Overview

Instructor Trent Jaeger (trentj 'at' ucr.edu)
Location Lecture: Humanities & Social Sciences (HMNSS) 1503; Lab: Sproul 2340
Meeting Times Lecture: MWF 1:00pm-1:50pm; Lab: Th 3:00pm-5:50pm
Credits 4
TA Xin'an Zhou (xinan.zhou 'at' email.ucr.edu)
Office Hours Prof. Jaeger: M 4pm-5pm and W 3-4pm at WCH 442
Xin'an Zhou: M 9am-10:30am at WCH 367 plus other times for projects

Course Summary

In this course, we will investigate the causes of programming errors that often lead to exploitation and examine techniques to prevent such errors and their exploitation. The course aims to teach students about the types of flaws programmers may create, techniques to detect such flaws in programs, and defensive programming techniques to avoid such flaws and prevent exploitation. In addition, programmers often need to implement and maintain security mechanisms into their programs, so this course will teach students about common security mechanisms and methods for implementing such mechanisms.

Topics will include a review of C programming fundamentals, typical program exploits, safe programming practices to avoid flaws that lead to exploits, program-wide defenses to prevent exploitation of flaws, program testing methods, additional flaws and defenses, and some related research experience studies.

A detailed list of a lecture by lecture contents, assignments, and due dates (subject to change as semester evolves) is available on the course schedule.

NOTE: Course materials will be released (to the "schedule" web page) as the course progresses, and new assignments and deadlines will be added (also to the "schedule" web page).  Please check the schedule often.

Grading

The course will be graded on programming projects, exams, quizzes, and class participation in the following proportions:

24% Programming Projects (3)
16% Quizzes (4)
25% Midterm Exam
30% Final Exam
5% Class Participation

Projects

During this course, students perform some security projects examining attacks and defenses. Each project will be for a team of two (2) people, which will be the same team for all projects. The amount of coding will not be large, but the projects will require deep knowledge of the C programming language and runtime. Knowledge of the debugger will be a plus, but there will be some training provided.

Grades will be based on the factors specific to each project.

Exams

This course will have midterm and final exams. The midterm will be given in class. The final exam will be comprehensive.

Quizzes

There will be quizzes give at four (4) points during the semester to test your knowledge on topics we have covered in class or homeworks. The scope of each quiz will be from the prior quiz to the lecture prior to the quiz date. More details in class.

Homeworks

There will be two ungraded homeworks during the quarter to prepare for each exam. Some parts of the homework can also help prepare for the quizzes - questions related to the material covered in lecture.

Class Participation

Class participation includes participation in lectures. Lectures are augmented by various readings, which are expected to be read prior to class (note: reading materials twice - once before and once after the lecture worked for my comprehension). During the lecture, we will discuss the readings, and students are required to participate in discussions during each lecture. Ultimately, the students' ability to exhibit comprehension of readings is essential to a good grade.

Lateness Policy

You have 4 days of slack from deadlines for homeworks or projects for the semester. There is a 2% bonus (total course points) if you do not use any - all or nothing. No further credit for late projects, so use these days judiciously.

When you exhaust your slack days, there is a 20% per day per assignment score deduction from the late assignment (only). That is, a late deduction will be made against an assignment only if: (1) all the slack days have been exhausted and (2) that assignment is late.

Course Outline

A rough outline of the class is as follows:

  1. Introduction
  2. Software Security
    1. Vulnerabilities
    2. Attacks on the Stack
    3. Attacks on the Heap
  3. Hardening Software
    1. Fixing Software
    2. Software Testing
    3. Current Defenses
  4. Access Control
    1. Basics
    2. Mandatory Access Control
    3. Attacks on System Resources
  5. Network Security
    1. Web and Browser Security
    2. Firewalls
  6. Hardware Security

Academic Integrity Policy

Academic integrity is the pursuit of scholarly activity in an open, honest and responsible manner. Academic integrity is a basic guiding principle for all academic activity at the University of California, and all members of the University community are expected to act in accordance with this principle. Consistent with this expectation, all course activities should be performed in compliance with the University Academic Integrity Polices & Procedures.

The course projects are to be carried out in teams of two independently. . Students are explicitly not allowed to share information, source code, or even discuss the contents of the projects. Any violation of this policy will be considered cheating and will result in the student receiving an 'F' grade for the project and a full letter grade off the final grade for the course. Students with more than one violation may face stronger penalties per the university policy.

Students are forbidden from copying code, makefiles, or any other material from the Internet (such as publicly available Github repos). Plagiarism will be strictly enforced through in-depth reviews of your submissions. Any violation in the letter or spirit of this policy will also be considered cheating, and handled as described above. Note that any publication of the assignments (e.g., via github or other system) is considered a violation of the above policy.

Ethics Statement

This course considers topics involving software exploitation techniques. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measurements for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class.

When in doubt, please contact the instructor for advice. Do not undertake any action that could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from Professor Jaeger.