CS 4740/6740 - Network Security

General Information

Professor: Christo Wilson
Room: Hayden Hall 221
Time: Tuesdays, 6-9pm
Office Hours: Tuesdays, 10am-12pm
Teaching Assistant: Pavitra Srinivasan
TA Email: srinivasan.p@husky.neu.edu
TA Office Hours: Wednesdays 10am-12pm in the first floor CCIS Lab
Class Forum: On Piazza

Course Description

The networking of the world has brought many tangible benefits to people and companies. However, these networks also enable criminals, pranksters, hacktivists, and national militaries to reach out and attack targets all over the world in microseconds, from anywhere, at any time. Data breaches, mass identity theft, denial of service attacks, critical zero-day exploits, malware and botnet infestations, etc. are now weekly news events, and there is no sign that these dangerous trends will abate any time soon. It is critical that students who will engineer the systems of tomorrow understand the threats of today, in order to produce robust and secure software in the future.

CS 4740/6740 is a mixed undergraduate and graduate-level course on network security covering a diverse range of topics at all layers of the networking stack, from physical devices up to application-level security. The course focuses on the intersection between systems security principles and computer networking, from abstract models to their application in systems code, the Web, and mobile platforms. We will examine real-world attacks against various types of protocols and systems, as well as look at techniques to stop these attacks, and how to construct more secure, robust software in general. This class has a pronounced emphasis on practical techniques for both defending and attacking systems, with the overall goal of teaching students about the "attackers mindset".

Prerequisites

The official prequisite for Network Security is CS 4700/5700 Fundamentals of Computer Networks. However, this will be a demanding course that will cover a broad range of topics. CS 5600 Computer Systems or any other course in the fundamentals of computer architecture and operating systems is highly recommended.

Students taking this course are expected to have a working knowledge of fundamental computer hardware concepts. This includes familiarity with assembly language, memory architectures, basic I/O devices, and the ISO/OSI networking stack. You will encounter x86 assembly code within the course projects and while you are debugging, and you will be asked to write (relatively short) sequences of code in assembly.

All of the projects in this course will be built on Linux, so proficiency with basic Unix command line utilities and SSH is essential. Furthermore, this course will cover security topics over a broad range of different technologies, so students are expected to understand C/C++, HTML and Javascript, and at least one scripting language like Python.

Class Forum

The class forum is on Piazza. Why Piazza? Because they have a nice web interface, as well as iPhone and Android apps. Piazza is the best place to ask questions about projects, programming, debugging issues, exams, etc. In order to keep things organized, please tag all posts with the appropriate hashtags, e.g. #lecture1, #project3, etc. I will also use Piazza to broadcast announcements to the class. Bottom line: unless you have a private problem, post to Piazza before writing me/the TA an email.

Schedule, Lecture Slides, and Assigned Readings

Date Slides Piazza Tag Other Material Comments
Jan. 13 Introduction, Fundamentals #lecture1 Join Piazza
Jan. 20 Hijacking, Denial of Service, and Intrusion Detection #lecture2
Jan. 27 Authentication (w/ Audio) #lecture3 Proj. 1 Out
Feb. 3 Network and Transport Layer Security #lecture4
Feb. 10 Snow Day Proj. 1 Due
Feb. 17 Naming and Routing #lecture5 DNS, BGP Proj. 2 Out
Feb. 24 Midterm #midterm
Mar. 3 Memory (Un)safety, Basic Expliots #lecture6 ELF Binaries/Program Stack,
Stack Smashing
Mar. 10 Spring Break!
Mar. 17 Host-based defenses (DEP, ASLR, CFI) #lecture7 Exploit Prevention Proj. 2 Due, Proj. 3 Out
Mar. 24 Web Platforms, Basic Web Attacks #lecture8
Mar. 31 HTML5, CSP, CORS, Browser Separation, Extensions #lecture9
Apr. 7 Web Privacy, Anonymity #lecture10 Proj. 3 Due, Proj. 4 Out
Apr. 14 The Cybercrime Underground #lecture11
Apr. 21 Final Exam #final
Apr. 28 Proj. 4 Due

Textbook

There is no textbook for this course. Instead, I will provide links to relevent review materials and academic papers. These links appear in the "Other Material" column in the above calendar.

Projects

There will be four programming projects throughout the semester. Programming projects are due at 11:59:59pm on the specified date. We will use a turn-in script to create a compressed archive of the project files, timestamp them, and submit them for grading. These projects require significant reverse-engineering, analysis, and coding, hence students are recommended to start early!

Assignment Slides Description Due Date Piazza Tag
Project 1 Authentication February 10 #project1
Project 2 Memory Corruption I March 17 #project2
Project 3 Memory Corruption 2 April 7 #project3
Project 4 Web Vulnerabilities April 28 #project4

You will form groups of two people to do the projects. I will allow you to form your own groups; if you are having trouble finding a partner, post a notice to Piazza. Since you are free to choose your partners, I will not be sympathetic to complaints at the end of the semester about how your group-mates did not do any work. All group members should be involved in all major design decisions, and groups should develop a programming plan that can be effectively parallelized. You may switch groups between programming projects.

Exams

There will be one midterm and one final. All exams will be closed book and closed notes, and computers are not allowed nor is any access to the Internet via any device. The exams will cover material from lectures, readings, and the projects. The final will be cumulative, so review everything!

Grading

Projects: 13% each (52% total)
Quizzes: 5%
Midterm: 15%
Final: 23%
Participation: 5%

Each project will include a breakdown of how it will be graded.

To calculate final grades, I simply sum up the points obtained by each student (the points will sum up to some number x out of 100) and then use the following scale to determine the letter grade: [0-60] F, [60-62] D-, [63-66] D, [67-69] D+, [70-72] C-, [73-76] C, [77-79] C+, [80-82] B-, [83-86] B, [87-89] B+, [90-92] A-, [93-100] A. I do not curve the grades in any way. All fractions will be rounded up.

Requests for Regrading

In this class, we will use the Coaches Challenge to handle requests for regrading. Each student is allotted two (2) challenges each semester. If you want a project or a test to be regraded, you must come to the professors office hours and make a formal challenge specifying (a) the problem or problems you want to be regraded, and (b) for each of these problems, why you think the problem was misgraded. If it turns out that there has been an error in grading, the grade will be corrected, and you get to keep your challenge. However, if the original grade was correct, then you permanently lose your challenge. Once your two challenges are exhausted, you will not be able to request regrades. You may not challenge the use of slip days, or any points lost due to lateness.

Note that, in the case of projects, all group members must have an available challenge in order to contest a grade. If the challenge is successful, then all group members get to keep their challenge. However, if the challenge is unsuccessful, then all group members permamently lose one challenge.

Late Policy

For programming projects, we will use flexible slip days. Each student is given four (4) slip days for the semester. You may use the slip days on any project during the semester in increments of one day. For example, you can hand in one project four days late, or one project two days late and two projects one day late. You do not need to ask permission before using slip days; simply turn in your assignment late and the grading scripts will automatically tabulate any slip days you have used.

Slip days will be deducted from each group member's remaining slip days. Keep this stipulation in mind: if one member of a group has zero slip days remaining, then that means the whole group has zero slip days remaining.

After you have used up your slip days, any project handed in late will be marked off using the following formula:

Original_Grade * (1 - ceiling(Seconds_Late / 86400) * 0.2) = Late_Grade

In other words, every day late is 20% off your grade. Being 1 second late is exactly equivalent to being 23 hours and 59 minutes late. Since you will be turning-in your code on the CCIS machines, their clocks are the benchmark time (so beware clock skew between your desktop and CCIS if you're thinking about turning-in work seconds before the deadline). My late policy is extremely generous, and therefor I will not be sympathic to excuses for lateness.

Cheating Policy

It's ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn. However, what you turn in must be your own, or for projects, your group's own work. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or prior CS 3700 students) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.

All students are subject to the Northeastern University's Academic Integrity Policy. Per CCIS policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result is deferred suspension, suspension, or expulsion from the university.

Accomodations for Students with Disabilities

If you have a disability-related need for reasonable academic accommodations in this course and have not yet met with a Disability Specialist, please visit www.northeastern.edu/drc and follow the outlined procedure to request services. If the Disability Resource Center has formally approved you for an academic accommodation in this class, please present the instructor with your "Professor Notification Letter" at your earliest convenience, so that we can address your specific needs as early as possible.

Title IX

Title IX makes it clear that violence and harassment based on sex and gender are Civil Rights offenses subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, etc. If you or someone you know has been harassed or assaulted, you can find the appropriate resources here.