Computer & Network Security

EECS 588 – Winter 2023

OverviewReadingsCourse Project

Professor: Roya Ensafi
Student hours: Tu 3:30–4:30 PM ET or by appointment
Credits: 4.   This course counts towards meeting software quals requirements.
Prerequisites:  EECS 482 Operating Systems, EECS 489 Computer Networks, EECS 388 Introduction to Security, or grad standing.
Success in this course requires a mature understanding of software systems.
Enrollment:  All students registering for the class will be first put on the waitlist, an override will be issued around the time of the first class, holding back some capacity for potential new students.
Lectures: TuTh 1:30–3:30 PM ET
Office Hour Zoom: Link
Location: 1012 FXB
GSI: Diwen Xue (Student hours (remote): Fr 1:00–2:00 PM ET or by appointment) Link
Forum: We will use Canvas for submitting and peer-reviewing Paper Responses and Piazza for online discussion and announcements.
Please use for all correspondence and reporting administrative issues.
Resources Security Research at Michigan
Security Reading Group

This intensive research seminar covers foundational work and current topics in computer systems security. We will read research papers and discuss attacks and defenses against operating systems, client-side software, web applications, and IP networks. Students will be prepared for research in computer security and for security-related research in other subareas, and they will gain hands-on experience designing and evaluating secure systems.

Preliminary Topic List

There will be many opportunities to tailor the course to your backgrounds and interests. The tentative list of topics below should give you an idea of what to expect. See reading list for additional details. Please get in touch if you have questions or suggestions.

Network Security

The security mindset, thinking like an attacker, reasoning about risk, research ethics
Network protocols security: TCP and DNS – attacks and defenses
Denial of service attacks, botnets and defenses

Privacy and Human Factors

Anonymity, secure messaging, censorship resistance, circumvention
Authentication, usability in security and privacy
Privacy attacks and privacy enhancing technologies

Systems Security

Key exchange, public-key cryptography, real-world cryptography attacks
The TLS protocol, certificate ecosystem
Malware: viruses, spyware, rootkits – operation and detection
Hardware attacks, side-channels and OS-level defenses
Critical systems, physical attacks

Special Topics

Machine learning
Election security and surveillance
Mobile security


There will be no exams. Instead, your grade will be based on the following:

Class Participation (20%) — You will read one or two research papers for each class. After paper presentation by a group, we will discuss the strengths, weaknesses, scope, and future research areas related to the paper. Please try to attend the class discussions and be prepared to make substantive intellectual contributions. Participation on Canvas and Piazza discussions will also be considered towards this grade.

Paper Responses (15%) — You are required to write a short critical response for each paper we read (excluding recommended papers). Responses are due at the beginning of class. You will also review and rate your peers' reviews after the class. Look for evidence that the reviewever thought carefully about the topic.

Paper Presentation (25%) — Working with a partner, choose one of the topics from the reading list, read both the required and recommended papers, and prepare a 50 minute presentation. 30 minutes of your presentation should discuss details of the required paper and and the other 20 minutes should present an overview of the recommended papers and general research in the area. You will receive a Google Form after the first class that will let you choose a topic of preferance.

Research Project (40%) — You will conduct an extended research project during the semester, with the goal of writing a publishable workshop paper. This work should be done in a group of size appropriate to the scope of your investigation. Typical project topics involve analyzing the security of a system or developing a new security mechanism.

Ethics, Law, and University Policies

To defend a system, you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university’s rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy in EECS 588 is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern “hacking.” Understand what the law prohibits — you don’t want to end up like this guy. The EFF provides helpful advice on vulnerability reporting and other legal matters. If in doubt, we can refer you to an attorney.

Please review ITS’s policies on responsible use of technology resources and CAEN’s policy documents for guidelines concerning proper use of information technology at U-M, as well as the Engineering Honor Code. As members of the university, you are required to abide by these policies.

Students with Disabilities

If you believe you need an accommodation for a disability, please let thee instructor know at the earliest opportunity. Some aspects of courses may be modified to facilitate your participation and progress. As soon as you make an instructor aware of your needs, they can work with the Services for Students with Disabilities (SSD) office to help determine appropriate academic accommodations. Information you provide will be treated as private and confidential.

Audio/Video Recordings

Students may not record or distribute any class activity without written permission from the instructor, except as necessary as part of approved accommodations for students with disabilities. Any approved recordings may only be used for the student’s own private use.