CS 161: Computer Security

Instructor: Nicholas Weaver

Lecture: M/W/F 2-3pm at Dwinelle 155

Date	Lecture	Readings	Discussion
Wed 08/28	Introduction	Required: If You Are Being Stalked by an Ex, an App Can’t Protect You Optional: G&T § 1.1, Craft § 1-1.1, 1.3]	No discussion!
Fri 08/30	Security Principles	Required: Notes on Principles for Building Secure Systems. Required: Notes on Design Patterns for Building Secure Systems. Optional: G&T § 1.1.4, 3.4.6	No discussion!
Sun 09/01	Homework 1 Released		x86, GDB, and Security Principles (solutions)
Mon 09/02	Labor Day
Wed 09/04	More Security Principles
Fri 09/06	Memory Safety	Notes on Memory Safety. [G&T § 3.4, Craft § 6.1-6.3] Smashing The Stack For Fun And Profit, by Aleph One Notes on Reasoning About Code and Secure Software Development. [G&T § 9.4-9.5; Craft § 6.5-6.7] Eevee’s guide for Testing for People Who Hate Testing
Sun 09/08	Project 1 Released		Software Security (solutions)
Mon 09/09	Memory Safety Defenses	Slides from Matthias Vallentin on a Normal x86 function call, a crash, a control-flow diversion, and Code Injection.
Wed 09/11	IND-CPA, OTP and Block ciphers	Notes. [G&T § 8.1.0-8.1.3, 8.1.6-8.1.7; Craft § 7.1, 7.3.2 - 7.3.3] Technical Analysis of the Pegasus Exploits on iOS Engima Machine Notebook
Fri 09/13	Symmetric key encryption	Notes. [G&T § 8.1.0-8.1.3, 8.1.6-8.1.7; Craft § 7.1, 7.3.2 - 7.3.3] Optional: Stick figure guide to AES
Sun 09/15	Homework 1 Due		Cryptography I (solutions)
Mon 09/16	Hashing	A GIF which displays its own MD5 hash Another one, with a writeup
Wed 09/18	Public Key Exchange	Notes, section 1 [G&T § 1.3-1.3.1, 1.3.3, 8.2, 8.5.2; Craft § 7.5]
Fri 09/20	Project 1 Due
Fri 09/20	Public Key Encryption, Hashing	The Debian PGP disaster that almost was DSA requirements for random k value U2F ECDSA vulnerability Notes, section 2 [G&T § 1.3-1.3.1, 1.3.3, 8.2, 8.5.2]
Mon 09/23	Midterm 1 (7-9pm)		Cryptography II (solutions)
Mon 09/23	No lecture.
Wed 09/25	Integrity and Authentication	Notes. [G&T § 1.3.2, 1.3.4, 8.2.3, 8.3, 8.4.1, 8.4.3; Craft § 7.4.2]
Fri 09/27	CryptoFails	Snake Oil Why Special Agent Johnny Still Can’t Encrypt Cryptorisks
Sat 09/28	Homework 2 Released
Mon 09/30	Intro to web security, Same-origin policy	[G&T § 7.1.1, 7.1.3-7.1.4, 7.3.1-7.3.2, 7.3.4, 7.3.6; Craft § 12.1.1, 12.1.2, 12.1.3] Web Security: Are You Part Of The Problem? Spanish Flu Squigler Demo	Cryptography III (solutions)
Wed 10/02	The Web...	See above.
Fri 10/04	Hardware Attacks	“Optional: Meltdown and Spectre”
Mon 10/07	Same-origin Policy and Cookies	Same-origin policy Cookies Optional: “Cookies Lack Integrity”	Canceled due to outage
Wed 10/09	Canceled (power outage)
Fri 10/11	Canceled (power outage)
Sat 10/12	Homework 2 Due
Mon 10/14	Project 2 Released		Web Security I (solutions)
Mon 10/14	XSS and CSP	Secure Session Management With Cookies for Web Applications
Wed 10/16	CSRF and Session Management	OWASP Cheatsheet Series (take a look at XSS, CSRF, SQL Injection, Clickjacking and Command Injection) [G&T § 7.1.4, 7.2.1, 7.2.7, Craft § 12.1.4]
Fri 10/18	End Web & Start Networking
Mon 10/21	Network Security: Background	Networking terminology quick-reference. [G&T § 5.1-5.1.2, 5.3-5.3.1, 5.4-5.4.2, 6.1-6.1.2, 7.1-7.1.1; Craft § 5.1, 5.4.1]	Web Security II (solutions)
Wed 10/23	Network Attacks: Lower Layers	[G&T § 5.1.3, 5.2.3, 5.3.3-5.3.4, 5.4.4; Craft § 5.3.1]
Fri 10/25	Network Attacks: DNS & IP & TCP	G&T § 6.1.3 (pp. 278-284) Reliable DNS Forgery in 2008: Kaminsky’s Discovery An Illustrated Guide to the Kaminsky DNS Vulnerability
Mon 10/28	Canceled (power outage)		Web Security III/Network Security I (solutions)
Tue 10/29	Homework 3 Released
Wed 10/30	Network: TCP and TLS	G&T § 1.1.1, 7.1.2, 8.3
Fri 11/01	Project 2 Due
Fri 11/01	Network Security: TLS
Mon 11/04	Denial of Service, Firewalls	[G&T § 5-5.4] Mitigating Multiple DDoS Attack Vectors [G&T § 4.4, 6.1.4] The WoSign Saga	Network Security II (solutions)
Wed 11/06	DNSSEC	How DNSSEC Works
Fri 11/08	Intrusion Detection	Notes on Firewalls. [G&T § 6.2, 6.3 intro, 6.3.3; Craft § 5.3.2]
Mon 11/11	Homework 3 Due		No discussion (Midterm week)
Mon 11/11	Veterans Day
Wed 11/13	Network Monitoring	[G&T § 6.4]
Thu 11/14	Midterm 2 (7-9pm)
Fri 11/15	Network Spying	In Defense of Bulk Surveillance; It Works In Contempt of Bulk Surveillance; It’s Too Easy A Risk Analysis of Huawei’s 5G
Sat 11/16	Project 3 Released
Mon 11/18	Networking Censorship	A Deep Dive Into Internet Censorship in Russia	Network Security III (solutions)
Wed 11/20	Malcode and Reflections on Trusting Trust	X3DH Key Agreement Double Ratchet
Fri 11/22	Nuclear Weapons	iOS Security Guide (System Security, Encryption, User Password Management) – no need to memorize this info, but it often inspires test questions. Focus on understanding design tradeoffs and reasoning. Trump and the Nuclear Codes, How to Launch a Nuclear Weapon
Mon 11/25	Malcode	Reflections on Trusting Trust	No discussion!
Wed 11/27	Thanksgiving
Fri 11/29	Thanksgiving
Mon 12/02	Malcode		Miscellaneous Topics (solutions)
Wed 12/04	Project 3 Due
Wed 12/04	Personal Security	A Taxonomy of Computer Worms
Fri 12/06	Conclusions
Mon 12/09	RRR Week
Wed 12/11	RRR Week
Fri 12/13	RRR Week
Mon 12/16	Finals Week
Wed 12/18	Finals Week
Thu 12/19	Final (3-6pm)
Fri 12/20	Finals Week