CS 161: Computer Security (Under Construction)

Instructors: Raluca Ada Popa and David Wagner

Lecture: M/W/F 1-2pm at Dwinelle 155


Date Lecture Readings Discussion
Mon
01/20
MLK Jr. Day No discussion!
Wed
01/22
Introduction

Required: If You Are Being Stalked by an Ex, an App Can’t Protect You

Optional: [G&T § 1.1, Craft § 1-1.1, 1.3]

Fri
01/24
Security Principles

Required: Notes on Principles for Building Secure Systems.

Required: Notes on Design Patterns for Building Secure Systems.

Optional: G&T § 1.1.4, 3.4.6

Mon
01/27
More Security Principles

x86, GDB, and Security Principles
Wed
01/29
Memory Safety

Notes on Memory Safety.
[G&T § 3.4, Craft § 6.1-6.3]
Smashing The Stack For Fun And Profit, by Aleph One

Notes on Reasoning About Code and Secure Software Development.
[G&T § 9.4-9.5; Craft § 6.5-6.7]
Eevee’s guide for Testing for People Who Hate Testing

Fri
01/31
Memory Safety Defenses

Slides from Matthias Vallentin on a Normal x86 function call, a crash, a control-flow diversion, and Code Injection.

Mon
02/03
IND-CPA, OTP and Block ciphers

Notes.
[G&T § 8.1.0-8.1.3, 8.1.6-8.1.7; Craft § 7.1, 7.3.2 - 7.3.3]

Technical Analysis of the Pegasus Exploits on iOS

Enigma Machine Notebook

Software Security
Wed
02/05
Symmetric key encryption

Notes.
[G&T § 8.1.0-8.1.3, 8.1.6-8.1.7; Craft § 7.1, 7.3.2 - 7.3.3]

Optional: Stick figure guide to AES

Fri
02/07
Hashing

A GIF which displays its own MD5 hash

Another one, with a writeup

Mon
02/10
Public Key Exchange

Notes, section 1

[G&T § 1.3-1.3.1, 1.3.3, 8.2, 8.5.2; Craft § 7.5]

Cryptography I
Wed
02/12
Public Key Encryption, Hashing

The Debian PGP disaster that almost was

DSA requirements for random k value

U2F ECDSA vulnerability

Notes, section 2

[G&T § 1.3-1.3.1, 1.3.3, 8.2, 8.5.2]

Fri
02/14
No lecture.
Mon
02/17
Integrity and Authentication

Notes.
[G&T § 1.3.2, 1.3.4, 8.2.3, 8.3, 8.4.1, 8.4.3; Craft § 7.4.2]

Cryptography II
Wed
02/19
CryptoFails

Snake Oil

Why Special Agent Johnny Still Can’t Encrypt

Cryptorisks

Fri
02/21
Intro to web security, Same-origin policy

[G&T § 7.1.1, 7.1.3-7.1.4, 7.3.1-7.3.2, 7.3.4, 7.3.6; Craft § 12.1.1, 12.1.2, 12.1.3]
Web Security: Are You Part Of The Problem?

Spanish Flu

Squigler Demo

Mon
02/24
The Web...

See above.

Cryptography III
Wed
02/26
Hardware Attacks

Optional: Meltdown and Spectre

Fri
02/28
Same-origin Policy and Cookies

Same-origin policy

Cookies

Optional: “Cookies Lack Integrity”

Mon
03/02
TBA

TBA
Wed
03/04
TBA
Fri
03/06
XSS and CSP

Secure Session Management With Cookies for Web Applications

Mon
03/09
CSRF and Session Management

OWASP Cheatsheet Series (take a look at XSS, CSRF, SQL Injection, Clickjacking and Command Injection)

[G&T § 7.1.4, 7.2.1, 7.2.7, Craft § 12.1.4]

Web Security I
Wed
03/11
End Web & Start Networking
Fri
03/13
Network Security: Background

Networking terminology quick-reference.
[G&T § 5.1-5.1.2, 5.3-5.3.1, 5.4-5.4.2, 6.1-6.1.2, 7.1-7.1.1; Craft § 5.1, 5.4.1]

Mon
03/16
Network Attacks: Lower Layers

[G&T § 5.1.3, 5.2.3, 5.3.3-5.3.4, 5.4.4; Craft § 5.3.1]

Web Security II
Wed
03/18
Network Attacks: DNS & IP & TCP

G&T § 6.1.3 (pp. 278-284)
Reliable DNS Forgery in 2008: Kaminsky’s Discovery
An Illustrated Guide to the Kaminsky DNS Vulnerability

Fri
03/20
Canceled (power outage)
Mon
03/23
Network: TCP and TLS

G&T § 1.1.1, 7.1.2, 8.3

Web Security III/Network Security I
Wed
03/25
Network Security: TLS
Fri
03/27
Denial of Service, Firewalls

[G&T § 5-5.4]
Mitigating Multiple DDoS Attack Vectors [G&T § 4.4, 6.1.4]
The WoSign Saga

Mon
03/30
DNSSEC

How DNSSEC Works

Network Security II
Wed
04/01
Intrusion Detection

Notes on Firewalls.
[G&T § 6.2, 6.3 intro, 6.3.3; Craft § 5.3.2]

Fri
04/03
Veterans Day
Mon
04/06
Network Monitoring

[G&T § 6.4]

TBA
Wed
04/08
Network Spying

In Defense of Bulk Surveillance; It Works

In Contempt of Bulk Surveillance; It’s Too Easy

A Risk Analysis of Huawei’s 5G

Fri
04/10
Networking Censorship

A Deep Dive Into Internet Censorship in Russia

Mon
04/13
Malcode and Reflections on Trusting Trust

X3DH Key Agreement

Double Ratchet

Network Security III
Wed
04/15
Nuclear Weapons

iOS Security Guide (System Security, Encryption, User Password Management) – no need to memorize this info, but it often inspires test questions. Focus on understanding design tradeoffs and reasoning.

Trump and the Nuclear Codes, How to Launch a Nuclear Weapon

Fri
04/17
Malcode

Reflections on Trusting Trust

Mon
04/20
TBA

TBA
Wed
04/22
TBA
Fri
04/24
Malcode
Mon
04/27
Personal Security

A Taxonomy of Computer Worms

Miscellaneous Topics
Wed
04/29
Conclusions
Fri
05/01
RRR Week
Mon
05/04
RRR Week
Wed
05/06
RRR Week
Fri
05/08
Finals Week
Mon
05/11
Finals Week
Wed
05/13
Finals Week
Fri
05/15