CY 3740 / CY 5770 - Systems Security
Welcome to the landing page for CY 3740 / CY 5770 Spring
2022. All formal communications and course materials will be
available on the private course infrastructure. You'll get access to
that after your first class. In the meantime, here's a quick
You can always reach me at the address you see on your left, but I'm
also creating this page so that you don't have to go through
the scarring experience of writing a stiff email to a
professor. Everything you need to know about this course is
below. Please pretend that this is a formal syllabus.
So what's the big deal?
This course will teach you security. All of it.
I realize that's a very ambitious goal for a 4-month stint. You won't
have become a leet hacker by the end, BUT you'll be equipped with all
the fundamentals to go down the security rabbit hole as deep as you need
or want to. If you want a career in security, take this course. If you
want to do something else with your life, it's still a mighty
good idea to take it; security has already become a topic you
can't avoid no matter what career path you choose. You'll thank me when
you get your paycheck.
The course has two main components: classes and
Classes are just so much fun it's beyond belief, I
can't express it with words, you need to come and see for yourself. We
meet on Thursdays from 6pm to
9pm. Be absolutely sure that you make it. There is no
security book that covers this material, and I guarantee that you'll be
lost if you don't attend classes. If you can't be present, DO NOT sign
up, you've been warned.
Challenges are like homework but way more
spectacular. I give you something to break, you do that, everything gets
graded automatically, you get infinite tries until you succeed, and when
you're done you know you're done. There is no report to write, no paper
to submit, no stressful wait for grades. It's fast and fun. There'll be
a new challenge every week, keeping you on your toes, but they're very
lean and focused so that you don't waste your time with the unfun
Here comes the important part.
Classes are good fun, but this course is more about
the challenges. You'll do a great deal of learning on
your own. Classes will cover the basics, but the first time you see a
challenge you may experience a fleeting WTF? sensation. These
won't be a straightforward application of classroom material; you'll
need to do some research and reading on your own, and then it'll click,
and that'll feel really good.
All of this is designed to give you a real-life security professional
experience. You'll write real exploits and break very realistic
applications. Okay, the applications are actually crap, but the
vulnerabilities are directly adapted from real-life cases. Many security
professionals start and end their careers without having exploited a
single XSS or stack overflow vulnerability. This is not a knock on them,
but after completing this course, you'll be in a different league. No
exploit plays out like the examples in a textbook. The challenges
capture that well; you need to keep calm and apply your hacker toolset
to the circumstances.
Notice that we are approaching things from an attacker's perspective
most of the time. I won't make you defend anything or write secure
code. I'll make you recognize bad code and bad design. I'll have you
constantly break things in a safe environment, so that you get sick of
it by the time we're done, and you spend the rest of your life making
the world more secure. That last part isn't a
joke; ethical hacking is a concept you'll hear about a whole
lot in my class. Thinking like an attacker is an asset, acting like one
is a crime. If you are planning on getting rowdy on the Internet, don't
come to my class. I'll call the cops on you.
Expect 10 main challenges. Add another 5, optional, but more
quirky. There are plenty of extra points to score, but it's perfectly fine
if you don't want the extras, an "A" is very doable without them. This
gives you a lot of room to get a top grade even if you miss a few
There are 2 exams. Exams are often boring, and therefore I make them
fun, and in the process impose more WTF? moments on
students. To avoid that, we might have a few short quizzes in the same
format, so that y'all are prepared for what's coming.
Those bits about challenges and exams sound scary. Is it
This is an easy no. My job is to make
you succeed, and most of you will succeed. If you get a B, I too get a B
in teaching. We don't want that.
You'll have support when you get stuck. The course structure may feel a
bit different to your typical CS or engineering courses. Different
doesn't equate to difficult, I bet you'll find this easier and
less time consuming than most other courses. Grades should
never be a problem.
2021 reviews and see what other people thought. Take both positive
and negative comments with a grain of salt. Previous reviews are on
Can we get a proper syllabus now?
Thursdays, 6pm-9pm. Bring coffee.
- Security principles
- Minimum cryptography every security professional must know (yet they often don't)
- Linux security, operating systems, virtualization, containerization
- Web application security
- Web application security 2.0
- Memory corruption, attacks on binaries
- Malware, lightweight reversing
- Side-channel attacks
- Algorithmic complexity attacks
- System architecture design, threat modeling
- Safety (which is not security!)
- The extremely dull stuff companies pay you $$$ for, i.e.,
information security management
- This is not a cryptography course. That's a different beast. There is
a course for that, look it up.
- We will only superficially cover lower network layers. There is a
network security course for that. We'll spend most of our time in the
- This is not a theory course. If you want formal security proofs, this
isn't it. This is about the practical, hands-on aspects of systems security.
- No Windows-specific topics here, which usually means no Active
Directory security. Otherwise everything we learn applies to all
- Interest in security.
- Patience. You'll do independent research.
- The capacity to attend classes.
- Linux. You need to be comfortable in a CLI.
- Programming skills. You'll write some C, nothing you can't learn in
a single day, but if you hate programming you'll hate this
- Decent understanding of computer architecture.
- Computer networks and HTTP knowledge is good to have, but we'll
cover what's necessary.
- Challenges, 5% each, 50% total
- Quizzes, 10%
- Midterm exam, 20%
- Final exam, 20%
- Bonus challenges, ?%
I curve grades in mysterious ways.