CIS-331: Introduction to Networks and Security
Fall 2019
Instructor: Sebastian Angel
Room: BENN 401
Time: Tu/Th 10:30 AM–12:00 PM
Email: sebastian.angel at cis.upenn.edu
Discussion: Piazza
Office hours: Thursday 4 PM–6 PM (Levine 604)
This course introduces principles and practices of computer and network security. It covers the following:
Even though NETS students are not required to take CIS 240, it is a prerequisite for this course. We will be enforcing these prerequisites.
Name | Email (at seas.upenn.edu) | Office hours (location) |
---|---|---|
Lawrence Dunn | dunnla | Tuesday 12:15–2:15 PM (GRW 5th floor bump space) |
Natasha Gedeon | nged | Wednesday 12:30–2:30 PM (GRW 5th floor bump space) |
Amit Lohe | alohe | Wednesday 4–6 PM (Levine 6th floor bump space) |
Michael Zhou | mizho | Friday 12:30 PM–2:30 PM (Levine 5th floor bump space) |
There is no required textbook for this course. The following three books (available for free) are good extra sources:
There will be 4 homework assignments to be completed individually, and 4 projects to be done in pairs. There are two exams: a midterm and a final.
Late Days. You will have a budget of five late days (24-hour periods) over the course of the semester that you may use to turn assignments in late without penalty and without needing to ask for an extension. Late pair projects will be charged to both partners. Once your late days are used up, extensions will only be granted in extraordinary circumstances. Late days can be used for homeworks and projects, but not exams. To use a late day, just turn in your assignment late. There is no need to notify the course staff. If you have an extenuating circumstance, you must contact the course staff before the assignment is due.
We encourage you to discuss the problems and your general approach with other students in the class. However, the answers you turn in must be your own original work, and you must adhere to Penn’s Code of Academic Integrity.
For more information, see the Office of Student Conduct.
The University of Pennsylvania provides reasonable accommodations to students with disabilities who have self-identified and received approval from the Office of Student Disabilities Services (SDS). If SDS has approved your request for accommodations, please make an appointment to meet with me as soon as possible in order to discuss the arrangements for your accommodations. SDS services are free and confidential.
The CIS department and all of the faculty and staff are committed to making your studies here at Penn a safe and rewarding experience. This can only happen if we work together to create an inclusive environment that welcomes all students, regardless of their race, ethnicity, gender identity, sexuality, or socioeconomic status. Diversity, inclusion, and belonging are all core values of this course. All participants in this course deserve, and should expect, to be treated with respect by other members of the community. We encourage all students to visit the CIS Diversity site to learn about all available resources.
A sense of belonging can also affect students’ mental health and wellness, which is of utmost importance to the course instruction staff, if not the University as a whole. All members of the instruction staff will be happy to chat or just to listen if you need someone to talk to, even if it’s not specifically about this course.
If you or someone you know is in distress and urgently needs to speak with someone, please do not hesitate to contact CAPS: 215-898-7021; 3624 Market St. If you are uncomfortable reaching out to CAPS, any member of the instruction staff will be happy to contact them on your behalf.
Date | Topic | Reading |
---|---|---|
8/27 | Introduction: course overview, threat models, defensive programming | The Security Mindset by B. Schneier; How to think like a security professional by T. Kohno; This World of Ours by J. Mickens |
8/29 | Control hijacking: buffer and integer overflow, stack smashing, format string vulnerability | Memory Safety Attacks and Defenses by D. Wagner; Smashing the stack for fun and profit by Aleph One; errata for "Smashing the stack for fun and profit" by M. Walfish (optional); Low-level Software Security by Example by U. Erlingsson, Y. Younan, and F. Piessens (optional); Basic Integer Overflows by blexim |
9/3 | Control hijacking defenses: stack canaries, NX bit, ASLR | Buffer Overflows: Attacks and Defenses by C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole; Smashing the stack in 2011 by P. Makowski |
9/5 | Return-oriented programming: bypassing NX and ASLR | Return-to-libc attacks by c0ntex (optional); Return-Oriented Programming: Systems, Languages, and Applications by Roemer et al. (optional); Introduction to return-oriented programming by A. Reece |
9/10 | OS security: privilege separation, isolation, setuid, chroot | Principles for Building Secure Systems by D. Wagner; Design Patterns for Building Secure Systems by D. Wagner; The Confused Deputy by N. Hardy |
9/12 | Passwords: password attacks, usability, hygiene, alternatives | The Tangled Web of Password Reuse by Das et al. |
9/17 | Cryptography introduction: confidentiality, adversaries, classic ciphers | Historical ciphers by N. Smart; Introduction to cryptography by B. Barak (Chapter 1.1–1.3) |
9/19 | Classic ciphers and symmetric encryption I: Vigenère cipher, one-time pad, perfect secrecy | Information-theoretic security by N. Smart |
9/24 | Symmetric encryption II: stream ciphers, PRGs, unpredictability | Historical stream ciphers by N. Smart; Pseudorandomness by B. Barak |
9/26 | Symmetric encryption III: statistical tests, indistinguishability, negligible functions, semantic security | Negligible functions by D. Boneh and V. Shoup; Computational security by B. Barak |
10/1 | Symmetric encryption IV and hash functions: block ciphers, PRPs, Merkle-Damgård construction | Block ciphers by N. Smart; Hash functions by N. Smart; (optional) Hash functions and Bitcoin by B. Barak |
10/3 | MACs and authenticated encryption: length extension attacks, PRFs, ciphertext integrity | Pseudorandom Functions by M. Bellare and P. Rogaway; Message Authentication Codes by N. Smart |
10/8 | Public key encryption I: Diffie-Hellman key exchange, trapdoor functions, public key encryption from trapdoor functions | Asymmetric Encryption by D. Wagner; Public Key Tools by D. Boneh and V. Shoup |
10/10 | Fall break | |
10/15 | Public key encryption II: RSA trapdoor permutation, RSA-KEM, RSA-OAEP, RSA digital signatures, RSA-FDH, PKCS#1 v1.5 | Public key encryption by D. Boneh and V. Shoup; MACs and Digital Signatures by R. Popa and D. Wagner |
10/17 | HTTPS and PKIs: certificates, PKI, TLS handshake, forward secrecy | Everything you Never Wanted to Know about PKI but were Forced to Find Out by P. Gutmann |
10/22 | Midterm Exam | Includes content up to Public Key Encryption I (10/8) |
10/24 | Web overview: threat model, HTTP, HTML, JavaScript | Web technology for developers by Mozilla |
10/29 | Web attacks I (guest lecture): same origin policy, cookies, SQL injection | Secure Session Management With Cookies for Web Applications by Chris Palmer; SQL injection prevention cheat sheet by OWASP |
10/31 | Web attacks II: CSRF, XSS | |
11/5 | Networking I: TCP/IP, BGP, DNS | Security problems in the TCP/IP protocol suite by S. Bellovin; What is BGP by Cloudflare |
11/7 | Networking II: Ethernet, ARP, DHCP, NAT | |
11/12 | Denial of service (guest lecture): DoS, DDoS, SYN flooding, client puzzles | An analysis of China's "Great Cannon" by Marczak et al. |
11/14 | Network attacks and defenses: DNS poisoning, BGP hijacking | DNS security threats and mitigations by Google; A Study of Prefix Hijacking and Interception in the Internet by H. Ballani, P. Francis, and X. Zhang |
11/19 | Privacy: end-to-end encrypted email, VPN, private browsing | Deep dive on End-to-End encryption by the EFF; An Analysis of Private Browsing Modes in Modern Browsers by Aggarwal et al. |
11/21 | Censorship: the Great Firewall of China, decoy routing, domain fronting | The Great Firewall Revealed by Global Internet Freedom Consortium; Decoy Routing by Karlin et al.; Blocking-resistant communication through domain fronting by Fifield et al. |
11/26 | Thanksgiving break | |
11/28 | Thanksgiving break | |
12/3 | Anonymity: Tor | Tor: The Second-Generation Onion Router by R. Dingledine, N. Mathewson, and P. Syverson |
12/5 | Underground economy: spam, phishing, botnets | |
12/7 | Project 4 due | |
12/12 | Final Exam: 9 AM–11 AM (Location: STIT B6) | |