CS 4740/6740 - Network Security
|Room:||Hayden Hall 221|
|Office Hours:||Tuesdays, 10am-12pm|
|Teaching Assistant:||Pavitra Srinivasan|
|TA Office Hours:||Wednesdays 10am-12pm in the first floor CCIS Lab|
|Class Forum:||On Piazza|
The networking of the world has brought many tangible benefits to people and companies. However, these networks also enable criminals, pranksters, hacktivists, and national militaries to reach out and attack targets all over the world in microseconds, from anywhere, at any time. Data breaches, mass identity theft, denial of service attacks, critical zero-day exploits, malware and botnet infestations, etc. are now weekly news events, and there is no sign that these dangerous trends will abate any time soon. It is critical that students who will engineer the systems of tomorrow understand the threats of today, in order to produce robust and secure software in the future.
CS 4740/6740 is a mixed undergraduate and graduate-level course on network security covering a diverse range of topics at all layers of the networking stack, from physical devices up to application-level security. The course focuses on the intersection between systems security principles and computer networking, from abstract models to their application in systems code, the Web, and mobile platforms. We will examine real-world attacks against various types of protocols and systems, as well as look at techniques to stop these attacks, and how to construct more secure, robust software in general. This class has a pronounced emphasis on practical techniques for both defending and attacking systems, with the overall goal of teaching students about the "attackers mindset".
The official prequisite for Network Security is CS 4700/5700 Fundamentals of Computer Networks. However, this will be a demanding course that will cover a broad range of topics. CS 5600 Computer Systems or any other course in the fundamentals of computer architecture and operating systems is highly recommended.
Students taking this course are expected to have a working knowledge of fundamental computer hardware concepts. This includes familiarity with assembly language, memory architectures, basic I/O devices, and the ISO/OSI networking stack. You will encounter x86 assembly code within the course projects and while you are debugging, and you will be asked to write (relatively short) sequences of code in assembly.
The class forum is on Piazza. Why Piazza? Because they have a nice web interface, as well as iPhone and Android apps. Piazza is the best place to ask questions about projects, programming, debugging issues, exams, etc. In order to keep things organized, please tag all posts with the appropriate hashtags, e.g. #lecture1, #project3, etc. I will also use Piazza to broadcast announcements to the class. Bottom line: unless you have a private problem, post to Piazza before writing me/the TA an email.
Schedule, Lecture Slides, and Assigned Readings
|Date||Slides||Piazza Tag||Other Material||Comments|
|Jan. 13||Introduction, Fundamentals||#lecture1||Join Piazza|
|Jan. 20||Hijacking, Denial of Service, and Intrusion Detection||#lecture2|
|Jan. 27||Authentication (w/ Audio)||#lecture3||Proj. 1 Out|
|Feb. 3||Network and Transport Layer Security||#lecture4|
|Feb. 10||Snow Day||Proj. 1 Due|
|Feb. 17||Naming and Routing||#lecture5||DNS, BGP||Proj. 2 Out|
|Mar. 3||Memory (Un)safety, Basic Expliots||#lecture6||ELF Binaries/Program Stack,
|Mar. 10||Spring Break!|
|Mar. 17||Host-based defenses (DEP, ASLR, CFI)||#lecture7||Exploit Prevention||Proj. 2 Due, Proj. 3 Out|
|Mar. 24||Web Platforms, Basic Web Attacks||#lecture8|
|Mar. 31||HTML5, CSP, CORS, Browser Separation, Extensions||#lecture9|
|Apr. 7||Web Privacy, Anonymity||#lecture10||Proj. 3 Due, Proj. 4 Out|
|Apr. 14||The Cybercrime Underground||#lecture11|
|Apr. 21||Final Exam||#final|
|Apr. 28||Proj. 4 Due|
There is no textbook for this course. Instead, I will provide links to relevent review materials and academic papers. These links appear in the "Other Material" column in the above calendar.
There will be four programming projects throughout the semester. Programming projects are due at 11:59:59pm on the specified date. We will use a turn-in script to create a compressed archive of the project files, timestamp them, and submit them for grading. These projects require significant reverse-engineering, analysis, and coding, hence students are recommended to start early!
|Assignment||Slides||Description||Due Date||Piazza Tag|
|Project 1||Authentication||February 10||#project1|
|Project 2||Memory Corruption I||March 17||#project2|
|Project 3||Memory Corruption 2||April 7||#project3|
|Project 4||Web Vulnerabilities||April 28||#project4|
You will form groups of two people to do the projects. I will allow you to form your own groups; if you are having trouble finding a partner, post a notice to Piazza. Since you are free to choose your partners, I will not be sympathetic to complaints at the end of the semester about how your group-mates did not do any work. All group members should be involved in all major design decisions, and groups should develop a programming plan that can be effectively parallelized. You may switch groups between programming projects.
There will be one midterm and one final. All exams will be closed book and closed notes, and computers are not allowed nor is any access to the Internet via any device. The exams will cover material from lectures, readings, and the projects. The final will be cumulative, so review everything!
|Projects:||13% each (52% total)|
Each project will include a breakdown of how it will be graded.
To calculate final grades, I simply sum up the points obtained by each student (the points will sum up to some number x out of 100) and then use the following scale to determine the letter grade: [0-60] F, [60-62] D-, [63-66] D, [67-69] D+, [70-72] C-, [73-76] C, [77-79] C+, [80-82] B-, [83-86] B, [87-89] B+, [90-92] A-, [93-100] A. I do not curve the grades in any way. All fractions will be rounded up.
Requests for Regrading
In this class, we will use the Coaches Challenge to handle requests for regrading. Each student is allotted two (2) challenges each semester. If you want a project or a test to be regraded, you must come to the professors office hours and make a formal challenge specifying (a) the problem or problems you want to be regraded, and (b) for each of these problems, why you think the problem was misgraded. If it turns out that there has been an error in grading, the grade will be corrected, and you get to keep your challenge. However, if the original grade was correct, then you permanently lose your challenge. Once your two challenges are exhausted, you will not be able to request regrades. You may not challenge the use of slip days, or any points lost due to lateness.
Note that, in the case of projects, all group members must have an available challenge in order to contest a grade. If the challenge is successful, then all group members get to keep their challenge. However, if the challenge is unsuccessful, then all group members permamently lose one challenge.
For programming projects, we will use flexible slip days. Each student is given four (4) slip days for the semester. You may use the slip days on any project during the semester in increments of one day. For example, you can hand in one project four days late, or one project two days late and two projects one day late. You do not need to ask permission before using slip days; simply turn in your assignment late and the grading scripts will automatically tabulate any slip days you have used.
Slip days will be deducted from each group member's remaining slip days. Keep this stipulation in mind: if one member of a group has zero slip days remaining, then that means the whole group has zero slip days remaining.
After you have used up your slip days, any project handed in late will be marked off using the following formula:
Original_Grade * (1 - ceiling(Seconds_Late / 86400) * 0.2) = Late_Grade
In other words, every day late is 20% off your grade. Being 1 second late is exactly equivalent to being 23 hours and 59 minutes late. Since you will be turning-in your code on the CCIS machines, their clocks are the benchmark time (so beware clock skew between your desktop and CCIS if you're thinking about turning-in work seconds before the deadline). My late policy is extremely generous, and therefor I will not be sympathic to excuses for lateness.
It's ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn. However, what you turn in must be your own, or for projects, your group's own work. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or prior CS 3700 students) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.
All students are subject to the Northeastern University's Academic Integrity Policy. Per CCIS policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result is deferred suspension, suspension, or expulsion from the university.
Accomodations for Students with Disabilities
If you have a disability-related need for reasonable academic accommodations in this course and have not yet met with a Disability Specialist, please visit www.northeastern.edu/drc and follow the outlined procedure to request services. If the Disability Resource Center has formally approved you for an academic accommodation in this class, please present the instructor with your "Professor Notification Letter" at your earliest convenience, so that we can address your specific needs as early as possible.
Title IX makes it clear that violence and harassment based on sex and gender are Civil Rights offenses subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, etc. If you or someone you know has been harassed or assaulted, you can find the appropriate resources here.