COS 432: Information Security

Security issues in computing, communications, and electronic commerce. Goals and vulnerabilities; legal and ethical issues; basic cryptology; private and authenticated communication; electronic commerce; software security; viruses and other malicious code; operating system protection; trusted systems design; network security; firewalls; policy, administration and procedures; auditing; physical security; disaster recovery; reliability; content protection; privacy.

Logistics

Contact:
Prof. Nick Feamster
310 Sherrerd Hall
<my last name>@cs.princeton.edu

TAs:
Sotiris Apostolakis
Qipeng Liu
Ming-Yee Tsang
William Yang

Class Location and Time:
Lectures: Mondays and Wednesdays, 11:00 am-12:20 pm, Architecture Building N101

Office Hours (subject to change; will increase around deadlines):
Nick: Mondays 1:30-2:30p (Sherrerd 310) [Wednesdays near deadlines]
Sotiris: Tuesdays 2:00-4:00p (CS 003)
Qipeng: Thursdays 1:00-3:00p (Outside CS 241)
Ming-Yee: Fridays 2:00-4:00p (Frist Galleria)
William: Wednesday 3:00-5:00p (CS 003)

Course Format

The course will meet twice a week for 80-minute lectures.

Recommended Background

Prerequisite: COS 217 and COS 226.

Grading

Grading is based on:

two in-class exams (40%)
five homework assignments (including Dean's Date assignment) (60%)

Late Policy

We understand that sometimes life events occur and that it's not always possible to meet every deadline. As such, we are willing to accept late assignments according to the following policy:

You start the term with a grace period "balance" of 96 hours.
Each assignment will be due at 6:00 p.m. (Princeton Local Time) on the due date.
For each assignment, every hour late (or fraction thereof) that you turn in the assignment will subtract one hour from your grace-period balance. For example, if you turn in your assignment at 7:02 p.m. on the due date, we will count this as two hours against your grace period.
As long as your grace period balance is positive, you can turn in any assignment late without penalty.
Once your grace period balance reaches zero, you will receive half credit for any assignment that you turn in, as long as you turn it in within one week of the due date. If your grace period balance is zero and you turn in an assignment more than one week late, you will receive no credit for the assignment. Important: You must still turn in all assignments to pass the course, even if you receive zero points on an assignment. Turning in all assignments is a necessary condition for passing. (Participating in Build It, Break It, Fix It exempts you from turning in one assignment.)

Excuses with medical documentation are a legitimate exception and will not count against your late period. Any other reasons for lateness---including but not limited to interviews, conferences, etc.---are not legitimate excuses and any resulting lateness will count against your grace period.

Honor Code

Students are expected to abide by the Princeton University Honor Code. Honest and ethical behavior is expected at all times. All incidents of suspected dishonesty will be reported to and handled by the office of student affairs. You are to do all assignments yourself, unless explicitly told otherwise. You may discuss the assignments with your classmates, but you may not copy any solution (or part of a solution) from a classmate.

Reading

There is no required or suggested textbook in this course, because there is no one book that covers the right material in an up-to-date fashion. The resources part of this page includes a list of good books on security.

This schedule and syllabus is preliminary and subject to change.

Slides: A draft of the lecture slides will be posted on the course Blackboard website before lecture. Slides may be updated during lecture (e.g., with drawings, notes, and real-time revisions); slides may again be updated after lecture to reflect topic coverage, in-class notes, etc.

Preparation: If any preparation (reading, videos, etc.) is required, we will post a link to the material in the "preparation" column before lecture.

Date	Topic	Readings	Notes
September 14	Course Overview / Security in Computing	Why Cryptosystems Fail
September 19	Ethics and the Law	Salganik (Ethics), Menlo Report
Module 1: Cryptography
September 21	Message Integrity, Pseudorandom Functions	Anderson 5.3.1-5.3.3	Assignment 1: Cryptography (Due October 12)
September 26	Stream Ciphers, Block Ciphers	Anderson 5.1-5.2, 5.4.2, 5.4.3, 5.5
September 28	Key Exchange and Key Management	Anderson 5.7.2.1, Schneier 12.1- 12.3
October 3	Public Key Cryptography	Anderson 5.7.1, Schneier 19.3; Stallings 9.1, 9.2
Module 2: Systems Security
October 5	Public Key Infrastructure	Bellovin 8
October 10	Access Control and Control Flow	Tannenbaum 4.4.1, 4.5.1-4.5.4
October 12	Buffer Overflows, Shellcode, and Malware	Smashing the Stack	Assignment 2: Application Security (Due October 28)
October 17	Enforcing Access Control: Isolation and Sandboxing	Bellovin 10
October 19	Passwords and Biometrics
October 24	In-Class Exam
October 26	Web Security: TLS, CSS, XSRF	Kaufman 19.1-19.12, RFC 5246 7.4
November 7	Web Privacy: Tracking	Zalewski (First 2 pages of Chapter 9 on SOP for DOM)	Assignment 3: Web Security (Due November 27)
Module 3: Network Security
November 9	Worms and Botnets	Cooke: Zombie Roundup
November 14	DDoS: Spoofing, Reflection, Amplification	Marczak: Great Cannon; Hilton: Dyn Attack
November 16	Routing, Spam, Phishing, Scams.	Global Phishing Survey
November 21	DNS Security; Defenses: IDS and Firewalls	Bellovin 5
November 28	VPNs and Anonymous Communication (+ Philipp Winter on Tor)	Bellovin 6.5	Assignment 4: Network Security (Due December 16; Checkpoint Dec. 7)
November 30	Internet Censorship (+ Roya Ensafi on Measurement)
December 5	In-Class Exam
Module 4: Security in Context
December 7	Security of IoT/Cyberphysical Systems
December 12	Access ISP Security (Video Interview; No Lecture)
December 14	Human Factors and Usable Security (Guest Lecture: Marshini Chetty)		Assignment 5: Dean’s Date Assignment

Course Resources

Optional Reading

There are many good books about cryptography, but relatively few good ones about other computer security topics.

Security Engineering by Ross Anderson [Covers security in general, with many non-computing examples.]
Applied Cryptography by Bruce Schneier. [Very broad coverage of crypto and its applications.]
Cryptography Engineering by Ferguson, Schneier, and Kohno
Introduction to Computer Security by Matt Bishop
Computer Security: Principles and Practice by William Stallings
Computer Security: Art and Science by Matt Bishop
Security in Computing by Charles P. Pfleeger
Introduction to Computer Security by Michael Goodrich and Roberto Tamassia
Computer Security by Dieter Gollman. [General security textbook. Good for what it covers, but doesn't cover everything.]
Building Secure Software by John Viega and Gary McGraw. [How to write software that will have fewer security bugs.]
The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski. [Web security. Strikes a good balance between conceptual exposition and messy detail.]

Overview