Kaan Onarlioglu

CY 3740 / CY 5770 - Systems Security

Welcome to the landing page for CY 3740 / CY 5770. All formal communications and course materials will be available on the private course infrastructure. You'll get access to that after your first lecture. In the meantime, here's a quick introduction.

You can reach me at the address you see on your left, but I'm creating this page so that you don't have to go through the scarring experience of writing a stiff email to a professor. Everything you need to know about this course is below. Please pretend that this is a formal syllabus.

So what's the big deal?

This course will teach you systems security. All of it.

I realize that's an ambitious goal for a 4-month stint. You won't have become a leet hacker by the end, but you'll be equipped with all the fundamentals to go down the security rabbit hole as deep as you wish. If you pursue a career in security, you must take and ace this course. If you want to be a generalist software engineer, you must, too. If you want to do something else with your life, it's still a mighty good idea to take it. Security is a cross-cutting concern that you can't avoid no matter what career path you choose.

The course has two components: lectures and challenges.

Lectures are just so much fun it's beyond belief, I can't express it with words, you need to come and see for yourself. Be absolutely sure that you make it. There is no structured resource that covers this material with proper scientific scrutiny; you can't wing it on your own. If you can't be present, don't sign up. You have been warned.

Challenges are like homework but way more spectacular. I give you something to break, you do that, everything gets graded automatically, you get infinite tries until you succeed, and when you're done you know you're done. If you do CTFs, you know the drill. There is no report to write, no paper to submit, no stressful wait for grades. It's fast and fun. There'll be a new challenge every week, keeping you on your toes, but they're very lean so that you don't waste your time with the unfun overhead.

Here comes the important part.

Lectures are critical, but merely showing up and listening to me ramble on about security won't get you far. Challenges require a significant investment on your part. The first time you see a challenge, you may experience a fleeting WTF? sensation. It won't be a mindless application of the lecture. You'll need to research and practice the subject matter on your own, maybe learn tools I've never shown you.

This is designed to give you a real-life security professional experience. You'll do real analysis, write real exploits, and break very realistic applications. Okay, the applications are crap, but the vulnerabilities are directly adapted from real-life cases. No toy examples here. Many security professionals start and end their careers without having exploited a single memory corruption vulnerability. This isn't a knock on them, but after completing this course, you'll be in a different league. No exploit plays out like the examples in a textbook. The challenges capture that well, you need to keep calm and apply your hacker toolset to the circumstances.

We approach things from an attacker's perspective most of the time—this isn't necessarily the way to think about security, but this is often the component missing in a typical CS curriculum. I'll make you recognize bad code and bad design. I'll have you constantly break things in a safe environment, so that you get sick of it by the time we're done, and spend the rest of your life making the world secure. That last part wasn't a joke. Ethical hacking is a concept you'll hear a whole lot in my class. Thinking like an attacker is an asset, acting like one is a crime. If you start getting rowdy on the Internet, I won't hesitate to call the cops on you.

That said, this is not a penetration testing or offensive security course. Everything is a means to teach how to design and implement systems securely. You'll learn ethical hacking in the process; consider that a bonus.

Expect 10 main challenges. Add another 5-10, optional, but more quirky. There's plenty of extra points to score, but it's perfectly fine if you don't want the extras, an "A" is very doable without them. Bonuses give you wiggle room to get a top grade even if you miss a few things.

There are 2 exams. Exams are often boring, and therefore I make them fun, and in the process impose more WTF? moments on students. To avoid that we might have a few short quizzes in the same format, so that y'all are prepared for what's coming.

That bit about challenges and exams sounds scary. Is it scary?

This is an easy no. My job is to make you succeed, and most of you will succeed. If you get a B, I too get a B in teaching. We don't want that.

You'll have 1:1 support when you get stuck. The course structure may feel different to your typical CS courses. Different doesn't mean difficult, I bet you'll find this less time consuming than many other courses.

All that with one big caveat. This is a technical, hands-on course. I expect everyone to be comfortable with using computers professionally. In our domain that means eating coding tasks for breakfast with a side of the Linux command line interface. I serve bite-size refreshers for everything else like operating systems and web topics, you can learn those as you go, but you must know the meat and potatoes of computer science before you sign up. A heads up that students with no technical background or those who are only interested in security management topics sometimes find the material hard to digest. Hence, the difficulty goes up significantly, and they need to invest the eggstra thyme and effort to ketchup. If unsure, come see the first lecture. Rest assured that the humor will be of a higher caliber.

Check out my TRACE course reviews and Rate My Professors page. See what other people thought. Take both positive and negative comments with a grain of salt.

There has been a dramatic increase in enrollment since I started teaching this course, and sadly, a startling decline in student engagement and performance to go with it. I have sufficient data points (and Discord intelligence) to conclude that this is correlated with swaths of students brushing aside the course requirements, and then knowingly ignoring my intro lecture warnings, hoping that a professor with a good TRACE record will carry them to an easy A.

I offer you stronger language lest there be any confusion: If you aren't a Linux user and aren't willing to become one fast, or if you don't trust yourself to rapidly write 100 lines in <a language you don't know> to do basic file and socket I/O, you'll have a miserable time.

Striving to accommodate everyone while struggling to offer a fun experience for the upper percentiles, I and my teaching minions have gradually increased our support levels to an unreasonable load, and simultaneously lowered the bar for success. Now that the bar is on the floor, I am forced to recalibrate.

Expect strict enforcement of the prerequisites and a less forgiving experience. That involves replacing the open challenge structure with traditional deadlines, undoing the unrealistic simplifications to the material, eliminating partial grades, and an increased focus on binary hacking. This should have no negative impact on students already equipped with the clearly listed skill requirements. It'll hopefully help the rest make better informed decisions.

This is still a self-contained security course. I assume no security background whatsoever.

Okay, but is the course hard?

I find it bordering on trivial personally. I can solve every challenge within minutes and get a perfect score on every exam without even studying.

If you don't like that answer, take a moment to reflect on the futility of the question.

Can I take the course remotely?

No.

I try my best to accommodate sporadic absence by setting up live Zoom sessions and recording them. I don't take attendance, and frankly I don't mind if you choose not to show up on any given day. Skip a lecture when you need to, don't waste a wellness day on me, don't ask for permission.

That being said, all accommodations are delivered on a best effort basis. IT wrecks NUWave again? Your cat takes over the laptop? I forget to hit unmute on Zoom? Tough luck. The onus is on you to find a way to catch up.

Even when everything goes according to plan, consider Zoom sessions degraded-mode lectures. This is officially an on-campus course, and we are not guaranteed a room with remote teaching capabilities. Even when we have tech, it rarely works. You'll miss out on my board doodles, you won't hear classroom discussion, and I won't answer questions over Zoom. You'll entirely miss out on the 1:1 help sessions after lectures.

Finally, you must absolutely be present for exams. I only do vintage paper exams, this isn't negotiable except under existential-caliber circumstances.

If you ask me whether I do remote, the official answer is NO. I take zero responsibility should you ignore that and bomb. Read the above again and make your own decision.

I'm already a 1337 hacker. What now?

Technical as it may be, this is still a course that assumes no hands-on security experience. If you're already pwning famous CTFs left, right, and center, you may find the material too elementary. Yes, we'll have interesting challenges, but we'll definitely start at the basic web injection tricks and buffer overflows without stack protections. So, if you expect multi-stage memory exploits and VM escapes, you're probably not the target audience. Sorry, but that's not what the course was designed for.

If this is an elective course for your program, consider taking something else.

Otherwise, if it's mandatory, enjoy an easy time and take the opportunity to pick up a new hobby.

Here's an obligatory reminder that self-assessments are scientifically shown to be biased towards overconfidence. I have students every term that self-report as being experts, but then struggle (in a good way). Also, another reminder that offensive security, penetration testing, bug bounty hunting... don't equal systems security. You may be surprised at how much security theory helps augment your hacking skills.

I'm in the CS program. Not CY. Should I take this?

Especially you should take this.

Security is computer science. Everything else is marketing.

I hate my life. How can I prep for the course instead of enjoying the break?

Learn Linux.

Install a sophisticated distro, learn to set it up, live in it for a few weeks, get things done in the terminal. Couldn't go wrong with Arch Linux and a tiling window manager of your choice; no desktop environment. Supplement with a Linux administration book. All of this is stuff I'll NOT teach you, but I'll expect you to know.

Sign me up... but I need an approval/a pre-requisite waiver. Can I get one? Should I?

I don't know. Hopefully you do.

I have no data points to verify whether your background qualifies you for a waiver. This is on you. Read this page, run your self-evaluation routine, make your own decision, take responsibility for your decision.

If you decide that you can handle it, follow the process, do the paperwork, apply for a waiver... Don't ask me for permission, don't notify me. Fight it out with your advisor if you must. I don't want to be in the loop. In your waiver justification, simply leave a note stating you've read this page, and you know what you're doing. I see a request, I approve it.

Can we get a proper syllabus now?

Potential Topics

I curate topics based on the scientifically proven methodology of blending my whimsies with the vagaries of the security scene.

• Security principles
• Security architecture
• Minimum cryptography every security professional must know (yet they often don't)
• Linux security
• Web application security: The Classics
• Web application security Mk II: À La Mode
• Memory corruption
• Algorithmic complexity
• Side-channels
• Safety (which isn't security!)
• Reverse engineering
• Contemporary malware
• The extremely dull stuff companies pay you $$$ for, i.e., information security management
• Threat modeling (the way it's actually done in a serious technology house)
• Systems security research, aka "Usenix Security vs. Black Hat"

Non-Topics

• This isn't a cryptography course. That's 4770, and it's a must if you want to do security.
• On the web front, we focus on systems-centric HTTP issues. No lower network layers or Internet security protocols. That's 4740, and you should take it sometime.
• No formal security proofs. This is hands-on aspects of systems security. Still with plenty of abstractions and theory, but not the kind that involves math and formalisms.
• No Windows configuration topics, no Active Directory penetration testing material. No penetration testing in general.
• No blockchains. Definitely no cryptocurrencies or NFTs. "Crypto" means "cryptography." People who say otherwise can't be trusted.

Requirements

• Linux skills. You need to be comfortable in a terminal.
• Programming skills. If you hate programming, you'll hate this course.
• Interest in security. Challenges require patience, self-discipline, and the drive to keep pushing forward into uncharted territory out of sheer curiosity and enjoyment. Here's a snapshot of what happens otherwise.
• An understanding of computer architecture, networks, and HTTP is great to have, but we'll cover the essentials. You must fill in the blanks on your own.

Grading

• Challenges, 60%
• Quizzes, 10%
• Midterm exam, 15%
• Final exam, 15%
• Bonus challenges, ?%

I curve grades harder than Shou curves lasers.

Testimonials

Can I TA this class?

I'm glad you ask the question after reading this page. I encourage you to apply. See the FAQ for the process.