CSE 564: Computer Security and Privacy (Winter 2015)


Course Overview

This is a graduate course in computer security and privacy. This is a quals course in the applications area.

This course has no official prerequisites. In particular, an undergraduate computer security course is not required, though it is permitted to take both CSE 484 (or equivalent) and CSE 564. Students having taken an undergraduate computer security course may find that some material will overlap, but CSE 564 is more focused on cutting-edge research in computer security and privacy.

The course will consist of readings and discussion, two security review assignments, an attack lab, and an independent research project. Please see the course schedule for more detailed due dates.


Grading

Course grades will be assigned as follows:

Submitting materials. Reading discussion board posts should be submitted to the Catalyst forum. All other materials should be submitted in PDF form to the Catalyst dropbox. Security reviews should be submitted to both the forum and the dropbox.

Late policy. Unless otherwise noted, late materials will be marked down 25% for each day that they are late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%. Reading discussion board posts will receive half-credit if they are submitted after 8am and no credit if they are submitted after class.

Collaboration policy. Reading discussion board posts are to be done individually. Security reviews may be done individually or in groups of two people. The attack lab (TBD) may be done individually or in groups of two people; please do not discuss the solutions directly with other groups, although feel free to point each other to any relevant documentation. Projects should be done in groups of 2-3 people (please come talk to me about possible exceptions). If you work with someone else on any assignment, please include their name and UW NetID on the materials that you turn in.

Checking grades. Grades will be posted to the Catalyst gradebook.


Readings and Discussion

A major part of the course will be a group discussion of the various papers. The goal will be to develop your ability to uncover the broader implications of research papers, and to bring you to the forefront of computer security and privacy research.

Prior to each class, you must post to the class discussion board about the readings. Your post should contain something original beyond what others have posted (so there is a benefit to posting early). You may post a summary of the paper, an evaluation of its merits, open research questions on the topic, questions you would like to discuss in class, or anything else you find interesting.

Discussion board posts must be made by 8am the day of each class. They will be graded on a scale of 0-2, where 0 means "missing", 1 means "adequate", and 2 means "good". Posts will receive half-credit if they are submitted after 8am and no credit if they are submitted after class. Throughout the quarter you may miss posts for four papers of your choice without penalty (note that there are generally two papers assigned per class). However, you are still expected to know the materials in these four papers and to be able to discuss them in class.

In addition, a group of three students will lead the initial discussion of each paper, starting with a short recap of the principal results. We will assign discussion leaders for each class at the beginning of the quarter.


Security Reviews

A key goal of this course is to get you to start thinking about the world in a different way -- to develop what we call the "security mindset". Toward this goal, we will have several small assignments (called "security reviews") targeted at getting you to think about security on a regular basis, and in contexts where you might not normally think about security.

Your goal with the security reviews is to evaluate the potential security and privacy issues with new technologies, evaluate the severity of those issues, and discuss how those technologies could potentially address those security and privacy issues.

You are required to submit two security reviews over the course of the quarter. The course schedule has specific due dates, but you are encouraged to submit your security reviews early. The ideal mode of operation is as follows: You might be reading Slashdot or some other news source and see the announcement for a new product or service. You immediately start thinking about the security implications and issues associated with the new technology. You then formalize your thoughts (in the framework described below) and submit your writeup to the Catalyst dropbox.

Each security review should contain:

These security reviews should be short (2-3 pages). They should be submitted as PDF files, with 12pt fonts, in single-column format with 1-inch margins.

You may work individually or in a group of two people. If you work in a group, then the PDF that you upload to the Catalyst dropbox must include the names and UW NetIDs of both authors on the first page.

Late security reviews will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.


Attack Lab

This course will contain an attack lab, details TBD. You may work individually or in groups of two people.

Late attack labs will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.


Project

There will be a course research project. The goal of the project is to help give you a deeper understanding of how to think about and solve a real problem from a computer security perspective. A related goal is to help you mature as a researcher, independent of what research area you eventually settle in. We'll talk more about these goals in class.

You may choose a research project related to any area of computer security, including areas not directly covered in this course. A conference-style report for your project is due during the final exam period. You will also give a short presentation during the course final exam period. We will have several milestones along the way, just to make sure everything is going smoothly. I also encourage you to just stop by my office and talk with me about your project.

The project will be due in six steps:

(1) Form project groups by 01/15/2015 at 11:59pm: You may work in groups of 2-3 people. You may use the class discussion board to connect with potential group members. In rare cases it may be possible to work in a group of size 1; please contact me if you wish to explore this option. Please submit your project groups to me via email.

(2) Project proposals due by 01/22/2015 at 11:59pm: Each group will submit a 2-3 page project proposal, including a problem definition, motivation, planned approach and evaluation, and a list of milestones and dates. For a list of project ideas, visit this page. I encourage you to come talk to me about your ideas.

(3) Project checkpoints due by 02/19/2015 at 11:59pm: Each group should submit a short (2-3 page) progress report. The progress report should explicitly address the milestones established in your original proposal, discuss which milestones you have met, and propose a new set of milestones if it appears that your original milestones are no longer appropriate. In your progress reports, you should reflect on what you have accomplished and draw preliminary conclusions from your results.

(4) Project draft due by 03/05/2015 at 11:59pm: Each group should submit a draft of their written report. The formatting of the draft report should match that of a final report. (See below for what a final report should look like.) The draft may include placeholders for new results, but should be as complete as possible, including related work.

(5) Project presentations on 03/16/2015 between 8:30am-12:20pm: All group members should participate in the presentation. The length of the presentations will depend on the total number of projects in the course, but I anticipate that each presentation will be 10 to 15 minutes long, and certainly no longer than 20 minutes. The presentation time is scheduled during this course's final exam slot, plus the two hours before the final exam slot. If not everyone can be accommodated in this timeframe, we will make alternate arrangements. You will be asked to attend at least two presentations other than your own.

(6) Final project reports due by 03/16/2015 at 11:59pm: Each group will submit a short (at most 12 page) written report to the Catalyst dropbox. Please submit the report as a PDF file. Your report should be in single-column format, single-spaced, with 12pt font and at least 1 inch margins. Separately, each group member should also submit a short (up to 1 page) summary of their contributions to the project.

All materials should be submitted in PDF form to the Catalyst dropbox. You will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.