Syllabus
University of Puerto Rico
Rio Piedras Campus
College of Natural Sciences
Department of Computer Science
Professor
| Field | Value |
|---|---|
| Name | Humberto Ortiz-Zuazaga |
| Office | NCL A-159 |
| Laboratory | NCL A-158 |
| Telephone | 787-764-0000 x88363 |
| humberto.ortiz@upr.edu | |
| Web page | http://ccom.uprrp.edu/~humberto/ |
| Office hours | Monday, Wednesday 10:00-11:30 AM |
| or by appointment |
Description
In this course, students will learn secure system and network administration techniques. Students will have hands-on system administration experiences with key Internet services, will learn about important security issues related to such services, and will be exposed to techniques and tools to analyze, defend and secure systems and networks.
Credits
- 3 credits, 3 hr./week
Pre-requisites
- CCOM 4088 - Introduction to Cybersecurity
-
One of:
- CCOM 4086 - Computer Architecture
- CCOM 4017 - Operating Systems
- CCOM 4205 - Computer Networks
-
Students from SICI can substitute:
- SICI 4286 - Local Area Networks
- SICI 4025 - Design and Analysis of Systems
Content
The course will use material developed for MIT's Graduate Computer Systems Security class under a Creative Commons Attribution license. The original course material describes the content as:
Lectures cover threat models, attacks that compromise security, and techniques for achieving security, based on recent research papers. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware security, and security in web applications. Assignments include labs that involve implementing and compromising a secure web server and web application, and a group final project.
Objectives
After successfully completing the course students will be able to:
| Course Objective | Program Outcome |
|---|---|
| Analyze a computer system, identifying one or more potential security vulnerabilities | Creative and analytic ability, and capacity for logical reasoning |
| Exploit common security vulnerabilities | Ability to identify, organize, evaluate, and use information |
| Understand mitigation techniques implemented in modern computer systems | Ability to identify and formulate problems in various real-life situations that can be solved by concepts and computational models and to implement them effectively |
| Implement changes to a computer system to mitigate security risks | Ability to identify and formulate problems in various real-life situations that can be solved by concepts and computational models and to implement them effectively |
| Assess the risks in a computer system | Creative and analytic ability, and capacity for logical reasoning |
Course schedule
Class will meet Monday and Wednesday from 8:30 to 9:50 AM in CN 114-A. In UPR-RP attendance is compulsory.
Alternative Teaching Methods
Certification No. 112 (2014-2015) of the Governing Board defines a classroom course as a course in which 75% or more of the hours of instruction require the physical presence of the students and the teacher in the classroom. This means that 25% of a classroom course could be offered without requiring the physical presence of the students and the teacher in the classroom. If necessary, this course will be able to complete up to 25% of the contact hours (11.25 hours) on a non-face-to-face basis by alternative methods such as: videoconferences, instructional modules, discussion forums and others. If so, the calendar/agenda will be modified to include the topics that will be covered by alternative methods.
Tentative course calendar
| Date | Topic | Chapter | Lecture | Lab |
|---|---|---|---|---|
| Aug | Intro | 0x100 | Lec 1 text, video | |
| Assembly, GDB | 0x250 - 0x253 | Lab 1 (part 1, exercise 1) | ||
| Stack overflows | 0x300 - 0x321 | Lec 2 text, video (skip baggy bounds) | ||
| Sep | Stack exploit | 0x480 - 0x482 | Lab 1 (part 1, exercise 2) | |
| Shellcode | 0x500 - 0x530 | |||
| Stack hardening | 0x6a0 - 0x6c1 | Lec 3 text, video (skip baggy bounds) | Lab 1 (part 2, exercise 3) | |
| ROP Attacks | Introduction to ROP | |||
| Oct | Privilege separation | 0x280 - 0x283 | Lec 4 text, video | Lab 2 (exercise 1, 2, 3) |
| Web security | OWASP 2017 slides | Lec 8 text, video | Lab 2 (exercise 9, 10, 11) | |
| Securing web services | Security in Django | Lec 9 text, video | ||
| Ur/Web | Ur/Web paper | Lec 11 video | Lab 4 | |
| Nov | Networking | 0x430 - 0x475 | Lec 12 text, video | |
| RSA | Small RSA | |||
| RSA | Big RSA | |||
| HTTPS | 0x741 | Lec 15 text, video | Final Project | |
| Dec | Tor | paper | Lec 19 video | |
| Tahoe filesystem | paper | |||
| Bitcoin | paper | |||
| Scuttlebutt | paper |
Instructional resources
The course will be hosted on the UPR RP Moodle. Register and stay tuned for our polls and forum postings.
The course will use material developed for MIT's Graduate Computer Systems Security class which has lecture notes, videos, lab assignments and quizzes online, as well as links to reference material.
Textbook
We will mostly use the MIT course materials
We will also use the book. Hacking: the Art of Exploitation, 2nd Edition. Jon Erickson. No Starch Press. 2008. ISBN-13: 978-1-59327-144-2
Software
MIT's Lab 1
provides a
virtual machine image
you will use for the lab assignments. I have tested the image on
VirtualBox (OS X and linux) and kvm (on linux). Other students have
had trouble with the gdb command on OS X. MIT recommends running in
VMWare player or kvm.
Course policies
Be excellent to each other.
Evaluation
Students work will be evaluated on a 100% basis with the standard curve.
- Participation in course forums (online, classroom), 25% final grade
- Homework and quizzes, 50% final grade
- Project, 25% final grade
Reasonable accommodations for students
Students with disabilities properly registered with the Office of Affairs for Persons with Disabilities Oficina de Asuntos para la Persona con Impedimento (O.A.P.I.) should notify the professor at the start of the semester. The professor will make reasonable accommodations to support the student, in consultation with OAPI.
Academic integrity
The University of Puerto Rico promotes the highest standards of academic and scientific integrity. Article 6.2 of the UPR Student Bylaws (Certification JS 13 2009–2010) states that “academic dishonesty includes but is not limited to: fraudulent actions, obtaining grades or academic degrees using false or fraudulent simulations, copying totally or partially academic work from another person, plagiarizing totally or partially the work of another person, copying totally or partially responses from another person to examination questions, making another person to take any test, oral or written examination on his/hers behalf, as well as assisting or facilitating any person to incur in the aforementioned conduct”. Fraudulent conduct refers to “behavior with the intent to defraud, including but not limited to, malicious alteration or falsification of grades, records, identification cards or other official documents of the UPR or any other institution.” Any of these actions shall be subject to disciplinary sanctions in accordance with the disciplinary procedure, as stated in the existing UPR Student Bylaws.
DISCLAIMER: The above statement is an English translation, prepared at the Deanship of Academic Affairs of the Medical Sciences Campus, of certain parts of Article 6.2 of the UPR Student Bylaws “Reglamento General de Estudiantes de la Universidad de Puerto Rico”, (Certificación JS 13 2009-2010). It is in no way intended to be a legal substitute for the original document, written in Spanish.
References
-
Computer Systems: A Programmer's Perspective, 3rd Edition. Randal E. Bryant and David R. O'Hallaron, Pearson. 2016. ISBN-13: 978-0134092669
-
Secrets & Lies: Digital Security in a Networked World. Bruce Schneier, John Wiley & Sons . 2000. ISBN 978-0-471-45380-2
-
Computer Systems Security. MIT. 2015. Available at http://css.csail.mit.edu/6.858/2015/general.html
-
Mary Micco and Hart Rossman. 2002. Building a cyberwar lab: lessons learned: teaching cybersecurity principles to undergraduates. SIGCSE Bull. 34, 1 (February 2002), 23-27. DOI=https://dx.doi.org/10.1145/563517.563349
-
Cheung, Ronald S., et al. "Challenge based learning in cybersecurity education."; Proceedings of the 2011 International Conference on Security & Management. Vol. 1. 2011.
-
Nance, K., Hay, B., Dodge, R., Seazzu, A., & Burd, S. (2009). Virtual laboratory environments: Methodologies for educating cybersecurity researchers. Methodological Innovations Online, 4(3), 3-14. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.452.3587&rep=rep1&type=pdf
-
Alex Reese. Introduction to Return Oriented Programming, 2013. Available online at http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html