**CSE 127: Intro to Computer Security**
[*Deian Stefan*](https://cseweb.ucsd.edu/~dstefan/)
About
==============================================================
This course focuses on computer security, covering a wide range of topics on
both the _defensive_ and _offensive_ side of this field. Among these will be
systems security and exploitation (e.g., buffer overflows and return-oriented
programming), sandboxing and isolation, covert channels, network security,
language-based security, cryptography, privacy and anonymity. The goal of the
course is to provide an appreciation of how to think adversarially with respect
to computer systems as well as an appreciation of how to reason about attacks
and defenses.
To complete the projects in this course, you will need to be able to write code
in C and (some) C++, and have some understanding of x86 assembly, JavaScript,
PHP and SQL. We will not teach these in lecture; you are expected to learn them
on your own or ask for help in section or office hours. If you don't know C,
K&R's [The C Programming
Language](https://en.wikipedia.org/wiki/The_C_Programming_Language) is a go-to,
but the [Hacking](https://nostarch.com/hacking2.htm) book is probably enough
and covers x86 assembly and many of the topics in this class.
Class details
==============================================================
Lectures:
: Monday and Wednesday, 5:00--6:20pm
Staff:
: **Instructor**: Deian Stefan
: **Teaching Assistants**: Evan Johnson, John Renner, David Thien, Zije Zhao
Section:
: Friday, 5:00-5:50pm
Office hours (all on Zoom):
: **Evan**: Tuesday, 3:00-4:00pm
: **John**: Wednesday, 1:30-2:30pm @ Art of Espresso & on Zoom
: **David**: Thursday, 4:30-5:30pm
: **Zije**: Friday, 10:00-11:00am
: **Deian**: Monday, 1:30-2:30pm
Web tools:
: [Piazza](https://piazza.com/ucsd/fall2021/cse127) for all communication.
([Configure your piazza privacy settings](https://piazza.com/myprofile).)
: [Gradescope](https://www.gradescope.com/courses/318577) for assignments and exam.
: [Zoom (via Canvas)](https://canvas.ucsd.edu/courses/29606) for lecture, section, and all office hours.
Calendar and readings
==============================================================
Mon Sept 27 2021: Introduction
- [*Slides*](slides/1-introduction.pdf)
- *Read*: [This World of Ours](https://www.usenix.org/system/files/1401_08-12_mickens.pdf) by James Mickens
- *Watch*: [USENIX Security 2018 Keynote](https://www.usenix.org/conference/usenixsecurity18/presentation/mickens) by James Mickens
- *Optional*: [EFF write up on Van Buren case](https://www.eff.org/deeplinks/2021/06/van-buren-victory-against-overbroad-interpretations-cfaa-protects-security)
Wed Sept 29 2021: Buffer overflow attacks
- [*Slides*](slides/2-bufferoverflows.pdf)
- [*GDB buffer overflow notes*](notes/bufferoverflow.html)
- *Read*: [Smashing the Stack for Fun and Profit](http://phrack.org/issues/49/14.html#article) by Aleph One
- *Optional:* 0x300-0x320 from [Hacking](https://nostarch.com/hacking2.htm). 0x200-0x270 if you don't have a strong C background.
- *Resources mentioned in class:* [Project Zero exploits](https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-1-introduction-to-qmage.html), [finger daemon](https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/fingerd.c), [GEF](https://gef.readthedocs.io/en/master/), [Compiler explorer](https://godbolt.org/z/3iFhjy)
Fri Oct 1 2021: [PA1: GDB + x86](pa/pa1.html)
Mon Oct 4 2021: Buffer overflow defenses
- [*Slides*](slides/3-lowlevelmitigations.pdf)
- *Read*: [ASLR](https://pax.grsecurity.net/docs/aslr.txt) and [NOEXEC](https://pax.grsecurity.net/docs/noexec.txt)
Wed Oct 6 2021: Memory (un)safety
- [*Slides*](slides/4-ropcfi.pdf)
- *Read*: [Low-Level Software Security by Example](papers/erlingsson:low.pdf) by Ulfar Erlingsson et al.
- [*return to libc and ROP notes*](notes/rop.html)
- *Optional*: [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](papers/shacham:rop.pdf) by Hovav Shacham, [Hacking Blind](papers/bittau:brop.pdf) by Andrea Bittau et al., and [Control-Flow Integrity](papers/abadi:cfi.pdf) by Martin Abadi et al.
Fri Oct 8 2021: [PA2: Buffer overflows](pa/pa2.html)
Mon Oct 11 2021: More memory (un)safety
- [*Slides*](slides/5-heapint.pdf), [*Example code*](notes/heap)
- *Read*: [Fantastic memory issues and how to fix them](https://educatedguesswork.org/posts/memory-safety/) by Eric Rescorla and [Understanding glibc malloc](https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/) by sploitfun
- *Optional*: [Advanced Doug lea's malloc exploits](http://phrack.org/issues/61/6.html) by jp, [Automatic Techniques to Systematically Discover New Heap Exploitation Primitives](https://www.usenix.org/conference/usenixsecurity20/presentation/yun) by Insu Yun et al.
Wed Oct 13 2021: Sandboxing and isolation
- [*Slides*](slides/6-isolation.pdf)
- *Watch*: [USENIX Security talk](https://www.usenix.org/conference/usenixsecurity20/presentation/narayan) by Shravan Narayan
- *Read*: [The Road to Less Trusted Code: Lowering the Barrier to In-process Sandboxing](https://cseweb.ucsd.edu/~dstefan/noindex/login2020/) by Garfinkel et al.
- *Optional*: [Retrofitting Fine Grain Isolation in the Firefox Renderer](https://cseweb.ucsd.edu/~dstefan/pubs/narayan:2020:rlbox.pdf) by Narayan et al., [Operating System Security](http://www.morganclaypool.com/doi/abs/10.2200/S00126ED1V01Y200808SPT001) by Trent Jaeger, [Android System and kernel security](https://source.android.com/security/overview/kernel-security), and [iOS Security Guide](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)
Fri Oct 15 2021: [PA3: Library sandboxing](pa/pa3.html)
Mon Oct 18 2021: Side channels
- [*Slides*](slides/7-sidechannels.pdf)
- *Read*: [Efficient Cache Attacks on AES, and Countermeasures](papers/tromer:cache.pdf) by Eran Tromer et al.
- *Optional*: [Chapter 19](https://www.cl.cam.ac.uk/~rja14/Papers/SEv3-ch19-7sep.pdf) of Security Engineering
Wed Oct 20 2021: Side channels (cont) + Spectre attacks + Midterm review
- [*Slides*](slides/7-sidechannels.pdf)
- *Read*: [Spectre Attacks: Exploiting Speculative Execution](https://spectreattack.com/spectre.pdf) by Paul Kocher et al.
Mon Oct 25 2021: Midterm
Wed Oct 27 2021: Web intro
- [*Slides*](slides/8-webintro.pdf)
- *Read*: [CSRF, XSS, SQLi notes](https://cseweb.ucsd.edu/~dstefan/cse127-winter19/notes/lecture13/), PHP's [SQL Injection](https://www.php.net/manual/en/security.database.sql-injection.php)
- *Optional*: [Web technology for developers](https://developer.mozilla.org/en-US/docs/Web), and [Browser Security Handbook: Basic concepts behind web browsers](https://code.google.com/p/browsersec/wiki/Part1)
Fri Oct 29 2021: [PA4: Side channels](pa/pa4.html)
Mon Nov 1 2021: Web attacks and defenses
- [*Slides*](slides/9-webattacks.pdf)
- *Read*: [Robust defenses for cross-site request forgery](papers/csrf.pdf) by Adam Barth, Collin Jackson, and John C. Mitchell, [Finding and Fixing DOM-based XSS with Static Analysis](https://blog.mozilla.org/attack-and-defense/2021/11/03/finding-and-fixing-dom-based-xss-with-static-analysis/) by Frederik Braun
- *Additional slides*: [*more on CSP, CORS, etc.*](https://cseweb.ucsd.edu/~dstefan/cse127-fall20/slides/11-webdefenses.pdf)
Wed Nov 3 2021: Network intro
- [*Slides*](slides/10-networkintro.pdf)
- *Read*: [Security problems in the TCP/IP protocol suite](https://www.cs.columbia.edu/~smb/papers/ipext.pdf) by Steven Bellovin. And [a look back](https://www.cs.columbia.edu/~smb/papers/acsac-ipext.pdf) at this paper.
- *Optional*: Wikipedia articles on [Autonomous System](http://en.wikipedia.org/wiki/Autonomous_system_%28Internet%29), [OSPF routing](http://en.wikipedia.org/wiki/Open_Shortest_Path_First), [Border Gateway Protocol](http://en.wikipedia.org/wiki/Border_Gateway_Protocol), [User Datagram Protocol](http://en.wikipedia.org/wiki/User_Datagram_Protocol), [Transmission Control Protocol](http://en.wikipedia.org/wiki/Transmission_Control_Protocol), and [Domain Name System](http://en.wikipedia.org/wiki/Domain_Name_System)
Fri Nov 5 2021: [PA5: Web security](pa/pa5.html)
Mon Nov 8 2021: Network attacks
- [*Slides*](slides/11-networkattacks.pdf)
- *Read*: [Security problems in the TCP/IP protocol suite](https://www.cs.columbia.edu/~smb/papers/ipext.pdf) by Steven Bellovin. And [a look back](https://www.cs.columbia.edu/~smb/papers/acsac-ipext.pdf) at this paper.
- *Read*: [SAD DNS Explained](https://blog.cloudflare.com/sad-dns-explained/) by Marek Vavruša and Nick Sullivan
- *Optional read*: [BGP leaks and cryptocurrencies](https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/) by Louis Poinsignon.
Wed Nov 10 2021: Network defenses
- [*Slides*](slides/12-networkdefenses.pdf)
- *Read*: [NAT Slipstreaming](https://samy.pl/slipstream/) by Samy Kamkar. And,
if you haven't read it, [a look
back](https://www.cs.columbia.edu/~smb/papers/acsac-ipext.pdf) at this paper.
Fri Nov 12 2021: [PA6: Networking](pa/pa6.html)
Mon Nov 15 2021: Symmetric-key crypto
- [*Slides*](slides/13-symmetriccrypto.pdf)
- *Read*: [Chapter 5](https://www.cl.cam.ac.uk/~rja14/Papers/SEv3-ch5-7sep.pdf) (skip 5.2.3, 5.2.5, 5.3.4, 5.3.5, 5.4, 5.7, 5.8) of Security Engineering
- *Optional*: [Communication Theory of Secrecy Systems](https://archive.org/stream/bstj28-4-656#page/n0/mode/2up) by Shannon
Wed Nov 17 2021: Public-key crypto
- [*Slides*](slides/14-pubkeycrypto.pdf)
- *Read*: Sections 5.2.5, 5.3.4, 5.3.5, 5.7, 5.8 of Security Engineering
- *Read*: [Bleichenbacher's RSA signature forgery based on implementation error](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/) by Hal Finney
Fri Nov 19 2021: [PA7: Crypto](pa/pa7.html)
Mon Nov 22 2021: TLS, PKI, and CT
- [*Slides*](slides/15-tls.pdf)
- *Read*: [The Illustrated TLS 1.2 Connection](https://tls.ulfheim.net/) and [TLS 1.3 edition](https://tls13.ulfheim.net/)
Wed Nov 24 2021: No class
Fri Nov 26 2021: [PA8: MicroTLS](pa/pa8.html)
Mon Nov 29 2021: Privacy, anonymity, ethics, and hygiene
- [*Slides*](slides/16-privacy.pdf)
- *Watch*: [Crypto 2020 Invited talk](https://www.youtube.com/watch?v=Ygq9ci0GFhA) by Seny Kamara
- *Read*: [Chapter 26](https://www.cl.cam.ac.uk/~rja14/Papers/SEv3-ch26-7sep.pdf) of Security Engineering
- *Optional*: [Chapter 20](https://www.cl.cam.ac.uk/~rja14/Papers/SEv3-ch20-7sep.pdf) (skip 20.5-20.7) of Security Engineering, [Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0](http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf), [Tor: The Second-Generation Onion Router](https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf), [Bernstein v. United States](http://cr.yp.to/export.html), [Off-the-Record Communication, or, Why Not To Use PGP](https://otr.cypherpunks.ca/otr-wpes.pdf), [Forward Secrecy for Asynchronous Messages](https://whispersystems.org/blog/asynchronous-security/), and [Robust De-anonymization of Large Sparse Datasets](http://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf)
Wed Dec 1 2021: Invited talk + Final review
Thu Dec 9 2021: Final exam
Textbook
==============================================================
We will occasionally be assigning readings from Ross Anderson's [Security
Engineering](https://www.cl.cam.ac.uk/~rja14/book.html) and various other
online resources and research papers. We may also assign optional reading from
Jon Erickson's [Hacking: The Art of
Exploitation](https://nostarch.com/hacking2.htm).
Evaluation and grading
==============================================================
Beyond lectures, we will reinforce concepts and explore new ones via
programming assignments, a final exam, and online discussions. Each of these
will be used towards your final grade, as further described below.
Programming assignments (55%)
-----------------------
We will have eight programming assignments. These assignments are meant to both
reinforce your knowledge of the concepts covered in lecture and get you to
think about security in more depth, beyond what is covered in lecture.
You are expected to work on the assignments by yourself. You may discuss the
assignments with students from the course---in general---but not any specific
solution. There are no late days, but you will receive an additional 10% if you
turn in your assignment by the early date. Specifically, we'll compute each
assignment grade as:
```
early ? min(100%, grade + grade*10%) : grade
```
If you consult anything (books, academic papers, internet resources, people)
when working on the assignments, note this in your submission. We encourage
outside learning but expect you to not seek out specific details about a
solution---anything submitted should be considered your own work. Similarly,
you are expected to not publish or otherwise share your solutions at any point
(even after the class is over). If you are unsure about what is allowed,
please ask the course staff.
Exam (40%)
-----------------------
The midterm is
**closed-book**, but you may use a double-sided cheat sheet (letter-size).
The final is
**closed-book**, but you may use 2 double-sided cheat sheets (letter-size).
The exams will make up 40% of your grade. Since the final is cumulative, your
midterm grade will be calculated as:
```
midterm > 0 ? max(final, midterm) : 0
```
This means that (1) you basically get a second chance if you don't do so well on
the midterm and (2) you must show up to both the midterm and the final. If you
need to miss either exam because of an emergency, contact the instructor.
Participation (5%)
-----------------------
We will assign readings with most lectures. You are expected to have a vague
understanding of the concepts that will be discussed in class. This will allow
us to spend the lecture time to solidify your understanding. But we recommend
re-reading after class as well.
Asking and answering questions in lecture, on Piazza, or during office hours
counts towards your class participation. Starting discussions (e.g., around the
readings) online also counts and is encouraged!
Scribe notes (≤ 10%)
-----------------------
We are working on scribe notes to make up for the lack of a textbook. Groups
from [Nadia Heninger](https://cseweb.ucsd.edu/~nadiah/)'s CSE 127 (Winter 2021)
put together the first set of lecture notes. You can earn up to 10% in extra
credit by contributing to this effort. Since this is extra credit (and you
would be editing existing text), we expect your contributions to be
substantial: This means the final text should be clear, well-organized, and
complete. Take a look at [scribe notes from David Wagner's class at
Berkeley](https://sp20.cs161.org/assets/notes/MemorySafety.1.24.pdf) for
motivation. If you are interested in this, form a group and contact the
instructor.
Academic integrity and student conduct
==============================================================
By taking this course, you implicitly agree to abide by the UCSD policies on
[Integrity of
Scholarship](https://senate.ucsd.edu/Operating-Procedures/Senate-Manual/appendices/2)
and [Student Conduct](https://students.ucsd.edu/sponsor/student-conduct/). See
the [Academic Integrity Support for Remote
Learning](https://academicintegrity.ucsd.edu/take-action/covid-19-students.html).
University rules on integrity of scholarship and code of conduct are taken
seriously and will be enforced.
Acknowledgements
==============================================================
The course structure and many of the ideas and slides are influenced by or taken directly from
other courses taught at
Berkeley ([David Wagner](https://people.eecs.berkeley.edu/~daw/) and [Raluca Popa](https://people.eecs.berkeley.edu/~raluca/)),
Oberlin ([Stephen Checkoway](https://checkoway.net/)),
Stanford ([Dan Boneh](https://crypto.stanford.edu/~dabo/), [John Mitchell](https://theory.stanford.edu/people/jcm/), and [Zakir Durumeric](https://zakird.com)),
UT Austin ([Hovav Shacham](https://www.cs.utexas.edu/directory/hovav-shacham)),
UCSD ([Stefan Savage](https://cseweb.ucsd.edu/~savage/), [Nadia Heninger](https://cseweb.ucsd.edu/~nadiah/)) and
UIUC ([Kirill Levchenko](https://klevchen.ece.illinois.edu/)).
If we missed anybody please let us know!