Day 1: Monday, January 13

UNCG classes cancelled before noon due to snow and road conditions.

Day 2: Wednesday, January 15

Reading: Textbook sections 1.1 and 1.4
Topic 1: Abbrieviated class introduction [Slides]
Topic 2: verview of computer security – basic goals and terminology – day 1 [Slides]
Class examples will use voting/elections as an on-going example - info on voting in the U.S.
Optional reading on threat modeling: OWASP Threat Modeling Cheat Sheet

No class on Monday, January 20 – Dr. Martin Luther King Jr. Holiday

Day 3: Wednesday, January 22

Topics: Overview of computer security – basic goals and terminology – day 2 (slides continued from last time)

Day 4: Monday, January 27

Reading: Textbook, sections 1.2, 9.1–9.2
Topics: Security (access control) models – day 1 [Slides]

Day 5: Wednesday, January 29

Topics: Security (access control) models – day 2

Day 6: Monday, February 3

Due: Assignment 1
Reading: Textbook section 1.3 and Section 1 of Randomness, Entropy, Keys, and Powers of Two Estimation
Topics: Cryptography: Basic cryptographic threat model, key sizes, brute force attacks, and estimation techniques [Slides]

Day 7: Wednesday, February 5

Reading: Sections 2–3 of Randomness, Entropy, Keys, and Powers of Two Estimation
Topics: Randomization, probability theory review, entropy, and effect on brute force search (slides continued from last time)

Day 8: Monday, February 10

Reading: Textbook, sections 8.1–8.2
Topics: Fundamental cryptographic services - encryption (symmetric and public key) and hash functions [Slides]

Day 9: Wednesday, February 12

Reading: Textbook, sections 8.3–8.4
Topics: Cryptography for integrity - MACs, digital signatures, certificates (slides continued)

Day 10: Monday, February 17

Due: Assignment 2
Topics: Some specific cryptographic techniques [Slides]

Day 11: Wednesday, February 19

Reading: Formal Models for Cryptography
Topics: Cryptography: Theory and Practice (models, breakdowns in practice, and programming) [Slides]

Day 12: Monday, February 24

Reading: Textbook, sections 2.1–2.5
Topics: Physical security [Slides]

Day 13: Wednesday, February 26

Reading: Textbook Sections 3.1–3.3
Topics: Operating System Security – Basics and Linux demos - day 1 [Slides]

Day 14: Monday, March 3

Due: Assignment 3
Topics: Operating System Security – Basics and Linux demos - day 2

Day 15: Wednesday, March 5

Midterm Exam

No class on March 10 – March 14 (Spring break)

Day 16: Monday, March 17

Topics: Midterm Information/Review; Advanced OS Security (sandboxes, chroot, and containers) [Slides]

• Required reading: Linux Virtualization – Chroot Jail, from the “GeeksforGeeks” website.
• Required reading: What is a Container?, from the Docker web site.
• Required reading: The Evolution of Linux Containers and Their Future, from the DZone web site.

Day 17: Wednesday, March 19

Reading: Textbook, Section 3.4
Topics: Software security and vulnerabilities, Part 1 [Slides]

Day 18: Monday, March 24

Topics: Software security and vulnerabilities, Part 1 – continued

Day 19: Wednesday, March 26

Topics: Software security and vulnerabilities, Part 2 [Slides]
Required reading:

• Return-oriented programming. Yes, this is a Wikipedia page, but it gives a good high-level overview of return-oriented programming.
• Static analysis for security, by Gary McGraw. This is a little old (written in 2004), but it’s one of the best high-level “what is static analysis?” write-ups I could find.
• Fuzzing. Wikipedia again. This is pretty light, but gives a good overview. For more information on fuzz testing, see the last item in the supplemental reading list below.

Supplemental reading: Good information for students who want to dig deeper.

• StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks, by Crispin Cowan. This is the original (1998) paper on StackGuard, the canary technique for detecting stack-smashing buffer overflow attacks. In addition to the content being relevant, this is a really good example of an applied security research paper.
• What is soundness (in static analysis)?, by Michael Hicks. A very nice writeup about trade-offs that have to be considered in creating a static analysis tool, and measures or concepts of “goodness” such as soundness, completeness, precision, and recall.
• Lessons from Building Static Analysis Tools at Google, by Sadowski, Aftandilian, Eagle, Miller-Cushon, and Jaspan (Communications of the ACM, April 2018). Experience with static analysis in a really large software organization is very different from examples in a classroom. This article talks about experiences with static analysis at Google.
• SAGE: Whitebox Fuzzing for Security Testing by Godefroid, Levin, and Molnar. Really nice article talking about fuzz testing.
• Evaluating Empirical Evaluations (for Fuzz Testing), by Michael Hicks. This is a blog post about research that the author did on the (ahem) fuzziness of evaluating fuzz testing (no, he didn’t put it that way, I did – sorry).

Day 20: Monday, March 31

Due: Assignment 4
Topics: Software security and vulnerabilities, Part 2 – continued

Day 21: Wednesday, April 2

Reading: Textbook, Chapter 4
Topics: Malware [Slides]

Day 22: Monday, April 7

Reading: Textbook, Chapter 7 and OWASP Top 10
Topics: Web Security – day 1 [Slides]

Day 23: Wednesday, April 9

Topics: Web Security – day 2

Day 24: Monday, April 14

Due: Assignment 5
Reading: Textbook, Chapter 5
Topics: Web Security – day 3

Day 25: Wednesday, April 16

Topics: Network Security I – day 1 [Slides]

Day 26: Monday, April 21

Reading: Textbook, Sections 6.1–6.4
Topics: Network Security I – day 2

Day 27: Wednesday, April 23

Topics: Network Security II – day 1 [Slides]

Day 28: Monday, April 28

Topics: Network Security II – day 2

Day 29: Wednesday, April 30

Due: Assignment 6
Topics: Class wrap-up and review

Wednesday, May 7, 8:00 AM

All students: Final Exam