CIS 551 / TCOM 401 - Computer and Network Security
Spring 2008


Topics     Reading     Projects     Grading     Lectures     Policies

Time: Tues. & Thurs. 1:30 - 3:00
Room: Towne 303

Instructor:

    Steve Zdancewic
      e-mail: cis551 (AT) seas.upenn.edu
      office hours: Tues. 9:30-10:30 (and by appointment) Levine 511

Teaching Assistant:

  Jianzhou Zhao
      e-mail: cis551 (AT) seas.upenn.edu
      office hours: Weds. 1:30 - 2:30
      Location: 612 Levine Hall

Course contact information:

  Class mailing list: CIS551-401-08A (AT) lists.upenn.edu (open to all members of the class)
  News group: upenn.cis.cis551

Topics:

  • System Security: hacker behavior, intrusion & anomaly detection, hacker and admin tools
  • Networks & Infrastructure: TCP/IP, Denial of Service, IPSEC, TLS/SSL
  • Basic Cryptography: Shared key crypto (AES/DES), Public Key Crypto (RSA), hashes
  • Crypto software: Open SSL library, applications (authentication, digital signatures)
  • Trust & Configuration management
  • Malicious code: buffer overflows, viruses, worms, protection mechanisms
  • Covert Channels

Reading

The following books contain useful course material, and much of the lecture content is derived from them (and other sources). Copies of these books are on reserve in the Penn Engineering Library.

  • Security in Computing (3rd edition) by Pfleeger and Pfleeger
  • Computer Networks: A Systems Approach (3rd edition) by Larry L. Peterson and Bruce S. Davie
  • Applied Cryptography (2nd edition) by Bruce Schneier

In addition, the following papers and web sites provide supplementary material. Reading selections from these sources will be announced in class.

Projects

Project 1: Buffer Overflows Due: 8 Feb. 2008 at 11:59 p.m.

Project 2: Network Intrusion Detection Due: 7 Mar. 2008 at 11:59 p.m.

Project 3: Cryptography Due: 4 April 2008 at 11:59 p.m.
Project 4: Secure Distributed Banking Due: 02 May 2008 at 11:59 p.m.

Grading Criteria

  • 16%   Midterm I - tentative date Feb. 19th
  • 16%   Midterm II - tentative date Apr. 1st
  • 25%   Final exam - date to be determined by registrar
  • 40%   Course projects (group projects)
  • 03%   Course participation

Lecture Slides and Notes

Schedule

Date
Topic
Notes
1/17
Introduction & Overview

1/22
Secure Systems Design & Buffer Overflows

1/24
Buffer Overflows & Malicious Code

1/29
Worms & Worm Propagation Models

2/1
Access Control I

2/5
Access Control II, Multilevel Security

2/7
Java & C# Stack Inspection

2/12
Covert Channels / TCSEC / Common Criteria

2/14
Networks Basics Review / CRCs

2/19
Midterm I

2/21
Ethernet, 802.11, WEP

2/26
802.11, WEP, TCP

2/28
IP / ARP / DNS / Attacks

3/4
NATs / Firewalls / Figerprint Extraction

3/6
Intrusion / Preliminary Cryptography

3/11

Spring Break
3/13

Spring Break
3/18
Block Ciphers/DES/AES/Hashes/Diffie-Hellman

3/20
Public Key Cryptography / RSA

3/25
Dolev Yao / Authentication Protocols

3/27
Signatures / Key Exchange / Kerberos

4/1

Midterm II
4/3
SSH / Human Authentication/ S/Key

4/8
Trusted Computing / Attestation

4/10
Electronic Voting (I)

4/15
Electronig Voting (II)

4/17
Secret Sharing / Anonymity

4/22
Web Security (I)

4/24
Web Security (II) / Phishing

4/29
Review
Last day of classes
5/12
Final Exam
Noon - 2:00, DRLB A6
*indicates dates when Prof. Zdancewic will be away.

Course Policies

  • Individual homework assignments will be available on the web pages. They are to be completed independently and turned in at the beginning of class on the due date.
  • Late homework will not be accepted without prior permission of the instructor unless there are emergency circumstances.
  • Teams for group projects will consist of two or three students. Students are not permitted to work individually on the team projects.

Regrade Policy

Regrade requests should be sent to the TA. Only reasonable requests will be considered. The entire homework or exam will be regraded. Note that this means that the score on a regraded homework might decrease.

Academic Integrity

This course will abide by the University's Code of Academic Integrity. In particular, for individual projects and group projects, the following guidelines should be followed:
  • For individual projects, you must type in and edit your own code, documentation, and any other materials submitted for grading.
    • Copying someone else's file is not allowed.
    • Allowing someone else to copy a file of yours, either explicitly or implicitly by leaving your code unprotected, is not allowed.
    • Editing each other's files is not allowed
  • Regarding the ethics of what you may or may not discuss with others:
    • "High level" discussions are fine.
      For example, discussions about the problem statement.
    • "Low level" discussions are fine.
      For example, discussions about C syntax or using gdb, understanding compiler error messages, understanding the mechanics of the tools and libraries used for the projects.
    • "Mid level" discussions require discretion. In this CIS course, discussions at this level must be limited.  Unless explicitly stated otherwise, you may not collaborate significantly with classmates (except group project members) at this level.  If you have minor discussions with others at this level or get help from outside resources (tutors, web sites, etc), you must cite at the top of the submitted projects the names of the people or websites who helped you and how they did. For example:
            /**
             * Chris Brown
             * Project 1
             * 5/6/2008
             * I received tips from Jo Johnson on the i/o and example.com/mem.htm on memory
             */
              
  • If there is any doubt about the use of external sources or collabortation, please ask for clarification by the course staff.