This course is an introduction to computer security. I will teach this course in 4 modules. Each module consists of 4-6 lectures. The modules are described here.

Lecture dates | Time | Place: Tue-Thu | 1-2:20 PM | QNC 2502

STAFF (Office hours)

Instructor: Dr. Vijay Ganesh
Office: DC 2530
Date / Time: Tue - Thu / 2:30 - 3:30 PM
TA: Carlos Moreno
Office: EIT 4103
Date / Time: Wed / 3:30 - 4:30 PM
TA: Frank Imeson
Office: E5 4119
Date / Time: Fri / 1 - 2 PM
TA: Alireza Sharifi
Office: DC 3576
Date / Time: Tue / 9 - 10 AM

Lecture Schedule

Assigned Reading (Books chapters, papers)
Jan 8, 2013
Lecture 1: Introduction to computer security. basic concepts such as confidentiality, integrity, availability, SYN cookies, policy and mechanism, trust and assumptions. Material sourced from Matt Bishop's book Introduction to Computer Security, and lecture slides by Professor Bill Young of UT, Austin.
Jan 10, 2013
Lecture 2 (Slides 1-25) (With permission and courtesy of Professor Dan Boneh of Stanford University): Control hijack attacks. Buffer overflow vulnerabilities and stack smashing attacks, integer overflow vulnerabilities, string format vulnerabilities. Attacks that combine different kinds of vulnerabilities. 
Jan 15, 2013
Lecture 3 (Slides 26 - 58) (With permission and courtesy of Professor Dan Boneh of Stanford University): Techniques to prevent, detect and recover from control hijack attacks. Typesafe languages. Address space layout randomization (ASLR). Stack canaries.  Safe libraries (LibSafe). Heap-spraying attacks.  Techniques to protect against heap-spray attacks.

Project guidlines
Jan 17, 2013
Lecture 4: Testing, analysis and verification for security. Automated testing techniques, program analysis for security, fuzzing, whitebox fuzzing, model-checking and advanced verification techniques.
Jan 22, 2013
Lecture 5: Malware, computer viruses, worms, trojan horses, detailed description of the Stuxnet worm and comparison with the Aurora worm.
Jan 24, 2013
Lecture 6: Malware analysis. Static and dynamic techniques to detect malware. Signature-based detection. Polymorphism and metamorphism. Semantic-aware detection. Obfuscation. Dynamic information-flow tracking for runtime monitoring. Explicit and implicit taint.
Jan 29, 2013
Lecture 7: SAT solvers for software engineering and computer security. Why we need SAT solvers. Concolic testing revisited. Basic DPLL SAT solver with backjumping.
Jan 31, 2013
Lecture 8: Basics of cryptography. One-time pad. Stream and block ciphers. MACs. Public-key cryptography. Uses of cryptography.

Feb 5, 2013
Lecture 9: Side-channel analysis and attacks. Timing, power, cache,...

Feb 12, 2013
Lecture 10: Motivation for public-key cryptography, Basic number theory, Diffie-Hellman key exchange protocol, RSA public-key encryption scheme, digital signatures

Feb 14, 2013
Lecture 11: Cryptographic hash functions. Properties such as collision resistance (weak and strong), inversion resistance. How hash functions work.

Feb 26, 2013
Lecture 12: (also available in pptx format): Browser security. How browsers work. Same-origin Policy. JavaScript and XSS attacks.

Feb 28, 2013
Lecture 13 (pptx format): CSRF (Cross-Site Request Forgery) attacks

Mar 5, 2013
Review of material covered so far in preparation for the mid-term

Mar 6, 2013

Mar 7, 2013
No class

Mar 12, 2013
Lecture 14: Click-jacking attacks (Excellent Talk by David Lin-shung Huang of CMU) ; Discussion of solutions to mid-term exam questions

Mar 14, 2013
Lecture 15: Security in control systems by Professor Shreyas Sundaram. Detailed analysis of the Stuxnet virus.
Mar 21, 2013
Lecture 16 (pptx format): Network security. Basics of TCP/IP and BGP. TCP Spoofing. BGP attacks. DNS cache poisoning attacks.

Mar 26, 2013
Lecture 17 (pptx format): The problem with formal verification (undecidable) and model-checking (PSPACE-complete). Principles of secure design: Isolation, compartmentalization, principle of least privilege, principle of safe defaults, access control (ACLs, capabilities and role-based).
Mar 28, 2013
Lecture 18 (Overview of computer security concepts. Distributed Denial of Service attacks)

April 2, 2013
Lecture 19 (pptx format): Lecture by Dr. Glenn Wurster from Blackberry. Security in the real world.

April 4, 2013
Project demo starting 1 PM @ EIT 3142

Apr 17, 2013
Final Exam from 9 AM - 11:30 AM in Rooms RCH 103, 105

I would like to acknowledge the following people who have been very kind in sharing with me the lecture materials, notes etc. from their respective courses, and given me permission to use them as I wish in this course.

Professor Dan Boneh (Stanford)
Professor Matt Bishop (UC, Davis)
Professor David Brumley (CMU)
Professor Kevin Du (Syracuse)
Professor Mahesh Tripunitara (Waterloo)
Professor Koushik Sen (Berkeley)
Professor William D. Young (UT, Austin)
Professor Konstantin (Kosta) Beznosov (University of British Columbia)
Professor Cristian Cadar (Imperial College, London)