Overview

Instructor: Trent Jaeger (trentj 'at' ucr.edu)
Location: Lecture: SSC 123; Lab: Chung 142
Meeting Times: Lecture: T-TH 11:00am-12:20pm; Lab: W 5:00pm-7:50pm
Credits: 4
TA: Zheng Zhang (zheng.zhang 'at' email.ucr.edu or zzhan173 'at' ucr.edu)
Office Hours: Prof. Jaeger: Tu 3:00-4:00pm and Fr 2:00-3:00pm at WCH 442
Zheng Zhang: ThF 4:00-5:00pm at WCH 110

Course Summary

In this course, we will investigate the causes of programming errors that often lead to exploitation and examine techniques to prevent such errors and their exploitation. The course aims to teach students about the types of flaws programmers may create, techniques to detect such flaws in programs, and defensive programming techniques to avoid such flaws and prevent exploitation. In addition, programmers often need to implement and maintain security mechanisms in their programs, so this course will teach students about common security mechanisms and methods for implementing them.

Topics will include a review of C programming fundamentals, typical program exploits, safe programming practices to avoid flaws that lead to exploits, program-wide defenses to prevent exploitation of flaws, program testing methods, additional flaws and defenses, and some related research experience studies.

A detailed lecture-by-lecture list of contents, assignments, and due dates (subject to change as the semester evolves) is available on the course schedule.

Grading

The course will be graded on programming projects, exams, homeworks, and class participation in the following proportions:

25% Programming Projects
10% Homeworks (2)
25% Midterm Exam
35% Final Exam
5% Class Participation

Projects

During this course, students perform several security projects examining attacks and defenses. The amount of coding will not be large, but the projects will require deep knowledge of the C programming language and runtime. Knowledge of the debugger will be a plus, but some training will be provided.

Grades will be based on the factors specific to each project.

Exams

This course will have midterm and final exams. The midterm will be given in class. The final exam will be comprehensive.

Class Participation

Class participation includes participation in lectures. Lectures are augmented by various readings, which are expected to be read prior to class (note: reading the materials twice, once before and once after the lecture, worked for my comprehension). During the lecture, we will discuss the readings, and students are required to participate in discussions during each lecture. Ultimately, the students' ability to exhibit comprehension of the readings is essential to a good grade.

Lateness Policy

You have 4 days of slack from deadlines for homeworks or projects for the semester. There is a 2% bonus (of total course points) if you do not use any of them; this bonus is all or nothing. No further credit is given for late projects, so use these days judiciously.

Course Outline

A rough outline of the class is as follows:

  1. Introduction
  2. Password Security
  3. Software Security
    1. History of Attacks
    2. Vulnerabilities
    3. Attacks on the Stack
    4. Attacks on the Heap
    5. Attacks on System Resources
  4. Network Security
    1. Web and Browser Security
    2. Firewalls
  5. Hardening Software
    1. Fixing Software
    2. Current Defenses
  6. Access Control
    1. Basics
    2. Mandatory Access Control

Academic Integrity Policy

Academic integrity is the pursuit of scholarly activity in an open, honest and responsible manner. Academic integrity is a basic guiding principle for all academic activity at the University of California, and all members of the University community are expected to act in accordance with this principle. Consistent with this expectation, all course activities should be performed in compliance with the University's Academic Integrity Policies & Procedures.

The course projects are to be carried out individually (i.e., within the project team). Students are explicitly not allowed to share information, source code, or even discuss the contents of the projects. Any violation of this policy will be considered cheating and will result in the student receiving an 'F' grade for the project and a full letter grade off the final grade for the course. Students with more than one violation may face stronger penalties per the university policy.

Students are forbidden from copying code, makefiles, or any other material from the Internet (such as publicly available GitHub repos). Plagiarism will be strictly enforced through in-depth reviews of your submissions. Any violation of the letter or spirit of this policy will also be considered cheating and handled as described above. Note that any publication of the assignments (e.g., via GitHub or another system) is considered a violation of the above policy.

Ethics Statement

This course considers topics involving software exploitation techniques. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measures for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities in these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class.

When in doubt, please contact the instructor for advice. Do not undertake any action that could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from Professor Jaeger.