This is the syllabus for CSP 544: System and Network Security. This class is meant for junior/senior undergraduates and graduate students.
We increasingly live in a digitally-connected world. More of our personal systems, national infrastructures, automobiles, and smart devices are becoming internet-connected, so the importance of secure systems is more critical than ever. Unfortunately, tracking the trend for internet-connected systems is an increasing prevalence of malicious actors and criminals intent on breaking, subverting, and otherwise sabotaging important systems. Billions of dollars are lost and thousands of lives are affected by such cybercrime, and there is a dearth of trained talent to offset these trends. We must endeavor to train ethical hackers with strong cyber-security techniques, who understand the toolkits and trades employed by cybercriminals, and imbue them with an ethos of using their knowledge for good.
This course will be a programming-based, learn-by-doing-oriented course focused on applying foundational principles in security to real systems and networks . You will implement several real attacks and take advantage of several recreated vulnerable systems in order to understand the modern landscape of network and systems security. Other than implementing our own attacks, we will also be looking at various case studies of attacks and defense strategies, including known exploit proofs-of-concept, published papers, and documents from security agencies and cyber-security research firms.
Our goals with this course are as follows:
The course is organized into multiple cycles and each cycle will focus on one topic in system and network security from theory to practice. We will first study the theory behind various attack vectors as well as countermeasures, and then gain deep insights through hands-on construction and experimentation with real-world implementations. Ideally, we will participate in a capture-the-flag competition at the end of the course. Topics include but are not limited to malware design (e.g., rootkit), web security (e.g., sql injection attacks, cross-site scripting attacks), OS and software security (e.g., shared library, reverse engineering, buffer overflow attacks, vulnerability scanning), network security (e.g., packet sniffing and spoofing, firewalls, protocol-specific attacks) and cryptography.
There are no required textbooks for the course. Recommended texts can be found on the course webpage.
You're expected to attend lectures/lab sessions; When possible we will post lecture notes/slides online after lecture, but this is not a guarantee, so come to lecture!
For many lectures, we will be posting required readings on the course webpage, from various sources. Be sure to read them! If a reading is marked as required, the reading content is fair game for exams. Any readings I post that are required will be freely available either from the web or from me.
By far the most important part of this course is the labs. You will learn by doing. Thus, they will comprise the lion's share of your grade. Unless otherwise noted you will be working individually on projects. You will be graded on your lab reports that you submit when you are finished.
Unless otherwise noted, you will be submitting lab reports when your lab work is done. You will submit them on Blackboard by the due date listed on the course webpage.
For all projects, you can submit up to two days late with penalties. Each day you will be docked 10%. So if I have a perfect project, submitting two days late will give me 80%. After two days, submissions will not be accepted, and you will receive a zero.
If you have an emergency or are ill, it may be possible to excuse you from a project or to get you an extension, but contact me (or have a friend or family member contact me) as soon as you can. Please don't wait until you get well / get back into town / start worrying about your Final Grade. Overly delayed requests may be denied. Requests made after classes end will be denied.
If you think a test or project has been misgraded, then if the TA graded it, discuss it with the TA first. If you still think it's been misgraded, discuss it with me. Regrade requests must be specific: Don't just ask us to regrade an entire problem or assignment. Also, you must include your justification for a higher grade: Don't just say you think you deserve more points. Regrade requests should be timely, else they may be denied. In particular, regrade requests made after classes end will be denied.
There will be only a final, comprehensive exam during the last week of classes (not during finals week). There will be no midterm.
For the final exam, you can bring one 8.5" x 11" or A4 page of notes (both sides; doesn't matter if it's hand-written or printed, etc.) No other notes, no sharing notes, no books; no phones, no calculators or other aids or devices.
If you can't make it to an exam because you're sick or have an emergency, it may be possible to get you a makeup exam, but contact me (or have a friend or family member contact the instructor) as soon as you can. Overly delayed requests may be denied, so don't wait until you get well / get back into town / start worrying about your Final Grade. Requests made after classes end will be denied (so be on top of things, since the only exam for this course is during the final week!)
Make-up exams are not a guaranteed right, especially if you ask after the exam. Barring some urgent reason, you must take tests at the scheduled time (Getting a cheaper airline ticket is not considered to be an urgent reason).
If during the test, you feel too ill to finish it, stop and come up and talk to me so we can work on rescheduling it — don't turn in the test and then come to me later. Similarly, don't turn in the Final if you want a grade of Incomplete.
The grade break-down for the semester is as follows:
| EOS Pts | Category |
|---|---|
| 70.0% | Labs and reports |
| 20.0% | Participation |
| 10.0% | Final Exam |
| All values are scaled to 100 before taking the final sum | |
| EOS Pts | Category |
|---|---|
| 80.0% | Labs and reports |
| 20.0% | Final Exam |
| All values are scaled to 100 before taking the final sum | |
| Letter | EOS Pts |
|---|---|
| A | 90 - 100 |
| B | 80 - 89 |
| C | 70 - 79 |
| D | 60 - 69 |
| E | 0 - 59 |
Roughly nine times out of ten, there's no ambiguity as to what your Final Grade is; the only judgement comes in at the borders. I will look for every reason I can find to push you up to the next higher grade, such as: Your Final Exam score is much higher than the average. In addition, if you're two points short on the Final Exam, I'll give you the benefit of the doubt. On the other hand, if you're five points short, you get the lower grade.
The Final Grade describes the overall quality of your semester's work: It all gets piled onto a big scale and our job is to tell you what the Quality meter says.
For figuring out Final Grades, there are two ethical/professional principles we must follow. Violating these principles would be unethical and unprofessional of us and it would cheat the other students.
First principle: Grades can be based only on the quality of your work. So unfortunately, you can work hard for the course but still earn a low grade. I'm sorry if a low grade makes your life harder, but that's absolutely not a reason to raise your grade.
The second principle: Grading has to be done on a level playing field: We can't give one person an opportunity that we don't offer to everyone unless it's to re-level the playing field. This is why questions like "Can I retake the an test or can you give me some extra work to raise my grade?" have the answer "No."
In short: DO NOT CHEAT! Why would you do that? You're paying for this, so you might as well get something out of it. All students are responsible for maintaining the highest level of academic integrity, as discussed in the IIT Code of Academic Honesty. The normal penalty for violations of this policy, especially copying or other cheating during tests, is an E for the course, plus notification of the student's advisor and/or department and any appropriate administrators.
IIT's academic honesty policy forbids:
Reasonable accommodations will be made for students with a letter of accommodation from The Center for Disability Resources (3424 S. State Street - 1C3-2; 312-567-5744; ). Please discuss any necessary accommodations with me, well ahead of time.