CSE 509, System Security, Fall 2020
|Lecturer: ||Nick Nikiforakis
|Teaching Assistants:|| TBD |
|TA Office hours:|| TBD |
|Time:|| TBD |
|Place:|| TBD |
|Office Hours: || TBD, NCS #361 |
|Contact:|| nick[email squiggly thingy] cs.stonybrook.edu|
Important: When sending me an email about the course, make sure your title starts with "[CSE 509]" (without the quotes). Mislabeled or unlabeled emails will, most likely, not be read.
In this class, we will together explore the concepts behind system security. We will look at the core principles behind secure (and insecure) systems and how to both discover vulnerabilities as well as how to correct them.
The course will consist of lectures, assignments, and a course project.
Some of the topics that we will cover are the following:
- Security properties (Confidentiality, Integrity, Availability)
- Passwords, Biometrics, Hardware Tokens
- Access Control (Access control Matrix, Mandatory Access Control, Discretionary Access Control, RBAC, Hierarchical RBAC, Bell-LaPadula, Biba Integrity Model, Chinese wall, ACLs, Capabilities)
- Process separation and Virtual Memory
- Buffer overflows (Stack, Heap, Integer)
- Non-control Data Attacks
- System calls, Understanding of shellcode
- State of Practice Defenses against low-level attacks (ASLR, DEP, Canaries)
- Bounds checkers and modified C libraries
- Workings of browsers (Same-Origin Policy, Session Management, Isolation of documents from different origins)
- Attacks against web applications (XSS, CSRF, Session Fixation, HTTP Parameter Pollution...) and defenses
- Attacks against web servers (SQL Injection, LFI, RFI, Command injections) and defenses
- Attacks against the user (Clickjacking, Malvertising, Cybersquatting, Fake AVs, Scareware, Drive-by downloads) and defenses
- Web privacy
- Other advanced topics, as time allows
Following a long-standing tradition in security courses, there is no official textbook for this course. I am drawing inspiration mostly from the following books:
- Introduction to Computer Security, Goodrich & Tamasia, 2010
- Security Engineering, Ross Anderson, 2008 (Available for free here)
Requirements and Grading
Subject to minor tweaks throughout the semester.
- Assignments: 15% These will include small coding/lab assignments and summarizing classic computer security papers and articles.
- Class Project: 35% Class project will involve coding a system/mechanism for defense or attack purposes.
- Midterm: 20% Brief, in class exam, covering about half of the lectures and studied papers
- Final: 30% Final Exam on everything covered in this class
Schedule and Reading Assignments
|Date ||Topic ||Reading Assignment(s)|
Note: If you have a physical, psychological, medical or learning disability that may impact on your ability to carry out assigned course work, please contact the staff in the Student Accessibility Support Center, Room 128, Educational Communications Center (ECC), 631-632-6748. The center will review your concerns and determine with you what accommodations are necessary and appropriate. All information and documentation of disability are confidential. For more information, please visit their website: https://www.stonybrook.edu/commcms/studentaffairs/sasc/
Note: Each student must pursue his or her academic goals honestly and be personally accountable for all submitted work. Representing another person's work as your own is always wrong. Any suspected instance of academic dishonesty will be reported to the Academic Judiciary. For more comprehensive information on academic integrity, including categories of academic dishonesty, please refer to the academic judiciary website at http://www.stonybrook.edu/uaa/academicjudiciary/.