CS 231: Computer Security

Winter 2018

Help

Samples

Class Notes

Thoughts on improving the course next time

Week 1

Thinking about threats; Kali; TCP, HTTP, and packet sniffing

• [In class 1/3] A brief introduction to Kali Linux
• [Due 8:30, 1/5] A network tools scavenger hunt. NOTE: bring your answers printed on paper to class on Friday.
• [Read by 1/5]
  • Inside the Twisted Mind of the Security Professional, by Bruce Schneier
  • The Preface and Chapter 1 of Ross Anderson's Security Engineering, 2nd edition
  • The CS231 course information page
  • The CS231 ethics page.
• [In class 1/5] Testing your network tools homework.
• [Read by 1/8]
  • Reflections on Trusting Trust, by Ken Thompson. Also, do some searching to learn about the aftermath of the presentation of this paper.
  • Sections 1, 1.1, 2, 2.1, and 2.2 of RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
  • Section 4 and Section 5.5 in RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. Bring questions to class.

Week 2

Packet sniffing with wireshark; a few essential cryptographic concepts

• [In class 1/8] Getting started with Wireshark. Optionally, hand in questions you would like Jeff to discuss on Wednesday.
• [Due 11:59PM 1/10] HTTP's Basic Access Authentication: a Story. Hand in via github as described in the assignment.
• [Read by 1/12] The RSA cryptosystem (Wikipedia) and Diffie-Hellman key exchange (Wikipedia)
• [By 1/12] Find answers to these questions about cryptography. Nothing to hand in.
• [In class 1/12] DH and RSA by hand. Nothing to hand in.
• [Due 11:59PM 1/16] Being Eve

Week 3

PKI; certificates; SSH; TLS

• [Read by 1/22] Cryptographic hash functions (Wikipedia), Public key infrastructure (Wikipedia), and X.509 (Wikipedia)
• [In class 1/19] RSA in practice. Nothing to hand in.
• [Due 11:59PM 1/24] Some cryptographic scenarios
• [Study] Questions about public key infrastructure. Just like the "questions about cryptography" from last week, you should think about these questions in preparation for the in-class exam on 1/29.
• [In class 1/22] Observing an SSH session

Week 4

TLS; exam

• [In class 1/26] Observing a TLS session

Week 5

Threat modeling; miscellaneous conceptual frameworks

• [Read by 2/2]
  • Application Threat Modeling. Try to extract a short list of key ideas from this moderately long article.
  • Sections 8.2 and 8.3 of Anderson's Security Engineering, with a focus on the nature of security policy models, the Bell-LaPadula model, and the Biba model.
  • The CIA Triad.
  • Dig a little deeper by reading this blog post questioning the currency of the CIA Triad
  • And a more detailed framework, the Parkerian Hexad.
• [Due 11:59PM Friday 2/2] A STRIDE-based threat analysis
• [Read by 2/5] Chapter 2 from Anderson's Security Engineering, on the relevance of usability and psychology to security.
• [Due 11:59PM Wednesday 2/7] Passwords

Week 6

Midterm break; intro to penetration testing

• [Due 11:59 Monday 2/12] Host discovery & port scanning

Week 7

More penetration testing; ethics; Sandia Labs visit

• [In class 2/12] Metasploit basics
• [Due 11:59PM Thursday 2/22] "How it works" presentation. See the assignment for details of when to submit slides, and when the presentations will take place.
• [Read by 2/14] ACM Code of Ethics and Professional Conduct
• [Due 11:59PM Wednesday 2/21] Ethics scenario
• [In class 2/16] Cross-site scripting (XSS)

Week 8

Web security; CrowdStrike visit; presentations

Week 9

More presentations; miscellaneous topics

• [Due 5:00PM Wednesday 3/14] Takehome final

Week 10

More miscellaneous topics