The practicum, CS 5431, sits at the intersection of computer security and software engineering. It is designed to give students practical experience with building a software system and securing it.

This course is not about the pragmatics of attacking computer systems. If you're looking for black hat training, look elsewhere.


  • Instructor: Michael Clarkson (PhD '10)
  • Teaching assistant: Kevin Sekniqi
  • Consultants: Laura Herrle, Tania Tocalini, Sandeep Vanka, Richard Zhang
  • Administrative assistant: Randy Hess

The schedule of consulting hours and instructor office hours will be posted on Piazza. There are no consulting or office hours during official breaks. Consulting and office hours end on the last day of classes.


The course website for both CS 5430 and CS 5431 is

We use Piazza for announcements and Q&A in both CS 5430 and CS 5431. There is a single Piazza forum (under the CS 5430 course number) for both CS 5430 and CS 5431. You can sign up at You are responsible for familiarizing yourself with all announcements made on Piazza. The course staff continuously monitor the forum and will respond to questions in a timely manner. This is the most efficient method of getting help and has the added advantage that others can benefit from your question. If you know the answer to a question, feel free to post a reply yourself. Avoid giving away any hints on the homework or posting any part of a solution; this will be considered a violation of Academic Integrity.

We use CMS for submission of assignments and for grading. There are separate courses in CMS for CS 5430 and CS 5431. Make sure you can login to and see CS 5430 (and CS 5431, if you are in the practicum). If you cannot access the course, please verify with the Registrar that you are enrolled in the course. We will not add students to CMS until they are enrolled with the Registrar.

Refrain from emailing the course staff directly. Instead, post either a public or a private question to Piazza. This is the most effective way for the course staff to manage communication in a large course. Please refrain from making posts that are private only to the professor, and note that neither email nor Piazza is an appropriate channel for discussion of grades—such discussions should occur in person.


For CS 5430, you need to have a broad understanding of organization and programming of computer systems. Students who have taken a senior-level systems course, such as Cornell's CS 4410 and its transitive prerequisites, should be well positioned to take CS 5430. Knowledge of operating systems, computer networks, and cryptography will be helpful. Assignments might require the use of standard tools and languages such as C, Unix, web servers, etc. You either need to be familiar with these technologies or to be committed to investing extra time to learn them as you go. (Part of becoming a professional computer scientist is learning to adapt quickly to new technologies.)

For CS 5431, the foremost prerequisite is that you need to be a programmer. Students who are not already accomplished in a modern high level language will not be equipped to succeed in the practicum. In previous semesters, projects averaged about 5,000 lines of code, with individual students typically contributing around 2,000–2,500 lines of code.

Course materials

The following optional textbooks have a large intersection with what we will cover in CS 5430:

  • Matt Bishop. Introduction to Computer Security. Addison-Wesley, Boston, MA, 2005. ISBN 0-321-24744-2.
  • Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering. Wiley, Indianapolis, IN, 2010. ISBN 978-0-470-47424-2.

The following textbook is required for CS 5431 and optional for CS 5430:

  • Charles P. Pfleeger and Shari Lawrence Pfleeger. Analyzing Computer Security. Prentice Hall, Upper Saddle River, NJ, 2011. ISBN 978-0-13-278946-2.


There will be no preliminary exams. There will be a final exam as scheduled by the Registrar.


Assignments in this course are deliberately underspecified, open-ended, and motivated by problems that arise in the real world—messy as it is—as is consistent with the upper-level, professional, and practical orientation of this course. You will have to think on your own, build tools, refine problem specifications, make reasonable and defensible assumptions, and be creative. Success in this course, as in life, depends heavily on you figuring out what's important and concentrating on that.

There will be approximately seven homework assignments, which may include written problems, programming problems, and optional karma problems. Unless otherwise specified, assignments may be turned in after the deadline with the following penalty applied to the score received:

  • 1 day late (i.e., immediately after the deadline up to 24 hours later): −10%
  • 2 days late: −25%
  • 3 days late: −50%
  • >3 days late: −100% (we won't grade it)

Extensions will be granted only in exceptional circumstances, such as documented illness, and are handled exclusively by the instructor. Extensions will not be granted for job interviews or large workloads in other courses.

Here are a few words of caution about CMS and late submissions:

  • The deadline for an assignment is not the time by which you must finish writing a solution; rather, it is the time by which you must successfully upload your solution files to CMS and confirm that CMS has recorded the correct versions of those files. CMS might lag near the deadline as many students attempt to upload their submissions at the last minute, perhaps even causing your submission to be marked as late. That is your problem. Requests to have a penalty removed because CMS lagged near the deadline will be denied. We recommend that you upload your files at least one hour before the deadline.
  • In this course, CMS will be configured with no grace period, so that you can best predict exactly when deadlines occur.
  • You must submit your work through CMS; email submissions, whether late or on time, will be deleted.
  • CMS enables you to upload as many times as you wish before submissions are closed. Only the most recent version, with the appropriate late penalty, will be graded. Requests to have the course staff grade earlier versions (with or without a penalty) will be denied.
  • It is your responsibility to verify before the deadline that you have submitted the intended versions of your files. Requests to substitute another version (e.g., "I accidentally submitted the wrong files") will be denied.

We sincerely regret having to enforce these policies, but the administrative overhead associated with late submissions has become too great. And sorting out whether students are unfairly trying to work past the deadline (while unjustly blaming CMS) is not feasible.


Regrades are intended to correct serious errors in grading, not to dispute judgment calls made by graders. Graders do sometimes take off a couple extra points too many, but they just as often give a couple extra points too many. In our experience, exceptionally few regrades requests would actually make a difference in the final course grade. So rather than all of us obsessing over regrades, we'd prefer that you spend your time on doing well on the next assignment, and that we spend our time on developing the next assignment.

Do feel free to meet with the course staff if you cannot understand the written comments the grader provided on your solution. But the grade on your solution and/or changes to the grade are "out of bounds" topics for discussion at that meeting, with one exception: grading mistakes of a purely arithmetic nature (e.g., the grader wrote that they were deducting 5 points but entered a deduction of 6 into CMS) can be fixed on the spot, without needing to follow the process below.

If you decide that a serious mistake was made in grading your assignment, then we would be happy to fix it. Here is the process:

  1. Prepare a written regrade request by filling out this regrade request form. Attach hardcopies of your entire original solution and the entire grading comments. Your request needs to demonstrate that there was an error in grading, and that you understand the correct answer.
  2. Submit that request to Professor Clarkson or to his administrative assistant (Randy Hess).
  3. Be patient. Regrade requests receive lower priority than any other active grading.
  4. Professor Clarkson will read your written request, consider its merits, and make a decision about a grade change. The grade on your assignment might increase, decrease, or remain unchanged as a result of the additional scrutiny the regrade request engenders.

Note that this process is entirely written. We will not discuss regrades with you in person; for sake of consistency in grading (hence fairness), we prefer to handle all the regrades for a given assignment at one time.

The deadline for submitting a regrade request is one week after you receive the original grade. Requests submitted after that will be denied without consideration of their merits.

Resist the temptation to use regrade requests as a means to fish for a better grade. Here are two words of caution:

  • Any regrade request that we perceive to be specious will inspire increased rigor in rechecking your submission, and that often leads to a grade reduction. The course staff will go to great lengths to help you understand the course content; we are considerably less enthusiastic about discussing how what you wrote could be stretched to mean the right answer.
  • We track all regrade requests that are submitted throughout the semester. When we determine final course grades, we look carefully at students who are near the cutoffs between letter grades to see whether any extra consideration is warranted for adjusting their grade up or down. Abuse of regrade requests will factor heavily into this extra consideration.

We sincerely regret having to enforce this policy, but regrades have become an unjustifiable amount of work—both yours and ours—with little benefit to anyone.


Students in the practicum (CS 5431) will gain additional practical knowledge of security through two activities:

  • A semester-long team software development project.
  • Weekly discussions of recent real-world attacks as described in the Pfleeger & Pfleeger textbook. Each student will prepare and lead a discussion of one chapter from that book. All students are expected to attend and participate in the discussions.

Students enrolled in CS 5431 must also be enrolled in CS 5430.

Academic Integrity

Absolute integrity is expected of every Cornell student in all academic undertakings. If you are unsure about what is permissible and what is not, please ask.

You are responsible for understanding these university, departmental, and course policies:

Integrity includes you being honest about the sources of the work you submit. When you submit work in this course, you are representing it as the work of the stated authors (i.e., the members of the CMS group who submitted it) subject to any exceptions that are clearly stated in the submission itself. To avoid committing plagiarism, simply be sure always to accurately credit your sources. To do otherwise is to commit fraud by claiming credit for the ideas and efforts of others, and that is punishable under the Code of Academic Integrity.

Grades, on the other hand, are about the course staff assessing what you have learned. If you turn in someone else's work for course credit, and forthrightly acknowledge you are doing so, you are not acting dishonestly and are not violating academic integrity. But you also give us no basis for concluding that you have learned the course content. We recommend the following rule of thumb: Never look at any other students' solutions, or have their solutions in your possession, in any portion or form whatsoever. Also never share your solutions with other students.


We expect the breakdown for the overall course grade in CS 5430 to be as follows:

  • Assignments: 60%
  • Final exam: 30%
  • Other factors: 10%

We expect the breakdown for the overall course grade in CS 5431 to be as follows:

  • Project: 65%
  • Attendance at 5431 events: 15%
  • Leading one discussion: 10%
  • Other factors: 10%

Assignments in CS 5430 are weighted equally, and your lowest assignment score will be dropped. Other factors include participation on Piazza, appearance at office hours, submission of course evaluations, and any means by which you have demonstrated mastery of course content. This portion of the grade typically affects only a handful of students, raising or lowering their final course grade by 1/3 letter grade.