CS279 - Advanced Topics in Security

Security issues impact practical aspects of our lives. To address the ever-changing set of security issues that affect applications, operating systems, and network infrastructures, it is necessary to understand the details of both the vulnerabilities that make security compromises possible and the countermeasures that are required to detect and block the attacks that exploit these vulnerabilities.

This course focuses on how to analyze the security of a computer system. Therefore, this course will present concepts and approaches that allow one to design secure systems, evaluate their security posture, and detect/deflect attacks against them.

The course mixes a practical, hands-on approach with a discussion of the current research in the field. Participants will learn how vulnerabilities are found and how these vulnerabilities can be exploited to compromise the security of a system. This knowledge is a fundamental prerequisite for the correct design of protection systems. The course includes also live security exercises in a protected environment, where the knowledge about both attack and defense mechanisms is validated in the field.

Ethical issues will also be discussed.

Note: This class satisfies the requirements for both the "systems" and "applications" tracks of the CS curriculum.

Prerequisites

The course requires very good programming/development skills (C, C++, Unix, and a scripting language, such as Python or Perl), a basic background in operating systems, and some basic knowledge about networks.

Instructor

Giovanni Vigna

Engineering I, Room 2117

Phone: +1 (805) 893-7565

Class schedule

Tuesdays and Thursday, 1pm-3pm, in Phelps 1401.

Office hours

Tuesdays 3pm-4pm and by appointment.

Teaching Assistants

Nicholas Childers, voltaire@cs.ucsb.edu

Office hours: Thursdays 3pm-5pm, in CSIL.

Contacting the instructor/TA

The instructor and the TA can be contacted by sending an email to cs279@cs.ucsb.edu.

Every student must have a CS account and must subscribe to the cs279-users mailing list. The mailing list will be used to distribute last-minute information about the class.

Information about the mailing list is available at lists.cs.ucsb.edu.

Topics

• Introduction, History, Ethics
• A Crash Course On Cryptography
• Network Vulnerability Analysis
• Network Protection
• Application Vulnerability Analysis
• Web Application Vulnerability Analysis
• Protocol Vulnerability Analysis
• Vulnerability Analysis of E-Voting Systems
• Conclusions (including level 8 walkthrough)

Course material

The course does not have a mandatory textbook. However, these are suggested books that contain material presented in the class.

• "The Shellcoder's Handbook," by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, and Riley Hassell. John Wiley & Sons, 2004.
• "Exploiting Software: How to Break Code," by G. Hoglund and G. McGraw, Addison-Wesley, 2004.

Several of the topics covered during the course will be supported by material distributed by the instructor.

Course requirements

There will be homework assignments, a midterm, and a final. In addition, students will participate in one or more live security exercises.

The final grade will be determined according to the following weight:

• Homeworks: 60%
• Midterm (October 28, during class): 12.5%
• Final (December 4, during class): 12.5%
• Live Exercise (December 5, 8am-5pm in CSIL): 15%

Homework Assignments

• Homework 1
• Homework 2
• Homework 3
• Homework 4 (optional)

Food 4 Security Thoughts

• October 2, 2008
• October 7, 2008 (video)
• October 14, 2008
• October 16, 2008
• October 23, 2008
• October 30, 2008
• November 13, 2008
• November 18, 2008
• November 20, 2008
• November 25, 2008

---

Giovanni Vigna - http://www.cs.ucsb.edu/~vigna