CMPS 223: Advanced Computer Security, Fall 2018

Overview

This course explores the foundations and applications of computer security. We will read papers on a variety of topics, including security semantics, authorization logic, information flow control, trusted hardware, cryptocurrencies, and smart contracts.

Information

Meeting time and place

The course meets Tuesdays and Thursdays from 3:20pm to 4:55pm in Baskin Engineering 372.

Canvas

We will use the course Canvas site for submissions, communication, and announcements.

Course Staff

Name | Position | Email | Phone | Office/consulting hours
Owen Arden | Instructor | | 2-7044 | Mondays 1pm - 2pm or by appointment

Prerequisites

  • Security — Familiarity with systems security, cryptography, and access control. CMPS 122 or similar should be adequate.
  • Programming languages — Familiarity with program semantics and type systems. CMPS 203 or possibly CMPS 112. Background resources:
    • Andrew Myers lecture notes (especially Operational Semantics and Types sections)
    • Types and Programming Languages, by Benjamin Pierce
  • Formal methods — Some degree of mathematical maturity, ability to understand and do formal proofs, logical reasoning.

Coursework

The main work of the course will be reading and presenting classic and recent research papers in computer security, writing short responses, and discussing the papers in class. Getting the most out of this class requires being prepared for and participating in paper discussions, so attendance is expected, and sharing your perspective is important!

Evaluation will be based on paper responses, presentations, paper discussions (online and in class), homeworks, and a final project. There will be no exams.

  • 40% Paper responses
  • 15% Class participation
  • 20% Presentations
  • 20% Project
  • 5% Homework

Writing paper responses

The day before each paper is discussed in class, students post a response to the paper on Canvas. The response should discuss (in any format):

  • The problem the paper is trying to solve
  • How it solves the problem
  • How it improves on previous solutions
  • A specific concept or aspect of the paper you want to discuss online or in class

Responses are graded on a 10-point scale: 2 points for each of the above topics, plus 2 points for clarity and insightfulness. Late responses receive a 1 point deduction for each day late, unless prior arrangements are made. After posting their own response, students will be able to read and comment on other student responses. Read some of the other responses and possibly reply to them to help jumpstart the in-class discussion.

Class participation

The content of this course revolves around paper discussions, so attendance and participation are expected. Students may participate through online and in-class discussions.

Presentations

Students will prepare 30-minute presentations for a small number of papers. These presentations should introduce the problem area targeted by the paper, extract and explain its technical contribution, and evaluate its strengths and weaknesses. Presentations do not have to be comprehensive, and they should not be section-by-section "walkthroughs" of the paper. The goal is to focus in on the most important content of the paper to deepen other students' understanding and facilitate discussion.

Presentations are evaluated on a 10-point scale: 2 points for each of the following components, plus 2 points for clarity and polish.

  • Motivating or explanatory examples
  • Setting and background
  • Main technical content
  • Facilitating discussion

Clarity and polish points are given automatically to students who schedule (or record) a practice talk at least 1 day before the presentation to receive feedback.

Project

Students will form groups of 2 or 3 to design and implement a project with a significant security component. Projects may take many forms, but in general should include an implemented or simulated system that does something interesting with potential security issues that are protected by some enforcement mechanism. Each group will submit a writeup (min. 5-page, 10pt, single column), their implementation and some demonstration of its functionality. The writeup should include:

  • A precise definition of what it means for that system to be secure
  • A precise description of the threat model
  • A description of the enforcement mechanism
  • An argument for why the enforcement mechanisms ensure the definition of security
  • A discussion of this argument's assumptions, and the level of assurance of the design’s and/or implementation’s correctness

Projects will be evaluated on a 20-point scale: 10 points for the design and implementation, 5 points for the demo, and 5 points for the writeup.

Schedule (subject to change)

# | Date | Topic/notes | Readings | Presenter | Assignments
1 | Thu 09/27/18 | Course overview and introduction | Schneider Ch. 1 | Owen (Slides: Course Overview, Intro) | sign up for papers!
  | Sun 09/30/18 | | | | Paper rankings due: form
2 | Tue 10/02/18 | Authentication and access control | Schneider Ch.5 Ch.7 Ch.8 | Owen |
3 | Thu 10/04/18 | The semantics of security policies | | Owen (Slides: [Hyper]Properties) |
  | Fri 10/05/18 | | | | HW1 out
4 | Tue 10/09/18 | Isolation and sandboxing | | Christopher Villalpando Estrada (SFI) |
5 | Thu 10/11/18 | Authorization logic | | James Hughes (NAL) |
6 | Tue 10/16/18 | Dynamic information flow control | | Huimin Yan (Flume); Roy Shadmon (DStar) |
7 | Thu 10/18/18 | PL crash course | | Owen |
  | Fri 10/19/18 | | | | HW1 due / HW2 out
8 | Tue 10/30/18 | Language-based IFC | | Suhas Mohan (Facets) |
9 | Thu 11/01/18 | Secure declassification and endorsement | | Jiahua You (NMIFC) |
10 | Tue 11/06/18 | Verifying complex low-level systems | | |
11 | Thu 11/08/18 | Verifying untrusted code | | |
  | Fri 11/09/18 | | | | HW2 due / HW3 out
12 | Tue 11/13/18 | Securing outsourced computation | | James Hughes (IntegriDB) |
13 | Thu 11/15/18 | Byzantine Fault Tolerance | | Jiahua You (HoneyBadgerBFT) |
14 | Tue 11/20/18 | Blockchains | | Roy Shadmon (Ethereum) |
15 | Tue 11/27/18 | Blockchain attacks | | Huimin Yan (Selfish mining) |
16 | Thu 11/29/18 | New approaches to Byzantine agreement | | Christopher Villalpando Estrada (Algorand) |
  | Fri 11/30/18 | | | | HW3 due
17 | Tue 12/04/18 | Privacy on the blockchain | | Suhas Mohan (Hawk) |
18 | Thu 12/06/18 | TBA | | |