Winter 2019 CS 458/658 (Computer Security and Privacy) Syllabus

Instructors Cecylia Bocovich Yaser Baseri
Office Phone x31337
Office Location DC 3333 DC 3331
Office Hours Tuesdays 11:00 am–12:00 pm
or by appointment
TBD
or by appointment
Email cbocovic@uwaterloo.ca yaser.baseri@uwaterloo.ca

Lectures:

This syllabus is a guideline for the course and not a contract. As such, its terms may be altered when doing so is, in the opinion of the instructor, in the best interests of the class.

Required Text

Charles P. Pfleeger, Shari Lawrence Pfleeger, and Jonathan Margulies, Security in Computing, 5th edition, Prentice-Hall, 2015, ISBN 0-13-408504-3 http://www.informit.com/store/security-in-computing-9780134085043

The course textbook is also available in an online edition; a limited number of people from uWaterloo can be using the online edition at one time. If you are off-campus, you can use the library's proxy service to access the book's proxied URL.

Other Resources

Overview

This course provides an introduction to security and privacy issues in various aspects of computing, including programs, operating systems, networks, databases, and Internet applications. It examines causes of security and privacy breaches, and gives methods to help prevent them.

Students completing this course should be better able to produce programs that can defend against active attacks, and not just against random bugs.

Intended audience

Third or fourth year CS students (CS 458), or first year CS graduate students (CS 658)

Prerequisites

CS 350 (Operating Systems). Familiarity with C.

Outline

Introduction to Computer Security and Privacy (1.5 hours)
The meaning of computer security; comparing security with privacy; types of threats and attacks; methods of defense
Program Security (6 hours)
Secure programs; nonmalicious program errors; malicious code; controls against program threats
Operating System Security (6 hours)
Methods of protection; access control; user authentication
Network Security (4.5 hours)
Network threats; firewalls, intrusion detection systems
Internet Application Security and Privacy (9 hours)
Basics of cryptography; security and privacy for Internet applications (email, instant messaging, web browsing); privacy-enhancing technologies
Database Security and Privacy (4.5 hours)
Security and privacy requirements; reliability, integrity, and privacy; inference; data mining; k-anonymity
Non-technical Aspects (4.5 hours)
Administration of security systems; policies; physical security; economics of security; legal and ethical issues

It is expected that you will have read the appropriate sections of the textbook (as noted in the Modules section of LEARN) before class. Additional readings may be assigned as well, and will appear on the lecture slides page; those readings marked as mandatory contain required material for the course; those marked before class must be read before the date of the corresponding lecture.

Grading Policy

There are two options for grading schemes for students enrolled in CS458. One is a project based option and the other is an exam based option. Note that while marks calculated with the project based option do not depend on exam marks, all students must pass the weighted average of both exams to pass the course. Grades will be calculated as follows:

Project Option Exam Option CS658 (grad students)
midterm exam 0% 15% 10%
final exam 0% 30% 20%
assignments 3 * 15% = 45% 3 * 15% = 45% 3 * 10% = 30%
blog task 5% 5% 5%
self-tests 5% 5% 5%
project 45% 0% 30%

Note that even though the exams do not affect the final marks for the project based option, all students still need to pass the exams. For all students, regardless of grading option, If the weighted average of your exam marks is below 50%, you cannot pass the course.

Midterm exam time/location: Thu, Feb 7, 2018, 7:00 pm, STC 0010/0020. There is no alternate midterm.

The midterm and final are closed-book exams. The midterm covers all material presented up to that point in the course. The final exam covers material from the whole term, with emphasis on the second half of the course. Midterms will be returned in class.

Assignments are to be submitted electronically with the "submit" command, and are due at 4:00 pm Eastern Time on their respective due dates. Assignments submitted by other means will not be accepted. Students should make sure early on that the "submit" command works for them. Students should check whether their submitted files correspond to the ones that they intend to submit using the "-print" option of the "submit" command. We may run submissions through MOSS to detect code similarity.

Late submissions for assignments (not including the blog task and the self-tests) will be accepted only up to 48 hours after the original due date. There is no penalty for accepted late submissions, and multiple assignments can be submitted late, including the last one. Course personnel will not give assistance for assignments after their original due dates. Assignments to be submitted on paper are to be handed in at the beginning of the class period on their due date. Late submissions for such assignments will be accepted only up to the beginning of the following class period. Due dates will be posted well in advance on the LEARN course site. Assignment comments and marks will be returned using an online system. -(if electronic)-You must notify your instructors well before the due date of any severe, long-lasting problems that prevent you from completing an assignment on time. The 48 hours grace period does not apply to the due dates for the self-tests, blog task sign-up, and CS 658 proposal and research survey paper; no lates will be accepted for those course components.

Self-tests are meant to help you keep up with the material, and gauge your grasp of it (at a basic level) on an ongoing basis. The availability and deadline information will be posted on LEARN. You can attempt each self-test as often as you like during its availability period; your last grade on each self-test will be the one recorded (although course personnel can see every attempt). No late self-tests will be accepted, nor can they be made up, for any reason, including being late to join the class. Students who join the class on or after the due date of the first self-test will instead be excused from that particular self-test.

It is your responsibility to keep up with all course-related information posted to LEARN.

Reappraisal Policy

If you have an assignment that you would like to have reappraised, please follow the instructions given on Piazza to submit your request. If you have an exam that you would like to have reappraised, please provide the course instructors with a written request on paper and your exam. In either case, include a justification for your claims. The appeals deadline is one week after the respective graded item is first made available. Note that for an exam the entire exam will be remarked, and the assigned grade may go up or down as a result. If your appeal is concerned with a simple calculation error, please see the instructor during their office hours.

Communication

Please direct all communication to the discussion forum in Piazza. For personal matters, a question that might reveal part of a solution, etc., also ask a question in the Piazza discussion forum, but make it visible only to instructors. This way your question can be read only by the course instructors and the TAs. The instructors or TAs may make a question with limited visibility public if they decide that it is of general interest. Please use regular email only as a last resort, and then it must be from your uwaterloo.ca email address.

Important course information will generally be posted to Piazza or LEARN, but may also be sent to your uwaterloo.ca email address. It is your responsibility to monitor all of these channels.

Course Project

Students in 458 who choose the course project option or students registered in CS 658 must complete a course project on a topic related to computer security or privacy. Your topic must be approved in advance by the instructors by submitting a project proposal by the midterm exam date. Projects can vary in terms of deliverables and scope, but one common requirement of all projects is that they must include one deliverable to be shared publicly. Examples of relevant projects could be an in depth survey paper of a security and privacy topic that can be delivered as a wikipedia article, an implementation of a security or privacy tool or concept where the code is public on github, or even an art project that can be publicly viewed or interacted with. The details of the project scope and deliverables will be submitted in the proposal before they are approved by the instructor. You will want to become familiar with the literature relevant to your topic. Related academic venues include USENIX Security, ACM CCS, IEEE Symposium on Security and Privacy, or the NDSS Symposium. Real World Crypto (RWC) is a good place to start for implementation-focused projects. Radical Networks and Our Networks have interested examples on art, activism, or community related projects. Additional milestones for the completion of the paper may be set. The final version is due on April 12. See Keshav's How to Read a Paper for advice on reading a research paper and doing a literature survey.

Teaching Assistants

Security Information

In this course, you will be exposed to information about security problems and vulnerabilities with computing systems and networks. To be clear, you are not to use this or any other similar information to test the security of, break into, compromise, or otherwise attack, any system or network without the express consent of the owner. In particular, you will comply with all applicable laws and UW policies, including, but not limited to, the following:

Violations will be treated severely, and with zero tolerance.

Academic Integrity

Students are encouraged to talk to one another, to the TAs, to the instructors, or to anyone else about any of the assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write his or her own solutions, including code and documentation if appropriate, for the assignments. Consulting another student's solution is prohibited, and submitted solutions may not be copied from any source. In particular, submitting assignments copied in whole or in part from assignment submissions to a previous offering of this course, or from any offering of any other course, is forbidden, even if a student is resubmitting his or her own work. These and any other forms of collaboration on assignments constitute cheating. If you have any questions about whether some activity constitutes cheating, please ask the instructors.

The general Faculty and University policy:

Note for Students with Disabilities

AccessAbility Services, located in Needles Hall, Room 1401, collaborates with all academic departments to arrange appropriate accommodations for students with disabilities without compromising the academic integrity of the curriculum. If you require academic accommodations to lessen the impact of your disability, please register with AccessAbility at the beginning of each academic term.