Computer & Network Security

EECS 588 – Winter 2018

Overview Schedule Readings Labs Course Project

New this year: The course will emphasize embedded security research for protecting emerging computing systems with application to medical devices, autonomous vehicles, and IoT.

Wait list: Sorry, the course is full.

Instructor: Kevin Fu
Credits: 4.   This course counts towards meeting software quals requirements.
Prerequisites:  **Graduate standing in EECS, or EECS482, or EECS489.
Success in this course requires a mature understanding of computer systems.
Lectures: TuTh 1:30–3:30PM, 1690 Beyster
Lab: Open Mon 3:00–5:00PM and Fri 8:30–10:30AM, 2336 EECS
(not weekly; check calendar for lab hours for access to benchtop lab equipment)
Calendar iCal feed
GSIs: Connor Bolton
Office hours: Tuesday 3:30pm-4:30pm
Room Number: 4918 in the BBB
Andrew Kwong
Office hours: Thursday 3:30pm-4:30pm
Room Number: 4918 in the BBB
Swag Lab: Swagat Tripathy
Forum: We use Piazza for online discussion and announcements. For administrative issues, use Piazza's private messaging function. For non-urgent matters, the course staff can be reached at
Materials: We use Canvas to distribute materials.
Resources Cryptographic Hardware and Embedded Security (CHES) Workshop
USENIX Security
IEEE Security and Privacy (Oakland)
Writing with Sources: A Guide for Students, 3rd Edition by Gordon Harvey
The Mayfield Handbook of Technical and Scientific Writing
Art of Electronics, 3rd Edition by Horowitz and Hill
AARL Handbook

This intensive research course covers foundational work and current topics in computer systems security. We will analyze research papers, write technical essays, and carry out benchtop experiments. Students will be prepared for graduate research in computer security. Students will learn methodologies for reproducible research, and experience the art of technical writing to communicate complex thoughts in simple prose. Students will gain hands-on experience designing and evaluating secure computer systems.

**Prereqs and Wait List

This is a course designed primarily for PhD students. To be considered for the wait list, please send to the eecs588.w18 email list information about your student status (undergraduate, SGUS, masters, PhD) and degree program. Email the staff a paragraph on how graduate-level research in embedded security would fit in your career plans. You are welcome to mention any previous computer engineering and/or security experience (courses, grades, etc.). Upper-level undergraduates with experience in computer engineering or computer system security (e.g., EECS473, EECS388) may contact staff for consideration of an override. The official prereqs are certain EECS courses that the instructor has never attended or taken. Having experience in computer engineering or electronics will give you an advantage on the lab homework, but we will teach students how to use basic benchtop electronics equipment. Students should have a mastery of English exposition.

Preliminary Topic List

The tentative list of topics below should give you an idea of what to expect.

Part 1: Building Blocks

Threat modeling, principles of information security and privacy, risk, research ethics
Foundations: Science of Security
Lab: Intro to oscilloscopes, Fourier transforms, function generators, software radios

Part 2: Embedded Security

Side channels, spectral analysis, timing attacks, power analysis, data remanence
Applications: Smartcards, RFID, IoT
Lab: Side channel analysis of cryptographic hardware

Part 3: Sensor Security

Physics of security, transducers, MEMS, audible and ultrasonic acoustics, RF, optics
Applications: Medical devices, autonomous vehicles
Lab: Fault injection attacks and intentional interference against analog sensors

Part 4: Computer Systems Security

Web security, network security, anonymity, cryptography and security protocols, PL
Applications: Internet security, software security
Lab: Group projects

Part 5: Special Topics

Human factors, Internet crime, spam, phishing, economics, public policy
Applications: Society and the Real World
Lab: Group projects


There will be no exams. Instead, your grade will be based on the following:

Class Participation and Paper Presentation (15%) — Every week, we will suggest supplementary papers associated with the core reading. Each student will make one five-minute presentation on a recent paper. Pedantic use of slides are frowned upon unless there are key measurements difficult to convey in chalk.

Paper Reviews and Essays (20%) — Nearly every lecture will involve a writing assignment alternating between one-page essays and paper reviews. See Lecture 1 for details on the process and grading.

Hands-on Labs (20%) — Working mostly in small teams, students will carry out several homework assignments pertaining to reproducing embedded security experiments from our paper reading. Homeworks range from learning how to use an oscilloscope to simple power analysis to extract cryptographic keys from a microcontroller. The first lab will be individual.

Research Project (45%) — You will conduct an extended research project during the semester, with the goal of writing a publishable workshop paper. This work should be done in a small group of 2-3 students. Typical project topics involve reproducing previously published research to find interesting new directions or analyzing the security of a system or developing a new security mechanism.

Ethics, Law, and University Policies

To defend a system, you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university’s rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy in EECS 588 is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern “hacking.” Understand what the law prohibits — you don’t want to end up like this guy. The EFF provides helpful advice on vulnerability reporting and other legal matters. If in doubt, we can refer you to an attorney.

Please review ITS’s policies on responsible use of technology resources and CAEN’s policy documents for guidelines concerning proper use of information technology at U-M, as well as the Engineering Honor Code. As members of the university, you are required to abide by these policies.