CS 161: Computer Security

Instructor: Nicholas Weaver

Lecture: M/W/F 2-3pm at Dwinelle 155

Skip to current week

Date Lecture Readings Discussion
Wed
08/28
Introduction

Required: If You Are Being Stalked by an Ex, an App Can’t Protect You

Optional: G&T § 1.1, Craft § 1-1.1, 1.3]

No discussion!
Fri
08/30
Security Principles

Required: Notes on Principles for Building Secure Systems.

Required: Notes on Design Patterns for Building Secure Systems.

Optional: G&T § 1.1.4, 3.4.6

Sun
09/01

Homework 1 Released

x86, GDB, and Security Principles (solutions)
Mon
09/02
Labor Day
Wed
09/04
More Security Principles
Fri
09/06
Memory Safety

Notes on Memory Safety.
[G&T § 3.4, Craft § 6.1-6.3]
Smashing The Stack For Fun And Profit, by Aleph One

Notes on Reasoning About Code and Secure Software Development.
[G&T § 9.4-9.5; Craft § 6.5-6.7]
Eevee’s guide for Testing for People Who Hate Testing

Sun
09/08

Project 1 Released

Software Security (solutions)
Mon
09/09
Memory Safety Defenses

Slides from Matthias Vallentin on a Normal x86 function call, a crash, a control-flow diversion, and Code Injection.

Wed
09/11
IND-CPA, OTP and Block ciphers

Notes.
[G&T § 8.1.0-8.1.3, 8.1.6-8.1.7; Craft § 7.1, 7.3.2 - 7.3.3]

Technical Analysis of the Pegasus Exploits on iOS

Engima Machine Notebook

Fri
09/13
Symmetric key encryption

Notes.
[G&T § 8.1.0-8.1.3, 8.1.6-8.1.7; Craft § 7.1, 7.3.2 - 7.3.3]

Optional: Stick figure guide to AES

Sun
09/15

Homework 1 Due

Cryptography I (solutions)
Mon
09/16
Hashing

A GIF which displays its own MD5 hash

Another one, with a writeup

Wed
09/18
Public Key Exchange

Notes, section 1

[G&T § 1.3-1.3.1, 1.3.3, 8.2, 8.5.2; Craft § 7.5]

Fri
09/20

Project 1 Due

Fri
09/20
Public Key Encryption, Hashing

The Debian PGP disaster that almost was

DSA requirements for random k value

U2F ECDSA vulnerability

Notes, section 2

[G&T § 1.3-1.3.1, 1.3.3, 8.2, 8.5.2]

Mon
09/23

Midterm 1 (7-9pm)

Cryptography II (solutions)
Mon
09/23
No lecture.
Wed
09/25
Integrity and Authentication

Notes.
[G&T § 1.3.2, 1.3.4, 8.2.3, 8.3, 8.4.1, 8.4.3; Craft § 7.4.2]

Fri
09/27
CryptoFails

Snake Oil

Why Special Agent Johnny Still Can’t Encrypt

Cryptorisks

Sat
09/28

Homework 2 Released

Mon
09/30
Intro to web security, Same-origin policy

[G&T § 7.1.1, 7.1.3-7.1.4, 7.3.1-7.3.2, 7.3.4, 7.3.6; Craft § 12.1.1, 12.1.2, 12.1.3]
Web Security: Are You Part Of The Problem?

Spanish Flu

Squigler Demo

Cryptography III (solutions)
Wed
10/02
The Web...

See above.

Fri
10/04
Hardware Attacks

“Optional: Meltdown and Spectre

Mon
10/07
Same-origin Policy and Cookies

Same-origin policy

Cookies

Optional: “Cookies Lack Integrity”

Canceled due to outage
Wed
10/09
Canceled (power outage)
Fri
10/11
Canceled (power outage)
Sat
10/12

Homework 2 Due

Mon
10/14

Project 2 Released

Web Security I (solutions)
Mon
10/14
XSS and CSP

Secure Session Management With Cookies for Web Applications

Wed
10/16
CSRF and Session Management

OWASP Cheatsheet Series (take a look at XSS, CSRF, SQL Injection, Clickjacking and Command Injection)

[G&T § 7.1.4, 7.2.1, 7.2.7, Craft § 12.1.4]

Fri
10/18
End Web & Start Networking
Mon
10/21
Network Security: Background

Networking terminology quick-reference.
[G&T § 5.1-5.1.2, 5.3-5.3.1, 5.4-5.4.2, 6.1-6.1.2, 7.1-7.1.1; Craft § 5.1, 5.4.1]

Web Security II (solutions)
Wed
10/23
Network Attacks: Lower Layers

[G&T § 5.1.3, 5.2.3, 5.3.3-5.3.4, 5.4.4; Craft § 5.3.1]

Fri
10/25
Network Attacks: DNS & IP & TCP

G&T § 6.1.3 (pp. 278-284)
Reliable DNS Forgery in 2008: Kaminsky’s Discovery
An Illustrated Guide to the Kaminsky DNS Vulnerability

Mon
10/28
Canceled (power outage) Web Security III/Network Security I (solutions)
Tue
10/29

Homework 3 Released

Wed
10/30
Network: TCP and TLS

G&T § 1.1.1, 7.1.2, 8.3

Fri
11/01

Project 2 Due

Fri
11/01
Network Security: TLS
Mon
11/04
Denial of Service, Firewalls

[G&T § 5-5.4]
Mitigating Multiple DDoS Attack Vectors [G&T § 4.4, 6.1.4]
The WoSign Saga

Network Security II (solutions)
Wed
11/06
DNSSEC

How DNSSEC Works

Fri
11/08
Intrusion Detection

Notes on Firewalls.
[G&T § 6.2, 6.3 intro, 6.3.3; Craft § 5.3.2]

Mon
11/11

Homework 3 Due

No discussion (Midterm week)
Mon
11/11
Veterans Day
Wed
11/13
Network Monitoring

[G&T § 6.4]

Thu
11/14

Midterm 2 (7-9pm)

Fri
11/15
Network Spying

In Defense of Bulk Surveillance; It Works

In Contempt of Bulk Surveillance; It’s Too Easy

A Risk Analysis of Huawei’s 5G

Sat
11/16

Project 3 Released

Mon
11/18
Networking Censorship

A Deep Dive Into Internet Censorship in Russia

Network Security III (solutions)
Wed
11/20
Malcode and Reflections on Trusting Trust

X3DH Key Agreement

Double Ratchet

Fri
11/22
Nuclear Weapons

iOS Security Guide (System Security, Encryption, User Password Management) – no need to memorize this info, but it often inspires test questions. Focus on understanding design tradeoffs and reasoning.

Trump and the Nuclear Codes, How to Launch a Nuclear Weapon

Mon
11/25
Malcode

Reflections on Trusting Trust

No discussion!
Wed
11/27
Thanksgiving
Fri
11/29
Thanksgiving
Mon
12/02
Malcode Miscellaneous Topics (solutions)
Wed
12/04

Project 3 Due

Wed
12/04
Personal Security

A Taxonomy of Computer Worms

Fri
12/06
Conclusions
Mon
12/09
RRR Week
Wed
12/11
RRR Week
Fri
12/13
RRR Week
Mon
12/16
Finals Week
Wed
12/18
Finals Week
Thu
12/19

Final (3-6pm)

Fri
12/20
Finals Week