CY 3740 / CY 5770 - Systems Security
Welcome to the landing page for CY 3740 / CY 5770. All
formal communications and course materials will be available on the
private course infrastructure. You'll get access to that after your
first class. In the meantime, here's a quick introduction.
You can reach me at the address you see on your left, but I'm
creating this page so that you don't have to go through the
scarring experience of writing a stiff email to a professor. Everything
you need to know about this course is below. Please pretend that this is
a formal syllabus.
So what's the big deal?
This course will teach you security. All of it.
I realize that's an ambitious goal for a 4-month stint. You won't have
become a leet hacker by the end, but you'll be equipped with all the
fundamentals to go down the security rabbit hole as deep as you wish.
If you pursue a career in security, you must take and
ace this course. If you want to do something else with your life, it's
still a mighty good idea to take it. Security has
become a topic you can't avoid no matter what career path you
choose. You'll thank me when you get your paycheck.
The course has two components: classes and
challenges.
Classes are just so much fun it's beyond belief, I
can't express it with words, you need to come and see for
yourself. Be absolutely sure that you make it. There is no
security book that covers this material; you'll be lost if you don't
attend classes. If you can't be present, do not sign
up, you have been warned. Sporadic absences are okay, I'll try my best
to set up a Zoom session.
Challenges are like homework but way more
spectacular. I give you something to break, you do that, everything gets
graded automatically, you get infinite tries until you succeed, and when
you're done you know you're done. There is no report to write, no paper
to submit, no stressful wait for grades. It's fast and fun. There'll be
a new challenge every week, keeping you on your toes, but they're very
lean so that you don't waste your time with the unfun overhead.
Here comes the important part.
Classes are good fun, but this course is more about
the challenges. You'll do a great deal of learning on
your own. Classes cover the basics, but the first time you see a
challenge you may experience a fleeting WTF? sensation. These
won't be a straightforward application of classroom material, you'll
need to do some research and reading on your own, and then it'll click,
and that'll feel good.
This is designed to give you a real-life security professional
experience. You'll write real exploits and break very realistic
applications. Okay the applications are actually crap but the
vulnerabilities are directly adapted from real-life cases. Many security
professionals start and end their careers without having exploited a
single XSS or stack overflow vulnerability. This is not a knock on them,
but after completing this course, you'll be in a different league. No
exploit plays out like the examples in a textbook. The challenges
capture that well, you need to keep calm and apply your hacker toolset
to the circumstances.
We approach things from an attacker's perspective most of the time. I
won't make you defend anything or write secure code. I'll make you
recognize bad code and bad design. I'll have you constantly break things
in a safe environment, so that you get sick of it by the time we're
done, and you spend the rest of your life making the world more
secure. That last part isn't a joke. Ethical hacking is
a concept you'll hear a whole lot in my class. Thinking like an attacker
is an asset, acting like one is a crime. If you start getting rowdy on
the Internet, I'll call the cops on you.
Expect 10 main challenges. Add another 5, optional, but more
quirky. There's plenty of extra points to score, but it's perfectly fine
if you don't want the extras, an "A" is very doable without them. This
gives you wiggle room to get a top grade even if you miss a few things.
There are 2 exams. Exams are often boring, and therefore I make them
fun, and in the process impose more WTF? moments on
students. To avoid that we might have a few short quizzes in the same
format, so that y'all are prepared for what's coming.
Those bits about challenges and exams sound scary. Is it
scary?
This is an easy no. My job is to make
you succeed, and most of you will succeed. If you get a B, I too get a B
in teaching. We don't want that.
You'll have online and 1:1 support when you get stuck. The course
structure may feel different to your typical CS or engineering
courses. Different doesn't equate to difficult, I bet you'll find
this easier and less time consuming than most other
courses. Grades should never be a problem.
All that with one big caveat. This is a technical,
hands-on course. I expect everyone to be comfortable with using
computers professionally. In our domain that means eating coding tasks
for breakfast with a side of the Linux command line interface. I serve
bite-sized refreshers for everything else like operating systems and
Internet topics and you can learn those as you go, but you must know the
meat and potatoes of computer science before you sign up. A heads up
that students with no technical background or those who are only
interested in security management topics sometimes find the material
hard to digest. Hence, the difficulty goes up significantly, and they
need to invest the eggtra thyme and effort to ketchup. If unsure, come
see the first class. Be assured that the humor is of a higher caliber.
Check out my Fall 2021 and Spring 2022 reviews and see what other people
thought. Take both positive and negative comments with a grain of salt.
Other reviews are on TRACE and Rate My Professors.
Can we get a proper syllabus now?
Topics
- Security principles
- Minimum cryptography every security professional must know (yet they often don't)
- Linux security, virtualization
- Web application security
- Web application security 2.0
- Memory corruption, binary exploitation
- Side-channel attacks
- Algorithmic complexity attacks
- Safety (which is not security!)
- Malware, lightweight reversing
- System architecture design, threat modeling
- The extremely dull stuff companies pay you $$$ for, i.e.,
information security management
Non-Topics
- This is not a cryptography course. That's a different beast. There is
a course for that, look it up.
- We only superficially cover lower network layers. There is a network
security course for that. We focus on the Application Layer.
- This is not a theory course. If you want formal security proofs, this
isn't it. This course covers the hands-on aspects of systems security.
- No Windows topics, which means no Active Directory
security. Otherwise everything we learn applies to all operating
systems.
Requirements
- Interest in security.
- Patience. You'll do independent research.
- The capacity to attend classes.
- Linux. You need to be comfortable in a CLI.
- Programming skills. If you hate programming you'll hate this
course.
- An understanding of computer architecture, networks, and HTTP is
good to have, but we will cover the basics.
Grading
- Challenges, 5% each, 50% total
- Quizzes, 10%
- Midterm exam, 20%
- Final exam, 20%
- Bonus challenges, ?%
I curve grades in mysterious ways.