Computer & Network Security

EECS 588 – Winter 2017


Instructor: Amir Rahmati
Office hours: Tu 3:30–4:30, 4901 Beyster, or by appointment (Jan 17 and 24 have no fixed office hours yet)
Instructor: Earlence Fernandes
Office hours: Tu 3:30–4:30, 4901 Beyster, or by appointment (Jan 17 and 24 have no fixed office hours yet)
Credits: 4. This course counts towards meeting software quals requirements.
Prerequisites: EECS 482 Operating Systems, EECS 489 Networking (recommended), or grad standing.
Success in this course requires a mature understanding of software systems.
Lectures: TuTh 1:30–3:30, 1690 Beyster
GSI: Kevin Eykholt (4945 Beyster, meetings by appointment)
Forum: We'll use Piazza for online discussion and announcements.
For administrative issues, email eecs588.w17@umich.edu.
Resources: Security Research at Michigan
Security Reading Group
CSE CTF Club

This intensive research seminar covers foundational work and current topics in computer systems security. We will read research papers and discuss attacks and defenses against operating systems, client-side software, web applications, and IP networks. Students will be prepared for research in computer security and for security-related research in other subareas, and they will gain hands-on experience designing and evaluating secure systems.

Preliminary Topic List

There will be many opportunities to tailor the course to your backgrounds and interests. The tentative list of topics below should give you an idea of what to expect. See the course schedule and reading list for additional details. Please get in touch if you have questions or suggestions.

Part 1: Building Blocks

The security mindset, thinking like an attacker, reasoning about risk, research ethics
Symmetric ciphers, hash functions, message authentication codes, pseudorandom generators
Key exchange, public-key cryptography, key management, the TLS protocol

Part 2: Software Security

Exploitable bugs: buffer overflows and other common vulnerabilities – attacks and defenses
Malware: viruses, spyware, rootkits – operation and detection
Automated security testing and tools for writing secure code
Virtualization, sandboxing, and OS-level defenses

Part 3: Web Security

The browser security model
Web site attacks and defenses: cross-site scripting, SQL injection, cross-site request forgery
Internet crime: spam, phishing, botnets – technical and nontechnical responses

Part 4: Network Security

Network protocol security: TCP and DNS – attacks and defenses
Policing packets: firewalls, VPNs, intrusion detection
Denial of service attacks and defenses
Wireless and mobile device security
Data privacy, anonymity, censorship, surveillance

Part 5: Special Topics

Hardware security – attacks and defenses
Trusted computing and digital rights management
Electronic voting – vulnerabilities, cryptographic voting protocols
Physical security – locks and safes

Grading

There will be no exams. Instead, your grade will be based on the following:

Class and Paper Presentation (15%) — Every week, two students will present the two papers we are discussing that week. You are free to choose which paper you want to present, and you can re-use the slides from the conference talk of the paper. If there are no slides, you will have to make a short set of slides (suitable for 20 minutes) discussing the paper (do not worry about making the slides fancy; as long as they are readable, it is fine).

Paper Responses (10%) — You are required to write a short critical response for each paper we read. We'll look for evidence that you read the paper and thought carefully about the topic. Responses are due at the beginning of class.

Attack Presentation (25%) — Working with a partner, choose an attack from the provided list and implement a demonstration exploit. In a 20-minute presentation, explain the attack, talk about how you implemented it, give a demo, and discuss possible defenses. Presentations will take place throughout the semester per the course schedule.

Research Project (50%) — You will conduct an extended research project during the semester, with the goal of writing a publishable workshop paper. This work should be done in a group of size appropriate to the scope of your investigation. Typical project topics involve analyzing the security of a system or developing a new security mechanism.

Ethics, Law, and University Policies

To defend a system, you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university’s rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy in EECS 588 is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern “hacking.” Understand what the law prohibits — you don’t want to end up like this guy. The EFF provides helpful advice on vulnerability reporting and other legal matters. If in doubt, we can refer you to an attorney.

Please review ITS’s policies on responsible use of technology resources and CAEN’s policy documents for guidelines concerning proper use of information technology at U-M, as well as the Engineering Honor Code. As members of the university, you are required to abide by these policies.