Broad, active, hands-on and implementation-based approach to computer security. Fundamental cryptographic theory, advanced techniques and application. Complexity, cryptanalysis, and impact of technological change. Core security theory; confidentiality, integrity, availability. Security models. Risk assessment and decision-making. Issues for general-purpose, trusted and "cloud" operating system security including hardware requirements, authentication, access control, information flow and assurance. Program and network security fundamentals and best practices including coding principles, firewalls and network design. Exploits, defenses and remediation for multiple issues pertaining to software, hardware, databases and networks. Political, social and engineering issues relating to security and privacy.
This course addresses UMD's Graduate Program Goal Categories 1 (Knowledge and Scholarly Formation), 3 (Communication Skills), 4 (Leadership and Collaborative Skills) and 5 (Cultural Competence and Global Context Formation of the Field). In particular, it covers the following Student Learning Outcomes (SLO):
Peter A. H. Peterson
Email: pahp@d.umn.edu
Ph: 218.726.7988
Office: Heller Hall 329 or 334
Office Hours:
| | Day | Time | Location |
| Lecture | MWF | 1:00-1:50 | HH 306 |
| Lab* | M | 4:00-4:50 | MWAH 187 |
*Lab times will sometimes be used for specific class activities, but will often be used as a guaranteed-available meeting time for group projects / hackathons.
We will use Canvas for grading, submissions and other class-related activities.
This class is going to be a hands-on, dynamic exploration of advanced topics in Computer Security. My goal is that class time will be split between lecture, discussion and presentations on hands-on experimentation/research on open-ended topics performed by students. You will be expected to write regularly, and you will be graded (in part) on your writing. Ultimately, I hope that the class is interesting and useful for you, introduces you to new concepts, helps develop your technical chops, and gives you a gratifying open-ended research experience.
Graduate student or 4332 / 5332 and instructor consent.
Computer Security happens in the real world, using real systems, facing real adversaries. While theory and intellectual knowledge (i.e., "book larnin'") are essential, being able to use that knowledge effectively in the real world is just as (if not more) important.
As a result, this Computer Security class includes a significant amount of hands-on coding, debugging, experimentation, etc., in live and realistic environments. Required projects will involve programming and debugging in C, Perl, PHP, Bash, MySQL and other languages. You'll definitely encounter stuff you've never worked with before, but you do not need to be a coding wizard to succeed and no specific experience with these languages is necessary. However, basic programming literacy and proficiency in at least one language such as Python, Java or C/C++/C#, and the understanding that all computer languages are fundamentally similar, are critical. Similarly, previous coursework in networking or operating systems, and/or experience working at the Linux/Unix command-line will be helpful but is not strictly necessary.
However, in all three areas -- programming new languages, networking and the Linux/Unix command-line -- the critical prerequisite is a willingness to learn, experiment, push yourself and do things.
Throughout the course, students will be assigned research papers or articles related to the course material. These papers will be available online.
Crypto-Gram is a monthly email newsletter that summarizes some of the best information on noted security expert Bruce Schneier's blog. This is an excellent source of information for what's happening in the security world, from both technological and political angles. We will discuss topics raised in new issues in class as time permits.
Subscribe at https://lists.schneier.com/cgi-bin/mailman/listinfo/crypto-gram
Infosec News is a service of LARS (Laboratory for Advanced Research in Systems) at UMD, and is a weekly, student-written summary of important news in computer security. The purpose of this list is to facilitate students staying on top of security news and to practice writing about technical subjects. We'll talk about the news of the week, and you'll contribute some summaries as part of your homework.
Other readings (paper handouts or online resources) may be assigned and used during class. We will send an email to the class when this occurs.
Projects may take place on the DETER testbed, a large public testbed used for cyber-security research and education.
MWAH 187 is our lab location, chosen so that everyone can have access to a spare computer with root access. However, if you have the ability to run virtual machines on your laptop (and have sufficient space) you shouldn't need to pay the deposit for the hard drive. Unlike CS 4332 / 5332, many projects will simply use whatever your preferred platform is.
If you do need a Linux machine you can break, bring a refundable deposit of $35 to the CS Department office (320 HH). In exchange, you'll get a key to a locker in MWAH 187 containing a hard drive you will use throughout the semester. Get your deposit back by returning the hard drive at the end of class.
You will also have 24/7 access to MWAH 187 via your RFID key fob, ensuring that you will have a supported and fully customizable environment for homework projects throughout the semester. If you have an RFID fob, you should already have access to MWAH 187. If you don't have a fob, see someone in HH 320. (There is no charge for the RFID key.)
Canvas will be used to manage multiple aspects of the course, including homework submission, grading, announcements, discussions, etc.
Grading is broken down as follows:
Final grades will be assigned as follows:
We will make every effort to post grades to Moodle in a timely fashion.
This course will include two written midterms and a final, the time and location of which will be:
The midterms will focus on material from that period of the course. The final will be cumulative but will skew towards the material presented in the latter third of class.
Class will include discussion, lectures, activities, and presentations. Students are expected but not explicitly required to attend all scheduled class meetings (although chronic absenteeism would affect participation). It is the responsibility of students to plan their schedules to avoid excessive conflict with course requirements. However, there are legitimate and verifiable circumstances that lead to excused student absence from the classroom. These include subpoenas, jury duty, military duty, religious observances, illness, bereavement for immediate family, and NCAA varsity intercollegiate athletics. For complete information, please see: https://www.d.umn.edu/vcaa/ExcusedAbsence.html
If you miss class for whatever reason, it is your responsibility to obtain the information covered in class from a classmate or instructor.
Partial credit is always given for projects and homework. Most assignments can also be submitted late at a penalty of 10% (of 100%) per late day (i.e., on the 10th late day, the assignment will be worth 0 points). Some work cannot be submitted late (e.g., exams, security summaries for Information Security News, etc.).
Early or make-up exams will not be given (see "Late Work," above), except for extreme emergencies (and with the instructor's consent).
I will not give incompletes except for very extreme circumstances (e.g., a major health crisis accompanied by a doctor's note). The last day to turn in extra credit tasks is the last day of Finals Week.
If you use Duo Security to sign in to University applications, YOU ARE STRONGLY ENCOURAGED to set up back-up devices in Duo Security so that you are prepared in the event that your primary Duo device is unavailable (you forgot it, it was stolen, it’s broken, the battery is dead, etc.). Learn about back up devices at z.umn.edu/backupdevices.
As a Duo user, it is your responsibility to come prepared to sign in to applications necessary for class activities, including exams and quizzes. If you are unable to sign in, you may lose points for the class activity. Failure to bring your Duo device or a back-up is not an excused absence or a valid reason for make up work.
Learn more about Duo Security at z.umn.edu/duosecurity.
Academic dishonesty tarnishes UMD's reputation and discredits the accomplishments of students. Academic dishonesty is regarded as a serious offense by all members of the academic community. UMD's Student Academic Integrity Policy can be found at: https://www.d.umn.edu/vcaa/StudentAcademicIntegrity.html
I will initiate academic dishonesty proceedings against anyone who obviously cheats in the class or intentionally plagiarizes.
UMD is committed to providing a positive, safe, and inclusive place for all who study and work here. Instructors and students have mutual responsibility to insure that the environment ... supports teaching and learning, is respectful of the rights and freedoms of all members, and promotes a civil and open exchange of ideas. Making hostile, threatening, discriminatory or disparaging remarks toward or about the instructor, other members of the class or groups of people will not be tolerated. To reference the full policy please see: https://www.d.umn.edu/vcaa/TeachingLearning.html
Appropriate classroom conduct promotes an environment of academic achievement and integrity. Disruptive classroom behavior that substantially or repeatedly interrupts either the instructor's ability to teach, or student learning, is prohibited. Disruptive behavior includes inappropriate use of technology in the classroom. Examples include ringing cell phones, text-messaging, watching videos, playing computer games, email, or surfing the Internet on your computer instead of note-taking or other instructor-sanctioned activities.
Students are expected to adhere to Board of Regents Policy: https://www.d.umn.edu/vcaa/documents/Student_Conduct_Code.pdf
We cover sensitive security topics in this class (e.g., software exploits, network vulnerabilities, etc.) because it is impossible to write secure code or be well-informed about security issues without understanding vulnerabilities and how you can defend against them.
However, because this knowledge can be used for destructive purposes, you will be required to sign a statement indicating that you will only perform sensitive security-related course tasks in approved ways and acknowledging that you understand that using computer systems in unauthorized ways can have serious academic and legal consequences.
Project assignments must be your own work. You may discuss general, high-level, or conceptual issues with other students, but should not share actual code or answers with others. Cheating is considered to be sharing code either by copying, retyping, looking at, or supplying a copy of a file, and applies to information from both current and previous versions of this class (i.e., looking at answers from a previous semester is considered cheating). For group projects, these rules apply between groups instead of individuals.
Sometimes, students feel compelled to cheat on homework because they are afraid of admitting that they do not understand the material or do not know how to complete some task or overcome some technical hurdle. Nobody understands everything -- you should never be afraid of asking questions you have made a reasonable effort to answer. If you are struggling with any material in the class, please come talk to the TA or the instructor early enough to get the help you need -- that is the reason we are here.
While getting answers from current or previous students is considered cheating, in this class it is acceptable to find and use existing code snippets, libraries, tutorials, HOWTO's, Stack Exchange information and other similar resources, provided that the information used is from a legitimate source (i.e., not a cheating website) and you cite the resource used.
Please note that this policy may not apply to other classes at UMD (or elsewhere). I believe this policy makes sense in this course because, rather than demonstrating your understanding by designing and programming discrete, standalone solutions, most projects involve solving large, system-level problems using a synthesis of many smaller solutions (some original and some found elsewhere). In many cases, we have intentionally left critical information out of course materials explicitly so that you will need to go online to find resources with the answers.
That said, it is up to you to ensure that any source you use is sufficiently attributed; this should -- at the very least -- include a comment (in your source code or writeup) identifying:
In the case of libraries or programs provided by us for the class (e.g., tcpdump or ettercap) or widely available pre-packaged applications (such as tools available in the standard Ubuntu distribution), it is sufficient to refer to the software by name. For example, "I installed the chaosreader package from the Ubuntu repository and used it to extract data from the network trace" or "I got this command line from the tcpdump manpage."
Finally, it is also your responsibility to understand any material you use -- its purpose or functionality may be included in later assignments or tests.
If you have any questions about this policy or how to make proper attribution, please contact your instructor.
Taking notes is a means of recording information but more importantly of personally absorbing and integrating the educational experience. However, broadly disseminating class notes beyond the classroom community or accepting compensation for taking and distributing classroom notes undermines instructor interests in their intellectual work product while not substantially furthering instructor and student interests in effective learning.
In particular:
Students may not distribute, via the Internet or other means, lecture notes or instructor-provided materials, except to other members of the same class or with the express written consent of the instructor.
This includes the solutions to homework, quizzes, exams and course projects.
For additional information, please see: https://www.d.umn.edu/vcaa/ClassNotesAppropriateUseof.html
As instructor I shall make every attempt to treat all students equally, without regard to race, religion, color, sex, handicap, age, veteran status, gender identity or sexual orientation. Furthermore, I will not tolerate behavior that excludes or marginalizes anyone. I strongly encourage you to talk to me if you have any concerns regarding equal opportunity in the classroom. To inquire further about the University's policy on equal opportunity, contact the Office of Equal Opportunity (6827), 269-273 DAdB.
It is my policy, and the policy and practice of the University of Minnesota Duluth to create inclusive learning environments for all students, including students with disabilities. If there are aspects of this course that result in barriers to your inclusion or your ability to meet course requirements -- such as time limited exams, inaccessible web content, or the use of non-captioned videos -- please notify the instructor as soon as possible. You are also encouraged to contact the Office of Disability Resources to discuss and arrange reasonable accommodations.
Please call 218-726-6130 or visit the DR website at https://www.d.umn.edu/access for more information.
As a student you may experience a range of issues that can cause barriers to learning, such as strained relationships, increased anxiety, alcohol/drug problems, feeling down, difficulty concentrating and/or lack of motivation. These mental health concerns or stressful events may lead to diminished academic performance or reduce a student's ability to participate in daily activities. University of Minnesota services are available to assist you with addressing these and other concerns you may be experiencing. You can learn more about the broad range of confidential mental health services available on campus via the UMD Health Service Counseling website at https://www.d.umn.edu/hlthserv/counseling/
If you think these services might help you, I urge you to take advantage of them as soon as possible.
Some policy text used or adapted from the following sources (with permission):