Introduction to Computer Security Winter 2022

This course introduces the principles and practice of computer security. It aims to teach you how to model threats to computer systems and how to think like an attacker and a defender. It presents standard cryptographic functions and protocols and gives an overview of threats and defenses for software, host systems, networks, and the Web. It also touches on some of the legal, policy, and ethical issues surrounding computer security in areas such as privacy, surveillance, and the disclosure of security vulnerabilities. The goal of this course is to provide a foundation for further study in computer security and to help you better understand how to design, build, and use computer systems more securely. See the schedule for details.

Instructors


Blase Ur
blase
@uchicago.edu

David Cash
davidcash
@uchicago.edu

TAs


Ally Nisenoff
nisenoff
@uchicago.edu

Arthur Borém
arthurborem
@uchicago.edu

Emma Peterson
eicp
@uchicago.edu

Weijia He
hewj
@uchicago.edu

Will Brackenbury
wbrackenbury
@uchicago.edu

Course Information

Prerequisites CMSC 15400 or equivalent
Lectures Lectures will be held from 2:30p - 3:20p (Section 1) or 3:30p - 4:20p (Section 2) on Mondays, Wednesdays, and Fridays. Typically, lectures will be held in Ryerson 251. However, like all courses at the university, for the first two weeks lectures will be held on Zoom. See our Canvas page for the Zoom link.
Office Hours All office hours will be held in the class Zoom room (the same as for remote lectures during the first two weeks). See our Canvas page for the Zoom link.
  • Mondays 11:00a - 12:00p (David)
  • Mondays 12:30p - 1:30p (TA help with assignments)
  • Mondays 5:00p - 6:00p (Blase)
  • Tuesdays 9:00a - 10:00a (TA help with assignments)
  • Wednesdays 10:30a - 11:30a (TA help with assignments)
  • Wednesdays 11:30a - 12:30p (Instructor help with assignments)
  • Wednesdays 5:00p - 6:00p (TA help with assignments)
  • Thursdays 11:30a - 12:30p (TA help with assignments)
Textbook We will be using Computer Security and the Internet: Tools and Jewels by Paul van Oorschot. While the book is available in print, we will be referencing the PDFs of the draft chapters available for free from that link.
Coursework The coursework for all students consists of nine assignments and nine short responses to readings (about 2 or 3 paragraphs each). There are no exams.

In addition, students enrolled in CMSC 33250 must complete a research project and submit weekly reactions to assigned reseach papers. All assignments, reading responses, and projects must be done individually.
Communication We will update the course schedule regularly throughout the course. All assignments and reading response prompts will be distributed on Canvas.

We'll use Campuswire for discussion and questions about course material, assignments, and logistics.

Please keep all course-related communication to Campuswire; please don't email any members of the course staff (except if you can't access Campuswire).
Campuswire Guidelines If you are posting general questions about an assignment (e.g., clarification questions, broad questions about an error you encountered), please post publicly (visible to everyone in the class) on Campuswire. If you are asking a question about your specific approach to an assignment (especially if you are including any code) or if you are reaching out to the instructors about a personal or logistical matter (e.g., pertaining to an illness or other events that might be impacting your performance in class), please make a post on Campuswire visible only to the instructors.

Campuswire is typically used heavily in this class; the 2021 class had 1,267 threads on Campuswire. Our whole staff is always very happy to help. Following these guidelines greatly helps us answer your questions most productively.

Before You Post:
  • Before you post we expect that you have attended all relevant lectures, carefully read the assignment, and have tried to solve the problem yourself.
  • See if the question has already been answered. We realize there are often a ton of posts (and even more private posts that you don't see), but please spend a few minutes to check if your question has already been asked.
Posting a Question:
  • Ask a specific question in your post. Your question should be about a specific problem that you are running into, a conceptual question, or other logistical issue. Just saying "Here is my code for problem X, it isn't working please help" is not actually a question. We are happy to help work through stuff but we expect you to provide clear hypotheses about which parts of your code are or are not working before asking for assistance.
  • While "Here is my code for problem X, is it right? thx" is a specific question, please do not ask that specific question. We won't answer it.
  • Post clear, specific titles for your questions. This helps the campuswire search functionality.
  • Give details in your post. More information is better. Please include as much information as possible about your approach and what you have determined is or is not causing problems. If applicable, tell us about the specific error you are running into and share terminal output or output from the JavaScript console as applicable. Tell us about what you have already attempted to do to solve your problem (if you haven't tried to solve your problem on your own you should wait before posting).
  • Format your code. If you are providing code in your post, please format your code using code blocks. To do this, surround your code with three backticks before and after the code, like this: ```.
  • Don't include screenshots of code! Including screenshots can make your posts less readable. Instructors/TAs may want to copy/paste your code to help answer your question by debugging the code themselves. Doing so is not possible from screenshots.
Responding to Posts:
  • Please respond to each other's posts! When you do respond to posts feel free to give hints or suggestions, but please don't tell people exactly how to solve one of the exercises. Of course, don't include your own code or solution in these replies.
Note: This guidance is heavily based on guidance written by 2021 course staff member Julia Hanson, which itself was partially based on the discussion board question policy from Foundations of Computer Networks by Borja Sotomayor.
Submission of work Assignments will be collected in two places: you will turn in your code on Canvas and turn in your prose write-ups on Gradescope. Coursework that only involves prose write-ups (e.g., reading responses) will only be collected on Gradescope.

Reactions to research papers (only for 33250 students) will typically be due at 11:59pm on Monday evenings. Reading responses (for all students) will typically be due at 11:59pm on Tuesday evenings. Assignments (for all students) will typically be due at 11:59pm on Thursday evenings. Please see the course schedule for exceptions.
Late policy We will accept the nine assignments and nine reading responses up to 24 hours late with a 15 point grade penalty. Assignments more than a day late will not be accepted without a previously approved extension. We will not accept late submissions of reactions to research papers or project-related deliverables (both applicable only to CMSC 33250 students).

In exceptional circumstances related to personal emergencies, illness, wellness concerns, family emergencies, and similar, you may request an extension. To request an extension, make a private Campuswire post briefly explaining your circumstance and noting the assignment/reading response for which you are requesting an extension. Use the "extension request" tag on Campuswire for that post. An extension will only be granted with an affirmative reply from a member of the course staff. At the top of your prose (PDF) write-up, you must reference the Campuswire post number on which your extension was granted so that the graders don't inadvertently deduct points for lateness. Note that we do not consider job interviews, work from other courses, or non-emergency travel to be exceptional circumstances.

Grading

Your course grade will be calculated as follows:
Undergraduate (CMSC 23200) Graduate (CMSC 33250)
Assignments (9) 91% (10.1% each) 66% (7.3% each)
Research Project --- 25%
Reading Responses (9) 9% (1% each) 4.5% (0.5% each)
Research Paper Reactions --- 4.5%

P/F Grade Policies

As outlined in UChicago's policy, this course may be taken pass/fail (P/F). Students who wish to take the course pass/fail, instead of for a letter grade, must make a Campuswire post with that request by the end of Week 9. A grade of P will be given to students who would have earned a C- or better in the course if it were taken for a letter grade. Note that classes taken pass/fail are unlikely to count toward the computer science major or other majors, so please only make a P/F request if you understand (in consultation with your advisor) how doing so will impact your ability to count this course toward your major.

Academic Integrity Policies

The University of Chicago has formal policies related to academic honesty and plagiarism, as described by the university broadly and the college specifically. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion. If you have any question about whether some activity would constitute cheating, please ask. In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.

Student interactions are an important and useful means to master course material. We encourage you to discuss the material in this class with other students and to form study groups. It is totally acceptable to discuss assignments in general terms, such as discussing and sketching out the general approach to an assignment on a whiteboard (or the virtual equivalent thereof). However, it is not acceptable to show someone else your code, nor to look at someone else's code, even over screensharing. Similarly, it is not acceptable to turn in someone else's writing or code (or fragments thereof) as your own, with exceptions for properly cited (see below) instances of reusing a few lines (four or fewer, as a rule of thumb) of code. When the time comes to write down your answer, you should write it down yourself from your own understanding.

Moreover, you must cite any material discussions you had with another student in the course or any written sources you relied on in non-trivial ways when working on an assignment. That is, at the top of each assigment write-up (prose PDF) submission, you must include a list of all other students with whom you discussed the assignment and all resources (e.g., URLs of webpages) that materially influenced your solution. For each non-human resource, you must briefly explain how you used that resource. Typically, you will use a resource in acceptable ways for one of the following reasons: (i) to better understand some aspect of a programming language or security concept; (ii) for some assistance on coding, such as consulting a Stack Overflow post. Note that taking code from a particular resource to solve the majority of any sub-part of the assignment is not an acceptable use of a resource. For each human resource, either note which parts of the assignment you discussed with them or say that you discussed the whole assignment with them.

The disclosure at the top of your write-up should be descriptive. For example, "I discussed the whole assignment with Jane Smith, and we also discussed Part 3 with John Doe. I consulted https://www.helpfuldomain.com/helpfulpage.html to understand the JavaScript fetch() API and I used two lines of code from https://www.otherhelpfuldomain.com/otherhelpfulpage.html in Part 3."

You do not need to cite discussions with the instructors or TAs, nor do you need to cite anything from our course Campuswire page. You also do not need to cite the course textbook, slides, or any other readings/materials we provide to you. If one student "helps" another by giving them a copy of their assignment, only to have that other student copy it and turn it in, both students are culpable.

In general, for any specific questions you have about why your specific approach to a problem isn't working (and definitely for any post that includes your own code), you should default to posting privately to the course staff on Campuswire. If you have more general questions or comments about assignments that don't include code snippets, please feel encouraged to post publicly on Campuswire and/or to discuss your approach with other members of the class.

If you have any questions about what is or is not proper academic conduct, please ask an instructor. Please note that we are personally willing to pursue cheating cases and have done so in the past.

Finally, note that this description of academic honesty is derived in part from policies written by Stuart Kurtz and John Reppy.

Policies About Remote Interactions and Recordings

We expect your interactions via Zoom to be consistent with an in-person class experience. Respect the people you're working with. Enter the Zoom meetings muted if possible (pay careful attention to this if you are calling from a phone), and unmute to speak. Feel free to either interrupt the instructor or raise your hand using the "raise hand" button if you'd like to ask a question or comment on what was said. If you would rather not unmute yourself to ask a question, please feel free to use Zoom's messaging feature to either send the question to the full class ("everyone") or just to whichever of {Blase, David} is not presenting that day. Both instructors will attend all classes, and the instructor who is not presenting will be tasked with asking any questions that come in over the Zoom chat interface.

No one is required to have their video on, and you may choose not to do so for any reason, ranging from logistical difficulties to preference.

Note that in the settings page on the Zoom website, you can change the name automatically assigned to your Zoom profile. You don't have to go with whatever was assigned if you prefer a different name. If you have preferred pronouns, you can include them after your last name; you'll see an example of the instructors doing this. If you set a name that can't be easily matched to the name on record with the University, please let us know so that we don't inadvertently disconnect you from the lecture.

Our Zoom class meetings may be recorded and saved to Canvas/Panopto to allow students in this class to review the discussion. We do not intend for these recordings to be available to anyone other than class participants, nor available after the quarter. However, we don't have control over what others attending the class will do (e.g., making a recording). If you have FERPA concerns, please mask yourself accordingly (e.g., by turning off video and using an alias).

As the University temporarily transitions to a remote teaching and learning environment, instructors and students have asked for guidance on the recording of course sessions. Instructors have the discretion to record course sessions, except when recording is required to meet the needs of students granted an accommodation by the Office of Student Disability Services. Recordings and transcripts will be made available to students in the relevant course, the instructor, and other necessary University officials. Recordings in which students are personally identifiable will be managed in accordance with the Family Educational Rights and Privacy Act (FERPA).

This time-limited policy has been implemented to effectively deliver a remote education while safeguarding privacy and protecting rights in courses and instructional materials. Below is an acknowledgment for students designed to govern the use of any recordings and provide instructors and students with guidance on the use of instructional materials.

By attending course sessions, students acknowledge that:
A. They will not: (i) record, share, or disseminate University of Chicago course sessions, videos, transcripts, audio, or chats; (ii) retain such materials after the end of the course; or (iii) use such materials for any purpose other than in connection with participation in the course.
B. They will not share links to University of Chicago course sessions with any persons not authorized to be in the course session. Sharing course materials with persons authorized to be in the relevant course is permitted. Syllabi, handouts, slides, and other documents may be shared at the discretion of the instructor.
C. Course recordings, content, and materials may be covered by copyrights held by the University, the instructor, or third parties. Any unauthorized use of such recordings or course materials may violate such copyrights.
D. Any violation of this policy will be referred to the Area Dean of Students.

Wellness

If a personal emergency comes up that might impact your work in the class, please let the instructors know in a Campuswire post visible only to the instructors so that the course staff can make appropriate arrangements. University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.

If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255.