Instructors:
Lectures:
Addresses:
Announcements, questions: the class Piazza site, which you sign up for here.
Feel free to mark your question as private if you don't want other students to see it.
Midterms: There will be two midterms in the evening.
- MT1: Tuesday, September 25th, 8-10pm, 145 Dwinelle, 10 Evans, Hearst Field Annex A1, Valley Life Sciences Building 2040, Valley Life Sciences Building 2060. Room allocation algorithm TBD
- MT2: Thursday, November 8th, 8-10pm, 155 Dwinelle, Genetics and Plant Biology 100, 2050 Valley Life Sciences Building
Lectures:
The lecture schedule is subject to change and will be revised as the course progresses.
| Date | Topic | Readings | Slides |
|---|---|---|---|
| Mon 8/20 | No class | ||
| Wed 8/22 | Introduction | [optional: G&T § 1.1, Craft § 1-1.1, 1.3] | Lecture Slides 1Webcast 1 |
| Mon 8/27 | Security Principles | Notes on Principles for Building Secure Systems. Notes on Design Patterns for Building Secure Systems. [G&T § 1.1.4, 3.4.6] | Lecture Slides 2 Webcast 2 |
| Wed 8/29 | Overflows, Injection, and Memory Safety | Notes on Memory Safety. [G&T § 3.4, Craft § 6.1-6.3] Smashing The Stack For Fun And Profit, by Aleph One | Slides 3 Webcast 3 Slides from Matthias Vallentin on a Normal x86 function call, a crash, a control-flow diversion, and Code Injection. |
| Mon 9/3 | Labor Day Holiday | ||
| Wed 9/5 | Software Security: Defenses | Notes on Reasoning About Code and Secure Software Development. [G&T § 9.4-9.5; Craft § 6.5-6.7] Eevee's guide for Testing for People Who Hate Testing | Lecture Slides 4 Webcast 4 |
| Mon 9/10 | Symmetric-Key Cryptography | Notes from Last Semester. [G&T § 8.1-8.1.3, 8.1.7; Craft § 7.1, 7.3.2, 7.3.3] | Lecture Slides 5 |
| Wed 9/12 | Integrity and Authentication | Signatures Notes. [G&T § 1.3.2, 1.3.4, 8.2.3, 8.3, 8.4.1, 8.4.3; Craft § 7.4.2] | Slides 6 |
| Mon 9/17 | Public Key | Asymmetric Cryptography Notes. [G&T § 1.3-1.3.1, 1.3.3, 8.2, 8.5.2] | Slides 7 |
| Wed 9/19 | Key Management | Key Management Notes. [G&T § 1.3.5] | Slides 8 |
| Mon 9/24 | Cryptocurrency and Blockchains: Burn It With Fire | The Risks of Cryptocurrencies | Slides 9 |
| Wed 9/26 | Code Injection | [G&T § 7.2.1, 7.2.6-7.2.8, 7.3.3; Craft § 12.1.4] SQL Injection Attacks by Example, Secure Session Management With Cookies for Web Applications Squigler software and demo logs | Slides 10 |
| Mon 10/1 | Web Security: Background, Same Origin Policy | [G&T § 7.1.1, 7.1.3-7.1.4, 7.3.1-7.3.2, 7.3.4, 7.3.6; Craft § 12.1.1, 12.1.2, 12.1.3] Web Security: Are You Part Of The Problem? | Slides 11 |
| Wed 10/3 | Web Security: Cross-Site Attacks | [G&T § 7.2.3-7.2.4] XSS (Cross Site Scripting) Prevention Cheat Sheet Cross Site Request Forgery: An introduction to a common web application weakness | Slides 12 |
| Mon 10/8 | Web Security: XSS, Misleading Users | [G&T pp. 278-279; § 7.2.2-7.2.3] Clickjacking Defense Cheat Sheet | Slides 13 |
| Wed 10/10 | Network Security: Background | Networking terminology quick-reference. [G&T § 5.1-5.1.2, 5.3-5.3.1, 5.4-5.4.2, 6.1-6.1.2, 7.1-7.1.1; Craft § 5.1, 5.4.1] | Slides 14 |
| Mon 10/15 | Network Attacks: Lower Layers | [G&T § 5.1.3, 5.2.3, 5.3.3-5.3.4, 5.4.4; Craft § 5.3.1] | Slides 15 |
| Wed 10/17 | Network Attacks: DNS & TCP | G&T § 6.1.3 (pp. 278-284) Reliable DNS Forgery in 2008: Kaminsky's Discovery An Illustrated Guide to the Kaminsky DNS Vulnerability | Slides 16 |
| Mon 10/22 | Network Attacks: TCP and TLS | G&T § 1.1.1, 7.1.2, 8.3 | Slides 17 |
| Wed 10/24 | Denial of Service | [G&T § 5-5.4] Mitigating Multiple DDoS Attack Vectors [G&T § 4.4, 6.1.4] The WoSign Saga | Slides 18 |
| Mon 10/29 | Firewalls, DNSSEC | Notes on Firewalls. [G&T § 6.2, 6.3 intro, 6.3.3; Craft § 5.3.2] | Slides 19; Lecture 10/29 Self-Check |
| Wed 10/31 | DNSSEC And Network Monitoring | [G&T § 6.4] | Slides 20; Lecture 10/31 Self-Check |
| Mon 11/5 | Abusing Network Monitoring | [G&T § 6.4] | Slides 21; Lecture 11/5 Self-Check |
| Wed 11/7 | Detecting Attackers | [G&T § 6.4] | Slides 22; Lecture 11/7 Self-Check |
| Mon 11/12 | No Class, Veteran's Day | ||
| Wed 11/14 | Tor and Malcode | Reflections on Trusting Trust | Slides 23 |
| Mon 11/21 | Malware response | [G&T § 4.2, 4.5], A Taxonomy of Computer Worms. Optional but cool: Outwitting the Witty Worm. | Slides 24 |
| Wed 11/23 | No Class, Thanksgiving | ||
| Mon 11/26 | Hardware Attacks | [G&T § 4.3] | |
| Wed 11/30 | Personal Security | Apple iOS Security Guide. | Slides 25 |
| Fri 12/14 | Final Exam 3-6pm RSF Fieldhouse. Yeup, in a gym... |
An overall Google Calendar for the class, including office hours, exams, etc (will be populated over the course of the class):
Staff
 |
||
| Nicholas Weaver |
 |
 |
 |
| Rafael Dutra | Mathew Cha | Arvind Iyengar |
 |
 |
 |
| Nikhil Athreya | Keyhan Vakil | Weikeng Chen |
 |
 |
 |
| Austin Murdock | Eric Contovasilis | Srinivasa Pranav |
 |
 |
 |
| Ruta Joshi | Ruta Jawale | Dorian Chan |
Office hours:
| Time | Room | TA |
|---|---|---|
| Mo 1:00 - 3:00 PM | Soda 329 | Nick Weaver |
| Mo 3:00 - 5:00 PM | Soda 283E | Mathew |
| Mo 5:00 - 6:00 PM | Soda 611 | Dorian |
| Tu 12:00 - 1:00 PM | Soda 283E | Austin |
| Tu 1:00 - 2:00 PM | Soda 611 | Eric |
| Tu 2:00 - 3:00 PM | Soda 651 | Ruta Jawale |
| Tu 4:00 - 6:00 PM | Soda 283H | Arvind Iyengar |
| We 12:00 - 2:00 PM | Soda 283E | Nikhil |
| We 2:00 - 4:00 PM | Soda 283E | Rafael |
| We 5:00 - 6:00 PM | Soda 341B | Pranav |
| Th 4:00 - 5:00 PM | Soda 651 | Ruta Joshi |
| Fr 2:00 - 3:00 PM | Soda 283H | Weikeng |
| Fr 4:00 - 6:00 PM | Soda 651 | Keyhan |
Discussion Section Handouts:
- x86, GDB and Security Principles: (worksheet 1) (solution 1)
- Software Security (worksheet 2) (solution 2)
- Cryptography I (worksheet 3) (solution 3)
- Cryptography II (worksheet 4) (solution 4)
- Cryptography III (worksheet 5) (solution 5)
- SOP, XSS, and SQLi (worksheet 6) (solution 6)
- CSRF and XSS (worksheet 7) (solution 7)
- Networking I (worksheet 8) (solution 8)
- Networking II (worksheet 9) (solution 9)
- Networking III (worksheet 10) (solution 10)
- Clickjacking and Intrusion Detection (worksheet 11) (solution 11)
- Dealer's Choice (worksheet 12) (solution 12)
Discussion Section Times:
102 | Th 11-12 | 3111 Etcheverry | Pranav
103 | Th 11-12 | 289 Cory | Austin
104 | Th 12-1 | 9 Evans | Eric
105 | Th 1-2 | 9 Evans | Keyhan
106 | Th 2-3 | 9 Evans | Ruta Jawale
107 | Th 3-4 | 3105 Etcheverry | Mathew
108 | Th 4-5 | 3105 Etcheverry | Mathew
109 | Th 5-6 | 120 Wheeler | Arvind
110 | Th 5-6 | 3113 Etcheverry | Weikeng
111 | Th 12-1 | 3111 Etcheverry | Ruta Joshi
112 | F 10-11 | 240 Mulford | Rafael
113 | F 11-12 | B51 Hildebrand | Dorian
114 | F 12-1 | 9 Evans | Nikhil
Homeworks:
No late homeworks accepted.
Schedule for homeworks:
- Homework 1: Due Wednesday, September 19th, 11:59PM
- Homework 2: Due Friday, September 28th, 11:59PM
- Homework 3: Due Friday, October 19th, 11:59PM
- Homework 4: Due Monday, November 12th, 11:59PM
- Homework 5: Due Monday, December 3rd, 11:59PM
Projects
WARNING: some projects are exceptions to previously discussed late policy. Please check below/look at Piazza for specific project information.
Note that this late policy applies only to projects, not homeworks (homeworks cannot be turned in late).
Schedule for projects:
- Project 1: Project 1 Instructions, VM Supplement and Image
- Project 2: Project 2 Instructions, Skeleton Code
- Project 3: Project 3 Instructions, Source Code
Exams
There will be two midterms and one final exam.
All exams are mandatory. If you will be unable to attend any of the
dates, you must contact the instructor during the first week
after the times are finalized.
- Midterm 1: Tuesday September 25th, 8-10pm
- Midterm 2: Thursday November 8th, 8-10pm
- Final: Friday December 14th, 3-6pm
Grading
We will compute grades from a weighted average, as follows:
| — | Homeworks: | 16% | (weighting TBA) | ||
| — | Projects: | 24% | (33.3% P1, | 33.3% P2, | 33.3% P3) |
| — | Midterms: | 30% | (50.0% MT1, | 50.0% MT2) | |
| — | Final exam: | 30% |
Course Policies
Contact InformationAnnouncements
Prerequisites
Collaboration
Ethics
Computer accounts
Textbook
Lecture notes
Discussion sections
Re-grading policies
Late homework policy
Advice
Contact information
If you have a question, the best way to contact us is via the class Piazza site. The staff (instructors and TAs) will check the site regularly, and if you use it, other students will be able to help you too. Please avoid posting answers or hints for either homeworks or projects before the assignment is due.
If your question is personal or not of interest to other students, we encourage you to mark the question as private on Piazza: select "Post to: Individual Student(s)/Instructor(s)" at the top and then type "Instructors" in the field underneath it. If you wish to talk with one of us individually in person, you are welcome to come to any of our office hours. We prefer using these methods instead of sending email; regrettably, email does not scale well to a class of this size.
Announcements
The instructors and TAs will periodically post announcements, clarifications, etc. to the Piazza site. Hence it is important that you check it regularly throughout the semester.
Prerequisites
The prerequisites for CS 161 are CS 61B, CS61C, and CS70. We assume basic knowledge of Java, C, and Python. You will need to have a basic familiarity using Unix systems.
Collaboration
Homeworks will specify whether they must be done on your own or may be done in groups. Either way, you must write up your solutions entirely on your own. For homeworks, you must never read, see, or copy the solutions of other students, and you must not allow other students to see your solutions. For projects, you must never read, see, or copy the code or solutions of other students (other than your project partner, for group projects), nor allow students other than your partner to see your solutions or code.
You may use books or online resources to help solve homework problems, but you must always credit all such sources in your writeup and you must never copy material verbatim. Not only is this good scholarly conduct, it also protects you from accusations of theft of your colleagues' ideas. You must not ask for homework/project solutions on Stack Overflow or other online sites; you may ask for help with conceptual questions, but you must credit your sources. You must not receive help on assignments from students who have taken the course in previous years, and you must not review homework or project solutions from previous years.
You must ensure that your solutions will not be visible to other students. If you use GitHub or another source control system to store your solutions electronically, you must ensure your account is configured so your solutions are not publicly visible. If you use GitHub, GitHub offers free student accounts that allow you to keep your solutions private; please use one.
We believe that most students can distinguish between helping other students understand course material and cheating. Explaining a subtle point from lecture or discussing course topics is an interaction that we encourage, but you should never read another student's assignment solution or partial solution, nor have it in your possession, either electronically or on paper (other than for project partners). You must never share your written solutions, or partial solutions, with another student, not even with the explicit understanding that it will not be copied. You must write your homework solution strictly by yourself.
Warning: Your attention is drawn to the Department's Policy on Academic Dishonesty. In particular, you should be aware that copying or sharing solutions, in whole or in part, from other students in the class or any other source without acknowledgment constitutes cheating. Any student found to be cheating will (1) be referred to the Office of Student Conduct, (2) receive negative points on the assignment (i.e., worse than not doing it at all), and, depending on severity, (3) fail the course. Nick in particular is noted for having a sense of vengeance.
Ethics
We will be discussing attacks in this class, some of them quite nasty. None of this is in any way an invitation to undertake these attacks in any fashion other than with informed consent of all involved and affected parties. The existence of a security hole is no excuse. These issues concern not only professional ethics, but also UCB policy and state and federal law. If there is any question in your mind about what conduct is allowable, contact the instructors first.
Computer accounts
We will use 'class' accounts this semester.
Get your account at
webacct.
When you first log in to your account, you will be prompted to
enter information about yourself; that will register you with our
grading software.
If you want to check that you are registered correctly with our
grading software, you can run check-register at any time.
Here is a list of available Instructional "login servers" that can be
sshed into can be found.
Textbook
The class does not have a required textbook. We have not found one that fully treats the material covered in the course, and we want to help you save money, so please don't feel obligated to buy a textbook. However, we know that some students appreciate additional reading to supplement lectures; for them, we recommend Introduction to Computer Security by Goodrich & Tamassia. We also recommend The Craft of System Security by Smith & Marchesini. We will list readings from these textbooks in the syllabus, but these are entirely optional.
Lecture notes
We will provide lecture notes and/or slides for many of the lectures. These materials are not a substitute for attending class, as our discussion in class may deviate from the written material. You are ultimately responsible for material as presented in both lecture and section.
We will be webcasting the class.
Discussion sections
Discussion sections will sometimes cover important material not presented in lecture, and we expect you will attend. Outside of your discussion section, you should feel free to attend any of the staff office hours (not just your section TA's office hours) and ask any of us for help. You can attend any discussion section you want, but if it is too crowded, try a different one: lets load balance by randomization.
Re-grading policies
Any requests for grade changes or re-grading must be made within one week of when the work was returned. To ask for a re-grade for material graded on GradeScope, submit a regrade request on GradeScope. We will provide procedures to request re-grades for other coursework when those are graded. We will not accept verbal re-grade requests. Note that a re-grade can result in a decreased score as well as an increased score, if upon revisiting we discover problems in your work that we previously overlooked.
Bear in mind that a primary aim in grading is consistency, so that all students are treated the same. For this reason, we are unlikely to adjust the score of individual students on an issue of partial credit if the score allocated is consistent with the grading policy we adopted for that problem.
More on homeworks:
If a problem can be interpreted in more than
one way, clearly state the assumptions under which you solve the
problem.
In writing up your homework you are allowed to consult any book,
paper, or published material, except solutions from previous
classes or elsewhere, as stated under the Collaboration section.
If you consult external sources, you must cite your source(s).
We will make
model solutions available after the due date, and feedback will be
available via glookup or GradeScope.
Late homework policy
We will give no credit for homework turned in after the deadline. Please don't ask for extensions. We don't mean to be harsh, but we prefer to make model solutions available shortly after the due date, which makes it impossible to accept late homeworks.
Don't be afraid to ask for help! Are you struggling? We'd much rather you approached us for help than gradually fall behind over the semester until things become untenable. Sometimes this happens when students fear a possibly unpleasant conversation with a professor if they admit to not understanding something. We would much rather resolve/remedy your misunderstanding early than have it expand into further problems later. Even if you are convinced that you are the only person in the class that doesn't understand the material, and think it must be entirely your fault for falling behind, please overcome this concern and ask for help as soon as you need it. Helping you learn the material is what we're here to do, after all!
Likewise, if you are a DSP student, please get your letters in now.
Advice
The following tips are offered based on our experience with CS 161:
1. Don't wait until the last minute to start projects! The projects can be time-consuming. Pace yourself. Students who procrastinate generally suffer.
2. Make use of office hours! The instructors and TAs hold office hours expressly to help you. It is often surprising how many students do not take advantage of this service. You are free to attend as many office hours as you wish. You are not constrained just to use the office hours of your section TA. You will likely get more out of an office hour visit if you have spent some time in advance thinking about the questions you have, and formulating them precisely. (In fact, this process can often lead you to a solution yourself!)
3. Participate actively in discussion sections! Discussion sections are not auxiliary lectures. They are an opportunity for interactive learning. The success of a discussion section depends largely on the willingness of students to participate actively in it. As with office hours, the better prepared you are for the discussion, the more you are likely to get out of it.