Syllabus
Table of contents
- Overview
- Intended audience
- Course outline
- Grading policies
- Textbook and other resources
- Course mechanics
- Communication
- Teaching with health and wellness considerations
- Highlighted university policies
- Territorial acknowledgement
This syllabus is a guideline for the course and not a contract. As such, its terms may be altered when doing so is, in the opinion of the instructor(s), in the best interests of the class.
Overview
This course provides an introduction to security issues in modern software, operating systems, and other computing platforms (e.g., mobile and cloud environments). It examines causes of security breaches and gives methods to help detect, isolate, and prevent them.
Students completing this course should be able to identify common attack vectors against modern computing environments and deploy state-of-the-practice detection and defense practices.
Intended audience
Third or fourth year CS students (CS 489), or first year CS graduate students (CS 698)
Prerequisites
CS 350 (Operating Systems). Familiarity with C.
Course outline
Module - Introduction to Software and System Security
- Resources
- slides.pdf
- Jan 09
- Lecture: Course logistics
- Lecture: Basic concepts in security
- Textbook Pfleeger et al. chapters 1.1 - 1.8
- Textbook van Oorschot chapters 1.1 - 1.4, 1.6
- Optional reading The 10 privacy principles of PIPEDA
- Optional reading A terminology for talking about privacy
- Optional reading Federal privacy reform in Canada: The Consumer Privacy Protection Act
- Optional reading Modernizing Canada’s Privacy Act
- Optional reading Microsoft’s report on Russian Cyberattacks in Ukraine
- Optional reading Social Security Employees in Illinois Sentenced in Federal Court on Charges Including Bribery and Identity Theft
Module - Program Security
- Resources
- slides.pdf
- Jan 11
- Lecture: Flaws and failures
- Textbook Pfleeger et al. chapters 3.1
- Textbook van Oorschot chapters 6.1 - 6.8
- Mandatory reading before class Smashing The Stack For Fun And Profit
- Optional reading On the Evolution of Buffer Overflows
- Optional reading Exploiting Format String Vulnerabilities
- Optional reading Example format string vulnerabilities (November 2011)
- Optional reading Example format string vulnerabilities (May 2012)
- Optional reading A Taxonomy of Computer Program Security Flaws, with Examples
- Jan 16
- Lecture: Unintentional Security flaws and malicious code
- Textbook Pfleeger et al. chapters 3.2
- Textbook van Oorschot chapters 7.1 - 7.4
- Optional reading Morris worm
- Optional reading The Spread of the Sapphire/Slammer Worm
- Optional reading Slammed!
- Optional reading Technical analysis of client identification mechanisms
- Jan 18
- Lecture: Defenses against security flaws
- Textbook Pfleeger et al. chapters 3.2
- Textbook van Oorschot chapters 7.5 - 7.9
- Mandatory reading before class Reflections on Trusting Trust
- Optional reading US Federal Student Aid website has a Facebook web bug
- Optional reading Linux Kernel “Back Door” Attempt
- Optional reading The backdooring of SquirrelMail
- Optional reading Clickjacking attack (Interface illusion)
- Optional reading MITM Malware Re-Writes Online Bank Statements
- Jan 23
- Lecture: Defenses against security flaws (continued)
- Textbook Pfleeger et al. chapters 3.3
- Textbook van Oorschot chapters 1.7, 6.9
- Optional reading An operating system kernel with a formal proof of security
- Optional reading Bugs in open source software: #gotofail
- Optional reading Bugs in open source software: Heartbleed
Module - Operating System Security
- Resources
- slides.pdf
- Jan 25
- Lecture: Protecting OSes and access control
- Textbook Pfleeger et al. chapters 5.1
- Textbook van Oorschot chapters 5.1 - 5.2
- Optional reading Android permissions demystified
- Optional reading Google launches its third major operating system, Fuchsia
- Jan 30
- Lecture: User authentication
- Textbook Pfleeger et al. chapters 5.1
- Textbook van Oorschot chapters 5.1 - 5.2
- Optional reading Breaking SMS-based two-factor authentication: Attacking the cellular network
- Optional reading Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages
- Optional reading Passphrases that you can memorize — But that even the NSA can’t guess
- Optional reading The top 50 woeful passwords exposed by the Adobe security breach
- Optional reading Password Security: A Case History
- Optional reading Facebook’s password hashing scheme
- Optional reading LinkedIn Revisited - Full 2012 Hash Dump Analysis
- Optional reading Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder
- Optional reading Largest password data breach in history has been leaked online
- Feb 01
- Lecture: Security policies and trusted OSes
- Textbook Pfleeger et al. chapters 5.2
- Textbook van Oorschot chapters 3.5
- Optional reading ‘Fake fingerprint’ Chinese woman fools Japan controls
- Optional reading Politician’s fingerprint ‘cloned from photos’ by hacker
- Optional reading Vietnamese security firm: Your face is easy to fake
- Optional reading Android facial recognition based unlocking can be fooled with photo
- Optional reading Breaking Windows Hello Face Authentication
- Optional reading Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners
- Optional reading Border Drones with Facial Recognition
- Feb 06
- Lecture: Security policies and trusted OSes (continued)
- Textbook Pfleeger et al. chapters 5.2
- Textbook van Oorschot chapters 1.7
- Mandatory reading before class The Protection of Information in Computer Systems, section I.A.
- Optional reading The Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars
- Optional reading Reliably Erasing Data From Flash-Based Solid State Drives
- Optional reading SELinux
Module - Mobile Security
- Resources
- slides.pdf
- Feb 08
- Lecture: Mobile security ecosystem
- Feb 13
- Lecture: Mobile application security
- Feb 15
- Lecture: Advanced topics in Android security
Module - Non-technical Aspects in Security
- Feb 27
- Lecture: Ethical and legal issues
- Lecture: Administering security
- Feb 29
- Lecture: A brief introduction on blockchains
Module - Common Bugs and Vulnerabilities
- Mar 05
- Lecture: Memory errors and data races
- Mar 07
- Lecture: Other typical bug types
Module - Bug Finding Tools and Practices
- Mar 12
- Lecture: Fuzz testing
- Mar 14
- Lecture: Static and symbolic reasoning
Module - Defenses against Common Vulnerabilities
- Mar 19
- Lecture: Runtime sanity checks
- Mar 21
- Lecture: Moving-target defense
- Mar 26
- Lecture: Compartmentalization / sandboxing
- Mar 28
- Lecture: Authentication and capabilities
Module - Hardware Security
- Apr 02
- Lecture: Hardware security accelerators
- Apr 04
- Lecture: Side channel attacks and defenses
Grading policies
Score composition
Grades will be calculated as follows:
Component | Weight (CS 489) | Weight (CS 698) |
---|---|---|
Assignment 1 | 25% | 20% |
Assignment 2 | 25% | 20% |
Assignment 3 | 25% | 20% |
Assignment 4 | 25% | 20% |
Research write-up | (optional) | 20% |
For students taking CS 489, the research project is optional. But if you choose to do it, you can use the grade to replace the lowest grade of your assignments. For students taking CS 698, the research project is mandatory.
Please consult the course weekly schedule for the assessment deadlines.
Assignment details
Course assignments: The four assignments might include either written or programming exercises or both, and cover new material in the course since the previous assignment.
Please start working on the assignments in advance of the deadlines. To motivate you to do so, we may require you to submit milestones for some or all of them.
Assignments can be submitted multiple times, and the last one will be used for marking.
Assignments 1 - 4 are due by the end of day (i.e., 11:59pm) Waterloo time on their respective due dates. These assignments are to be submitted electronically with the submit command. Assignments submitted by other means will not be accepted.
Late submission of course assignments
Late submissions for any of these assignments will, in general, NOT be accepted unless you have presented a valid Verification of Illness Form to your corresponding faculty/department (e.g., for students in the Math faculty, please follow instructions here).
If you anticipate any severe, long-lasting problems that prevent you from completing an assignment on time, you must notify your instructor(s) well before the due date (at least a week) to receive an accommodation.
Marks and comments for the assignments will be returned using a course-specific web service.
Research project: Students registered in CS 698 must conduct a mini research project on a topic related to software and system security. (This assessment component is optional for students enrolled in CS 489). See the assessment page for details.
Late submission of the research write-up
Late submission for the research write-up is NOT accepted given the sufficiently long preparation time for this assignment.
Reappraisal policy
If you have an assignment that you would like to have reappraised, please follow the instructions given on Piazza to submit your request. Include a clear justification for your claims. The appeals deadline is one week after the respective graded item is first made available. If your appeal is concerned with a simple calculation error, please see the TA(s) during their office hours.
For students auditing this course
Students who are auditing this course are encouraged to complete all assignments similar to grade-seeking students. To pass this course in auditing, the minimal requirement is scoring at least 25% in the overall course grade.
Textbook and other resources
The textbooks for this course include:
Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (2nd Edition) by Paul C. van Oorschot. Springer, 2021. ISBN: 978-3-030-83410-4 (hardcopy), 978-3-030-83411-1 (eBook). This textbook is freely available for download from the author’s web page.
Security in Computing (5th Edition) by Charles P. Pfleeger, Shari Lawrence Pfleeger, and Jonathan Margulies. Prentice-Hall, 2015. ISBN: 0-13-408504-3. Link to book information.
Additional readings will be assigned, and will appear on the course website; readings marked as mandatory contain required material for the course. You must read these mandatory readings; those marked before class must be read before the date of the corresponding lecture.
Other resources for this course include:
- Schneier on Security: A blog covering current computer security and privacy issues.
- The RISKS Digest: A forum on risks to the public in computers and related systems.
- BugTraq: A full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities.
- Freedom To Tinker: A blog which often discusses security and privacy issues, frequently related to copyright and to electronic voting.
- Threat Level: A forum dedicated to privacy, crime and security online.
Course mechanics
- Working remotely: The CSCF offers a help page regarding CS and campus VPNs.
- Linux account: If you do not have a linux.student.cs account for some reason, ask CSCF helpdesk for help. If you need to reset your password see CSCF account help.
- submit command: We will be using the submit command to submit assignments 1, 2 and 3. You may consult this CSCF submit page. You should make sure early on that the submit command works for you. You should check whether your submitted files correspond to the ones that you intend to submit using the -print option of the submit command. We may run submissions through MOSS to detect code similarity.
Communication
It is your responsibility to keep up with all course-related information posted to Piazza and the course website.
- Piazza: Please direct all communication to the discussion forums on Piazza. This includes questions on materials in lectures, assignments, and general logistics. Bear in mind the following etiquette when communicating on Piazza:
- Please go through your peers’ and the instructors/TAs’ notes or comments, before posting a question.
- If the question doesn’t exist and it involves private content (query about grades, partial progress towards solution), create a private question that is only visible to the instructors and TAs. (The instructor(s) or TAs may make a private question public, possibly after editing it, if they decide that it is of general interest.) Otherwise, in general, create a public post so that your peers can benefit from the answers/comments too.
- Tag your question with the appropriate folder for the assignment etc.
- Email: Important course information will generally be posted to Piazza, but may also be sent to your uwaterloo.ca email address. For personal matters, such as an illness, please email the instructors directly. We will only reply to email from your uwaterloo.ca email address, because of privacy rules.
Teaching with health and wellness considerations
As the university resumes in-person teaching practices, we will follow university policies and recommendations for an on-campus teaching experience for course delivery, i.e., lectures will NOT be recorded nor live-streamed.
If you have long-lasting health or wellness issues, please discuss them with the course instructors as early as possible so we can arrange accommodations accordingly.
Highlighted university policies
Security information
In this course, you will be exposed to information about security problems and vulnerabilities with computing systems and networks. To be clear, you are not to use this or any other similar information to test the security of, break into, compromise, or otherwise attack, any system or network without the express consent of the owner. In particular, you will comply with all applicable laws and UW policies, including, but not limited to, the following:
- UW Policy 33, Ethical Behaviour
- Guidelines on Use of UW Computing and Network Resources
- Examples Reflecting the Application of the above Guidelines
- MFCF Account Usage Policy
- CSCF-Specific Policies
Violations will be treated severely, and with zero tolerance.
Academic integrity
Students are encouraged to talk to one another, to the TAs, to the instructor(s), or to anyone else about any of the assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write his or her own solutions, including code and documentation if appropriate, for the assignments. Consulting another student’s solution is prohibited, and submitted solutions may not be copied from any source. In particular, submitting assignments copied in whole or in part from assignment submissions to a previous offering of this course, or from any offering of any other course, is forbidden, even if a student is resubmitting his or her own work. These and any other forms of collaboration on assignments constitute cheating. If you have any questions about whether some activity constitutes cheating, please ask the instructor(s).
The general Faculty and University policy:
- Academic integrity: In order to maintain a culture of academic integrity, members of the University of Waterloo community are expected to promote honesty, trust, fairness, respect and responsibility. Check the Office of Academic Integrity’s website for more information.
- Grievance: A student who believes that a decision affecting some aspect of his/her university life has been unfair or unreasonable may have grounds for initiating a grievance. Read Policy 70 — Student Petitions and Grievances, Section 4. When in doubt please be certain to contact the department’s administrative assistant who will provide further assistance.
- Discipline: A student is expected to know what constitutes academic integrity, to avoid committing academic offenses, and to take responsibility for his/her actions. A student who is unsure whether an action constitutes an offense, or who needs help in learning how to avoid offenses (e.g., plagiarism, cheating) or about “rules” for group work/collaboration should seek guidance from the course professor, academic advisor, or the Undergraduate Associate Dean. For information on categories of offenses and types of penalties, students should refer to Policy 71 — Student Discipline. For typical penalties, check Guidelines for the Assessment of Penalties.
- Avoiding academic offenses: Most students are unaware of the line between acceptable and unacceptable academic behaviour, especially when discussing assignments with classmates and using the work of other students. For information on commonly misunderstood academic offenses and how to avoid them, students should refer to the Faculty of Mathematics Cheating and Student Academic Discipline Policy.
- Appeals: A decision made or a penalty imposed under Policy 70, Student Petitions and Grievances (other than a petition) or Policy 71, Student Discipline may be appealed if there is a ground. A student who believes he/she has a ground for an appeal should refer to Policy 72 — Student Appeals.
Diversity
It is our intent that students from all diverse backgrounds and perspectives be well served by this course, and that students’ learning needs be addressed both in and out of class. We recognize the immense value of the diversity in identities, perspectives, and contributions that students bring, and the benefit it has on our educational environment. Your suggestions are encouraged and appreciated. Please let us know ways to improve the effectiveness of the course for you personally or for other students or student groups. In particular:
- We will gladly honour your request to address you by an alternate/preferred name or gender pronoun. Please advise us of this preference early in the semester so we may make appropriate changes to our records.
- We will honour your religious holidays and celebrations. Please inform us of these at the start of the course.
- We will follow AccessAbility Services guidelines and protocols on how to best support students with different learning needs.
Note for Students with Disabilities: AccessAbility Services, located in Needles Hall North, Room 1401, collaborates with all academic departments to arrange appropriate accommodations for students with disabilities without compromising the academic integrity of the curriculum. If you require academic accommodations to lessen the impact of your disability, please register with AccessAbility at the beginning of each academic term.
Mental health support
The Faculty of Math encourages students to seek out mental health support if needed.
On-campus Resources:
- Campus Wellness
- Counselling Services: email or 519-888-4567 ext 32655
- MATES: one-to-one peer support program offered by Federation of Students (FEDS) and Counselling Services: email
- Health Services: located across the creek from the Student Life Centre, 519-888-4096
Off-campus Resources:
- Good2Talk (24/7): Free confidential help line for post-secondary students, 1-866-925-5454
- Here 24/7: Mental Health and Crisis Service Team, 1-844-437-3247
- OK2BME: set of support services for lesbian, gay, bisexual, transgender or questioning teens in Waterloo, 519-884-0000 ext 213
Territorial acknowledgement
We acknowledge that we live and work on the traditional territory of the Attawandaron (Neutral), Anishinaabeg, and Haudenosaunee peoples. The University of Waterloo is situated on the Haldimand Tract, the land promised to the Six Nations that includes ten kilometres on each side of the Grand River.