Announcements

  • Warning: CS170 has been canceled this Fall. You will not need to take the class any more to take this class - this is to allow students who were planning to take 170 and 177 concurrently to still attend 177.
  • September 26: Full webpage is live. Do subscribe to Piazza, as most announcements will go through that.
  • September 26: No sections this week.

General information

  • Total credits: 4
  • Topics: Applied cryptography; authentication and access control; buffer overflows; web security (injection and cross-site scripting attacks); network security; policies.
  • Prerequisites: No formal prerequisite -- CS170 (Operating Systems) was required, but due to a last-minute cancelation of the class we will be covering material without needing CS170 background. Informally, we need some familiarity with programming languages and systems.

Team

Instructor: Stefano Tessaro, tessaro(at)cs(dot)ucsb(dot)edu, Harold Frank Hall 1117

Teaching assistants

  • Kevin Burk (kburk@cs)
  • Christian Daley (christiandaley@ucsb.edu)

Weekly schedule

  • Class time and location
    TR 12:30pm-1:45pm (GIRV 2128)
  • Sections
    Fri 11-11:50am (Phelps 1440)
    Fri 12-12:50pm (Phelps 1448)
  • Office hours
    ST: Thu 4-5pm or by appointment (HFH 1117)
    TA Office Hours: Kevin: Tu 2-4pm (CSIL); Christian: We 12-2pm (CSIL)

Textbook

No mandatory textbook. Some good options matching parts of this class will be communicated.

Piazza

We are going to use Piazza for discussions about this class: http://piazza.com/ucsb/fall2018/cs177/home (and enroll here!)

Grading

  • Homework: There will be 6 problem sets distributed over the quarter. Problem sets are posted online on Wednesday, by 11:59pm PST, and are due 10 days later on Friday, 5pm PST. (There will be exceptions around Thanksgiving, to accommodate for holiday travel.) Alternatively, you can submit homework in your session on Friday morning. You will be able to hand in solutions to programming tasks online. (Instructions will be on the assignment, as methods will vary.) Homework will be graded and you are required to hand in your own solution for each homework.
  • Midterm: There will be one midterm during class on Tuesday, October 30. (Details will be announced on Piazza.)
  • Final: The final is expected to take place on Monday, December 10, 12-3pm.
  • Final grade: The final grade will be distributed as follows: Homework (30%), midterm (20%), final (50%).
  • Academic Honesty: The following applies to every course you attend at UC Santa Barbara (from UCSB Campus Regulations, Chapter VII: "Student Conduct and Discipline"):

    It is expected that students attending the University of California understand and subscribe to the ideal of academic integrity, and are willing to bear individual responsibility for their work. Any work (written or otherwise) submitted to fulfill an academic requirement must represent a student’s original work. Any act of academic dishonesty, such as cheating or plagiarism, will subject a person to University disciplinary action. Using or attempting to use materials, information, study aids, or commercial “research” services not authorized by the instructor of the course constitutes cheating. Representing the words, ideas, or concepts of another person without appropriate attribution is plagiarism. Whenever another person’s written work is utilized, whether it be a single phrase or longer, quotation marks must be used and sources cited. Paraphrasing another’s work, i.e., borrowing the ideas or concepts and putting them into one’s “own” words, must also be acknowledged. Although a person’s state of mind and intention will be considered in determining the University response to an act of academic dishonesty, this in no way lessens the responsibility of the student.

    Specifically for the current CS177 course this means that
    • You are not allowed to copy or transcribe answers to homework assignments from others or other sources.
    • Although you are allowed to discuss homework assignments with others, you should write down your answers independently. You should always be able to argue and explain your answers when asked for clarifications.
    • During the Midterm and Final Examination no electronics are allowed; additional notes are only allowed to the extent described prior to the test.
    • If you are unable to hand in the homework on time, you should report this to the lecturer (ST) as soon as possible, but always before the deadline. No matter the reason, you will always be asked to present documentation.
    • When in doubt, ask.
    Students violating the rules of Academic Honesty will receive an "F" for the course and will be reported to the Dean of Students Office.
  • You all have agreed to UCSB's computer use policy. Please review it carefully at
    http://www.engr.ucsb.edu/eci/about/computer-use-policy/.

Schedule and Homework

The following is a tentative schedule, and is intended to give a rough idea about what I hope to cover in the class and in which order. There will be (slight) changes depending on the pace of the class, and more information will appear on the schedule.

Week | Date | Lecture contents | Further Reading | Assignments
0 2018-09-27 Welcome to CS177
  • Introduction: What is computer security?
  • Basic security terminology: Goals, Threats, Vulnerabilities
  • Ethical aspects
  • Organizational details
1 2018-10-02 Cryptography I
  • Symmetric-key cryptography: Models and attack types, Kerckhoffs's Principle
  • Block ciphers
  • AES and DES
2018-10-04 Cryptography II
  • Modes of operation: CTR and CBC
  • Integrity
  • MACs
  • Authenticated encryption
2 2018-10-09 Cryptography III
  • Padding oracle attacks
  • Modular arithmetic
  • RSA Encryption Algorithm
2018-10-11 Cryptography IV
  • Factoring Attacks
  • Digital signatures
  • Certificates and public-key infrastructures
  • TLS/SSL discussion
  • HW1 due
3 2018-10-16 Passwords and authentication
  • Crypto pitfalls: Random-number generation and side channels
  • Authentication and Passwords
  • Password hashing
2018-10-18 Passwords and authentication (2)
  • More on password hashing (discussion of HW3)
  • Biometrics
  • Challenge-response
  • Multi-factor authentication
  • Password-based cryptography
  • HW2 due
4 2018-10-23 Basics of Access Control
  • Crypto wrap up
  • Access control matrices
  • Access control lists and capabilities
  • Access control in UNIX
2018-10-25 Spare / guest lecture
  • HW3 due
5 2018-10-30 MIDTERM
 
2018-11-01 Buffer Overflows I
  • x86 architecture
  • Introduction to buffer overflows
6 2018-11-06 Buffer overflows II
  • Buffer overflows: Details
  • Injecting shellcode
  • Also: Heap overflows, integer overflows
  • Brief overview of defense mechanisms
2018-11-08 Buffer Overflows III
  • Prevention methods for buffer overflows
  • W^X flags
  • Return-to-libc attacks
  • Address space layout randomization (ASLR)
  • Stack canaries
Web Security I
  • Basics of HTTP
7 2018-11-13 Web Security II
  • Cookies
  • Session hijacking
  • PHP injection attacks
  • SQL injection attacks
  • Cross-site request forgeries (and countermeasures)
  • Cross-site scripting attacks
2018-11-15 Malware
  • Computer viruses: Variants and examples
  • Trojans
  • Computer worms
  • HW4 due
8 2018-11-20 Malware Wrap up / Network Security I
  • Review of IP, ICMP, TCP
  • Spoofing
2018-11-22 Holiday -- Thanksgiving
9 2018-11-27 Network Security II
  • Denial of service attacks
  • Fragmentation attacks
  • TCP security
  • Predictable sequence numbers
  • HW5 due
2018-11-29 Network Security III
  • DNS security / caching attacks
  • BGP security issues
  • Network intrusion and port scanning
  • Idle scans
10 2018-12-04 Privacy
  • Surveillance techniques
  • Censorship
  • Data privacy
10 2018-12-06 Wrapping Up
  • Class Evaluation
  • Grade statistics so far
  • Q & A
  • HW6 due Friday