And CCOM6995-004 Topics in CCOM: systems and network security
Syllabus
University of Puerto Rico
Rio Piedras Campus
College of Natural Sciences
Department of Computer Science
Spring 2026
Professor
| Field | Value |
|---|---|
| Name | Humberto Ortiz-Zuazaga |
| Office | NCL A-159 |
| Laboratory | NCL A-158 |
| Telephone | 787-764-0000 x88363 |
| Email | humberto.ortiz@upr.edu |
| Web page | http://ccom.uprrp.edu/~humberto/ |
| Office hours | Monday and Wednesday 3:00 - 4:00 PM, or by appointment |
Description
In this course, students will learn secure system and network administration techniques. Students will have hands-on system administration experiences with key Internet services, will learn about important security issues related to such services, and will be exposed to techniques and tools to analyze, defend and secure systems and networks.
Credits
- 3 credits, 3 hr./week
Pre-requisites
- CCOM 4088 - Introduction to Cybersecurity
- One of:
  - CCOM 4086 - Computer Architecture
  - CCOM 4017 - Operating Systems
  - CCOM 4205 - Computer Networks
- Students from SICI can substitute:
  - SICI 4286 - Local Area Networks
  - SICI 4025 - Design and Analysis of Systems
Content
The course will use material developed for MIT's Graduate Computer Systems Security class under a Creative Commons Attribution license. The original course material describes the content as:
Lectures cover threat models, attacks that compromise security, and techniques for achieving security, based on recent research papers. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware security, and security in web applications. Assignments include labs that involve implementing and compromising a secure web server and web application, and a group final project.
Objectives
After successfully completing the course students will be able to:
| Course Objective | Program Outcome |
|---|---|
| Analyze a computer system, identifying one or more potential security vulnerabilities | Creative and analytic ability, and capacity for logical reasoning |
| Exploit common security vulnerabilities | Ability to identify, organize, evaluate, and use information |
| Understand mitigation techniques implemented in modern computer systems | Ability to identify and formulate problems in various real-life situations that can be solved by concepts and computational models and to implement them effectively |
| Implement changes to a computer system to mitigate security risks | Apply principles and practices for secure computing |
| Assess the risks in a computer system | Creative and analytic ability, and capacity for logical reasoning |
Course schedule
Class will meet Mondays and Wednesdays from 4:00 to 5:20 PM in CN 114-B. Attendance is highly recommended.
Tentative course calendar
| Date | Topic | Reading | Lab |
|---|---|---|---|
| Jan | Intro | | |
| | OWASP | OWASP Top 10: 2025 | |
| | GDB | GDB Manual | Lab 1 |
| | Stack smashing | Smashing the stack in the 21st century | |
| | HTTP | How the web works: HTTP and CGI explained | |
| Feb | Stack Hardening | | |
| | Defeating stack hardening | ROP tutorial | |
| | Privilege separation | Preventing Privilege Escalation | Lab 2 |
| | Web security | Web security reading | |
| Mar | Network security | IP Spoofing: an introduction | BGP Highjacking |
| | RSA | Small RSA | |
| | RSA | Big RSA | |
Instructional resources
The course will be hosted on the UPR RP Moodle. Register and stay tuned for our polls and forum postings.
The course will use material developed for MIT's Graduate Computer Systems Security class, which has lecture notes, videos, lab assignments and quizzes online, as well as links to reference material.
Textbook
We will mostly use the MIT course materials.
Software
MIT's Lab 1 provides a virtual machine image you will use for the lab assignments. I have tested the image on VirtualBox (OS X and Linux) and KVM (on Linux). If you are on a new (M1, M2 ...) Mac, you will probably need to run a Linux virtual machine in the cloud. I have prepared instructions for getting lab1 to work on an Ubuntu 22.04 image on an x86_64 machine.
Course policies
Be excellent to each other.
Evaluation
Students' work will be evaluated on a 100% basis with the standard curve.
- Participation in course forums (online, classroom), 25% final grade
- Homework and quizzes, 50% final grade
- Project, 25% final grade
Policies
Attendance
Certification 111, 2023-2024 of the Academic Senate: Establishes the Attendance Policy for undergraduate students. It requires the professor to record all absences and report this information to the Registrar along with the grades, regardless of the course modality.
Athletics
Law 220: Law on academic agreements for university athletes: Guarantees academic agreements for accredited student athletes, allowing them to request reasonable adjustments to their academic load during periods of training or competition endorsed by the LAI.
Contingency plan
In case circumstances beyond our control impede the ability to hold in-person classes, the professor will communicate to the students alternative methods for completing the work.
Alternative Teaching Methods
Certification No. 112 (2014-2015) of the Governing Board defines a classroom course as a course in which 75% or more of the hours of instruction require the physical presence of the students and the teacher in the classroom. This means that 25% of a classroom course could be offered without requiring the physical presence of the students and the teacher in the classroom. If necessary, this course will be able to complete up to 25% of the contact hours (11.25 hours) on a non-face-to-face basis by alternative methods such as: videoconferences, instructional modules, discussion forums and others. If so, the calendar/agenda will be modified to include the topics that will be covered by alternative methods.
Reasonable accommodations for students
The University of Puerto Rico (UPR) complies with all federal and state laws and regulations regarding discrimination, including the Americans with Disabilities Act (ADA) and the Commonwealth of Puerto Rico Law 51. Students who have a disability or condition that may impair their ability to complete assignments or otherwise satisfy course criteria are encouraged to meet with the professor to identify, discuss and document any feasible instructional modifications or accommodations. The student should notify the instructor of such disability or condition as soon as it is known to the student. The student may also contact the Dean of Student Affairs for information and auxiliary aid.
Students with disabilities properly registered with the Oficina de Servicios a Estudiantes con Impedimentos should notify the professor at the start of the semester. The professor will make reasonable accommodations to support the student, in consultation with OSEI.
Academic integrity
The University of Puerto Rico promotes the highest standards of academic and scientific integrity. Article 6.2 of the UPR Students General Bylaws (Board of Trustees Certification 13, 2009-2010) states that academic dishonesty includes, but is not limited to: fraudulent actions; obtaining grades or academic degrees by false or fraudulent simulations; copying the whole or part of the academic work of another person; plagiarizing totally or partially the work of another person; copying all or part of another person's answers to the questions of an oral or written exam by taking or getting someone else to take the exam on his/her behalf; as well as enabling and facilitating another person to perform the aforementioned. Any of these behaviors will be subject to disciplinary action in accordance with the disciplinary procedure laid down in the UPR Students General Bylaws.
Discrimination
The University of Puerto Rico prohibits discrimination based on sex, sexual orientation, and gender identity in any of its forms, including that of sexual harassment. According to the Institutional Policy Against Sexual Harassment at the University of Puerto Rico, Certification Num. 107, 2021-2022 from the Board of Governors, any student subjected to acts constituting sexual harassment must turn to the Office of the Student Ombudsperson, the Office of the Dean of Students, and/or the Coordinator of the Office of Compliance with Title IX for an orientation and/or a formal complaint.
Certification 107 (2021–2022) of the Governing Board
Institutional policy for addressing situations of discrimination based on sex or gender. Includes provisions on sexual harassment, sexual violence, domestic violence, dating violence, and stalking. Replaces Certification 130 (2014–2015) of the Governing Board.
POLICY AND PROCEDURE FOR HANDLING SITUATIONS OF DISCRIMINATION BASED ON SEX OR GENDER AT THE UNIVERSITY OF PUERTO RICO
The Policy and Procedures for Handling Situations of Discrimination Based on Sex or Gender at the University of Puerto Rico, Certification 107 (2021-2022) of the Governing Board, ensures that the University of Puerto Rico, as an institution of higher education and a workplace, protects the rights of and offers a safe environment to all persons who interact in it, whether students, employees, contractors, or visitors. Its purpose is to promote an environment of respect for diversity and for the rights of the members of the university community, and it establishes a protocol for handling situations related to the following prohibited conduct: discrimination based on sex, gender, or pregnancy, sexual harassment, sexual violence, domestic violence, dating violence, and stalking, in the work and study environment.
Certification 125 (2023–2024) of the Governing Board
Establishes the institutional policies for the creation and codification of courses, and includes the syllabus requirements on reasonable accommodation, academic integrity, diversity, equity and inclusion, and the contingency plan for class interruptions. It also provides that, in an emergency, the professor must communicate by institutional email or other means and maintain the course modality as scheduled. As established in Certification No. 125 JG (2023–2024), Annex 2: Components of a Course Syllabus: "In the event of an emergency or interruption of classes, the professor will communicate with the students via institutional email or other available means to coordinate the continuity of the offering. The contingency plan must preserve the modality in which the course was created and scheduled in the academic offering."
Circular 8 (2024-2025) of the DAA
Requires that the syllabus indicate the permitted level of use of artificial intelligence tools, in accordance with the institutional guidelines for their ethical integration into academic and research activities.
The use of artificial intelligence tools to complete any work for the course is not permitted.
References
- Computer Systems: A Programmer's Perspective, 3rd Edition. Randal E. Bryant and David R. O'Hallaron, Pearson. 2016. ISBN-13: 978-0134092669
- Secrets & Lies: Digital Security in a Networked World. Bruce Schneier, John Wiley & Sons. 2000. ISBN 978-0-471-45380-2
- Computer Systems Security. MIT. 2026. Available at http://css.csail.mit.edu/6.566/2026/general.html
- Mary Micco and Hart Rossman. 2002. Building a cyberwar lab: lessons learned: teaching cybersecurity principles to undergraduates. SIGCSE Bull. 34, 1 (February 2002), 23-27. DOI=https://dx.doi.org/10.1145/563517.563349
- Cheung, Ronald S., et al. "Challenge based learning in cybersecurity education." Proceedings of the 2011 International Conference on Security & Management. Vol. 1. 2011.
- Nance, K., Hay, B., Dodge, R., Seazzu, A., & Burd, S. (2009). Virtual laboratory environments: Methodologies for educating cybersecurity researchers. Methodological Innovations Online, 4(3), 3-14. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.452.3587&rep=rep1&type=pdf
- Alex Reese. Introduction to Return Oriented Programming, 2013. Available online at http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html