Syllabus

Course description

CS 5430 discusses security for computers and networked information systems. It focuses on principles and techniques for implementing military as well as commercial-grade secure systems. The practicum, CS 5431, sits at the intersection of computer security and software engineering. It is designed to give students practical experience with building and securing a software system.

Staff

• Instructor: Michael Clarkson (PhD '10)
• Graduate teaching assistant for CS 5430: Elisavet Kozyri
• Graduate teaching assistant for CS 5431: Eleanor Birrell
• Undergraduate consultants: Paul Chesnais, Matthew Li, Justin Lu, Gur-Eyal Sela
• Administrative assistant: Amy Elser

Prof. Clarkson's office hours will be posted on Piazza. The rest of the staff's office hours will be hosted in a Google calendar. There are no office hours during official breaks. Office hours end on the last day of classes.

Communication

There are separate websites for the main course and practicum. They are http://www.cs.cornell.edu/courses/cs5430/ and http://www.cs.cornell.edu/courses/cs5431/.

We use CMS for submission of assignments and for grading. There are separate courses in CMS for CS 5430 and CS 5431. Make sure you can login to https://cms.csuglab.cornell.edu/ and see CS 5430 (and CS 5431, if you are in the practicum). We are on a new, high-performance version of CMS that is being rolled out this semester to select courses. If you cannot access the course, please verify with the Registrar that you are enrolled in the course. We will not add students to CMS until they are enrolled with the Registrar.

Communicating with course staff in CS 5430:

• The best way to communicate with the course staff is in office hours. We ask that you try to always use this option first.
• For questions regarding material in the course, Piazza is an option, but we use Piazza differently in this course than how you might be accustomed to using it in other courses. Please read the course Piazza Communication Policy before posting on Piazza.
• For matters related to you personally, please use cs5430-profs-L@list.cornell.edu. This email list reaches only the professor teaching the course. The best way to use it is to send informational messages, which need no reply, rather than sending queries that need a reply. Assume that it will take about five days to receive a reply. If you need a reply sooner, you always have the opportunity to ask questions after lecture and during office hours.

Please do not send email directly to the course staff, except for the purpose of coordinating meetings. Meetings with the professor can be coordinated through an online scheduling service called YouCanBook.me, instructions for which will be posted on Piazza.

Prerequisites

For CS 5430, you need to have a broad understanding of organization and programming of computer systems. Students who have taken a senior-level systems course, such as Cornell's CS 4410 and its transitive prerequisites, should be well positioned to take CS 5430. Knowledge of operating systems, computer networks, and cryptography will be helpful. Assignments might require the use of standard tools and languages such as C, Unix, web servers, etc. You either need to be familiar with these technologies or to be committed to investing extra time to learn them as you go. (Part of becoming a professional computer scientist is learning to adapt quickly to new technologies.)

For CS 5431, the foremost prerequisite is that you need to be a programmer. Students who are not already accomplished in a modern high level language will not be equipped to succeed in the practicum. In previous semesters, projects averaged about 5,000 lines of code, with individual students typically contributing around 2,000–2,500 lines of code. Knowledge of the material in CS 4410 is also a prerequisite for CS 5431.

Course materials

The following optional textbooks have a large intersection with what we will cover:

• Matt Bishop. Introduction to Computer Security. Addison-Wesley, Boston, MA, 2005. ISBN 0-321-24744-2.
• Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno. Cryptography Engineering. Wiley, Indianapolis, IN, 2010. ISBN 978-0-470-47424-2.
• Charles P. Pfleeger and Shari Lawrence Pfleeger. Analyzing Computer Security. Prentice Hall, Upper Saddle River, NJ, 2011. ISBN 978-0-13-278946-2.

Exams

There will be no preliminary exams. There will be a final exam in CS 5430 as scheduled by the Registrar.

Assignments

There will be approximately six homework assignments in CS 5430. They may include written problems and programming problems. Assignments in this course are deliberately underspecified, open-ended, and motivated by problems that arise in the real world—messy as it is—as is consistent with the upper-level, professional, and practical orientation of this course. You will have to think on your own, build tools, refine problem specifications, make reasonable and defensible assumptions, and be creative. Success in this course, as in life, depends heavily on you figuring out what's important and concentrating on that.

Extensions and late policy

Extensions will be granted only in exceptional circumstances, such as documented illness, and are handled exclusively by the Graduate TA for the appropriate course in consultation with Prof. Clarkson. Your copy of a checkout sheet from a medical provider suffices as documentation. Extensions will not be granted for job interviews, large workloads in other courses, or extra-curriculars.

Unless otherwise specified, assignments may be turned in after the deadline with the following penalty applied to the score received:

• 1 day late (i.e., immediately after the deadline up to 24 hours later): −10%
• 2 days late: −25%
• 3 days late: −50%
• >3 days late: −100% (we won't grade it)

Weekends (Saturday and Sunday) count as a single day for the purpose of calculating late penalties. So turning your assignment in on Sunday night is no worse than turning it in on Saturday morning.

Here are a few words of caution about CMS and late submissions:

• The deadline for an assignment is not the time by which you must finish writing a solution; rather, the deadline is the time by which you must successfully upload your solution files to CMS and confirm that CMS has recorded the correct versions of those files. CMS might lag near the deadline as many students attempt to upload their submissions at the last minute, perhaps even causing your submission to be marked as late. That is your problem. Requests to have a penalty removed because CMS lagged near the deadline will be denied. We recommend that you upload your files at least one hour before the deadline.
• There will be a 20 minute grace period configured in CMS. Do not (re)submit after the deadline unless you are comfortable with the fact that you might receive a late penalty. The only purpose of the grace period is for you to resolve any last-minute upload issues—not to continue working past the deadline.
• You must submit your work through CMS; email submissions, whether late or on time, will be deleted without response.
• CMS enables you to upload as many times as you wish before submissions are closed. Only the most recent version, with the appropriate late penalty, will be graded. Requests to have the course staff grade earlier versions (with or without a penalty) will be denied.
• It is your responsibility to verify before the deadline that you have submitted the intended versions of your files. Requests to substitute another version (e.g., "I accidentally submitted the wrong files") will be denied.
• File system timestamps on your local hard drive are never acceptable as evidence of existence of a file prior to the deadline, because you are under complete control of that timestamp.

Regrades

Regrades are intended to correct serious errors in grading, not to dispute judgment calls made by graders. Graders do sometimes take off a little too much, but they just as often give a little too much. In our experience, exceptionally few regrade requests would actually make a difference in the final course grade. So rather than all of us obsessing over regrades, we'd prefer that you spend your time on doing well on the next assignment, and that we spend our time on developing course content.

Do feel free to meet with the course staff if you cannot understand the written comments the grader provided on your solution. But the grade on your solution and/or changes to the grade are "out of bounds" topics for discussion at that meeting, with one exception: grading mistakes of a purely arithmetic nature (e.g., the grader wrote that they were deducting 5 points but entered a deduction of 6 into CMS) can be fixed on the spot, without needing to follow the process below.

If you decide that a serious mistake was made in grading your assignment, then we would be happy to fix it. Here is the process:

1. Prepare a written regrade request by filling out this regrade request form. Attach hardcopies of your entire original solution and the entire grading comments. Your request needs to demonstrate that there was an error in grading, and that you understand the correct answer.
2. Submit that request to the homework handback room (Gates 216).
3. Be patient. Regrade requests receive lower priority than any other active grading.
4. The Graduate TA for the appropriate course, in consultation with Prof. Clarkson, will read your written request, consider its merits, and make a decision about a grade change. The grade on your assignment might increase, decrease, or remain unchanged as a result of the additional scrutiny the regrade request engenders.
5. The result of your request will be communicated back to you via CMS.

Note that this process is entirely written. We will not discuss regrades with you in person; for sake of consistency in grading (hence fairness), we prefer to handle all the regrades for a given assignment at one time.

The deadline for submitting a regrade request is one week after you receive the original grade. Requests submitted after that will be denied without consideration of their merits.

Resist the temptation to use regrade requests as a means to fish for a better grade. Here are two words of caution:

• Any regrade request that we perceive to be specious will inspire increased rigor in rechecking your submission, and that often leads to a grade reduction. The course staff will go to great lengths to help you understand the course content; we are considerably less enthusiastic about discussing how what you wrote could be stretched to mean the right answer.
• We track all regrade requests that are submitted throughout the semester. When we determine final course grades, we look carefully at students who are near the cutoffs between letter grades to see whether any extra consideration is warranted for adjusting their grade up or down. Abuse of regrade requests will factor heavily into this extra consideration.

Practicum

Students in the practicum (CS 5431) will gain additional practical knowledge of security through two activities:

• A semester-long team software development project.
• Weekly lectures on practical topics related to the content of the main course.

Students enrolled in CS 5431 must also be enrolled in CS 5430.

Academic integrity

Absolute integrity is expected of every Cornell student in all academic undertakings. If you are unsure about what is permissible and what is not, please ask.

You are responsible for understanding these university, departmental, and course policies:

• Cornell University Code of Academic Integrity
• Computer Science Department Code of Academic Integrity
• CS 1110 Explanation of Academic Integrity, to which CS 5430 + 5431 adheres.

Integrity includes you being honest about the sources of the work you submit. When you submit work in this course, you are representing it as the work of the stated authors (i.e., the members of the CMS group who submitted it) subject to any exceptions that are clearly stated in the submission itself. To avoid committing plagiarism, simply be sure always to accurately credit your sources. To do otherwise is to commit fraud by claiming credit for the ideas and efforts of others, and that is punishable under the Code of Academic Integrity.

Grades, on the other hand, are about the course staff assessing what you have learned. If you turn in someone else's work for course credit, and forthrightly acknowledge you are doing so, you are not acting dishonestly and are not violating academic integrity. But you also give us no basis for concluding that you have learned the course content. We recommend the following rule of thumb: Never look at any other students' solutions, or have their solutions in your possession, in any portion or form whatsoever. Also never share your solutions with other students.

Grades

We expect the breakdown for the overall course grade in CS 5430 to be as follows:

• Assignments: 66%
• Final exam: 32%
• Other factors: 2%

We expect the breakdown for the overall course grade in CS 5431 to be as follows:

• Project: 98%
• Other factors: 2%

Assignments in CS 5430 are weighted equally, and your lowest assignment score will be dropped. Other factors includes submission of course evaluations and participation in any CMS surveys we might hold.

Sometimes students ask whether the final grade is curved. The answer is that it depends on what you mean by "curved." Any mapping from numeric scores to a letter grade implicitly defines some kind of curve. But we do not give out a fixed percentage of A's, B's, etc. In fact, we'd be happy if everyone in the course learned the material well enough to get A's. Historically that has not happened, though, and the median grade in the course has been between B+ and A-.