CMPS 451 Vulnerability Analysis
Sections 1 and 2 - Spring 2015
Instructor and Contact Information
Instructor: Dr. Melissa Danforth
Office: Sci III 319, 654-3180
Office Hours: MTuW 2:00 - 3:00pm, F 2:00 - 4:00pm, and by appointment
Email: melissa@cs.csubak.edu

Course website: http://www.cs.csubak.edu/~mdanfor/ under Teaching menu
Moodle website: http://moodle.cs.csubak.edu/moodle/course/view.php?id=91

Course meets MW 3:15 - 4:55pm and Tu 3:15 - 5:45pm in Sci III 311

Catalog Description
Identification and quantification of security weaknesses in programs, systems and networks. Topics include professional ethics, static binary analysis, dynamic binary analysis, anti-analysis techniques, risk assessment, penetration testing, vulnerability classification and mitigation techniques. Prerequisite: CMPS 350
Prerequisites by Topic
Knowledge of programming languages
Basics of computer language translation
Units and Contact Time
5 quarter units. 4 units lecture (200 minutes), 1 unit lab (150 minutes).
Type
Selected elective for CS
Required Textbook
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Mark Dowd, John McDonald, Justin Schuh. Addison-Wesley, 2007, ISBN-13: 978-0-321-44442-4.
Recommended Textbook and Other Supplemental Materials
Computer Security: Art and Science. Matt Bishop. Addison-Wesley, 2002, ISBN-13: 978-0201440997. http://nob.cs.ucdavis.edu/book/
(Note: There is an abridged version of the book available that is titled "Introduction to Computer Security" by Matt Bishop)
Coordinator(s)
Melissa Danforth
Student Learning Outcomes
This course covers the following ACM/IEEE CS2013 (Computer Science) Body of Knowledge student learning outcomes:

CS-IAS/Foundational Concepts in Security
CS-IAS/Principles of Secure Design
CS-IAS/Defensive Programming
CS-IAS/Threats and Attacks
CS-PL/Static Analysis
CS-SE/Software Construction

ABET Outcome Coverage
The course maps to the following performance indicators for Computer Science (CAC/ABET):
3e. An understanding of professional, ethical, legal, security, and social issues and responsibilities.
3j. An ability to apply mathematical foundations, algorithmic principles, and computer science theory in the modeling and design of computer-based systems in a way that demonstrates comprehension of the tradeoffs involved in design choices.
Lecture Topics and Rough Schedule
WeekChapter(s)Topics
1 and 2Chapters 1, 2, and 3 Professional ethics, Classic security goals (confidentiality, integrity, etc.), Threats, Vulnerabilities, Audits, Threat exposure
2 and 3Chapter 5 Memory corruption: buffer overflows, heap overflows, global and static data, shellcode, protection mechanisms
4 and 5Chapters 6 and 8 C/C++ language issues; String and character handling issues
5 and 6Chapter 4 Auditing tools for source code and binary analysis
6 and 7Chapter 7 Auditing techniques for source code and binary analysis
8 and 9Chapters 9 and 10 Vulnerabilities and analysis for Unix/Linux systems
10n/a Project presentations and/or Interactive tutorials
Design Content Description
Not applicable to this course.
Attendance
Students are responsible for their own attendance. The topics covered in lecture will be listed on the course website. Lab attendance is not required but is strongly encouraged. If you attend lab and finish your lab work before leaving, you can get it "instantly" graded by coming up and showing me your work.
Academic Integrity Policy
You may discuss the assignments with others in the class. If the assignment is a group assignment, the group can turn in one assignment for the entire group. If the assignment is an individual assignment, each student must turn in their own work in their own words; no direct copying from any source is allowed. Refer to the Academic Integrity policy in the campus catalog and class schedule for more details.
Computer Labs Outside of Class
The CEE/CS Tutoring Center in Sci III 324 is available for use by students in this course outside of class time on a first come, first serve basis. Priority in the lab is given to students who are completing assignments for CEE/CS courses. See the schedule on the door for hours the lab will be open.

There are also computers available in the CEE/CS Major Study Lounge in Sci III 341 (formerly the CEE/CS Library). This room is only open when faculty members are on campus, e.g. approximately 8am to 5pm on weekdays. If the door is currently locked, see Steve, Erika, myself, or another faculty member to unlock it.

Grading
Labs/Homework/Quizzes 25%
Midterm 25%
Project 25%
Final 25%

Grades are posted on Moodle. Note: Moodle does not penalize your grade for any ungraded assignments, so it will show your "current" overall percentage based off the classwork graded to-date.

It is your responsibility to check Moodle for grades and any comments on assignments. If you believe you submitted your assignment on time but the comment field says "assignment not received", contact me.

Labs
Lab assignments will be posted on the course website. The labs are due at noon on the day after the lab (Wednesday). Partial credit will be given for incomplete labs. Late labs will not be accepted. The lowest lab grade will not be counted towards the overall lab grade.

You may work on labs in groups of up to 3 students. If you work in a group, make sure to put everyone's names on the assignment each week. Only the students whose names are on the assignment will get credit for the lab.

If you attend the lab session on Tuesday and finish the lab by the end of the session, come show your work to me to get "instantly" graded on Moodle. If you do not attend the lab, submit your work to Moodle. Emailed submission are not guaranteed to be accepted.

Homework
Homework assignments and due dates will be posted on the course website. Assignments must be turned in via the Moodle website. Emailed submissions are not guaranteed to be accepted.

Homeworks may be discussed with others in the class, but every student must turn in their own assignments in their own words. Copying from other students, the Internet, previous solutions, the textbook, etc. are all considered violations of the Academic Integrity Policy.

Quizzes
Quizzes will be posted on Moodle and must be completed by the date indicated. Moodle will automatically grade the quiz when it is submitted, although it will hide detailed information until after the quiz closes.
Moodle Submission Guidelines
Submissions must be in text (TXT), OpenOffice (ODT), DOC, PNG, JPEG, GIF, or PDF format. DOCX files will not be accepted since they do not display properly on Linux. You may also just write your answers in the Notes section if you can adequately answer them in text format. Moodle records the last time you edit the Notes field or upload a file as the submission time for the assignment.

If you have drawn something out by hand, take a picture or use a scanner. Moodle has a maximum file size of 2MB, so keep this in mind when creating your files. Split information over multiple files if needed.

If you submit multiple files, please name them in a fashion that indicates what they contain, e.g. hw1_q2_drawing.jpg, hw2_part1.pdf, hw2_part2.pdf, and so on.

If you have any difficulties submitting to Moodle, contact me or Steve Garcia for help. Emailed submissions are not guaranteed to be accepted since my email volume is so high and the spam detection software can silently drop emails.

Project
All students will be required to complete a project on the topic area. The project might involve survey of current research in the field. The project might also involve learning about a technique or methodology that we will not directly cover in the course. Students may work on teams of up to 4 students for the project.

Each project must have a proposal which lists the nature of the project (e.g. the topic researched), the team members, any previous work any team member has done on the project, and a brief list of tools that will be needed for the project. Project proposals are due by the end of the 3rd week of class and will count for a portion of the Project grade.

At the end of the quarter, each team will be required to prepare a presentation or interactive tutorial about their project. The last week of class, including the lab period on June 9th, will be used for these presentations/tutorials. This will count for a portion of the Project grade.

A project writeup will also be required. Requirements for the writeup will be posted on Moodle and discussed in class. The writeup will count for the remaining portion of the Project grade.

The presentation and project will be assessed with the standard department oral and written communication rubric. The rubric will be posted on Moodle.

Midterm
The midterm will be given on Monday May 4, 2015 during lecture time

A review session will be held on the previous Friday, May 1st, at 3:30pm in Sci III 311.

Final
Wednesday June 10, 2015 from 5:00 - 7:30pm in Sci III 311

If you cannot make the scheduled final time because it conflicts with another final or you have more than two finals scheduled that day, arrange an alternate time with me at least ONE WEEK in advance of the above date.

The final review session will be Friday June 5th at 3:30pm in Sci III 311 since the campus did not provide a reading/study day this quarter.

Prepared By
Melissa Danforth on 24 March 2015
Approval
Approved by CEE/CS Department on [date]
Effective Spring 2015