CS 231: Computer Security

Fall 2016

Help

Samples

Class Notes

Week 1

Trust, thinking about threats, and a mini-intro to TCP/IP

• [Read by 9/14] Inside the Twisted Mind of the Security Professional, by Bruce Schneier
• [Read by 9/14] Reflections on Trusting Trust, by Ken Thompson. Also, do some searching to learn about the aftermath of the presentation of this paper.
• [Read by 9/14] The Preface and Chapter 1 of Ross Anderson's Security Engineering, 2nd edition
• [Due 9:50, 9/16] A network tools scavenger hunt. NOTE: bring your answers printed out on paper to class on Friday.
• [Read by 9/19] Sections 1, 1.1, 2, 2.1, and 2.2 of RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. Also, all of Section 4 and Section 5.5 in RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. Bring questions to class.

Week 2

Packet sniffing with wireshark; beginning cryptography; SSH

• [In class 9/19] Getting started with Wireshark. Optionally, hand in questions you would like Jeff to discuss on Wednesday.
• [Due 11:59PM 9/22] HTTP's Basic Access Authentication: a Story. Hand in via Moodle.
• [Read by 9/23] The RSA cryptosystem (Wikipedia)
• [By 9/23] Find answers to these questions about cryptography. Nothing to hand in.

Week 3

Cryptography continued; SSH

• [Due 11:59PM 9/27] Being Eve
• [In class, 9/26] Lab: RSA in practice
• [Read by 9/28] Cryptographic hash functions (Wikipedia) and Public key infrastructure (Wikipedia)
• [Read by 9/30] X.509 (Wikipedia)
• [Due 11:59PM 9/30] Some cryptographic scenarios

Week 4

SSL/TLS

• [Read during the week of 10/3] advice for reading the SSH specification.
• [Due 11:59PM 10/7] Connecting SSH packets to the specs. You'll have at least half of class time on 10/5 to work on this assignment.

Week 5

Threat modeling, social engineering

• [Read by 10/10] Application Threat Modeling. Try to extract a short list of key ideas from this moderately long article. Also, read Sections 8.2 and 8.3 of Anderson's Security Engineering, with a focus on the nature of security policy models, the Bell-LaPadula model, and the Biba model.
• [Read by 10/12] The CIA Triad. Dig a little deeper by reading this blog post questioning the currency of the CIA Triad, as well as this description of the more detailed framework, the Parkerian Hexad.
• [Read by 10/14] Chapter 2 from Anderson's Security Engineering, on the relevance of usability and psychology to security. Also...[I have to find the other thing I want you to read here...I'll find it this weekend]
• [Due 11:59PM Thursday 10/13] A STRIDE-based threat analysis
• [In class, 10/12] Passwords: round 1
• [In class, 10/14] Passwords: round 2

Week 6

Midterm break, XSS, ARP cache poisoning

• [Due 11:59PM Friday 10/21] Cross-site scripting
• [Read by 10/21] Address Resolution Protocol and ARP Spoofing. On Friday, we'll discuss ARP Spoofing as a technique for establishing man-in-the-middle status.

Week 7

Buffer overflow, ARP poisoning, etc.

• [Lab in class] Buffer overflow lab. Nothing to hand in.
• [Slides due 8:00PM Tuesday 11/1] "How does it work?" presentation.

Week 8

Voting, presentations, visitors

• [By 11/2] If you have questions you want to ask the Nov 4 visitors from CrowdStrike, post your questions on this spreadsheet.

Weeks 9, 10

Wrapping up.

• [Links due by 11:59PM Sunday, 11/13] A research project in web form
• [5:00PM, 11/21] Takehome final. Submit as a PDF via Moodle. Include your source code, if any, in your PDF as appendices.