Assignments

Assignments and labs will be posted on this page throughout the quarter. All dates are tentative until the assignment/lab is officially posted.

In-Class Activities

We will use Gradescope "quizzes" to support in-class activities in every lecture. These form the basis of your participation grade. We will not count in-class activities during the first week of class while enrollment stabilizes.

You are required to complete all activities. We expect that you complete these activities during class, from the lecture room. However, we will accept submissions for up to half of the in-class activities a week late, to allow for illness/etc. You do not need to request an extension for these, just submit late!

You don't need to write essays here, and you don't even need to get the answer right (though you should learn the right answer from the lecture/discussion). Grading is on the basis of "did the submission attempt to answer the question?" Submissions that are unrelated to the question or say "I don't know" will not receive credit.

If you run into technical or other difficulties, please let us know!

Labs

Unless otherwise specified, submit labs through Gradescope. We will assume you are using late days unless you tell us otherwise.

Lab SSH/SCP/git Guide

Lab 1

Lab 1 is about binary exploitation. You'll need to read some C code, use gdb, and write a series of exploits!

• Lab 1 - Software Security
  • Part A: Due October 10th 11:59pm -- See Gradescope for handins
  • Part B: Due October 24th 11:59pm -- See Gradescope for handins

Strongly recommended readings:

• Smashing the Stack for Fun and Profit [Corrected and reformatted, original]
• Exploiting Format String Vulnerabilities
• Once Upon a free()
• Summary of printf exploitation (no new information).

Lab 2 -

Lab 2 is all about web application security. You'll need to write a small amount of PHP and JavaScript.

• Lab 2 - Web Security

Final Project

The final project will combine aspects of the labs and homeworks and require you to identify vulnerabilties, evaluate their severity, and patch them. It is split into 3 parts, with part A designed to introduce you to the code you'll be examining with more guidance than parts B and C.

• Final Project
  • Part A (Patch) - TODO DUE 11:59pm
  • Part B (RCA) - TODO DUE 11:59pm
  • Part C (Patch) - TODO DUE 11:59pm
• Other documents:
  • Sploit1 RCAs
  • RCA Template

Computer Security Research Readings

A core part of the course is reading, summarizing, and discussing research papers on computer security and privacy topics. For each week, we will have one paper assigned as required reading, with a writeup due before each class. During class we will have a discussion period where you will talk about questions you had while reading the paper.

What to submit for your summary:

Each security reading review should cover the following material in full sentences (not just bullets.) The summarization components are welcome to be succinct, but should capture all relevant points.:

• Paper Bibliographic Information. Paper title and author(s)
• Problem. Short summary of the problem that the paper tries to address.
• Approach. Short summary of the authors’ approach for solving the problem.
• Conclusions. Short summary of the author’s conclusions.
• The paper's new ideas. Two (or more) important new ideas this paper presents, and why they are important. (Or, if you think there are no new important ideas, an argument supporting your position.)
• Improvements. Two (or more) ideas on how the paper could be improved, and why implementing your ideas would be an improvement.
• New directions. Two important, open research questions on the topic, and why those questions matter.

You must submit evaluations as a PDF file. You should upload the evaluations to gradescope. Your evaluation for each reading should be between 1 and 1.5 pages (450-700 words), be single-spaced, use 12pt font, and have at least 1 inch margins. (It's okay for the metadata (name, date, paper title) to be outside the margins, e.g., in the header of the page.) For the sake of your TAs' eyes :) please stick to 12pt font. (Longer than 700 words is acceptable, but please don't aim to fill two whole pages.)

You are welcome to, and in fact encouraged to, discuss the papers with other students in the class or the course instructors. However, you must write the evaluations on your own.

Some note about reading papers and writing about them:

• If you want to use exact text from the paper, quote it. Do not copy-paste sentences or glue pieces of sentences together. Use your own words.
• A paper's problem statement isn't always made explicit. If a paper's main goal is proposing a new defense, the problem is generally relatively clear. Consider to yourself "what did the author(s) believe their paper was going to improve about the state of knowledge?"
• Most papers are written to an academic audience (though not all!) and it is OK for them to assume relevant background or relegate important material to citations. Depending on the content, you may want to read or skim some of the citations or look up background material.
• Improvements to a paper should be specific, and should focus on the content and ideas, and rarely on adding background or context. A good improvement might be to run specific additional experiments, reframe a section of the paper in a specific way, add a specific figure to solve a specific problem, etc. It is not a good improvement suggestion to broadly as for "more graphs" or to make the paper require less background to read.
• New directions should not restate the 'future work' section of the paper without significant elaboration. Applying new techniques (e.g. ML approaches) can be a reasonable suggestion if there is a specific reason you give as to why it would improve things.

You can find one version of advice on how to read a CS research paper here. You are also welcome to come discuss the reading process or the papers themselves with the course staff.

Looking for more to read? Most of our papers are from the top computer security and privacy conferences like USENIX Security [2020, 2021, 2022] or IEEE Security and Privacy (aka Oakland) [2020, 2021, 2022] or ACM Conference on Computer and Communications Security (CCS) [2021, 2022, 2023] Non-security-centric conferences also will often have security-centric papers.