CY 3740 - Systems Security
Welcome to the landing page for what will eventually become
the CY 3740 Fall 2021 website!
At this time I'm not officially affiliated with Northeastern yet, and
all of my previous email accounts you'll find in various directories are
fubar. You can reach me at the address you see on your left until we
sort things out... but I'm also creating this page so that you
don't have to go through the scarring experience of writing a stiff
email to a professor. Everything you need to know about this course is
below. Please pretend that this is a formal syllabus.
So what's the big deal?
This course will teach you security. All of it.
I realize that's a very ambitious goal for a 4-month stint. You won't
have become a leet hacker by Spring, BUT you'll be equipped with all the
fundamentals and pointers to go down the security rabbit hole as deep as
you need or want to. If you want a career in security, take this
course. If you want to do something else with your life, it's still a
mighty good idea to take it; security has already become a topic you
can't avoid no matter what career path you choose.
The course has two main components: classes and
Classes are just so much fun it's beyond belief, I
can't express it with words, you need to come and see for yourself. We
meet on Tuesdays from 6pm to
9pm. Be absolutely sure that you make it. There is no
security book that covers this material, and I guarantee that you'll be
completely lost if you don't attend classes. If you can't be present, DO
NOT sign up, you've been warned.
Challenges are like homework but way more
spectacular. I give you something to break, you do that, everything gets
graded automatically, you get infinite tries until you succeed, and when
you're done you know you're done. There is no report to write, no paper
to submit. It's fast and fun. There'll be a new challenge every week,
keeping you on your toes, but they're very lean and focused so that you
don't waste your time with the unfun overhead. It'll be quick and
Here comes the important part.
Classes are good fun, but this course is more about
the challenges. You'll do a great deal of learning on
your own. Classes will cover the basics, but the first time you see a
challenge you may experience a fleeting WTF? sensation. These
won't be a straightforward application of what you learned in class that
day, you'll need to do some research and reading on your own, and then
it'll click, and that'll feel really good.
All of this is designed to give you a real-life security professional
experience. You'll write real exploits and break very realistic
applications. Okay the applications are actually crap but the
vulnerabilities are directly adapted from real-life cases. Many security
professionals start and end their careers without having exploited a
single SQL injection or stack overflow vulnerability. This is not a
knock on them, but after completing this course, you'll be in a
different league. No real-life exploit plays out like the simple
examples in a textbook. The challenges capture that well, you need to be
patient, and then figure out how to apply your hacker toolset to the
Also notice that we are approaching things from an attacker's
perspective most of the time. I won't make you defend anything or write
secure code. I'll make you recognize bad code and bad design. I'll have
you constantly break things in a safe environment, so that you get sick
of it by the time we're done, and you spend the rest of your life making
the world more secure. That last part wasn't a
joke, ethical hacking is a concept you'll hear a whole
lot in my class. Thinking like an attacker is an asset, acting like one
is a crime. If you were planning on getting rowdy on the Internet, don't
come to my class. I'll call the cops on you.
Expect 10 main challenges. Add another 5, optional, but more
quirky. There's plenty of extra points to score, but it's perfectly fine
if you don't want the extras, an "A" is very doable without them.
There are 2 exams. Exams are often boring, and therefore I make them
fun, and in the process impose more WTF? moments on
students. To avoid that we might have a few short quizzes in the same
format, so that y'all are prepared for what's coming.
Those last bits about challenges and exams sound scary. Is it scary?
This is an easy no. My job is to make you succeed, and
most of you will succeed. You'll have 24-hour support when you get
stuck. There is always that one guy that tries extra hard to fail; don't
be that guy and you won't have problems. The structure may feel a bit
different to your typical CS or engineering courses. Different doesn't
equate to difficult, I bet you'll find this easier and less time
consuming than most other courses.
reviews for CS 5770 which follows a similar format, see what other
people thought. Of course, take both positive and negative comments with
a grain of salt.
Can we get a proper syllabus now?
CY 3740 and CY 5770 are similar enough that you SHOULD NOT take
both. Pick one. Keep in mind that CY 3740 is the more advanced course
despite being listed as an undergraduate course.
Tuesdays, 6pm-9pm. Bring coffee.
- Fundamental security concepts
- Select cryptography topics every security professional must know
- Linux security, operating systems, virtualization, containerization
- Web application security
- Even more web application security
- Memory corruption, buffer overflows, heap attacks, return-oriented programming
- Malware, lightweight reversing concepts
- System architecture design, and how to review it for security
- Safety (which is different from security!)
- The extremely dull stuff companies pay you $$$ for: policies,
processes, SDLC... i.e., real life
The list of topics is similar to CY 2550 on the surface. This course is
the followup to that, we'll repeat the fundamentals, but then go into a
lot more depth for each topic.
This is not a cryptography course. That's a different beast. There is
a course for that, look it up.
We will only superficially cover lower network layers. There is a
network security course for that. We'll spend most of our time in the
This is not a theory-focused course. If you want formal security
proofs, this isn't it. This is practical, hands-on aspects of systems
- No Windows-specific topics here, which usually means no Active
Directory security. Otherwise everything we learn applies to all
- Interest in security.
- The capacity to attend classes. I don't take attendance, but you
can't do this without hearing me talk.
- Good understanding of computer architecture.
- Low-level programming skillz. You will write C, nothing you can't
learn in a single day, but if you hate programming you'll hate this
- Linux. You need to be comfortable in a CLI.
- Patience. You'll do independent research.
- Computer networks and HTTP knowledge is good to have, but we'll
cover what's necessary.
- Challenges, 5% each, 50% total
- Quizzes, 10%
- Midterm exam, 20%
- Final exam, 20%
- Bonus challenges, ?%
I curve grades in mysterious ways.