CMSC 414-0301
Please read Expectations for CMSC414 and make sure you review the necessary concepts. We will assume that you know the material listed here.
The course material is available on ELMS.
We will cover the following topics this semester:
There are also two "bonus" modules that we will not be covering, but you might find interesting: Digital Currencies, and Fault Tolerance.
This is a flipped classroom course. That means the lectures are all pre-recorded, and class time is used for Q&A, demonstrations, exercises, and time to work on assignments.
All assessed work has a deadline, but you can request additional time for anything aside from Build-it and Break-it using the Extension Requests quiz. When your request has been processed, the score will be changed to a 1/0. If you find that you have more than one piece of work that requires additional time, I strongly recommend that you contact me, so that you don't fall too far behind. Class time will focus primarily on the current material, but there should be ample time on most days for questions regarding material from any point during the course.
This course employs Standards-Based Grading, rather than traditional points-based grading. Rather than accumulating points that are then used to determine the cut-offs for various letter grades, there are specific learning objectives for students to demonstrate mastery of. A final grade in the course is determined by how many of these objectives were met, and at what level.
There are three types of learning objectives:
Each module is divided into a number of distinct learning objectives, of which there are 20 in total. An objective is assessed as Completed, Sufficient, or Not Completed. As an example, within the Programming Errors module, one objective would be Stack Vulnerabilities and another would be SQL Injection.
For each basic learning objective, there is a quiz containing a set of 5 questions, randomly selected from a question bank. A student must get 4 correct to successfully complete the objective at the C level (Sufficient), and all 5 correct to complete the objective at the B or A level (Completed). Multiple attempts are permitted.
Once a threshold of basic objectives has been met for a module, that module's challenge problems become available. These are more in-depth questions that allow a student to show an understanding of the material. Most of these are free-response questions.
If you use external sources, you must cite them. Anything you quote must be appropriately indicated (with quotation marks or block quotes), with citations. Your submission must not be substantially quotations — you must demonstrate independent thought. We do not specify a citation format, as long as it is clear. Please note that LLMs provide unreliable information, regardless of how convincingly they do so. If you are going to use an LLM as a research tool in your response, you must ensure that the information is correct and addresses the actual question asked. The LLM response must be treated as any other external reference: indicate what you are quoting or paraphrasing, and cite the LLM, including the prompt or prompts used. An LLM cannot be the sole source of information: If you are going to use an LLM, you must also include supporting citations. If you are using an LLM to improve your writing, after your submission you must add your initial text and any prompts to and responses from the LLM.
There are also additional challenge problems, associated with the team project and the final exam. These will be discussed separately. In total, there are 21 challenge problems (including project and exam problems).
Each challenge problem is graded on a four-point scale:
Because learning is a process, students may resubmit challenge problems as they gain mastery of a topic.
There are three individual projects in the course. For each, there is a deadline, at which point students' submissions will be scored, and feedback provided. You may also submit projects before the deadline to receive feedback. You may resubmit these as many times as you need to. In order to pass the course with at least a C-, all of the individual projects must receive perfect scores, except for Cryptography. While this might sound intimidating, experience shows that most students have either minor errors or did not grasp a key concept of the project. By revisiting the project until it works, you solidify your understanding of the material. Due to the added complexity of the Cryptography project, there is a lower requirement for that one to receive a C (but not a B or higher).
When resubmitting a project, you must also include a brief discussion of what enabled you to make progress. This can range from "I was unable to devote sufficient time to the project before the initial deadline" to "I fundamentally misunderstood how X behaved, and have since learned..." No excuse needs to be given, merely an acknowledgement that more time was needed.
There is also a two-phase team project, structured as a build-it/break-it. In the first phase, teams design and implement a system. In the second phase, students individually attack other teams' phase-one implementations, looking for vulnerabilities.
The build-it phase is scored in two parts:
The break-it phase is an evaluation of the build-it submission for some team the student was not a member of. It is assessed as a Challenge Problem. The targets for the break-it phase will be those build-it submissions made at the nominal deadline that reach a predetermined threshold on the basic functionality tests.
The project challenges are assessed on the same scale as the module challenges.
You may not use Generative AI, such as ChatGPT, to produce your code, and you may not upload the code we provide to any such system (this would be a copyright violation). If you are using code you find elsewhere, you must cite it in the comments.
The final exam is a set of four questions that you might be asked on a typical interview for a computer security-related position. Each of these is assessed as a separate Challenge Problem, using the same 4-point scale. Students who do not need the additional challenges to reach their final grade goal are not required to take the final exam.
Students will not be able to resubmit final exam questions. The final exam time is also the absolute deadline for any resubmissions of prior auto-graded work. Challenge Problem resubmissions must be made by the day before the final, though we ask that you complete all of your resubmissions well before this.
There is also a series of in-class exercises and homework mini-projects. These are for your benefit as a way to reinforce concepts from the lectures, and are likely (in some cases) to help with the projects.
This course will not be curved. Instead, the following serves as a contract that enables each student to determine what letter grade they hope to achieve, and what precisely is required to earn this grade.
Plusses and minuses are awarded for work that falls between the criteria for two grades, as illustrated by the following. A student is one objective away from an A. For example, they have only 16 challenge problems assessed at an M or better, but 10 of these are an E. That student will earn an A-.
Another student is more than one objective away from an A, but over halfway from the B criteria to the A criteria in all objectives. That is, at least 16 Challenge Problems at M or better, with at least 8 at E. That student will earn a B+.
You are expected to adhere to the University's academic integrity policy. All work that is not explicitly stated to be a team effort must be done by you alone. You have 24 hours after the deadline of any graded work to self-report lapses in academic integrity, which we can then hopefully resolve without a reference to the Office of Student Conduct.
Posting of any project/exercise implementation (even after the course is over) in a publicly available online location (e.g., GitHub or SourceHut) is prohibited under the Code of Academic Integrity (facilitation of academic dishonesty). Any student responsible for this will be reported to the Office of Student Conduct and risks the sanction of an "XF" in the course. You may post your code in a private repository on a public site such as GitHub or SourceHut to share with potential employers, as long as access is appropriately restricted.