Syllabus and Assignments

Course Overview

This is graduate course in computer security and privacy. This is a quals course in the applications area.

This course has no official prerequisites. In particular, an undergraduate computer security course is not required, though it is permitted to take both CSE 484 (or equivalent) and CSE 564. Students having taken an undergraduate computer security course may find that some material will overlap, but CSE 564 is more focused on research in computer security and privacy (methodologies, directions, areas, etc).

The course will consist of readings and discussion, a security review assignment, workshopping of projects, and an independent research project. Please see the course schedule for more detailed due dates.

General Policies

As an underlying principle, we will strive to be reasonable towards you, and we ask you to be reasonable towards us. These policies aim to give us some guidelines to make that happen. If in doubt about anything, please don't hesitate to check with the course staff.

Inclusiveness and respect. You should expect and demand to be treated by your classmates and the course staff with respect. You belong here, and we are here to help you learn and enjoy a challenging course. Likewise, I expect you to follow the UW Student Conduct Code in your interactions with your colleagues and me in this course by respecting the many social and cultural differences among us, which may include, but are not limited to: age, cultural background, disability, ethnicity, family status, gender identity and presentation, citizenship and immigration status, national origin, race, religious and political beliefs, sex, sexual orientation, socioeconomic status, and veteran status. If any incident occurs that challenges this commitment to a supportive and inclusive environment, please let me know so the issue can be addressed.

Late policy. Unless otherwise noted, late materials will be marked down 25% for each day that they are late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%. Reading discussion board posts will receive half-credit if they are submitted after 8am and no credit if they are submitted after the start of class (10am). If you have extenuating circumstances, such as a major research deadline or personal issue, please talk to me as soon as possible so we can make a plan for you to succeed.

Collaboration policy. You are welcome (in fact, encouraged) to discuss the course readings and content with others in the class, but reading discussion board posts and other assignments are to be done individually unless otherwise noted. Be sure to credit others for their ideas and contributions if such discussions influence your work. Projects should be done in groups of 2-3 people (please come talk to me about possible exceptions).

Grading

Course grades will be assigned as follows:

• 48%: Project
• 5%: Proposal
• 8%: Checkpoint writeup+presentation
• 5%: Draft
• 15%: Oral presentation
• 15%: Final report
• 12%: Project Workshopping
• 5%: Preparation for other teams
• 7%: Review and feedback to other teams
• 30%: Other assignments
• 10%: Security reviews
• 15%: Reading-related discussion board posts
• 5%: Discussion leading
• 10%: Class participation

Readings and Discussion

A major part of the course will be a group discussion of the various papers. The goal will be to develop your ability to uncover the broader implications of research papers, develop a historical perspective and an understanding of the context in which security research papers exist, and to bring you to the forefront of computer security and privacy research.

Prior to each class, you must post to the class discussion board about the readings. Your post should contain something original beyond what others have posted (so there is a benefit to posting early). You may post a summary of the paper, an evaluation of its merits, open research questions on the topic, questions you would like to discuss in class, or anything else you find interesting. It is easy to be critical about research, so I encourage every post that contains a criticism to also contain a positive counterperspective, or a positive perspective on some other aspect of the paper. Especially for papers you aren't fond of, consider: why was this paper accepted? What contributions does it make?

Discussion board posts must be made by 8am the day of each class. They will be graded on a scale of 0-2, where 0 means "missing", 1 means "adequate", and 2 means "good". Posts will receive half-credit if they are submitted after 8am and no credit if they are submitted after class. Throughout the quarter you may miss posts for four papers of your choice without penalty (note that there are generally two papers assigned per class). However, you are still expected to know the materials in these four papers and to be able to discuss them in class.

In addition, a group of approximately two students will lead the initial discussion of each paper, starting with a short recap of the principal results and the strengths of the paper. We will assign discussion leaders for each class at the first class of the second week of the quarter (after course enrollment fluctuation).

Security Reviews

A key goal of this course is to get you to start thinking about the world in a different way -- to develop what we call the "security mindset". Toward this goal, we will have a small assignment called a "security review" targeted at getting you to think about security on a regular basis, and in contexts where you might not normally think about security.

Submission details. You should submit two security reviews, on different topics, for this assignment. These security reviews should be short (2-3 pages each). They should be submitted as PDF files to the course Canvas, with 12pt fonts, in single-column format with 1-inch margins. You may work individually or in a group of two people. If you work in a group, then the PDF that you upload must include the names and UW NetIDs of both authors on the first page.

Your goal with the security reviews is to evaluate the potential security and privacy issues with new technologies, evaluate the severity of those issues, and discuss how those technologies could potentially address those security and privacy issues.

The ideal mode of operation is as follows: You might be reading a news source and see the announcement for a new product or service. You immediately start thinking about the security implications and issues associated with the new technology. You then formalize your thoughts (in the framework described below) and submit your writeup to the course Dropbox.

Your security review should contain:

• Summary of the technology that you're evaluating. You may choose to evaluate a specific product (like the Miracle Foo) or a class of products with some common goal (like the set of all implantable medical devices). This summary should be at a high level, around one or two paragraphs in length. State the aspects of the technology that are relevant to your observations below. If you need to make assumptions about a product, then it is very important that you state what those assumptions are (i.e., you are evaluating not exactly the Miracle Foo but "something like the Miracle Foo").
• State at least two stakeholders (indirect or direct) associated with this technology.
• State at least two assets and security goals. Please explain why the security goal is important. This should be around one or two sentences per asset/goal.
• State at least two potential adversaries and threats. You should have around one or two sentences per adversary/threat.
• State at least two potential weaknesses. Again, justify your answer using one or two sentences per weakness.
• State potential defenses. Describe potential defenses that the system could use or might already be using to address your potential weaknesses above.
• Evaluate the risks associated with the assets, threats, and potential weaknesses that you describe. Also discuss relevant "bigger picture" issues (ethics, likelihood that the technology will evolve, and so on).
• Conclusions. Give some conclusions based on your discussions above. In your conclusions you should reflect thoughtfully on your results above.

You can find some sample security reviews here.

Project

There will be a course research project, with more details on the project page. The goal of the project is to help give you a deeper understanding of how to think about and solve a real problem from a computer security perspective. A related goal is to help you mature as a researcher, independent of what research area you eventually settle in.

You may choose a research project related to any area of computer security, including areas not directly covered in this course. A conference-style report for your project is due during the final exam period. You will also give a short presentation during the course final exam period. We will have several milestones along the way, just to make sure everything is going smoothly. Please also feel free to schedule an appointment to talk with me about your project.

Additional Resources

Disability Accommodations

Embedded in the core values of the University of Washington is a commitment to ensuring access to a quality higher education experience for a diverse student population. Disability Resources for Students (DRS) recognizes disability as an aspect of diversity that is integral to society and to our campus community. DRS serves as a partner in fostering an inclusive and equitable environment for all University of Washington students. The DRS office is in 011 Mary Gates Hall.

Please see the UW resources at http://depts.washington.edu/uwdrs/current-students/accommodations/.

Religious Accommodations

It is the policy of the University of Washington to reasonably accommodate students’ religious observances in accordance with RCW 28B.137.010

Please see the UW resources at https://registrar.washington.edu/staffandfaculty/religious-accommodations-policy/.

Sexual Harassment

University policy prohibits all forms of sexual harassment. If you feel you have been a victim of sexual harassment or if you feel you have been discriminated against, you may speak with your instructor, teaching assistant, the chair of the department, or you can file a complaint with the UW Ombudsman's Office for Sexual Harassment. Their office is located at 339 HUB, (206)543-6028. There is a second office, the University Complaint Investigation and Resolution Office, who also investigate complaints. The UCIRO is located at 22 Gerberding Hall.

Please see additional resources at http://www.washington.edu/about/ombudsman/role.html and http://f2.washington.edu/treasury/riskmgmt/UCIRO.

WISE: Women In Science and Engineering

Women in Science and Engineering (WiSE) is a university-level program housed within the Center for Workforce Development, designed to increase the recruitment and retention of women of all ethnic backgrounds in science and engineering (S&E) and to create an academic and social climate at the UW which is conducive to both men and women in S&E at the undergraduate and graduate levels.

Please see additional information at http://www.engr.washington.edu/curr_students/studentprogs/wise.html.

Other Student Resources

A list of helpful links regarding all aspects of student life can be found here: http://f2.washington.edu/treasury/riskmgmt/UCIRO/links/students.