CS 161 : Computer Security

Spring 2013

Instructor:

Vern Paxson (office hours Mon 1-2 in 737 Soda)

TAs:

Jethro Beekman (office hours Tu/Th 2-3 in 411 Soda alcove)
Mobin Javed (office hours Wed 10-12 in in 611 Soda alcove)
Antonio Lupher (office hours Tu 1-2 in 651 Soda alcove, Th 1-2 in 411 Soda alcove)
Paul Pearce (office hours Tu/Th 5:15-6:15 in 751 Soda alcove)
Matthias Vallentin (office hours Mon 2-4 in 611 Soda alcove)

Lectures:

  TuTh, 3:30-5PM, F295 Haas School of Business

Sections:

  1.   Wed     9:00-10:00    285 Cory (Jethro)
  2.   Wed   10:00-11:00    B56 Hildebrand (Paul)
  3.   Wed   11:00-12:00    385 LeConte (Paul)
  4.   Wed       1:00-2:00    3 Evans (Mobin)
  5.   Wed       2:00-3:00    71 Evans (Mobin)
  6.   Wed       2:00-3:00    3105 Etcheverry (Matthias)
  7.   Wed       3:00-4:00    87 Evans (Matthias)
  8.   Wed       4:00-5:00    71 Evans (Jethro)
  9.   Wed       5:00-6:00    2 Evans (Antonio)

Addresses:

Web page: http://www-inst.eecs.berkeley.edu/~cs161/
Announcements, questions: the class Piazza site, which you sign up for here.
Feel free to email any question/comment you want to make privately to the instructor at vern@eecs.berkeley.edu.

Lectures:

The lecture schedule is subject to change and will be revised as the course progresses.

Data Topic Readings Slides
Tue 1/22 Introduction Anderson Chapter 1 Slides
Thu 1/24 Overflows, Injection, and Memory Safety Notes.
G&T Section 3.4-3.4.3, pp. 149-156; Section 3.4.5 p. 162
Smashing The Stack For Fun And Profit, by Aleph One
Slides
Illustrations of memory safety with: normal execution, crashing, diverting control flow, and injecting code.
Tue 1/29 Software Security: Defenses Notes on Reasoning About Code and Secure Software Development.
G&T Section 3.4.3, pp. 157-158;
Section 9.4-9.5, pp. 464-474
Slides
Thu 1/31 Software Security: Principles Notes on Principles for Building Secure Systems and Design Patterns for Building Secure Systems.
G&T Section 1.1.4, 3.4.6, (pp. 15-18, 163-165)
Slides
Tue 2/5 Background on Networking Networking terminology quick-reference.
G&T Section 5.1-5.1.2, 5.3-5.3.1, 5.4-5.4.2, 6.1-6.1.2, 7.1-7.1.1
(pp. 222-226, 236-240, 246-250, 270-277, 328-333)
Slides
Thu 2/7 Network Attacks G&T Section 5.1.3, 5.3.3-5.3.4, 5.4.4
(pp. 227-228, 242-245, 246-250, 253-255)
Slides
Tue 2/12 Network Attacks, con't G&T Section 6.1.3 (pp. 278-284)
Reliable DNS Forgery in 2008: Kaminsky's Discovery, An Illustrated Guide to the Kaminsky DNS Vulnerability
Slides
Thu 2/14 Network Control: Firewalls Notes on Firewalls.
G&T Section 6.2, 6.3 intro, 6.3.3 (pp. 287-291, 292, 297-298)
Slides
Tue 2/19 Firewalls, con't /
Denial-of-Service
G&T Section 5-5.4 (pp. 256-261) Slides
Thu 2/21 Denial of Service, con't /
Web Security
G&T Section 7.1.1, 7.1.3-7.1.4, 7.3.1-7.3.2, 7.3.4, 7.3.6 (pp. 328-333, 339-346, 368-371, 378, 380-381);
Web Security: Are You Part Of The Problem?
Slides
Tue 2/26 Web Security, con't G&T Section 7.2.1, 7.2.6-7.2.8, 7.3.3 (pp. 347-348, 357-367, 372-377);
SQL Injection Attacks by Example,
Secure Session Management With Cookies for Web Applications
Slides (as presented in lecture)
Thu 2/28 Web Security, con't G&T Section 7.2.3-7.2.4 (pp. 351-355);
XSS (Cross Site Scripting) Prevention Cheat Sheet

Summaries of Web Attacks.

Squigler software.

Bro script for tracking Web interactions via network monitoring. Download Bro and execute using
"bro -i lo0 -C hdr-dump.bro"
Slides
Tue 3/5 Impersonation G&T pp. 278-279; Section 7.2.2-7.2.3 (pp. 349-351); A Chapter 2 Slides
Thu 3/7 Midterm Exam
Tue 3/12 Symmetric Key Cryptography Notes.
G&T Section 8.1-8.1.3, 8.1.7 (pp. 388-391, 393-394, 402-405)
Slides
Thu 3/14 Encrypting/Decrypting, con't Notes.
G&T Section 1.3-1.3.1, 1.3.3 (pp. 25-30, 32-35), Section 8.2, 8.5.2 (pp. 406-416, 431-438)
Slides
Tue 3/19 Integrity and Authentication Notes.
G&T Section 1.3.2, 1.3.4 (p. 31, pp. 35-37),
Section 8.3-8.4 (pp. 417-424)
Diagram of AES-EMAC (updated 3/21 for clarity)
Thu 3/21 Key Management Notes.
G&T 1.3.5 (pp. 37-38)
A few slides
Tue 3/26 SPRING BREAK
Thu 3/28 SPRING BREAK
Tue 4/2 Securing Internet Communication: TLS G&T Section 1.1.1 (pp. 3-8), 7.1.2 (pp. 334-338) Slides (updated/fixed)
Thu 4/4 Securing Internet Communication:
TLS & DNSSEC
G&T Section 4.4 (pp. 202-207);
Section 6.1.4 (pp. 285-286)
Slides
Tue 4/9 Detecting Attackers G&T Section 6.4 (pp. 299-312);
A Chapter 21.4.3/21.4.4
Slides (updated to reflect as presented in lecture)
Thu 4/11 Detecting Attackers, con't Slides
Tue 4/16 Malware G&T Section 4.2, 4.5 (pp. 181-187, pp. 208-214);
A Chapter 21.3
Slides
Thu 4/18 Malware, con't G&T Section 4.3 (pp. 188-201) Slides
Tue 4/23 Internet Freedom
Guest lecture by
Paul Pearce
A Sections 7.5.4, 21.4.2, 23.4,
24.3 (intro through 24.3.5), 24.4
Slides
Thu 4/25 Information Leakage G&T p. 13; Section 2.4 (pp. 88-98);
A Chapter 17
Slides
Tue 4/30 Monetizing Attacks / The Underground Economy Slides as presented in lecture
Thu 5/2 Course Review Slides
Wed 5/8 Q/A with GSIs
10AM - 5PM
306 Soda
Fri 5/17 Final Exam
7PM - 10PM
Wheeler Auditorium

Homeworks:

Homeworks will be submitted either electronically or via hardcopy using the drop box labelled "CS 161" in 283 Soda, as stated in the assignment. Homework solutions must be legible; we may mark off for difficult-to-read solutions, or even refrain from grading them entirely. When submitting hardcopy, you must print your name, your class account name (e.g., cs161-xy), your TA's name, the discussion section time where you want to pick up the homework, and the homework number prominently on the first page. Staple all pages together. You risk receiving no credit for any homework lacking this information!
No late homeworks accepted.

Schedule for homeworks:


Discussion Sections

Handouts from discussion sections:

Projects

There will be 2 course projects. We will penalize late project submissions as follows: less than 24 hours late, you lose 10%; less than 48 hours late, you lose 20%; less than 72 hours late, you lose 40%; at or after 72 hours, late submissions no longer accepted. (There are no "slip days".)

Note that this late policy applies only to projects, not homeworks (which cannot be turned in late).

Schedule for projects:


Exams

There will be one midterm and one final exam.

The midterm will be given on Thursday March 7 during regular class hours, 3:30-5PM, in the regular lecture room.

  • Solutions for blue and gold versions of the midterm.
The final will be held Friday May 17, 7-10PM, in Wheeler Auditorium.

Grading

We will compute grades from a weighted average, as follows:

  • Homeworks: 20%
  • Projects: 30%
  • Midterm: 20%
  • Final exam: 30%

Course Policies

Contact information: If you have a question, the best way to contact us is via the class Piazza site. The staff (instructors and TAs) will check the site regularly, and if you use it, other students will be able to help you too. Please avoid posting answers to homework questions before the homework is due.

If your question is personal or not of interest to other students, send email to vern@eecs.berkeley.edu, or to one of the TAs if you prefer. If you wish to talk with one of us individually in person, you are welcome to come to our office hours. If the office hours are not convenient, you can make an appointment with any of us by email. Please reserve email for the questions you can't get answered in office hours, in discussion sections, or through the newsgroup.

Announcements: The instructors and TAs will periodically post announcements, clarifications, etc. to the Piazza site. Hence it is important that you check the it reguarly throughout the semester.

Prerequisites: The prerequisites for CS 161 are CS 61B, CS61C, and either CS70 or Math 55. We assume basic knowledge of both Java and C. You will need to have a basic familiarity using Unix systems.

Collaboration: Assignments will specify whether they must be done on your own or may be done in groups. Either way, you must write up your solutions entirely on your own. You must never read or copy the solutions of other students, and you must not share your own solutions with other students. You may use books or online resources to help solve homework problems, but you must always credit all such sources in your writeup and you must never copy material verbatim. Not only is this good scholarly conduct, it also protects you from accusations of theft of your colleagues' ideas. You must not receive specific help on homework assignments from students who have taken the course in previous years, and you must not review homework solutions from previous years.

We believe that most students can distinguish between helping other students understand course material and cheating. Explaining a subtle point from lecture or discussing course topics is an interaction that we encourage, but you should never read another student's homework solution or partial solution, nor have it in your possession, either electronically or on paper. You must never share your written solutions, or a partial solutions, with another student, even with the explicit understanding that it will not be copied -- not even with students in your homework group. You must write your homework solution strictly by yourself.

Warning: Your attention is drawn to the Department's Policy on Academic Dishonesty. In particular, you should be aware that copying or sharing solutions, in whole or in part, from other students in the class or any other source without acknowledgment constitutes cheating. Any student found to be cheating risks automatically failing the class and referral to the Office of Student Conduct.

Ethics: We will be discussing attacks in this class, some of them quite nasty. None of this is in any way an invitation to undertake these attacks in any fashion other than with informed consent of all involved and affected parties. The existence of a security hole is no excuse. These issues concern not only professional ethics, but also UCB policy and state and federal law. If there is any question in your mind about what conduct is allowable, contact the instructors first.

Computer accounts: We will use 'class' accounts this semester. You will need to obtain an account form with a username and password from your section TA. When you first log into your account, you will be prompted to enter information about yourself; that will register you with our grading software. If you want to check that you are registered correctly with our grading software, you can run check-register at any time.

Textbook: The class does not have a required textbook. That said, we particularly recommend Introduction to Computer Security by Goodrich & Tamassia. Another book optionally recommended as a partial resource is Security Engineering, 2nd ed. by Ross Anderson. The first edition of this book is also available online at Ross Anderson's web site.

Lecture notes: We will provide lecture notes and/or slides for many of the lectures. We do not advise viewing the availability of lecture notes or slides as a substitute for attending class, as our discussion in class may deviate from the written material. You are ultimately resposible for material as presented in lecture and section.

Discussion sections: Attendance at discussion sections is expected, and sections may cover important material not covered in lecture. Outside of your discussion section, you should feel free to attend any of the staff office hours (not just your section TA's office hours) and ask any of us for help.

Re-grading policies: Any requests for grade changes or re-grading must be made within one week of when the work was returned. To ask for a re-grade, staple to your work a cover page that specifies:

Give this to your TA. Without this page, your work will not be re-graded. Even if you ask for only one problem to be re-graded, your entire work may be re-graded, so your score could decrease, stay the same, or increase. We will not accept verbal re-grade requests or re-grade requests without a cover sheet stapled on. Don't expect us to re-grade your homework on the spot: we normally take the time to read your appeal at some point after it is submitted.

Bear in mind that a primary aim in grading is consistency, so that all students are treated the same. For this reason, we are unlikely to adjust the score of individual students on an issue of partial credit if the score allocated is consistent with the grading policy we adopted for that problem.

More on homeworks: If a problem can be interpreted in more than one way, clearly state the assumptions under which you solve the problem. In writing up your homework you are allowed to consult any book, paper, or published material, except solutions from previous classes or elsewhere, as stated under the Collaboration section. If you consult external sources, you must cite your source(s). We will make model solutions available after the due date, and will return graded problem sets in a later discussion section.

Late homework policy: We will give no credit for homework turned in after the deadline. Please don't ask for extensions. We don't mean to be harsh, but we prefer to make model solutions available shortly after the due date, which makes it impossible to accept late homeworks.

Don't be afraid to ask for help! Are you struggling? We'd much rather you approached us for help than gradually fall behind over the semester until things become untenable. Sometimes this happens when students fear a possibly unpleasant conversation with a professor if they admit to not understanding something. We would much rather resolve/remedy your misunderstanding early than have it expand into further problems later. Even if you are convinced that you are the only person in the class that doesn't understand the material, and think it must be entirely your fault for falling behind, please overcome this concern and ask for help as soon as you need it-- helping you learn the material is in fact what we're paid to do, after all!

Advice: The following tips are offered based on our experience with CS 161:

1. Don't wait until the last minute to start projects! The projects can be time-consuming. Pace yourself. Students who procrastinate generally suffer.

2. Make use of office hours! The instructors and TAs hold office hours expressly to help you. It is often surprising how many students do not take advantage of this service. You are free to attend as many office hours as you wish. You are not constrained just to use the office hours of your section TA. You will likely get more out of an office hour visit if you have spent some time in advance thinking about the questions you have, and formulating them precisely. (In fact, this process can often lead you to a solution yourself!)

3. Participate actively in discussion sections! Discussion sections are not auxiliary lectures. They are an opportunity for interactive learning. The success of a discussion section depends largely on the willingness of students to participate actively in it. As with office hours, the better prepared you are for the discussion, the more you are likely to get out of it.