Computer and Network Security

EECS 588 — Winter 2009

Overview | Schedule | Readings | Attack Presentations | Course Project

Instructor: Professor J. Alex Halderman
Credits: 4. This course counts towards meeting software quals requirements.
Prerequisites: EECS 482 or EECS 489 or grad standing. Understanding projects and papers will require some operating systems and networking background.
Lectures: TuTh 1:30-3:30, 1018 DOW
Office Hours: TuTh 3:30-4:30, 4717 CSE, or by appointment
Discussion Forum: Available on CTools

This course covers foundational work and current topics in computer systems security. We will read research papers and discuss attacks and defenses against operating systems, client-side software, web applications, and IP networks. Students will be prepared for research in computer security and for security-related research in other subfields, and they will gain hands-on experience designing and evaluating secure systems.

Preliminary Topic List

I'm revising the course this semester, so there will be many opportunities to tailor it to your backgrounds and interests. The tentative list of topics below should give you an idea of what to expect. Feel free to email me if you have any questions or suggestions.

Part 1: Building Blocks

The security mindset, thinking like an attacker, reasoning about risk, research ethics
Symmetric ciphers, hash functions, message authentication codes, pseudorandom generators
Key exchange, public-key cryptography, key management, the SSL protocol

Part 2: Software Security

Exploitable bugs: buffer overflows and other common vulnerabilities – attacks and defenses
Malware: viruses, spyware, rootkits – operation and detection
Automated security testing and tools for writing secure code
Virtualization, sandboxing, and OS-level defenses

Part 3: Web Security

The browser security model
Web site attacks and defenses: cross-site scripting, SQL injection, cross-site reference forgery
Internet crime: spam, phishing, botnets – technical and nontechnical responses

Part 4: Network Security

Network protocols security: TCP and DNS – attacks and defenses
Policing packets: Firewalls, VPNs, intrusion detection
Denial of service attacks and defenses; Wireless security
Data privacy, anonymity, censorship, surveillance

Part 5: Advanced Topics

Hardware security – attacks and defenses
Trusted computing and digital rights management
Electronic voting – vulnerabilities, cryptographic voting protocols
Physical security – locks and safes


There will be no exams. Instead, your grade will be based on the following components:

Class Participation (5%) — I will assign one or two research papers as required reading for each class. We will discuss them in the first half of the meeting.

Paper Responses (15%) — Unless otherwise noted on the reading list, you are required to write a short reaction to each required paper. In it, you should briefly (1) state the problem the paper is trying to solve, (2) summarize its main contributions, (3) evaluate its strengths and weaknesses, (4) suggest at least two interesting open problems on related topics, and (5) tell me if anything was too difficult to understand. Your responses should be no longer than 350 words for each paper and will be graded on a check/check minus scale. They must be emailed to me before the start of class.

Attack Presentation (30%) — Working with a partner, you will choose an attack from a provided list and implement a demonstration exploit. You will give a 15-20 minute presentation were you (1) describe the attack, (2) talk about how you implemented it and give a demo, and (3) discuss possible defenses. Presentations will take place throughout the semester, as indicated on the course schedule.

Group Project (50%) — There will be an extended group project over the course of the semester. It may be done in a group appropriate to the size of your project. Generally, the projects will involve analyzing the security of a system or implementing a new defense mechanism.

Ethics, Law, and University Policies

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law and the university's computing practices, or may be unethical. You must respect the privacy and property rights of others at all times, or else you will fail the course. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including civil fines, expulsion, and jail time.

Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusions. This is just one of several laws that govern hacking. Understand what the law prohibits — you don't want to end up like this guy. If in doubt, I can refer you to an attorney.

Please review CAEN's policy document on rights and responsibilities for guidelines concerning use of technology resources at U-M, as well as the Engineering Honor Code. As members of the university, you are required to adhere to these policies.