CS 491/591 Introduction to Computer Security - Fall 2017

Instructor Contact

Dr. Charles V. Wright
Office: FAB 120-25
Phone: 503-725-4252
Email: cvwright cs pdx edu (fill in the missing punctuation)
Office Hours: T 3-5pm, or by appointment

Course Information

Time: Mondays and Wednesdays, 2:00-3:50pm
Location: ASRC 001

For more details, see the full PDF version of the syllabus.

Course Schedule

Date Topics and Readings Homework
Sep 25 Introduction
  • Administrivia
  • Course overview
Program Layout in Memory
  • If you need a refresher on C or x86 assembly language programming, look through Chapter 0x200 in Erickson after class. Follow along with his examples using gdb.
  • Also see Gustavo Duarte's Anatomy of a Program in Memory for another view of the same topic.
Software Vulnerabilities and Exploits - Part 1
  • See also pp. 115-142 in Erickson.
Homework 1

Watch after class:
Sep 27 Software Security
  • Stack Buffer Overflows
  • Code Injection Attacks
Read before class:
Oct 2 Software Security
  • Code Injection Attacks
  • Shellcode and Payload
Stack-based Defenses
  • StackGuard and stack canaries
HW1 Due at 10pm
Oct 4 In-class Exercise
  • Debugging with GDB on the Linux Lab
Software Security
  • Virtual Memory Review
  • System-level Defenses: ASLR and DEP
Read before class:
Oct 9 Software Security: More attacks
  • Heap Attacks
  • Format String Attacks
  • Return-Oriented Programming
Read before class:
Oct 11 Intro to the Seclab
  • Intro exercise: Capturing your first flag!
Software Security
  • More format strings: Example Code
  • ASLR and its effectiveness
Read before class: Homework 2 assigned; Due Oct 16th

Due to technical difficulties, Homework 2 has been postponed.
Homework 2 is now active. See below or click for details.
Oct 13 Homework 2 is now live. Due Oct 22nd.
Oct 16 Software Security
  • Address Space Layout Randomization (ASLR)
OS and Hardware Support for Security
  • Hardware privilege levels
  • Intro to access control
  • Access control theory - Lampson's matrix
Read before class:
Oct 18 Malware
  • Viruses
  • Worms
  • Botnets
  • The Underground Economy
Oct 23 Authentication
  • How not to store passwords
  • Password hashing
  • Biometrics
Oct 25 Access Control Theory and Practice
  • More on access control lists (ACLs)
  • Capabilities
Homework 3 assigned.

Supplementary Readings:
Oct 30 Midterm Exam
  • Low-level system architecture
  • Software exploitation techniques (stack smashing, format string, heap overflows)
  • Software based defenses
  • Malicious software (viruses, worms, ...)
  • Prof Wright is sick
  • Please use class time to work on Homework 3
Nov 6 Intrusion Detection and Anti-Virus
  • Blacklisting
  • Anomaly Detection
  • Whitelisting
Nov 8 Security Policies
  • Security: Bell-LaPadula
  • Integrity: Biba
Authentication (part 2)
  • Weakness of Passwords
  • Alternative Schemes: Something you have, Something you are
Nov 13-15 The Race to the Bottom
  • What if You Can't Trust Your Network Card?
  • LO-PHI
Nov 20 Web Security
  • Backend: Access control limitations
  • Frontend: Same-Origin Policy
  • Attacks: Cross-Site Scripting, Cross-Site Request Forgery, SQL Injection
Nov 27-29 Research Paper Presentations Homework 4 (due at the end of the term)
Dec 6 Final Exam 12:30-2:20pm