CSE 564 Computer Security and Privacy (Autumn 2008)

Course Overview

We will read, evaluate, and discuss both background materials, classic papers, and new papers from the computer security literature. The course requirements include reading the assigned materials, writing short evaluations of these materials (unless otherwise noted), and participating in class discussions. There will also be a final project and a few assignments / labs.

The following describes the course requirements in more detail:

• Reading the assigned materials

  The goal of this course is to help you prepare for research in computer security, as well as for research in other domains for which there will be a security component. We will therefore read a number of important and/or representative papers in the field. Reading the papers will help you prepare for the classroom discussions, which in turn will help you contribute to everyone's overall learning experience, including your own. You may skip any appendices.

  To complement the academic papers, when appropriate, we will also read relevant background material.

• Writing evaluations

  To help motivate the classroom discussions, everyone enrolled in the course must submit a short evaluation of each assigned reading. There will generally be at most two assigned readings per class. Your evaluations should have the following form:

  • Your name.
  • Paper title and author(s).
  • What problem does the paper address?
  • How is it different from previous work, if any?
  • What is the approach used to solve the problem?
  • How does the paper support or otherwise justify its arguments and conclusions?
  • Was the paper, in your estimation, successful in addressing the problem?
  • Two important, open research questions on the topic, and why they matter.

  The evaluations must be submitted by 8am on the day of the class. You may submit evaluations as a text or PDF file. You should upload the evaluations to the online Catalyst system (link on the class home page). If you choose to submit a PDF file, then your evaluation for each reading must be less than one page long, be single-spaced, use 12pt font, and have at least 1 inch margins; I expect for most paper evaluations to be approximately 1/2 to 3/4 pages long. If you submit a text file, then please be sure that the length of your evaluation corresponds roughly to the above criteria for PDF submissions.

  The written evaluations will be graded on a binary scale. Your primary goal should be to read, understand, and think deeply about the assigned papers. If you do that, it should be trivial to answer the above questions for each paper. Late evaluations will not be accepted.

  I realize that some times are busier for people than others, e.g., right before a conference submission deadline or a midterm in another class. Therefore, you are allowed four free reviews, meaning that you do not have to submit a review for four papers of your choice. However, you are still expected to know the materials in these four papers and to be able to discuss them in class.

• Participating in class

  One of the best ways to deeply understand a topic is to discuss the topic with others. Therefore, everyone is expected to actively participate in the classroom discussions. You may use your paper evaluations as the basis for discussion, but please do not feel a need to limit your comments to what you wrote in your evaluations. I encourage everyone to ask questions about or offer clarifications for confusing parts of the papers, and to think about the limitations of or possible extensions to the works being discussed.

  There will be an advocate and a skeptic for each paper, each to speak for 2-3 minutes about the paper. The advocate gives the elevator pitch for the paper: what is the topic of the paper, what are its main results, why the system or idea is an improvement upon the previous works (if any), why does the result matter, and so on. (The answers to these questions may be different from the ones the authors gave in the paper.) The skeptic should discuss why we should be cautious in interpreting the results of the paper. The skeptic should also suggest additional research directions that could build upon, improve, or otherwise augment the paper under discussion.

  Each person should sign up to be the advocate on one paper and the skeptic on a different paper. (The sign up sheet is on my door, and I will also take the sign up sheet to class.) When you are not the advocate or skeptic on a paper, I will still expect you to participate actively in the class discussions.

  If you expect to be absent from a class, please let me know well in advance. And please remind me again before the class that you will miss. In some cases I may ask you to answer a few additional questions about the papers over email.

• Project

  There will be a course research project. The goal of the project is to help give you a deeper understanding of how to think about and solve a real problem from a computer security perspective. A related goal is to help you mature as a researcher, independent of what research area you eventually settle in. We'll talk more about these goals in class.

  You may choose a research project related to any area of computer security, including areas not directly covered in this course. A conference-style report for your project is due at the beginning of the final exam period. You will also give a short presentation during the course final exam period. We will have several milestones along the way, just to make sure everything is going smoothly. I also encourage you to just stop by my office and talk with me about your project.

  You may work in groups of 2--3 people. You may choose your own groups, or I can form groups for you if you haven't already done so by the end of the second week of class. In rare cases it maybe possible to work a group of size 1; please contact me if you wish to explore this option.

  I strongly encourage you to be ambitious and have fun with your projects. While certainly not required, I suspect that some of the projects will evolve into conference or workshop publications; if you're interested in exploring such a possibility, please feel free to ask for options and recommendations. Also, if you have a project that might require special resources, please contact me as soon as possible.

  The following is a more detailed description of the project timeline and requirements:

  • Now: Topic selection.
    Start thinking about what kinds of projects interest you and with whom you might like to collaborate. I suggest taking a look at the course schedule and talking with other students about mutual areas of interest. You might also check out this list of sample project ideas. If you would like me to help you find a project that fits your interests, please let me know.
  • 10/6: Group selection (11:30pm)
    Send the course staff the names and email addresses of all the people in your group, as well as one or two sentences describing possible topics that you might be interested in pursuing. If you have not found someone to work with, then please send us a brief summary of your interests and, if at least two people email me with similar interests, we will "arrange" a group for you by 10/3. ("Arrange" is in quotes because we will introduce you to each other, but you are certainly not obliged to stay together as a group.)
  • 10/13: Proposal due (11:30pm)
    Each group will submit a 2--3 page proposal describing the research project that you plan to work on. I expect to see sections on:
    • Problem definition and motivation. What are the goals of your project and why are these goals important?
    • Your approach for addressing the problem that you defined above.
    • How you plan to evaluate your approach.
    • An initial discussion of related work. If appropriate, also explain how your approach is different from existing approaches.
    • A list of milestones and dates.
    If you are proposing a new system, you should briefly describe your threat model. You should submit the proposal as a PDF file. Please us the Catalyst system (link on the course front page) to upload your project proposal. Each proposal should begin with a title and the names of the group participants. Each proposal should be single-spaced, with a single column and 12pt font, and have at least 1 inch margins. Submissions not in this format will not be reviewed (this is to model program committees for conferences and workshops, which have the option to automatically reject papers if they do not comply with the submission guidelines).

  • 11/10: Project checkpoint (11:30pm)
    Upload a short progress report to the Catalyst system. The progress report should explicitly address the milestones established in your original proposal, discuss which milestones you have met, and propose a new set of milestones if it appears that your original milestones are no longer appropriate. (As a side note: don't worry too much if your new milestones are different from your original milestones -- since these are research projects, it's totally natural for milestones to change and research directions to evolve. That said, I do expect to see progress since your original proposal.)

    In your progress reports, you should reflect on what you have accomplished and draw preliminary conclusions from your results. If appropriate, you should also explicitly state any additional experiments or evaluations you may need to perform in order to strengthen your preliminary conclusions or answer open questions left by your preliminary conclusions.

  • 11/26: Draft reports (11:30pm)
    
  Each group should submit a draft of their written report. The formatting of the draft report should match that of a final report. (See below for what a final report should look like.) The draft should be uploaded to the Catalyst system.

  It's OK if you haven't completed your research by now. See the next bullet for why you're turning in a draft two weeks before the final report is due. Your draft should clearly specify what you plan to do over the next two weeks.

  • 12/3: Peer reviews due (11:30pm)
    
  We will distribute your drafts to other students in the class, with the goal of simulating a mini program committee review process. This means you will also get comments from your peers. Consequently, you will all have the opportunity to read and review drafts from other groups. This process can be very educational unto itself, much akin to a miniature "program committee meeting."

  You will be expected to read the draft reports that I give you (at most three) and write detailed reviews of those papers. You are to upload those reviews to the Catalyst system by the above-specified deadline. The reviews you write should be anonymous (i.e., not include your name or other identifying information).

  I will then collect those reviews and send them to the authors of the relevant reports. There are several reasons we're doing this, but the main goals are to (1) help you (as reviewers) gain more experience in evaluating in-progress (as opposed to completed) research and (2) help everyone improve the quality of their final written report.

  • 12/8: Final report and electronic presentation due (8:30am)
    Each group will submit a short (at most 12 page) written report, as well as a slide deck, to the Catalyst system. Please submit the report and the slide deck as separate PDF files. Your report should be in single-column format, single-spaced, with 12pt font and at least 1 inch margins. You may include an appendix beyond 12 pages, but your paper must be intelligible without it. Submissions not in this format will not be reviewed (this is to model program committees for conferences and workshops, which have the option to automatically reject papers if they do not comply with the submission guidelines).

    Your report should be structured like a conference paper, meaning that your report should contain an abstract, a well-motivated introduction, a discussion of related work (with citations), a description of your methodology, a discussion of your results, and so on.

    Everyone should also submit a short summary of their contributions to the project (not required for groups of size 1). This should be at most a page long, and can reference the final report.

  • 12/8: Presentations (8:30am)
    Each group will give a short presentation of their work during the final exam period. All group members should participate in the presentation. The length of the presentations will depend on the number of projects in the course, but I anticipate that each presentation will be 12 to 15 minutes long, and certainly no longer than 20 minutes.

  There are numerous resources on the Internet about how to write a good research paper. If you haven't already read them, you might find the following resources helpful:

  • Advice on Research and Writing
  • Writing Technical Articles
  • Armando's Paper Writing and Presentations Page
  • Mihir Bellare's Collection of Resources

  The peer reviews and final report and slide deck must be submitted on time in order to be graded; i.e., late peer reviews, final reports, and slide decks will receive a zero grade. If you submit other project materials late (proposal, checkpoint, draft), you will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.

  But please be aware of the following: If you do submit your draft written report late, then we will very likely not be able to distribute your draft to peer reviewers and you will not benefit from their reviews when preparing your final written report. (This is in order to be fair to the peer reviewers, who should have as much time as possible to read their assigned papers.) In short, I highly encourage all of you to submit all your materials on time.

• Attack Lab

  There will be a lab for this course. You will have an opportunity to carry out attacks against real code. See the course schedule for the specific timeline for this lab.

  As with parts of your course project, you may submit your attack lab late. However, you will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.

• Security Reviews

  A key goal of this course is to get you to start thinking about the world in a different way -- to develop what we call the "security mindset." Toward this goal, we will have several small assignments (called "security reviews") targeted at getting you to think about security on a regular basis, and in contexts where you might not normally think about security. For more background, we've written a little about the security mindset here: http://cubist.cs.washington.edu/Security/2007/11/22/why-a-computer-security-course-blog/.

  Your goal with the security reviews is to evaluate the potential security and privacy issues with new technologies, evaluate the severity of those issues, and discuss how those technologies could potentially address those security and privacy issues.

  You are required to submit three security reviews over the course of the quarter. The course schedule has specific due dates, but you are encouraged to submit your security reviews early. The ideal mode of operation is as follows: You might be reading Slashdot or some other news source and see the announcement for a new product or service. You immediately start thinking about the security implications and issues associated with the new technology. You then formalize your thoughts (in the framework described below) and submit your writeup to the Catalyst system.

  Each security review should contain:

  • Summary of the technology that you're evaluating. You may choose to evaluate a specific product (like the Miracle Foo) or a class of products with some common goal (like the set of all implantable medical devices). This summary should be at a high level, around one or two paragraphs in length. State the aspects of the technology that are relevant to your observations below. If you need to make assumptions about a product, then it is extremely important that you state what those assumptions are. To elaborate on the latter, if you end up making assumptions about a product like the Miracle Foo, then you are not studying the Miracle Foo but "something like the Miracle Foo," and you need to make that extremely clear in your review.
  • State at least two stakeholders (indirect or direct) associated with this technology.
  • State at least two assets and security goals. Please explain why the security goal is important. This should be around one or two sentences per asset/goal.
  • State at least two potential adversaries and threats. You should have around one or two sentences per adversary/threat.
  • State at least two potential weaknesses. Again, justify your answer using one or two sentences per weakness.
  • State potential defenses. Describe potential defenses that the system could use or might already be using to address your potential weaknesses above.
  • Evaluate the risks associated with the assets, threats, and potential weaknesses that you describe. Also discuss relevant "bigger picture" issues (ethics, likelihood that the technology will evolve, and so on).
  • Conclusions. Give some conclusions based on your discussions above. In your conclusions you should reflect thoughtfully on your results above.

  These security reviews should be short (2--3 pages). They should be submitted as PDF files, with 12pt fonts, in single-column format with 1-inch margins.

  As with parts of your course project and the attack lab, you may submit your security reviews late. However, you will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.

Submitting materials and checking grades

To check your grades on your MyUW page:

1. Go to http://myuw.washington.edu.
2. Login with your UW NetID (this is not the same as your CSE NetID in general).
3. At the top of your MyUW page, click "Change Content".
4. On the next page, click "Browse & Choose".
5. On the next page, check the box next to the CSE channel and click "Save".
6. Finally, reload your front page again, and you should see your 564 grades in a new box.

Grading

• 40%: Project
  • 5%: Proposal
  • 5%: Checkpoint
  • 5%: Draft
  • 15%: Final written report
  • 5%: Slides for final presentation
  • 5%: Oral portion of final presentation
• 40%: Assignments
  • 10%: Reading evaluations
  • 25%: Labs + Security Reviews
  • 5%: Peer reviews of project drafts
• 20%: Class participation