CMSC414-S17: Computer and Network Security

Date	Topic	Readings & handouts
Jan 26	Introduction (slides)	Required reading: "Reflections On Trusting Trust", Ken Thompson, pdf) Chapter 1 of [Anderson]
Software Security
Jan 31	Buffer overflow attacks 02 slides from class Optional: slides from sp 2016	Required reading: "Smashing the Stack for Fun and Profit", Aleph One (pdf, phrak) Optional: Example used in class: "Analysis of an Electronic Voting System", Kohno et al. (pdf)
Feb 2	Buffer overflow attacks and defenses 03 slides from class Optional: slides from sp 2016	Required reading: "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks" (pdf) GDB quick references Optional but very useful: GDB manual "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade" (pdf)
Feb 7	Memory safety: attacks and defenses 04 slides from class Optional: slides from sp 2016	Optional reading: "Basic Integer Overflows" (phrack) "Exploiting Format String Vulnerabilities" (pdf) "The advanced return-into-lib(c) exploits: Pax case study" (phrack) "Return-Oriented Programming" (paper) (slides)
Feb 9	Defensive programming 05 slides from class Optional: slides from sp 2016	Optional reading: Robust Programming
Feb 14	Malware: Viruses 06 slides from class Optiona: slides from sp 2016	Required reading: "Hunting for Metamorphic" (pdf) Optional reading: "A History of Computer Viruses - The Famous 'Trio'" (pdf)
Feb 16	Web Security: SQL Injection 07 slides from class Optional: slides from sp 2016	Required reading: "OWASP SQL injection reference" (html) Optional reading: "SQL Injection Attacks by Example" (www)
Feb 17	Project 1 due (Buffer overflows)
Feb 21	Web security: XSS & CSRF 08 slides from class Optional: slides from sp 2016	Required reading: "OWASP XSS reference" (html "Web security: Are you part of the problem?" (www) "Cross-Site Request Forgery: An Introduction..." (pdf) Optional reading: "OWASP CSRF reference" (html
Feb 23	XSS attacks	See readings and slides from Feb 21
Feb 28	XSS attacks Clickjacking ucb-cs161-popa-slides sp2017 Optional: slides from sp2016	Required reading: Clickjacking: Attacks and defenses (pdf) Cursorjacking demo (also read the source)
Mar 2	Principles of secure software design 09 slides from class Optional: slides from sp 2016	Required reading (further defines the design principles in the slides): "Secure Programming for Linux and Unix HOWTO", Chapters 7.1-7.10 (www)
Mar 7	Principles of secure software implementation: tcb, code safety 10 slides from class Optional: slides from sp 2016	Optional reading: vsftpd's design (www)
Cryptography
Mar 9	Symmetric key crypto: 11-crypto slides from class	Required reading: symmetric key notes sp 2016.
Mar 14	Midterm recap
Mar 16	Midterm 1: Software Security
Mar 17 Fri	Project 2 due (Web security)
Mar 21	Spring break
Mar 23	Spring break
Mar 28	Symmetric key crypto: MACs: 11-crypto slides from class	Required reading: symmetric key notes sp 2016
Mar 30	Symmetric key crypto: Hash functions and authenticated encryption: 11-crypto slides from class	Required reading: symmetric key notes sp 2016
Apr 4	Asymmetric (public-key) crypto: Encryption, signatures 11-crypto slides from class Optional: public-key slides from sp 2016	Required reading: public-key notes from sp 2016 Suggested Reading: Twenty Years of Attacks on the RSA Cryptosystem (pdf)
Apr 6	Asymmetric crypto continued	Asymmetric crypto readings continued
Apr 11	Authentication 12 authentication slides 12 passwords-in-the-wild slides 12 certificates-in-the-wild slides Optional: proving-who-you-are slides from sp 2016	Required reading: user authentication notes sp 2016
Apr 13	Anonymity 13 anonymity slides	Required reading: anonymity notes from sp 2016 Optional reading: "The Dining Cryptographers Problem" (pdf) "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms" (pdf) "Tor: The Second-Generation Onion Router" (pdf)
Apr 14 Fri	Project 3 due (Symmetric and public key crypto)
Apr 18	Crypto misuse, side channels, ... 13-crypto tidbits	Suggested reading: "An Empirical Study of Cryptographic Misuse in Android Applications" (pdf) "Why Johnny Can't Encrypt" (pdf) "Differential Power Analysis" (pdf) "Lest We Remember: Cold Boot Attacks on Encryption Keys" (pdf)
Apr 20	Midterm 2: Cryptography
Network Security
Apr 25	Internet: intro and network layer 14-internet: intro 14-internet: network layer (IP)
Apr 27	Internet: transport 14-internet: transport (TCP)	Optional reading: Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse (pdf)
May 2	Internet: naming and routing 14-internet: naming (DNS)	Highly suggested reading: An Illustrated Guide to the Kaminsky DNS Vulnerability (www)
May 4	Internet: inter-domain routing 14-internet: routing (BGP)	Optional reading: Goldberg, Why is it Taking So Long to Secure Internet Routing? [HTML] Butler et al, A Survey of BGP Security Issues and Solutions [PDF]
May 9	App-level security; underground economy 15-app-underground slides	Optional reading: Click Trajectories: End-to-end analysis of the spam value chain (pdf) Show me the money: Characterizing spam-advertised revenue (pdf)
May 11	Last class
May 12 Fri	Project 4 due (ATM build-it/break-it)
May 17	Final Exam for 0101 and 0201: Cumulative	Wed May 17 6:30pm-8:30pm Skinner 0200

CMSC 414: Computer and Network Security

SCHEDULE