CCOM 4995 Systems and Network Security

Draft Syllabus

Professor

Field Value
Name Humberto Ortiz-Zuazaga
Office NCL A-159
Laboratory NCL A-158
Telephone 787-764-0000 x88363
email humberto.ortiz@upr.edu
Web page http://ccom.uprrp.edu/~humberto/
Office hours Tuesday, Thursday 8:00-9:30 AM
Wednesday 3:00-4:30 PM
or by appointment

Description

In this course, students will learn secure system and network administration techniques. Students will have hands-on system administration experiences with key Internet services, will learn about important security issues related to such services, and will be exposed to techniques and tools to analyze, defend and secure systems and networks.

Pre-requisites

  1. CCOM 4088 - Introduction to Cybersecurity
  2. One of:

    • CCOM 4086 - Computer Architecture
    • CCOM 4017 - Operating Systems
    • CCOM 4205 - Computer Networks

Content

The course will use material developed for MIT's Graduate Computer Systems Security class under a Creative Commons Attribution license. The original course material describes the content as:

Lectures cover threat models, attacks that compromise security, and techniques for achieving security, based on recent research papers. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware security, and security in web applications. Assignments include labs that involve implementing and compromising a secure web server and web application, and a group final project.

Objectives

After successfully completing the course students will be able to:

  1. Analyze a computer system, identifying one or more potential security vulnerabilities.
  2. Exploit common security vulnerabilities.
  3. Understand mitigation techniques implemented in modern computer systems.
  4. Implement changes to a computer system to mitigate security risks.
  5. Assess the risks in a computer system.

Course schedule

Class will meet Monday and Wednesday from 8:30 to 9:50 AM in NCL A-141. In UPR-RP attendance is compulsory.

Tentative course calendar

Date Topic Chapter Lecture Lab
Aug 8 Intro 0x100 Lec 1 text, video
Aug 10 Assembly, GDB 0x250 - 0x253 Lab 1 (part 1, exercise 1)
Aug 15 Stack overflows 0x300 - 0x321 Lec 2 text, video (skip baggy bounds)
Aug 17 Stack exploit 0x480 - 0x482 Lab 1 (part 1, exercise 2)
Aug 22 Shellcode 0x500 - 0x530
Aug 24 Stack hardening 0x6a0 - 0x6c1 Lec 3 text, video (skip baggy bounds) Lab 1 (part 2, exercise 3)
Aug 29 ROP Attacks Introduction to ROP
Aug 31 Privilege separation 0x280 - 0x283 Lec 4 text, video Lab 2 (exercise 1, 2, 3)
Sep 5 Holiday Labor Day
Sep 7 Sandboxing
Sep 12 Web security OWASP slides Lec 8 text, video Lab 2 (exercise 9, 10, 11)
Sep 14 Securing web services Security in Django Lec 9 text, video
Sep 19 Ur/Web Ur/Web paper Lec 11 video Lab 4
Sep 21 Networking 0x430 - 0x475 Lec 12 text, video
??? Kerberos Lec 13 text
Sep 26 HTTPS 0x741 Lec 15 text, video Lab 5
Sep 28 Exam 1
Oct 3 Side channel attacks paper Lec 16 text, video Lab 7 (project)
Oct 5 Passwords 0x760 - 0x764 Lec 17 text, video
Oct 10 Private browsing paper Lec 18 text, video
Oct 12 Holiday Descubrimiento de America
Oct 17 Tor paper Lec 19 videp
Oct 19 Android security paper Lec 20 text, video
Oct 24 TaintDroid paper Lec 21 text, video
Oct 26 Medical devices paper Lec 15 video
Oct 31 Tahoe filesystem paper
Nov 2 Bitcoin paper
Nov 7 Twister paper
Nov 9 IPSEC paper
Nov 14 DNSSEC paper
Nov 16 Secure Multiparty Computation paper
Nov 21 Zero Knowledge Authentication paper
Nov 23 Project presentations
Nov 28 Project presentations
Nov 30 Project presentations
Dec 5 Project presentations

Instructional resources

The course will be hosted on the UPR RP Moodle. Register and stay tuned for our polls and forum postings.

The course will use material developed for MIT's Graduate Computer Systems Security class which has lecture notes, videos, lab assignments and quizzes online, as well as links to reference material.

Textbook

We will mostly use the MIT course materials

We will also use the book. Hacking: the Art of Exploitation, 2nd Edition. Jon Erickson. No Starch Press. 2008.

Software

MIT's Lab 1 provides a virtual machine image you will use for the lab assignments. I have tested the image on VirtualBox (OS X and linux) and kvm (on linux). Other students have had trouble with the gdb command on OS X. MIT recommends running in VMWare player or kvm.

Evaluation

Students work will be evaluated on a 100% basis with the standard curve.

  • Participation in course forums (online, classroom), 5% final grade
  • Homework and quizzes, 25% final grade
  • Two partial exams, 50% final grade
  • Project, 20% final grade

Reasonable accommodations for students

Students with disabilities properly registered with the Office of Affairs for Persons with Disabilities Oficina de Asuntos para la Persona con Impedimento (O.A.P.I.) should notify the professor at the start of the semester. The professor will make reasonable accommodations to support the student, in consultation with OAPI.

Academic integrity

The University of Puerto Rico promotes the highest standards of academic and scientific integrity. Article 6.2 of the UPR Student Bylaws (Certification JS 13 2009–2010) states that “academic dishonesty includes but is not limited to: fraudulent actions, obtaining grades or academic degrees using false or fraudulent simulations, copying totally or partially academic work from another person, plagiarizing totally or partially the work of another person, copying totally or partially responses from another person to examination questions, making another person to take any test, oral or written examination on his/hers behalf, as well as assisting or facilitating any person to incur in the aforementioned conduct”. Fraudulent conduct refers to “behavior with the intent to defraud, including but not limited to, malicious alteration or falsification of grades, records, identification cards or other official documents of the UPR or any other institution.” Any of these actions shall be subject to disciplinary sanctions in accordance with the disciplinary procedure, as stated in the existing UPR Student Bylaws.

DISCLAIMER: The above statement is an English translation, prepared at the Deanship of Academic Affairs of the Medical Sciences Campus, of certain parts of Article 6.2 of the UPR Student Bylaws “Reglamento General de Estudiantes de la Universidad de Puerto Rico”, (Certificación JS 13 2009-2010). It is in no way intended to be a legal substitute for the original document, written in Spanish.