CS 161: Computer Security

Spring 2010

Instructors:
  Vern Paxson (737 Soda)
  David Wagner (733 Soda)

TAs:
  John Bethencourt
  Erika Chin
  Matt Finifter
  Cynthia Sturton
  Joel Weinberger

Lectures:
  MWF, 5:00-6:00pm, 100 Lewis

Sections:
  101. Tu 10:00-11:00, 155 Barrows (Weinberger)
  102. Tu 11:00-12:00, 4 Evans (Chin)
  103. Tu 2:00-3:00, 75 Evans (Bethencourt)
  104. Tu 3:00-4:00, 6 Evans (Finifter)
  105. Tu 4:00-5:00, 105 Latimer (Sturton)
  106. Tu 5:00-6:00, 4 Evans (Sturton)
  107. Tu 10:00-11:00, 3105 Etcheverry (Finifter)
  108. Tu 2:00-3:00, 70 Evans (Weinberger)

Office hours:
  Bethencourt: Friday 4-5 in 751 Soda
  Chin: Friday 1-2 in 611 Soda
  Finifter: Monday 10-12 in 611 Soda
  Paxson: Monday 1:30-2:30 in 737 Soda (by appointment the week of May 3-7)
  Sturton: Thursday 3-5 in 611 Soda
  Wagner: Wednesday 2-3 in 733 Soda
  Weinberger: Monday 1-3 in 751 Soda

Addresses:
  Web page: http://www-inst.eecs.berkeley.edu/~cs161/
  Announcements, questions: ucb.class.cs161 (see below)
  Email: cs161@inst.eecs (see below)


Lectures

The lecture schedule is subject to change and will be revised as the course progresses.

Topic Readings Slides
Wed 1/20 Introduction P&P Section 1, [Optional: A Chapter 1] Slides
Fri 1/22 Buffer Overflows / Memory Safety Notes. P&P Section 3.0, 3.1, 3.2 Slides
Mon 1/25 Defending Against Memory Safety Vulnerabilities Notes Slides (corrected)
Wed 1/27 Principles of Secure Software Notes. P&P Section 3.5 Slides
Fri 1/29 Securing Software, con't Notes Slides
Mon 2/1 Web Security P&P pp. 424-427.
[Optional: Web Security: Are You Part Of The Problem?]
[Optional: SQL Injection Attacks by Example]
Slides
Wed 2/3 Web Security, con't P&P pp. 433-437.
[Optional: Web Security: Are You Part Of The Problem?]
[Optional: XSS (Cross Site Scripting) Prevention Cheat Sheet]
Slides
Fri 2/5 Web Authentication P&P Section 4.5.
[Optional: Secure Session Management With Cookies for Web Applications]
Mon 2/8 Background on Networking P&P Section 7.0, 7.1 (pp. 376-396). Slides
(Supplementary slides)
Wed 2/10 Network Attacks P&P pp. 396-424. Slides
Fri 2/12 Network Attacks, con't (no additional readings)
[Optional: Reliable DNS Forgery in 2008: Kaminsky's Discovery, An Illustrated Guide to the Kaminsky DNS Vulnerability]
Slides
Mon 2/15 HOLIDAY
Wed 2/17 Network Control P&P Section 7.4 Slides
Fri 2/19 Network Control, con't Notes. P&P pp. 449-450 (Virtual Private Networks) Slides
Mon 2/22 Denial-of-Service P&P pp. 427-432 Slides
Netalyzr slides
Wed 2/24 Confused deputy, malware
Fri 2/26 Midterm 1
Mon 3/1 Communication Security, Symmetric Key Cryptography Notes. P&P Chapters 2.1, 2.4.
Wed 3/3 Public Key Cryptography Notes. P&P Chapter 2.7.
Fri 3/5 Message Authentication Codes, Digital Signatures Notes.
Mon 3/8 Key Exchange, Key Management Notes.
Wed 3/10 PKI, Attacks on Cryptography Notes. Also see the slides. Slides
Fri 3/12 Attacks on Cryptography Slides
Mon 3/15 Securing Internet Communication [Optional: P&P Chapter 7.3] Slides
Wed 3/17 Applications of Cryptography Slides
Fri 3/19 OS Security P&P Chapter 4.0-4.4 (pp. 188-219)
[Optional: A Chapter 4]
Mon 3/22 SPRING BREAK
Wed 3/24 SPRING BREAK
Fri 3/26 SPRING BREAK
Mon 3/29 Usability, Human Factors [Optional: A Chapter 2] Slides
Wed 3/31 Privacy P&P Chapter 10.0-10.6 (pp. 603-638) Slides (corrected)
Fri 4/2 Midterm 2
Mon 4/5 Remanence Slides
Wed 4/7 Detecting Attackers P&P Chapter 7.5 (pp. 484-490)
[Optional: A Chapter 21.4.3/21.4.4]
Slides
Fri 4/9 Detecting Attackers, con't Slides
Mon 4/12 Viruses P&P Chapter 3.3 (pp. 111-141)
[Optional: A Chapter 21.3]
Slides
Wed 4/14 Worms Slides
Fri 4/16 Worms, Botnets & the Underground Economy Slides
Mon 4/19 E-Voting [Optional: A pp.759-763] Slides
Wed 4/21 Spam and Spammer Profits Slides
Fri 4/23 Copy protection Notes (incomplete).
P&P Chapter 11.1 (pp. 649-662)
[Optional: A Chapter 22]
Mon 4/26 Surreptitious Communication P&P pp. 150-160
[Optional: A Chapter 17]
Slides
Additional slides
Wed 4/28 Tamper Resistance [Optional: A Chapter 16]
Fri 4/30 Course Summary / Final Review
Fri 5/14 Final Exam, 11:30AM - 2:30PM





Homeworks

Homeworks are due on Thursday at 11:59pm in the drop box labelled "CS 161" in 283 Soda, unless otherwise stated. Homework solutions must be legible; we do not attempt to grade messy and unreadable solutions. You must print your name, your class account name (e.g., cs161-xy), your TA's name, the discussion section time where you want to pick up the homework, and the homework number prominently on the first page and staple all pages together. You risk receiving no credit for any homework lacking this information. No late homeworks will be accepted.

Discussion Sections

Handouts from discussion sections will be posted here.

Projects

There will be approximately 3 course projects. If your project submission is late, we will penalize your grade as follows: less than 24 hours late, you lose 10%; less than 48 hours late, you lose 20%; less than 72 hours late, you lose 40%; at or after 72 hours, late submissions are no longer accepted. (There are no slip days.) Note that this late policy applies only to projects, not homeworks.



Exams

There will be two midterms and one final exam.

All exams are mandatory. If you are taking CS160, CS164, or another course whose final exam conflicts with that of CS161, see below.

There will be a final exam review on Wednesday, 5/12/10, 3:30-5:30 PM in 155 Dwinelle.

Grading

Grades will be computed from a weighted average, as follows:


COURSE POLICIES

Contact information: If you have a question, the best way to contact us is via the class newsgroup, ucb.class.cs161. The staff (instructors and TAs) will check the newsgroup regularly, and if you use the newsgroup, other students will be able to help you too. Please avoid posting answers to homework questions before the homework is due. See our instructions on how to access the course newsgroup.

If your question is personal or not of interest to other students, send email to cs161@inst.eecs. Email to this address is forwarded to the instructors and all TAs. If you wish to talk with one of us individually, you are welcome to come to our office hours. If the office hours are not convenient, you may make an appointment with any of us by email. Please reserve email for the questions you can't get answered in office hours, in discussion sections, or through the newsgroup.

Announcements: The instructors and TAs will periodically post announcements, clarifications, etc. to the newsgroup. Hence it is important that you check the newsgroup frequently throughout the semester.

Prerequisites: The prerequisites for CS 161 are CS 61B, CS61C, and either CS70 or Math 55. We will assume basic knowledge of both Java and C. You will need to have a basic familiarity using Unix systems. If you need help, the CSUA runs help sessions.

Collaboration: Homework assignments will specify whether they must be done on your own or whether they may be done in groups. Either way, you must write up your solutions entirely on your own. You must never read or copy the solutions of other students, and you must not share your own solutions with other students. You may use books or online resources to help solve homework problems, but you must always credit all such sources in your writeup and you must never copy material verbatim. Not only is this good scholarly conduct, it also protects you from accusations of theft of your colleagues' ideas. You must not receive help on homework assignments from students who have taken the course in previous years, and you must not review homework solutions from previous years.

We believe that most students can distinguish between helping other students understand course material and cheating. Explaining a subtle point from lecture or discussing course topics is an interaction that we encourage, but you should never read another student's homework solution or partial solution, nor have it in your possession, either electronically or on paper. You must never share your written solutions, or a partial solutions, with another student, even with the explicit understanding that it will not be copied -- not even with students in your homework group. You must write your homework solution strictly by yourself.

Warning: Your attention is drawn to the Department's Policy on Academic Dishonesty. In particular, you should be aware that copying or sharing solutions, in whole or in part, from other students in the class or any other source without acknowledgment constitutes cheating. Any student found to be cheating risks automatically failing the class and being referred to the Office of Student Conduct.

Ethics: We will be discussing attacks in this class, some of them quite nasty. None of this is in any way an invitation to undertake these attacks in any fashion other than with informed consent of all involved and affected parties. The existence of a security hole is no excuse. These issues implicate not only professional ethics, but also UCB policy and state and federal law. If there is any question in your mind about what conduct is allowable, please contact the instructors first.

Computer accounts: We will use 'class' accounts this semester. You will need to obtain an account form with a username and password from us. When you first log into your account, you will be prompted to enter information about yourself; that will register you with our grading software. If you want to check that you are registered correctly with our grading software, you can run check-register at any time.

Textbook: The required textbook is Security in Computing, 4th ed. (Charles P. Pfleeger, Shari Lawrence Pfleeger; Prentice Hall, 2007). There is also an optional supplemental text: Security Engineering, 2nd ed. (Ross Anderson; Wiley, 2008). The first edition of the supplemental text is also available online at Ross Anderson's web site; but I recommend buying the second edition, if you can afford it, as it has plenty of wonderful content.

Lecture notes: We will provide lecture notes or slides for many of the lectures. You should not view the availability of lecture notes or slides as a substitute for attending class, as our discussion in class may deviate from the written material.

Discussion sections: Attendance at discussion sections is expected, and sections may cover important material not covered in lecture. Please enroll in a discussion section via Telebears, if you have not already. You may only enroll in a discussion section that has space available; see the online schedule. You may switch discussion sections only with the approval of the TA of the section you want to switch to, and only if that section is not full. Outside of your discussion section, you should feel free to attend any of the staff office hours (not just your section TA's office hours) and ask any of us for help.

Re-grading policies: Any requests for grade changes or re-grading must be made within one week of when the work was returned. To ask for a re-grade, staple to your work a cover page that specifies:

Give this to your TA. Without this page, your work will not be re-graded. Even if you ask for only one problem to be re-graded, your entire work may be re-graded, so your score could decrease, stay the same, or increase. We will not accept verbal re-grade requests or re-grade requests without a cover sheet stapled on. Don't expect us to re-grade your homework on the spot: we normally take the time to read your appeal at some point after it is submitted.

Bear in mind that our primary aim in grading is consistency, so that all students are treated the same; for this reason, we are unlikely to adjust the score of one student on an issue of partial credit if the score allocated is consistent with the grading policy we adopted for that problem.

More on homeworks: If a problem can be interpreted in more than one way, clearly state the assumptions under which you solve the problem. In writing up your homework you are allowed to consult any book, paper, or published material, except homework solutions from prior years, as stated under the Collaboration section. If you consult external sources, you are required to cite your source(s). Model solutions will be made available after the due date. Graded problem sets will be returned in discussion section.

Late homework policy: We will give no credit for homework turned in after the deadline. Please don't ask for extensions. We don't mean to be harsh, but we prefer to make model solutions available shortly after the due date, which makes it impossible to accept late homeworks.

Exams: The midterms and final exam are mandatory. If you are unable to attend any midterm, contact the instructors without delay. Note that CS160 and CS164 have their final exams scheduled at the same time as CS161's final exam, even though their lectures are at a different time. As a special accomodation for students who would like to take CS160 or CS164 in addition to CS161, we will offer the CS161 final exam at an alternate time on May 14th, 3-6pm, in 306 Soda. The alternate exam time is only available to students taking another course (e.g., CS160 or CS164) whose exam is scheduled at the same time as CS161's final exam.

If you wish to take the final exam at the alternate time, you must register in advance by filling out this survey by January 29th at the latest. If you cannot make the official CS161 final exam time for any reason other than conflict with another course, please contact the CS161 instructors without delay (by the end of the first week of classes); you may need to drop CS161. If you have a final exam conflict with another course and you cannot attend the alternate exam time, either, then you must drop CS161; we will not be offering any other alternate time slot, and the final exam is mandatory.

Don't be afraid to ask for help: Are you struggling? We'd rather you approached us for help, rather than falling behind gradually over the semester until things become untenable. Sometimes this happens when students are afraid of an unpleasant conversation with a professor if they admit to not understanding something. We would much rather deal with your misunderstanding early than deal with its consequences later. Even if you are convinced that you are the only person in the class that doesn't understand the material, and that it is entirely your fault for having fallen behind, please overcome your feeling of guilt and ask for help as soon as you need it. Remember that the other students in the class are working under similar constraints--they are taking multiple classes and are often holding down outside employment. Don't hesitate to ask us for help--helping you learn the material is what we're paid to do, after all!

Advice: The following tips are offered based on our experience with CS 161:

1. Don't wait until the last minute to start projects! The projects can be time-consuming. Pace yourself. Students who procrastinate generally suffer.

2. Make use of office hours! The instructors and TAs hold office hours expressly to help you. It is often surprising how many students do not take advantage of this service. You are free to attend as many office hours as you wish. You are not constrained just to use the office hours of your section TA. You will also likely get more out of an office hour if you have spent a little time in advance thinking about the questions you have, and formulating them precisely. (In fact, this process can often lead you to a solution yourself!)

3. Participate actively in discussion sections! Discussion sections are not auxiliary lectures. They are an opportunity for interactive learning. The success of a discussion section depends largely on the willingness of students to participate actively in it. As with office hours, the better prepared you are for the discussion, the more you are likely to get out of it.


Mail inquiries to cs161@inst.eecs.berkeley.edu.