This is the syllabus for CSE 466, Fall 2018.
This course will take students through an exploration of the ways that the Security of Computer Systems can fail. Security is a complicated thing: it is only as strong as its weakest link, and a small, single mistake can often bring down otherwise extremely secure software.
Taking the intuition that, to build secure systems in the future, one must understand how security can break, we will cover a number of different failure modes of computer systems, ranging from application security to network and operating system security to web security. Each lecture will consist of an introduction to a new topic, examples of real-world effects of security failures related to the topic, and an assignment for students to explore these concepts.
These assignments will be very thorough, and by the end, students will have an intuitive understanding of how to exploit these vulnerabilities, and will have the building blocks needed to prevent them, both in the lab and in the real world.
This course will be EXTREMELY challenging, and students are expected to learn some of the necessary technologies on their own time.
This course requires a good understanding of low-level computer architecture (for example, students should understand x86 assembly) and low-level programming languages (specifically, C), and good command of a high-level programming language (specifically, Python). You should have a very good background in operating systems (especially Linux or UNIX variants). If you do not have these skills, or do not plan on acquiring them very early in the course, you will have a hard time. A good approximation of the type of material that you will be faced with is the first six levels of the Vortex wargame.
There is no recommended textbook for this course. Any reading material assigned will be from publicly-available sources on the internet.
All announcements and communications for the class will take place through the class mailing list. Students are required to subscribe to the class mailing list.
Students may use the class mailing list to ask questions or request clarifications, and the TA, the instructor, or other students can answer. Note that sharing solutions or answers is expressly prohibited.
Questions should be emailed to both the TA (firstname.lastname@example.org) and the professor (email@example.com). Questions meant just for the professor should be addressed to the following email address: firstname.lastname@example.org.
If at all possible, please use the mailing list (email@example.com) for communication to the professor or the TAs, unless the communication is private. This way, the entire class will benefit from your question. Note that if we deem it necessary and helpful, we will CC the class mailing list when replying to direct emails.
The course will consist of weekly modules about:
- Linux operating system fundamentals, program misuse and privilege escalation.
- Sandboxes and sandbox failures.
- Serialization vulnerabilities.
- Program reverse engineering.
- Traditional memory corruption (buffer overflows).
- Binary code injection.
- Advanced exploitation scenarios.
- Modern symmetric encryption security.
- Modern asymmetric encryption security.
- Content injection beyond binary code.
- Security of machine learning and AI.
In addition, there will be a review/midterm week and a review/finals week. There is a buffer to spend two weeks on one module (most likely, advanced exploitation scenarios).
Students will be evaluated on their performance on 13 equally weighted one-week homework assignments, a one-week take-home midterm exam, and a one-week take-home final exam. Each assignment will consist of a large number of varied but related challenges. Exams will consist of a large number of challenges of the kinds seen in previous assignments. Solving these challenges may require the use or implementation of fairly complex hacking tools. Solving each individual challenge will grant a student- and challenge-specific passcode, called a “flag”. Redemption of this flag will count toward some amount of points, depending on the assignment.
For each assignment, earned points map to a percentage that directly impacts the student’s grade, from 0 to 110 percent. The first 70 percent is a 1:1 mapping from points: that is, every student who gets 70 points on an assignment is guaranteed to get 70 percent from that assignment toward their final score. The other 40 percent (to a maximum of 110) is awarded on a curve, with students receiving anywhere from 0 to 40 percent based on their performance compared to other students. These percentages will be assigned by sorting students (with more than 70 points) by their point totals and giving the top student 40 percent, the next 39, and so on. If more than 40 students have more than 70 points, we will calculate “point buckets” to assign percentages to. For example, if eighty students get an equal distribution of points from 70 through 150, then the top two students will get 40 percent, the next two will get 39, and so on. If fewer than 40 students have more than 70 points, the percentages awarded will be clustered toward the top. For example, if only four students have more than 70 points, the top will get 110 percent, the next 109, the next 108, and the last 107, with everyone else getting their points as their percentage. If students tie for a spot, they will all receive that percentage.
Each homework assignment will have some percentage (between 0 and 10) that will only be redeemable during the second half of class, after the lecture component ends and the homework is assigned. If you miss class, you will have to make up for this lost percentage by getting 110 percent on a future assignment.
Additionally, any responsibly-disclosed serious security issues in course infrastructure will earn an extra 5 to 50 “bug bounty” percent, depending on the severity of the issue. Spurious reports may earn a negative percentage of up to -15 percent. Don’t waste our time.
The percentages from each homework, the midterm, and the final will be equally weighted. Each student’s final grade will be the sum of their accumulated percentages across assignments and exams (where the maximum is 1650 percent, plus any extra bug bounty percentages) divided by 1500 percent. This translates to a letter grade range of:
The upshot of this system is:
- As long as you do the bare minimum (70 points per assignment), you will get a C. To get better than a C, you will need to do better than your peers.
- You can get 10 extra credit percent per assignment, up to the equivalent of one and a half assignments’ worth of points. This is to make up for late homework and missed homework not being accepted. This also, theoretically, means that everyone can get a B or better in the class, despite the curve.
Homework Due Dates
Homework will be assigned toward the end of each class every week, and will be due at noon before the next class. All grading is done automatically through flag submissions, and late submissions will not be accepted under any circumstances.
Students requesting disability accommodations should register with the Disability Resource Center (DRC) and present the instructor with appropriate documentation from the DRC.
Plagiarism and Cheating
Plagiarism or any form of cheating in assignments or projects is subject to serious academic penalty. To understand your responsibilities as a student read: ASU Student Code of Conduct and ASU Student Academic Integrity Policy. There is a zero tolerance policy in this class: any violation of the academic integrity policy will result in a zero on the assignment and the violation will be reported to the Dean’s office. Plagiarism is taken very seriously in this course.
Examples of academic integrity violations include (but are not limited to):
- Sharing code with a fellow student (even if it’s only a few lines).
- Collaborating on code with a fellow student (unless explicitly allowed).
- Using another student’s solution to solve a challenge and get a flag.
Posting your assignment solutions online before the due date of the assignment is expressly forbidden, and will be considered a violation of the academic integrity policy. Note that this includes working out of a public GitHub repository. The GitHub Student Developer Pack provides unlimited private repositories while you are a student, making it easy to begin with a private GitHub repository and make it public after the assignment deadline.
Information in the syllabus may be subject to change with reasonable advance notice and an email to the class mailing list.
This syllabus is based on the syllabi of Adam Doupé (with permission). Otherwise, it is copyright 2017 Yan Shoshitaishvili, along with all lectures and course-related written materials. During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course. Be reasonable.
Title IX is a federal law that provides that no person be excluded on the basis of sex from participation in, be denied benefits of, or be subjected to discrimination under any education program or activity. Both Title IX and university policy make clear that sexual violence and harassment based on sex is prohibited. An individual who believes they have been subjected to sexual violence or harassed on the basis of sex can seek support, including counseling and academic support, from the university. If you or someone you know has been harassed on the basis of sex or sexually assaulted, you can find information and resources at https://sexualviolenceprevention.asu.edu/faqs.
As a mandated reporter, I am obligated to report any information I become aware of regarding alleged acts of sexual discrimination, including sexual violence and dating violence. ASU Counseling Services, https://eoss.asu.edu/counseling, is available if you wish to discuss any concerns confidentially and privately.