Assignments

Assignments and labs will be posted on this page throughout the quarter. All dates are tentative until the assignment/lab is officially posted.


In-Class Activities

We will use Gradescope "quizzes" to support in-class activities in every lecture. These form the basis of your participation grade. We will not count in-class activities during the first week of class while enrollment stabilizes.

You are required to complete all activities. We expect that you complete these activities during class, from the lecture room. However, we will accept submissions for up to half of the in-class activities a week late, to allow for illness/etc. You do not need to request an extension for these, just submit late!

You don't need to write essays here, and you don't even need to get the answer right (though you should learn the right answer from the lecture/discussion). Grading is on the basis of "did the submission attempt to answer the question?" Submissions that are unrelated to the question or say "I don't know" will not receive credit.

If you run into technical or other difficulties, please let us know!


Homeworks

Unless otherwise specified, submit labs through Gradescope. We will assume you are using late days unless you tell us otherwise.

Homework 1


Labs

Unless otherwise specified, submit labs through Gradescope. We will assume you are using late days unless you tell us otherwise.

Lab SSH/SCP/git Guide


Lab 1 - Binary exploitation

Lab 1 is about binary exploitation. You'll need to read some C code, use gdb, and write a series of exploits!

  • Lab 1 - Binary Security
    • Part A: Due April 9th 11:59pm -- See Gradescope for handins
    • Part B: Due April 16th 11:59pm -- See Gradescope for handins

Strongly recommended readings:

Lab 2 - Cryptography

Lab 2 - Cryptography didn't solve my problem :(

Lab 3 - Web applications

Lab 2 is all about web application security. You'll need to write a small amount of PHP and JavaScript.


Lab 4 - Root-cause analysis and Patching

The final lab will combine aspects of the labs and homeworks and require you to identify vulnerabilities, evaluate their severity, and patch them. It is split into 3 parts, with part A designed to introduce you to the code you'll be examining with more guidance than parts B and C.


M584 Computer Security Research Readings

A core part of the course for M584 students is reading and summarizing research papers on computer security and privacy topics.

You will need to submit 1 paper summary each week, due Friday at 11:59pm. You may select either one of the specific papers listed below, or any paper from a computer security conference (see links below.)

You may not use generative AI to analyze the paper, generate partial or complete summaries, etc.

What to submit for your summary:

Each security reading review should cover the following material in full sentences (not just bullets). The summarization components are welcome to be succinct, but should capture all relevant points:

  • Paper Bibliographic Information. Paper title and author(s)
  • Problem. Short summary of the problem that the paper tries to address.
  • Approach. Short summary of the authors’ approach for solving the problem.
  • Conclusions. Short summary of the authors’ conclusions.
  • The paper's new ideas. Two (or more) important new ideas this paper presents, and why they are important. (Or, if you think there are no new important ideas, an argument supporting your position.)
  • Improvements. Two (or more) ideas on how the paper could be improved, and why implementing your ideas would be an improvement.
  • New directions. Two important, open research questions on the topic, and why those questions matter.

You should submit to Gradescope before 11:59pm on Fridays. Your evaluation for each reading should be between 1 and 1.5 pages (450-700 words), be single-spaced, use 12pt font, and have at least 1 inch margins. (It's okay for the metadata (name, date, paper title) to be outside the margins, e.g., in the header of the page.) For the sake of your TAs' eyes :) please stick to 12pt font. (Longer than 700 words is acceptable, but please don't aim to fill two whole pages.)

You are welcome to, and in fact encouraged to, discuss the papers with other students in the class or the course instructors. However, you must write the summary entirely independently.

Some notes about reading papers and writing about them:
  • If you want to use exact text from the paper, quote it. Do not copy-paste sentences or glue pieces of sentences together. Use your own words.
  • A paper's problem statement isn't always made explicit. If a paper's main goal is proposing a new defense, the problem is generally relatively clear. Ask yourself "what did the author(s) believe their paper was going to improve about the state of knowledge?"
  • Most papers are written to an academic audience (though not all!) and it is OK for them to assume relevant background or relegate important material to citations. Depending on the content, you may want to read or skim some of the citations or look up background material.
  • Improvements to a paper should be specific, and should focus on the content and ideas, and rarely on adding background or context. A good improvement might be to run specific additional experiments, reframe a section of the paper in a specific way, add a specific figure to solve a specific problem, etc. It is not a good improvement suggestion to broadly ask for "more graphs" or to make the paper require less background to read.
  • New directions should not restate the 'future work' section of the paper without significant elaboration. Applying new techniques (e.g. ML approaches) can be a reasonable suggestion if there is a specific reason you give as to why it would improve things.

You can find one version of advice on how to read a CS research paper here. You are also welcome to come discuss the reading process or the papers themselves with the course staff.

List of suggested papers

Having trouble accessing a PDF for a paper? Google Scholar is your friend!

Looking for more to read? Most of our papers are from the top computer security and privacy conferences like USENIX Security [2020, 2021, 2022], IEEE Security and Privacy (aka Oakland) [2020, 2021, 2022], or ACM Conference on Computer and Communications Security (CCS) [2021, 2022, 2023]. Non-security-centric conferences will also often have security-centric papers.