Announcements

The final assignment is now up on Crowdmark. You should all have received an email notification, if you have not received a notification contact us. Piazza will be disabled for the duration of the assignment, so in case of missing email notifications or other technical issues contact us via email ( m285xu@uwaterloo.ca and hliljest@uwaterloo.ca ).

The assignment is timed. Once started you will have a limited time to complete it; you must complete the assignment before Tuesday, April 12, at 5pm. The assignment description from Crowdmark is below.

Good luck!

The final assignment is available on Monday, April 11th, 2022, at 08:00. Assignment is due before Tuesday, April 12th, 2022, at 17:00.

Once started you will have 2h to complete the assignment on Crowdmark (but no later than the due date). The submission system (Crowdmark) will allow late submissions but you will be penalized 1% per minute.

Total marks: 60 marks

General notes

• You can make use of whatever resources you wish when completing this exam; including your lecture notes, lecture and interactive session materials, course textbooks, assigned readings, or information you source from online resources. If you use resources other than the course material and the course textbook(s), these must be cited.

• If you think there is something ambiguous about a question that forces you to make additional assumptions beyond what the question details, then state those clearly in your response. Do not make unnecessary assumptions that trivialize the question.

• If you run into technical issues, complete the assignment as best you can and contact us via email as soon as possible ( m285xu@uwaterloo.ca and hliljest@uwaterloo.ca ). Piazza will be disabled for the duration of the assignment.

• Academic integrity rules are in force. Do not discuss ideas or approaches to questions with anyone else, including other students taking this course. This assignment is to be an individual effort. Remember that in situations where two or more people submit answers that suggest collusion, ALL persons involved are subject to academic discipline — even if one of those persons created original work and did not copy any information from the other parties.

• Remember to read the questions carefully so you know what is being asked before you craft your answer. You are encouraged to provide sharp, to-the-point responses. Often a fact-filled sentence or two will suffice. Present your answers in a way that makes it easy for the TAs to spot the key points you want to share.

• All questions are answered on Crowdmark. You can use Markdown formatting, but are not required to do so. The questions do not require you to attach files, but if you absolutely want, you can do that.

The grades for Assignment 3 are now released on infodist.

Let us know as soon as possible if you have not received your grade, or if you think a reappraisal is warranted. As before, the deadline for reappraisals is one week (i.e., Wednesday, April 13th). You can find the reappraisal policy on the course syllabus. You can post request privately on Piazza along with a clear justification for your claims.

Hi Everyone,

Welcome to the last week of lectures for CS458/658.

The logistics of the final exam is uploaded in this slide deck. We also prepared a set of review slides that highlights some of the important points covered in the course. We will go over both sets of slides in the last interactive session on April 4th and will upload the lecture recordings as usual.

Thank you again for taking this course with us and best of luck for your exams and future works!

Hi all, we will next Monday publish an optional practice assignment on Crowdmark. It will follow the same logistics as will the final assignment, and is intended to allow you to familiarize yourself with Crowdmark and the assignment logistics. The practice assignment does not include questions and will not be graded in any way. But it will otherwise be set up similar to the final assignment.

While not mandatory, I encourage everyone to submit the practice assignment to make sure everything works as you expect during the actual final assignment. You will on Monday get an email from Crowdmark notifying you about the practice assignment.

Please let us know if you do not, on Monday, receive a notification, have trouble accessing Crowdmark, or cannot find the practice assignment for CS458/658.

For CS658 students who need to submit a survey paper for this course:

Per the discussion on Piazza (question 694), we decided to be OK with a 48-hour extension but anyone submitted the survey paper after the scheduled deadline (which is April 1st, 5pm) will be subject to a 10% penalty on the survey paper itself. No further extensions will be allowed after the 48-hour period.

We hope this can help offload some pressure of the exam period without losing fairness with students who manage to submit the survey paper on time.

Welcome to Module 7, which is also the last module of this course.

In this module, we will cover non-technical aspects of security and privacy related to Computer Science. In particular, we will cover ethics, legal issues, and good practices of administrating security in a corporation setting. As the name suggests, the content is will not be as technical as prior modules but is equally important regardless of what your future endeavors might be.

Note that there are only two lectures on Module 7, so the self-test of Module 7 due this Friday! This Friday also marks the due date for the blog post assignment and the survey paper submission (for CS658). Hurry up if you haven’t completed them.

We will also cover a review of this course next Monday, which will be the last lecture for this course.

Hi Everyone,

The Student Course Perception Survey is now open and your participation and feedback is much appreciated. This is an excellent opportunity for you to evaluate our teaching performance and provide feedback on how this course can be further improved. Rest assured that the survey is anonymous (i.e., all identifying data removed) and all evaluations, comments, and feedback will be taken seriously by us to improve both the course content as well as our teaching styles.

The survey will be open from Wed, Mar 23 midnight to Tue, Apr 5 11:59 p.m.

• If you are taking Section 1, i.e., the 2:30 - 4:00pm session, please follow this link to complete the survey.
• If you are taking Section 2, i.e., the 10:00 - 11:30am session, please follow this link to complete the survey.

This term has been particularly tricky as the school started in full online mode and flipped halfway into the hybrid mode of both in-person and online teaching. Hans and I would like to thank you all for being patient with us as we navigate out of these hard times. We sincerely hope that you enjoyed the course and all the best to your future endeavors.

Best Regards,

Hans & Meng

The grades for Assignment 2 are released.

Let us know as soon as possible if you have not received your grade, or if you think a reappraisal is warranted. As before, the deadline for reappraisals is one week (i.e., Friday, March 25th). You can find the reappraisal policy on the course syllabus. You can post request privately on Piazza along with a clear justification for your claims.

Welcome to Module 6!

This module is about data security and privacy. In this week, we will introduce security concerns in a database design and also discuss some attacks and defenses around data inferences. The next week will be covering differential privacy, a fascinating new privacy notion that is both widely deployed now and under intensive research.

The topic for the interactive session is still open although the tentative plan is to discuss a bit about privacy-preserving data analytics as well as adversarial machine learning (as usual, attacks and defenses).

Last but not least, the milestone for Assignment 3 due at Friday 5pm this week and the full submission due next Friday 5pm. Good luck!

Assignment 3 is released today with milestone due on March 18, 5pm and the full submission due on March 25, 5pm.

Good luck!

In the blog task assignment, we require that the sign-up needs to be done before the reading week in order to get marks for this assignment. Unfortunately, this does not seem to be highlighted enough and as a result, we still got several requests on signing-up for blog posts after the deadline.

In light of this situation, and considering that posting and commenting on security and privacy incidents are beneficial to the whole class, we are considering to move to allowing the blog task sign-up until the due date of this assignment (which is Friday, April 1st at 5pm). However, to be fair with other students who follow the instruction and sign-up before the Reading Week, anyone who signs-up after the Reading Week will receive at most 50% of the marks for this assignment only. That is, at most 2.5% on the overall course grade for this assignment.

TL;DR: For undergraduate students enrolled in CS458, we now offer a cash award of $1,000 for the top-performer of this course.

Award Description

The Cybersecurity and Privacy Institute (CPI) Undergraduate Award is one award, valued at $1,000, to be provided to a full-time student enrolled in CS458. This award is made possible by the Cybersecurity and Privacy Institute to encourage students to actively participate in computer security courses.

Eligibility and Selection

To be eligible for this award, you must be a full-time undergraduate student enrolled in CS458 for the W22 term.

Selection will be based on

• Final course grade (overall ranking)
• Consistency of performance (i.e., minimal 80% course grades in all evaluated components)
• Participation in the class (in-lecture questions, Piazza, etc) – only used to break ties in the final grade

Administration

The award will be administered in accordance with the above terms and conditions, as well as the UW Policy on Undergraduate Student Awards as amended from time to time.

Every eligible student will be automatically considered for the award. If you do not want want to be considered for the award, let us know in writing before the end of the course.

The winner of this award will be announced once all grades for CS458 are finalized. Accepting this award implies a consent to allow your name to be announced in a CPI news item and the CPI website.

About CPI

Cybersecurity and privacy are emerging as central issues our society needs to tackle in the coming decade to secure our future. The University of Waterloo’s Cybersecurity and Privacy Institute (CPI) is tackling these challenges head-on by building on Waterloo’s expertise in computer science, engineering, mathematics, cryptography and quantum computing to create world-leading cybersecurity research and technologies and increasing interdisciplinary collaboration across all faculties.

CPI is hosting a public outreach lecture series titled CPI Talks. CPI Talks will feature well-known experts speaking on cybersecurity and privacy topics that concern the general public as a whole. The talks are intended for people from all walks of life, and thus will be designed so that they are accessible to members of the general public without any pre-requisite background or knowledge in cybersecurity and privacy. In our increasingly digital world, cybersecurity and privacy concerns affect everyone. Everyone is therefore welcome to attend CPI Talks. The next talk is scheduled on April 13 by Seny Kamara from Brown University.

Questions?

If you have any question, please feel free to let the course instructors know by email or post on Piazza.

Welcome back from the Reading Week break!

Module 5 will start this week, it is all about security and privacy issues across the Internet stack. In this week, we will review the cryptographic tools that are foundational to secure the modern Internet and discuss concrete uses cases, including bad examples, across the Internet stack.

As announced before the Reading Week, from this week onward, we will resume in-person lectures in the classroom while also streaming the lecture live on Teams (in the course channel). The streaming will be recorded and posted to LEARN after the scheduled time slots.

Last but not least, Assignment 2 due at Friday 5pm this week. Good luck and enjoy your second half of CS 458/658!

The grades for assignment 1 were released earlier this week. Please let us know as soon as possible if you have not received your grade. As per our reappraisal policy, if you like to have the assignment reappraised. The deadline for reappraisal is extended to one week from this announcement (Friday, March 4). You can post requests privately on Piazza, where you should include a clear justification for your claims.

When we resume in-person activities on Feb 7th, we promised to re-evaluate the in-person teaching situation for this course by the Reading Week. Per the university announcement on Feb 14th, campus re-opening is more affirmative than ever and our experience for the past two weeks also suggested that live lectures can yield better learning experience than video recordings, at least for students who attend the on-campus sessions.

As a result, starting from Feb 28, we will stop using pre-recorded videos for lectures. Instead, we will conduct in-person lectures in the classroom while also streaming the lecture live on Teams (in the course channel). The streaming will be recorded and posted to LEARN after the scheduled time slots.

This change does not mean that we encourage everyone to join our in-person lectures. Instead, if you are feeling unwell or have concerns about the COVID-19 situation, please follow the university guidelines and use the best learning approach you feel comfortable with.

For students who are unable to attend in-person lectures for any reasons, you are expected to have a similar learning experience like the first half of the course, with the only exception being that videos are now available after the lecture instead of before hand.

There is no change on the schedule or content of the course. All assignments will remain online accessible and there will not be any in-person exams. Both instructor office hours and TA office hours will remain online as well.

We are still in this learn-and-adapt phase of return-to-campus so do let us know (via email, office hours, or Piazza) if you have any concerns or feedbacks. We also appreciate the patience and understanding you have shown to us. You all have done a great job in the first half of this course and a Reading Week is well deserved! Enjoy this break and see you again on Feb 28.

Today’s in-person lectures are now over. Announcement-wise, nothing new regarding deadlines; for CS-658 students, you can send your proposals (privately) via Piazza or via email. Regarding assignment 1 grading: it is still ongoing, if possible we will publish those next week, but we cannot promise that.

We apologize for fumbling with the online setup this mornings. Because of this there is only one usable recording (the afternoon session), although the content should be about the same. This should not happen again, but if we nonetheless have issues in the future, please feel free to ping us directly on Teams or elsewhere to bring this to our attention.

On Monday, we will take a brief look back at assignment 1, and then use Wireshark to inspect a traffic dumps to look at encapsulation and port scanning in practice. Base on last week’s experience I suggest we adopt a flipped-classroom approach for the part 3 videos, and discuss possible open questions on Mon/Wed instead of watching the videos in-class.

On Wednesday, in the Interactive session, we will then look at DNS poisoning and ARP spoofing attacks, and traffic dumps thereof. We’ll again be using Wireshark on Wednesday, so those who wish to participate are encouraged to install it beforehand.

As a reminder, the milestone for assignment 2 is due on Friday 5pm, as is the quiz. For those taking CS-658, topic proposals are also due this week.

To avoid the overlapping of Assignment 2 and Assignment 3, we decided to push back the release and due dates for Assignment 3 by one week. Assignment 3 will be released on Wednesday, March 09th with milestone due on Friday, March 18th 5pm and full submission due on Friday, March 25th 5pm.

For everyone taking CS658, this is a kind reminder that you need to turn in a one-page proposal for the survey paper by next Friday 5pm (before the reading week). The proposal should include at least 10 references, preferably papers from top-tier academic conferences.

You also need to get an approval for the survey topic (to make sure that the topic is at an appropriate scope). Please feel free to reach us by making (private) posts on Piazza or by emailing us directly. The instructor office hour next Wednesday (1-2pm) might also be a good opportunity to get topic approvals and/or advice on writing a survey paper.

Assignment 2 is out!

For the lecture today, we will start with a short recap of part 1 of the videos, and some thoughts on how we got to network security from program and operating system security. We will also take a brief look at Assignment 2. And finally, we will end the session by watching part 2 videos for Module. If you have any questions related to the material, you can post them on Piazza beforehand, and of course, bring them up during the lecture.

Welcome to Week 6. Module 4 will start this week, it is all about networks, and related threats and security controls. For module 4, we will continue using pre-recorded video lectures and have an interactive session on Feb 16. In addition, during the scheduled lecture times, you can join us either online on Teams, or in-person in the classroom, to watch the video lectures (that you can also watch asynchronously on LEARN just as before). We can also discuss possible questions that arise from the video. The interactive session will continue as before, but also with the possibility of coming to the classroom in-person.

After the days sessions, I will post any any important discussion points, questions and announcements also on LEARN, so those that prefer can continue to watch video lectures on their own schedule. We will also record all live sessions so that you can watch them afterwards.

We will today (Feb 7) watch part 1 of Module 4, and on Wednesday (Feb 9) watch part 2.

Edited to add: If you plan to attend in-person, please come to the session you have registered for. This ensures we follow safe classroom capacity assignments. You can join either session online via Microsoft Teams if you prefer.

Recent requirements from the school require the instructors to be in-person during scheduled lecture hours. As such, starting Feb 7th, we will have an optional in-person lecture viewing and Q&A session. We will continue to use pre-recorded lecture videos that will be available to you from the start of each Module. During the scheduled lectures, we will view the video lectures and answer questions presented on Teams, Piazza, or in the classroom. The Q&A part is going to be recorded, and you can also participate online via Teams.

We will be discussing the Shellshock vulnerability in the interactive session on Feb 2, you can find details in Interactive session 2 (Feb 2).

As you may have noticed, the university will start with in-person activities again February 7th. For this course, it means that we will gradually start increasing in-person activities. At the same time, we want to take into account safety concerns and also minimize disruptions to your coursework.

As such, we will for now continue asynchronous online video lectures. Instead, we will move the interactive sessions to in-person starting February 7th. This ensures that you will continue to have asynchronous access to lecture videos just as before (as opposed to recorded live lectures after the fact); but also that you have an opportunity to meet and interact with the course staff in-person during the interactive sessions.

We will re-evaluate the situation during the reading week depending on the health situation, attendance to interactive sessions, and feedback from you As promised, asynchronous online access to all mandatory material and assignments will be available throughout the course regardless of how the situation develops.

Reminder that the milestone due time for assignment 1 is today at 5pm. As noted in the assignment, you can submit multiple times. Also, remember that although you can submit up until 48 hours after the due date, you will not receive assistance from the course staff during those extra hours.

Welcome to week 4 and the start of Module 3. In this module we will explore the topic of operating system security. We will cover:

• protection in general purpose operating systems,
• access control,
• how operating systems authenticate users,
• security polices and security model, and
• the design of trusted operating systems.

Each of these parts has a separate lecture video (in the Video Lectures section), and reading materials (in Readings).

The Module 3 self-test is also now open.

As a tip for Assignment 1: While Module 2 gives you the necessarily building blocks for your sploits, especially the first parts of Module 3 might give you some new perspective and ideas for more sploits.

Assignment 1 is now out! Do not wait until the last minute before starting, the assignments will require a substantial amount of work and contribute a large portion of the course grade!

Hi all, we will have the first optional interactive session tomorrow. These will take place on the course Teams, and materials will become available under the Interactive Sessions section on LEARN. For now, it includes a short introduction on what to expect from the sessions. There are also instructions on how to install the VM that will be used at least for interactive session 1, should you wish to install it and follow along.

edited to add: The sessions are now scheduled on Teams during the lecture slots at 10:00 and 14:30. The content is the same for both, you can attend whichever you like.

Welcome to week 3! This this week will continue on Module 2. There is no new material/lectures for this week. The deadline for the Module 2 self-test is Friday.

Assignment 1 will be released on Wednesday, and it will have two deadlines: a milestone Jan 28 and a final deadline on Feb 4.

We will also have our first optional interactive session on Wednesday. We will use the course Microsoft Teams for this and will record the session. There will be two identical sessions during the lecture times on Wednesday (10am, and 2:30pm), you are free to attend either of them. The interactive session are optional and will not include new material that is needed to complete the course. The content this week will focus on memory safety errors and will include hand-on debugging of vulnerable code. As the “interactive” implies, we can also discuss other aspects of Module 1 & 2 based on your input.

For those who haven’t completed the Self-test for Module 1, this is a friendly reminder that this quiz is due Today (Jan 14) at 5pm. The 48 hours grace period does not apply to this and all other self-tests in this course.

Hello everyone,

You might have noticed that besides the Self-test for module 1, two more tasks are released today:

• Blog task designed to acquaint you with the latest developments in computer security and privacy and apply the knowledge in this class to analyze real-world situations, and
• Survey paper (for CS 658 only): designed to expose graduate students to the state-of-the-art research in the areas of security and privacy.

Both tasks due towards the end of the term (April 1st, 5pm) and a milestone for these tasks due in the middle of the term (February 18th, 5pm), just before the reading week.

Although these tasks have a late due date, our suggestion is to start early and get familiar with the requirements. It might be a good idea to first come up with a topic you would like to explore in the security and privacy areas. And then go deeper in the topic in one (or both) of these tasks.

Welcome to Week 1. Hope you have had a great recharge during the holidays.

Module 1 is fully released now. There are two video lectures associated with this module.

• Part 1 provides an overview of the course and summarizes some of the important information found in the Course Syllabus.
• Part 2 is a lecture introducing you to the world of privacy and security.

Don’t miss that all modules also include some mandatory and recommended readings. All link to the readings are provided in the Supporting Materials section of Module 1 on LEARN.

When you have reviewed the materials in this module, complete Quiz/Self-test 1 between Wed, Jan-5 8am and Fri, Jan-14 5pm.

Welcome to CS 458/658 in the W22 term!