CMSC 414: Computer and Network Security

Note All topics for future dates are tentative. Future classes have links to old slides; check back for updates.

Date	Topic	Readings/handouts
01/29	Introduction	Required reading: "The Security Mindset", Bruce Schneier, (www) Chapter 1 of [Anderson]
	Software Security
01/31	Buffer overflow attacks	Required reading: "Smashing the Stack for Fun and Profit" (pdf) Optional but very useful: GDB quick references and manual
02/05	Buffer overflow attacks and defenses	Required reading: "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks" (pdf) Optional: "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade" (pdf)
02/07	Memory safety: attacks and defenses	Optional: "Basic Integer Overflows" (phrack) "Exploiting Format String Vulnerabilities" (pdf) Original return-oriented programming paper (pdf)
02/12	Malware and Malware case studies	Optional: "Hunting for Metamorphic" (pdf) "A History of Computer Viruses - The Famous Trio" (pdf) "IoT Goes Nuclear..." (pdf)
02/14	Program analysis	Optional: "Tricorder: building a program analysis ecosystem" (pdf) "Fuzzing code with AFL" (pdf)
	Web Security
02/19	Web background and SQL injection	Required: "Web Security: Are You Part of the Problem?" (www) Optional: "SQL Injection Attacks by Example" (www)
02/21	XSS and CSRF	Required: "Cross Site Request Forgery: An introduction..." (pdf)
02/26	Principles of secure software design
02/28	Clickjacking and Phishing
03/05	Cryptography intro, symmetric	Required: Symmetric key notes
03/07	Midterm recap & open problems in software security
03/12	Midterm 1
	Applying Cryptography
03/14	Symmetric and public-key crypto	Required: Same notes as 03/05 Sam's slides: [1] and [2] Public key notes
03/19	Spring break
03/21	Spring break
03/26	Proving who you are: Key exchange and PKI
03/28	PKI in the wild (same slides as 03/26)
04/02	Secure computation	Required reading: "How to explain zero-knowledge proofs to your children (pdf) Optional reading: Yao, Protocols for Secure Computations (pdf) (mathy but interesting) Chaum, Security without identification (pdf) (not mathy, discusses cryptocurrency) Fagin et al., Comparing information without leaking it (pdf) (all physical-world examples of secure computation schemes, fun to read)
04/04	Hiding who you are: Anonymity	Required reading: Anonymity notes Optional reading: The Dining Cryptographers Problem Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms Tor: The Second-Generation Onion Router
04/09	Blockchain (no slides)	Required reading: Bitcoin: A Peer-to-Peer Electronic Cash System
04/11	Privacy	Optional reading: How to Break Anonymity of the Netflix Prize Dataset Differential Privacy for Everyone" Differential Privacy: A Primer for the Perplexed (mathy) Privacy-Preserving Data Analysis for the Federal Statistical Agencies
04/16	Midterm 2 recap
04/18	Midterm 2
	Network Security
04/23	Networking background
04/25	Networking attacks: TCP	Same slides as 04/23 Optional reading: Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse
04/30	Censorship resistance
05/02	Human behavior
05/07	Networking attacks: DNS	Same slides as 04/23 Highly suggested reading: An illustrated guide to the Kaminsky DNS vulnerability
05/09	Botnets & underground economies	Optional reading: Click Trajectories: End-to-end analysis of the spam value chain Show me the money: Characterizing spam-advertised revenue
05/14	Final recap
05/16	Final exam 4-6 pm, IRB 0324