Instructor: Dr. Melissa Danforth
Office Hours: MWF 2:45-3:45pm and TuTh 12:00-1:00pm (link posted on Moodle)
Email: melissa@cs.csub.edu or mdanforth@csub.edu (CSUB.edu goes to my phone)
Moodle website: https://moodle3.cs.csub.edu/course/view.php?id=41
Course meets MW 4:00-5:15pm (lecture) and Tu 4:00-6:30pm (lab) on Zoom
(Zoom information will be posted on Moodle).
General Class Structure:
- First Monday (August 24th): Attendance is required for class overview.
- Other Mondays: Attendance is optional. Lecture will be on textbook
material. Some Mondays will not have a Zoom meeting due to a campus
meeting I have on Monday once or twice a month. Those days will be noted
on Moodle and a prerecorded lecture will be available.
- Tuesdays (lab days): Attendance is optional. Demos of the labs will be
given over Zoom and I will be available in Zoom / Discord to help with
labs, but you can also opt to do the labs on your own time and get help
via email or office hours.
- Wednesdays: Attendance is strongly encouraged. Discussion will be on case
studies and materials outside the textbook, including any timely security
compromises that happen during the term.
Contact me if you have any issues with attending sessions, such as Internet
issues, power outages, technical difficulties, work conflicts, or other
university excused absences. Please contact me as soon as possible after the
absence, and preferably before class if you know before class that you will
not be able to attend.
Webcams will not be required of students. I have configured Zoom to allow
phone call-ins and to mask phone numbers for those who have to call in to
attend.
Videos of the lectures and lab demos will be posted to Moodle after processing
and closed-captioning. Give at least a few days for that to occur (longer if
the automatic closed-captioning requires significant editing).
Working in teams or groups is optional in this course. If you do opt to form
a team for the project or work in groups on the group assignments, you must
complete that work virtually, with no face-to-face meetings. Use virtual
collaboration tools such as git, Slack, Discord, Zoom, MS Teams, etc. to
manage your group work and team work.
Identification and quantification of security weaknesses, primarily in source
code and executables. Topics include professional ethics, source code
auditing, common source code errors, the runtime stack and memory systems,
common attacks against executables, risk assessment, vulnerability
classification, static binary analysis, and mitigation techniques.
Catalog Prerequisites: CMPS 2240/224 and CMPS 3500/350.
Non-official alternative prereqs (with approved electronic Add Slip):
CMPS 2240/224 and either CMPS 3350/335 or 3500/350.
Knowledge of assembly language (preferably Intel x86 64-bit)
Knowledge of programming languages in C/C++ family
Understanding of computer language translation from source code to binary
Knowledge of the basic memory structure (runtime stack, heap, etc.)
4 semester units. 3 units lecture (150 minutes), 1 unit lab (150 minutes).
As a 4000-level elective course, students are expected to engage in independent
learning in this course through reading assignments, case studies, and a
project. Critical thinking, independent evaluation, and troubleshooting are
important traits for the cybersecurity profession.
Lectures after the third week will assume that you have completed the reading
assignments and will focus on exploring examples and scenarios, including more
modern examples and scenarios, related to the topics of the week. Case studies
will also analyze more modern examples of vulnerabilities and will be discussed
in lectures on Wednesdays.
Plan to spend an average of 8-12 hours outside of class each week on this
course. More time may be required in some weeks.
Selected elective for CS
The Art of Software Security Assessment: Identifying and Preventing Software
Vulnerabilities. Mark Dowd, John McDonald, Justin Schuh. Addison-Wesley, 2007,
ISBN-13: 978-0-321-44442-4.
Computer Security: Art and Science, 2nd edition. Matt Bishop. Addison-Wesley,
2019, ISBN-13: 978-0-321-71233-2.
http://nob.cs.ucdavis.edu/book/
(Note: There is an abridged version of the book available that is titled
"Introduction to Computer Security" by Matt Bishop)
Supporting articles and current events relating to the course will be posted
on the Moodle site.
Melissa Danforth
This course covers the following ACM/IEEE CS2013 (Computer Science)
Body of Knowledge student learning outcomes:
- CS-IAS/Foundational Concepts in Security
- CS-IAS/Principles of Secure Design
- CS-IAS/Defensive Programming
- CS-IAS/Threats and Attacks
- CS-PL/Static Analysis
- CS-SE/Software Construction
The course maps to the following student learning outcomes for Computer Science
(CAC/ABET):
- 1. An ability to analyze a complex computing problem and to apply principles
of computing and other relevant disciplines to identify solutions.
- 4. An ability to recognize professional responsibilities and make informed
judgements in computing practice based on legal and ethical principles.
Week | Chapter(s) | Topics |
1 | Chapter 1 | Professional ethics, Classic security goals (confidentiality, integrity, etc.), Threats and threat exposure, Vulnerability categories, Audit overview |
2 | Chapter 2 | Design reviews, Fundamental design flaws, Threat modeling |
3 | Chapter 3 | Operational review, Attack surfaces, Hardening |
4 and 5 | Chapter 4 | Review/Audit process, Audit strategies |
5 to 7 | Chapter 5 | Memory corruption: buffer overflows, heap overflows, global and static data, shellcode, protection mechanisms |
8 to 10 | Chapter 6 | C/C++ language issues, Expression evaluation, Type conversions, Common mistakes |
11 to 13 | Chapter 8 | String handling issues, String encodings, Metacharacter handling and injection issues, String functions, Hex encoding |
13 and 14 | Chapter 7 | Auditing techniques for source code and binary analysis |
15 | Not in book | Hardware vulnerabilities (Spectre, Meltdown, etc.) |
15 and 16 | n/a | Project presentations on last lab day |
Specific reading assignments for each week will be posted to the Moodle site.
Students are responsible for their own attendance. The topics covered
in lecture will be listed on Moodle along with my personal lecture notes
before class. Recordings of the classes will be posted to Moodle after
processing. Attendance on Wednesdays is strongly encouraged since it will
focus on discussions of materials beyond the textbook.
Over the course of the term, there will be classroom discussions on
contentious issues in cybersecurity, such as the various approaches
to disclosing vulnerabilities. Opinions will differ, sometimes drastically,
during these discussions, which is why they are matters of debate within the
cybersecurity field. Students are expected to be civil to, and respectful
of, one another during these discussions.
You may discuss the assignments with others in the class. A message board
is also available on Moodle for discussions.
If the assignment is a group assignment, the group can turn in one assignment
for the entire group. If the assignment is an individual assignment,
each student must turn in their own work in their own words; no direct
copying from any source is allowed.
Refer to the Academic Integrity policy in the campus catalog and class
schedule for more details. You can also refer to the Academic Integrity
policy at the Office of Student Rights and Responsibilities at
https://www.csub.edu/osrr/
To request academic accommodations, please contact the Office of Services
for Students with Disabilities (SSD) and email me an accommodations letter from
the SSD Office. Policies from the SSD Office relating to accommodations, such
as scheduling policies for using their testing center, must also be followed.
For more information about the services and policies of the SSD Office, contact
their staff by email and/or visit their website at
https://www.csub.edu/ssd/
If you are experiencing challenges related to basic needs, such as food
insecurity, housing insecurity, or other challenges, there are resources
available to you. The campus Food Pantry, located next to the Student
Union, is open with reduced hours during Fall 2020. The Food Pantry also
has information about services and monthly food distributions. Please visit the
Food Pantry website for hours and information. For housing concerns and other basic
needs, please contact the Campus Advocate at 654-6210 or Jason Watkins,
Assistant Director for Basic Needs, at 654-3360.
Quizzes | Ungraded. They let you spot-check your understanding of the textbook. |
Labs | 20% |
Homework / Case Studies | 20% |
Project and Project Milestones | 20% |
Midterm | 20% |
Final | 20% |
Grades are posted on Moodle. Note: Moodle does not penalize your grade for
any ungraded assignments, so it will show your "current" overall percentage
based on the classwork graded to date.
It is your responsibility to check Moodle for grades and any comments on
assignments. If you believe you submitted your assignment on time but the
comment field says "assignment not received", contact me.
Lab assignments will be posted on the course website. The labs are due
at 11:55pm on the following Monday. Partial credit will be given for
incomplete labs. Late labs will not be accepted.
You may work on labs in groups of up to 3 students. If you work in a group,
only one student needs to submit the assignment, but make sure to put
everyone's names on the assignment each week. Only the students whose names
are on the assignment will get credit for the lab. If you are in a group but
are not the one submitting the assignment to Moodle, you may put a comment
in Moodle's Note field indicating who did submit the assignment for your
group.
Submit your work to Moodle and I will grade it during my next grading session.
Do NOT email your submission as the campus spam system sometimes silently
blocks emails with attachments.
Homework assignments and due dates will be posted on the course website.
Partial credit will be given for incomplete homework submissions. Since
we will be discussing many of the homework assignments in class after the
due date, late homework submissions will not be accepted.
Assignments must be turned in via the Moodle website. Do NOT email your
submission as the campus spam system sometimes silently blocks emails with
attachments.
Homeworks may be discussed with others in the class, but every student must
turn in their own assignments in their own words. Copying from other students,
the Internet, previous solutions, the textbook, etc. are all considered
violations of the Academic Integrity Policy.
For the case study homework assignments in particular, I expect students to
express the concepts in their own words and perform their own analysis of
the provided articles. Case studies are a vital part of this course to
give more recent information about vulnerabilities and to grade your ability
to learn from, and analyze, technical articles. If you are having any
difficulty with the case studies, or if you would like to discuss the case
studies in more depth, please see me during office hours.
Quizzes are on the reading assignments from the textbook. Quizzes will be
posted on Moodle and are primarily for you to spot-check your understanding
of the reading assignments. Moodle will automatically grade the quiz when it
is submitted, and you may attempt the quiz as many times as you want.
Submissions must be in LibreOffice/OpenOffice (ODT), Word (DOC or DOCX), PNG,
JPEG, GIF, or PDF format. TXT and RTF files have had issues being uploaded to
Moodle by students in the past, so I would recommend avoiding those formats.
You may also write your answers in the Moodle Notes section if you can
adequately answer them in Moodle's text box. Note that the Moodle text box
does not handle metacharacters like < or &. Rather than using those
characters, spell them out, e.g. "less-than", "lt", "and", etc. If you have
a large number of these characters, it is safer to upload a file rather than
use the Moodle text box.
Moodle records the last time you edit the Notes field or upload a file as
the submission time for the assignment. You do not need to hit the "Submit
for Grading" button for me to see your work.
If you have drawn something out by hand, take a picture or use a scanner and
upload the image to Moodle. Please keep the file sizes reasonable, but also
make sure the image is legible.
If you submit multiple files, please name them in a fashion that indicates
what they contain, e.g. hw1_q2_drawing.jpg, hw2_part1.pdf, hw2_part2.pdf,
and so on.
If you have any difficulties submitting to Moodle, contact me or Steve Garcia
for help. Emailed submissions are not guaranteed to be accepted since my
email volume is so high and the spam detection software can silently drop
emails.
All students will be required to complete a source code auditing project as
part of this course. Students may work individually or on teams of up to 4
students for the project. You are expected to choose a portion of an
open-source project to audit. The amount of code being reviewed will depend
on the number of people working on the project, e.g. an individual will be
expected to audit a much smaller amount of code than a team of 4.
I strongly suggest choosing an open-source project that is written in C or
C++, as that is the family of source code vulnerabilities which we will learn
about in this course. Choosing another programming language will mean having
to learn about its common coding problems and interpreter/compiler issues
on your own, which will make the project much harder.
Each project must have a proposal which lists the nature of the project (e.g.
the open-source project selected and which file(s) the team will be auditing),
the team members, any previous work any team member has done on the project,
and a brief list of tools that will be needed for the project. The proposal
will count for a portion of the Project grade.
There will also be project milestones throughout the term to see what sort of
progress has been made on the project. These milestones will be either a
written report or a Zoom check-in meeting scheduled outside of the normal
class meeting times.
At the end of the term, each team will be required to prepare a presentation
about their project. Project presentations will happen on the last lab day
(and last lecture day if needed). A Moodle poll will be set up for teams to
select a presentation time slot. The presentation will count for a portion of
the Project grade.
A project writeup will also be required at the end of the term. Requirements
for the writeup will be posted on Moodle and discussed in class. The writeup
will count for a portion of the Project grade.
The rubrics used to assess the end-of-term presentation and project writeup
will be posted on Moodle.
The midterm exam will be available on Moodle from 8:00am Tuesday October
13, 2020 to 11:55pm Wednesday October 14, 2020. When you begin the midterm
on Moodle, you will have a 2 hour and 30 minute countdown timer to complete
the exam.
If you have any connectivity, power, or technology issues (hopefully not
meatball sandwich issues) that cause you to lose connection to Moodle during
the attempt, email me ASAP so I can reset your attempt.
It is your responsibility to log in to Moodle and take the midterm during
this time frame. I do not give make-up midterm exams. If you miss the midterm
and you believe you have a valid university excused absence, contact me as
soon as possible and I will evaluate the situation. For students where I
approve the absence as an excused absence, the final exam will count for
both the midterm and final weight in the grade calculation. For students
without an approved excused absence, the midterm exam will be recorded as
a 0 in the grade calculation.
Wednesday December 16, 2020 from 5:00-7:30pm (NOTE: This is later than the
class normally meets on Wednesday, so plan accordingly)
If you cannot make the scheduled final time because it conflicts with another
final or you have more than two finals scheduled that day, arrange an
alternate time with me at least ONE WEEK in advance of the above date.
Melissa Danforth on 19 August 2020
Approved by CEE/CS Department in Spring 2014
Effective Fall 2016