Course Syllabus

CY 5770 Software Vulnerabilities and Security

Spring 2020

Course Description:

This course is a foundational graduate security course, providing an introduction to the tools, concepts and ideas of modern-day security and privacy. It starts by defining security goals and objectives and covers the most important cryptographic concepts. It then discusses in detail the common software programming, configuration and design vulnerabilities, and how they can be exploited. In doing so, it focuses on several central security themes: system security, software security, network security, and web security.

Course Outcomes:

By the end of this course, the students will be able to:

  • Given a specific situation or a security goal, select and apply an appropriate cryptographic tool

  • Prevent software vulnerabilities by utilizing good security practices and effective techniques during software development

  • Apply various approaches to detect the presence of vulnerabilities during software development and deployment

  • Recognize vulnerabilities that may be introduced at different levels of the software stack, and develop and apply code to mitigate those vulnerabilities

  • Recognize an ongoing attack, and select and apply an appropriate prevention and mitigation technique

Expected Course Schedule:

The following is a preliminary class progression covering the 15 weeks of the course (January 9 - April 25). It is subject to changes.

  • Week 1: Introduction to Security and Privacy
  • Week 2: Cryptography, Cryptanalysis and Classical Cryptosystems
  • Week 3: Block Ciphers and Public Key Cryptography; Elliptic Curves
  • Week 4: Hash Functions and Message Authentication Codes
  • Week 5: Digital Signatures and Key Management
  • Week 6: Introduction to Blockchain, Cryptocurrencies and Smart Contracts
  • Week 7: Information Security and Overview of Software Vulnerabilities; MIDTERM
  • Week 8: Software Vulnerabilities and Malware Analysis
  • Week 9: Spring Break
  • Week 10: Users, Privileges, and Privilege Escalation Vulnerabilities (lecture 9)
  • Week 10: Shells, Races and Sandboxing (lecture 10)
  • Week 11: Memory Corruption
  • Week 12: Memory Corruption; Network Security
  • Week 13: Network Security
  • Week 14: Basic Web Security Model; SSL/TLS
  • Week 15: Privacy and Anonymity; Social Engineering
  • Finals week: Project Presentations

Course Activities:

This course includes the following required activities and assignments:

Weekly readings

Weekly readings provide the background knowledge, terminology, and practical examples you need in order to understand, and correctly apply fundamental course concepts. You are responsible for completing the specific module readings, for viewing the presentations and demonstrations, and completing the concept checks included in the lessons. All materials should be completed in the order in which they are presented, and by the due dates specified, within the weekly module.

Reading assignments

Most weeks, you will read one published paper on a topic related to the material presented in class. You will then write a short comment about the paper and how it relates to the weekly lesson materials. Your comments will be posted on the course discussion board, available only to the instructors and your classmates, and you will be graded on the quality of your initial post and your participation in that week's discussion.

Quizzes

Several times per term, we will review the relevant course material using short online quizzes. You will have a few minutes to work on the quizzes individually and/or in groups, and then we will work on them as a class. The instructors will make the quizzes available to the students participating remotely shortly before the start of the class.

Homework

You will have eight homework assignments in this course, and those will be a mix of written questions, programming, and simulation problems.

Written questions are expected to reinforce your understanding of the concepts and ideas presented in class. On the other hand, programming and simulation problems are expected to give you a more practical, hands-on experience with some of the presented concepts. While these programming and simulation problems may be designed with a specific programming language/tool in mind, you are welcome to code them up using any programming language/software tool you prefer (unless stated otherwise). You should, however, submit all your code and simulation models with your homework. We will use Khoury GitHub for the submission of these assignments.

Midterm

The midterm will be a take-home, open-book exam that will ask you to apply what you have learned in the first half of the course. You will have a full week to work on it, and will submit your solutions via Blackboard.

Project

The final component of this course is a project, and its goal is to give you a deeper understanding of how to think about, and how to solve a real-life problem from a security perspective.

For the project, you will choose a topic related to any area of security and privacy (including those not directly covered in this course). You can work on the project either individually or in a group of up to two people. When working in a group, your end result should reflect the fact that it is a multi-person effort.

Grading/Evaluation Standards:

Your grade in this course will be based on midterm, quizzes, reading assignments, homework assignments, and project. The expected grade breakdown is:

  • Quizzes: 5%

  • Reading Discussions: 10%

  • Midterm: 15%

  • Project: 25%

  • Homework: 45%

Course Grading Scale:

The grading scale and the points break down in this course will be as follows:

  • A = 95-100%
  • A- = 90-94%
  • B+ = 87-89%
  • B = 83-86%
  • B- = 80-82%
  • C+ = 77-79%
  • C = 73-76%
  • C- = 70-72%
  • D+ = 67-69%
  • D = 63-66%
  • D- = 60-62%
  • F = below 60%

Course Material:

There is no official textbook for this course. Instead, we will rely on lectures and readings.

Additionally, you might find these books useful.

  • N. Daswani, C. Kern, and A. Kesavan, Foundations of Security, What Every Programmer Needs to Know, Apress, 2007
  • C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, Prentice Hall, 2002
  • D. Stinson, Cryptography Theory and Practice, Third Edition, CRC Press, 2006
  • W. Stallings, Cryptography and Network Security, Principles and Practice, 5th Edition, Prentice Hall, 2006
  • B. Schneier, Applied Cryptography, Protocols, Algorithms and Source Code in C, Wiley, 1996
  • A. J. Menezes, P. Van Oorschot, S. Vanstone, Handbook of Applied Cryptography (available online)
  • Wenliang Du: Computer Security - A Hands-On Approach, CreateSpace, 2017
  • Georgia Weidman: Penetration Testing, No Starch Press Inc, 2014.
  • James Forshaw: Attacking Network Protocols, No Starch Press Inc, 2018.
  • Christopher Hadnagy: Social Engineering: The Science of Human Hacking, Wiley, 2018.

Assignment Turn-in and Late Submission:

All assignments (including homework assignments, the midterm, and project assignments) should be submitted as outlined in the assignment. Please do not use email for assignment submissions.

Late Assignment Turn-in:

All assignments are due by their assigned due date, but we understand that you may sometimes have to turn them in late. The grading penalty is 10% of the grade that you would otherwise receive for each day, or part of a day, that you are late. No submissions will be accepted more than 7 days after the due date.

Collaboration:

In this course, we want you to learn from each other. You are allowed (and encouraged) to talk to your classmates and other students about all course assignments. You may also consult outside reference materials, or the instructor. However, all material that you decide to turn in should reflect your own understanding of the subject matter at the time of writing. If you work with someone else on any assignment, please include their names on the material that you turn in.

Special Accommodations/ADA:

In accordance with the Americans with Disabilities Act (ADA 1990), Northeastern University seeks to provide equal access to its programs, services, and activities. If you will need accommodations in this class, please contact the Disability Resource Center (www.northeastern.edu/drc/) as soon as possible to make appropriate arrangements, and please provide the course instructors with any necessary documentation. The University requires that you provide documentation of your disabilities to the DRC so that they may identify what accommodations are required, and arrange with the instructor to provide those on your behalf, as needed.

Ethics:

This course will cover some sensitive material that includes information on how to exploit vulnerable software. Attack-oriented work must be restricted to the computing resources provided. Alternatively, students can perform this work using personal resources as long as other computing resources are not affected. In particular, attacks performed against University resources, or the open Internet are expressly prohibited. Students should also be familiar with the University Appropriate Use policy.

Academic Integrity:

All students must adhere to the university’s Academic Integrity Policy, which can be found on the website of the Office of Student Conduct and Conflict Resolution (OSCCR), at http://www.northeastern.edu/osccr/academicintegrity/index.html. Please be particularly aware of the policy regarding plagiarism. As you probably know, plagiarism involves representing anyone else’s words or ideas as your own. It doesn’t matter where you got these ideas: from a book, on the web, from a fellow student, from a family member. It doesn’t matter whether you quote the source directly or paraphrase it; if you are not the originator of the words or ideas, you must state clearly and specifically where they came from. Please consult an instructor if you have any confusion or concerns when preparing any of the assignments so that together. You can also consult the guide “Avoiding Plagiarism” on the NU Library website at http://www.lib.neu.edu/online_research/help/avoiding_plagiarism/. If an academic integrity concern arises, one of the instructors will speak with you about it; if the discussion does not resolve the concern, we will refer the matter to OSCCR.

