• November 2: Note new office hours!
  • Reminder: Most announcements are on Piazza!
  • September 18: Webpage is up -- stay tuned! Make sure to subscribe to the Piazza page. That is where most action is going to take place. This page will just serve for very long-term official announcements.

General information

  • Total credits: 4
  • Topics: Applied cryptography; authentication and access control; buffer overflows; web security (injection and cross-site scripting attacks); network security; policies.
  • Prerequisites: The formal prerequisite is CS170 (if you did not take it, talk to me as soon as possible). Informally, we need some familiarity with programming languages and systems.


Instructor: Stefano Tessaro, tessaro(at)cs(dot)ucsb(dot)edu, Harold Frank Hall 1117

Teaching assistants

  • Kun Wan (kun(at)cs)
  • Ravi Kumar Suresh Babu (ravikumar(at)cs)

Weekly schedule

  • Class time and location
    TR 2:00pm-3:15pm (Phelps 3515)
  • Discussions
    Fri 9-9:50am (Girv 2129)
    Fri 10-10:50am (Girv 2123)
  • Office hours
    ST: Thu 3:30-5pm or by appointment (HFH 1117)
    TA Office Hours: Mon 3-5pm (TA Trailer 936)


No mandatory textbook. Some good options matching parts of this class will be communicated.


We are going to use Piazza for discussions about this class: (and enroll here!)


  • Homework: There will be 6 problem sets distributed over the quarter. Problem sets are posted online on Wednesday, by 11:59pm PST, and are due 10 days later on Friday, 5pm PST (use the homework box in the CS mail room for submission). Alternatively, you can submit homework in your Friday morning discussion session. You will be able to hand in solutions to programming tasks online (instructions will be on the assignment, as methods will vary). Homework will be graded, and you are required to hand in your own solution for each homework.
  • Midterm: There will be one midterm during class on Tuesday, October 25 (Details will be announced in Piazza.)
  • Final: Details to be announced.
  • Final grade: The final grade will be distributed as follows: Homework (40%), midterm (20%), final (40%).
  • Academic Honesty: The following applies to every course you attend at UC Santa Barbara (from UCSB Campus Regulations, Chapter VII: "Student Conduct and Discipline"):

    It is expected that students attending the University of California understand and subscribe to the ideal of academic integrity, and are willing to bear individual responsibility for their work. Any work (written or otherwise) submitted to fulfill an academic requirement must represent a student’s original work. Any act of academic dishonesty, such as cheating or plagiarism, will subject a person to University disciplinary action. Using or attempting to use materials, information, study aids, or commercial “research” services not authorized by the instructor of the course constitutes cheating. Representing the words, ideas, or concepts of another person without appropriate attribution is plagiarism. Whenever another person’s written work is utilized, whether it be a single phrase or longer, quotation marks must be used and sources cited. Paraphrasing another’s work, i.e., borrowing the ideas or concepts and putting them into one’s “own” words, must also be acknowledged. Although a person’s state of mind and intention will be considered in determining the University response to an act of academic dishonesty, this in no way lessens the responsibility of the student.

    Specifically for the current CS177 course this means that
    • You are not allowed to copy or transcribe answers to homework assignments from others or other sources.
    • Although you are allowed to discuss homework assignments with others, you should write down your answers independently. You should always be able to argue and explain your answers when asked for clarifications.
    • During the Midterm and Final Examination no electronics are allowed; additional notes are only allowed to the extent described prior to the test.
    • If you are unable to hand in the homework on time, report this to the lecturer (ST) as soon as possible, but always before the deadline. No matter the reason, you will always be asked to present documentation.
    • When in doubt, ask.
    Students violating the rules of Academic Honesty will receive an "F" for the course and will be reported to the Dean of Students Office.
  • You have all agreed to UCSB's computer use policy. Please review it carefully at

Schedule and Homework

The following is a tentative schedule, and is intended to give a rough idea about what I hope to cover in the class and in which order. There will be (slight) changes depending on the pace of the class, and more information will appear on the schedule.

Week 0
  2016-09-22: Welcome to CS177
    • Introduction: What is computer security?
    • Basic security terminology: Goals, Threats, Vulnerabilities
    • Ethical aspects
    • Organizational details

Week 1
  2016-09-27: Cryptography I
    • Symmetric-key cryptography: Models and attack types, Kerckhoffs's principle
    • Block ciphers
    • AES and DES
  2016-09-29: Cryptography II
    • Modes of operation: CTR and CBC
    • Integrity
    • MACs
    • Authenticated encryption

Week 2
  2016-10-04: Cryptography III
    • Padding oracle attacks
    • Modular arithmetic
    • RSA Encryption Algorithm
  2016-10-06: Cryptography IV
    • Factoring Attacks
    • Digital signatures
    • Certificates and public-key infrastructures
    • TLS/SSL discussion
    Assignments: HW1 due

Week 3
  2016-10-11: Passwords and authentication
    • Crypto pitfalls: Random-number generation and side channels
    • Authentication and Passwords
    • Password hashing
  2016-10-13: Passwords and authentication (2)
    • More on password hashing (discussion of HW3)
    • Biometrics
    • Challenge-response
    • Multi-factor authentication
    • Password-based cryptography
    Assignments: HW2 due

Week 4
  2016-10-18: Basics of Access Control
    • Crypto wrap up
    • Access control matrices
    • Access control lists and capabilities
    • Access control in UNIX
  2016-10-20: Canceled
    Assignments: HW3 due

Week 5
  2016-10-25: MIDTERM
  2016-10-27: Buffer Overflows I
    • x86 architecture
    • Introduction to buffer overflows

Week 6
  2016-11-01: Buffer overflows II
    • Buffer overflows: Details
    • Injecting shellcode
    • Also: Heap overflows, integer overflows
    • Brief overview of defense mechanisms
  2016-11-03: Buffer Overflows III
    • Prevention methods for buffer overflows
    • W^X flags
    • Return-to-libc attacks
    • Address space layout randomization (ASLR)
    • Stack canaries
  Web Security I
    • Basics of HTTP

Week 7
  2016-11-08: Web Security II
    • Cookies
    • Session hijacking
    • PHP injection attacks
    • SQL injection attacks
    • Cross-site request forgeries (and countermeasures)
    • Cross-site scripting attacks
  2016-11-10: Malware
    • Computer viruses: Variants and examples
    • Trojans
    • Computer worms
    Assignments: HW4 due

Week 8
  2016-11-15: Network Security I
    • Review of IP, ICMP, TCP
    • Spoofing
    • Denial of service attacks
    • Predictable sequence numbers
  2016-11-17: Network Security II
    • DNS security / caching attacks
    • BGP security issues
    • Network intrusion and port scanning
    Assignments: HW5 due

Week 9
  2016-11-22: Special topic I -- Cryptocurrencies
  2016-11-24: Holiday -- Thanksgiving

Week 10
  2016-11-29: Special topic II -- Privacy
    • Surveillance techniques
    • Censorship
    • Data privacy
    Assignments: HW6 due
  2016-11-29: Wrapping Up
    • Class Evaluation
    • Grade statistics so far
    • Q & A


The following are some links relevant to this class: