Introduction to Computer Security Winter 2024
This course introduces the principles and practice of computer security. It aims to teach how to model threats to computer systems and how to think like a potential attacker. It presents standard cryptographic functions and protocols and gives an overview of threats and defenses for software, host systems, networks, and the Web. It also touches on some of the legal, policy, and ethical issues surrounding computer security in areas such as privacy, surveillance, and the disclosure of security vulnerabilities. The goal of this course is to provide a foundation for further study in computer security and to help better understand how to design, build, and use computer systems more securely. See the schedule for details.
Instructors
TAs
Course Information
Prerequisites |
CMSC 14400, CMSC 15400, or equivalent |
Lectures |
Lectures will be held either 1:30p - 2:50p (Section 1) or 3:00p - 4:20p (Section 2) on Mondays and Wednesdays in the Henry Hinds Laboratory for Geophysical Sciences, Room 101. |
Office Hours |
All office hours will be held in person unless announced otherwise on Ed. If you cannot attend the scheduled office hours in person or at all, please make a private Ed post to schedule alternate office hours with the course staff.
- Mondays 10:00a - 11:00a (TA help with assignments @ JCL 356)
- Mondays 4:30p - 5:30p (Instructor help with assignments, general discussion @ JCL 354)
- Tuesdays 12:30p - 1:30p (TA help with assignments @ JCL 356)
- Wednesdays 10:00a - 11:00a (TA help with assignments @ JCL 356)
- Wednesdays 12:00p - 1:00p (TA help with assignments @ JCL 356)
- Wednesdays 4:30p - 5:30p (Instructor help with assignments @ JCL 354)
- Wednesdays 5:30p - 6:30p (TA help with assignments @ JCL 356)
|
Textbook |
We will be using the second edition of Computer Security and the Internet: Tools and Jewels by Paul van Oorschot. While the book is available in print, we will be referencing the PDFs of the chapters available for free from that link.
|
Coursework |
The coursework for all students consists of eight assignments, nine short responses to readings, and a closed-book final exam (during exam period). All assignments, reading responses, and exams must be completed individually, though general discussion about assignments among students is permitted (and encouraged) within the bounds of the academic integrity policy below.
|
Communication |
We will update the course schedule regularly throughout the course.
All assignments and reading response prompts will be distributed on Canvas.
We'll use Ed for discussion and questions about course material, assignments, and logistics.
Please keep all course-related communication to Ed; please do not email any members of the course staff (except if you can't access Ed).
|
Ed Question-Asking Guidelines |
If you are posting general questions about an assignment (e.g., clarification questions, broad questions about an error you encountered), please post publicly (visible to everyone in the class) on Ed. If you are asking a question about your specific approach to an assignment (especially if you are including any code), or if you are reaching out to the instructors about a personal or logistical matter (e.g., pertaining to an illness or other events that might be impacting your performance in class), please make a post on Ed visible only to the course staff.
Ed is typically used heavily in this class; for example, the 2022 class had 2,168 threads on Campuswire (our previous discussion forum). Our whole staff is always very happy to help. Following these guidelines greatly helps us answer your questions most productively.
Before You Post:
- Before you post we expect that you have attended all relevant lectures, carefully read the assignment, and have tried to solve the problem yourself.
- See if the question has already been answered. We realize there are often a ton of posts (and even more private posts that you don't see), but please spend a few minutes to check if your question has already been asked.
Posting a Question:
- Ask a specific question in your post. Your question should be about a specific problem that you are running into, a conceptual question, or other logistical issue. Just saying "Here is my code for problem X, it isn't working please help" is not actually a question. We are happy to help work through stuff but we expect you to provide clear hypotheses about which parts of your code are or are not working before asking for assistance.
- While "Here is my code for problem X, is it right? thx" is a specific question, please do not ask that specific question. We won't answer it.
- Post clear, specific titles for your questions. This helps search functionality.
- Give details in your post. More information is better. Please include as much information as possible about your approach and what you have determined is or is not causing problems. If applicable, tell us about the specific error you are running into and share terminal output or output from the JavaScript console as applicable. Tell us about what you have already attempted to do to solve your problem (if you haven't tried to solve your problem on your own you should wait before posting).
- Format your code. If you are providing code in your post, please format it in code blocks using Ed's code block (<>) feature.
- Don't include screenshots of code! Instructors/TAs may want to copy/paste your code to help answer your question by debugging the code themselves. Doing so is not possible from screenshots.
Responding to Posts:
- Please respond to each other's posts! When you do respond to posts feel free to give hints or suggestions, but please don't tell people exactly how to solve one of the exercises. Of course, don't include your own code or solution in these replies.
Note: This guidance is heavily based on guidance written by 2021 course staff member Julia Hanson, which itself was partially based on the discussion board question policy from Foundations of Computer Networks by Borja Sotomayor.
|
Submission of work |
Assignments will be collected in two places: you will turn in your code on Canvas and turn in your prose write-ups on Gradescope. Coursework that only involves prose write-ups (e.g., reading responses) will of course only be collected on Gradescope.
Reading responses (with the exception of the first) will typically be due at 11:59pm on Tuesday evenings. Assignments will typically be due at 11:59pm on Thursday evenings. Please see the course schedule for exceptions.
|
Late policy |
We will accept the nine assignments and nine reading responses up to 24 hours late with a 15 point grade penalty. Assignments more than a day late will not be accepted without a previously approved extension.
In exceptional circumstances related to personal emergencies, illness, wellness concerns, family emergencies, and similar, you may request an extension. To request an extension, make a private Ed post briefly explaining your circumstance and noting the assignment/reading response for which you are requesting an extension. Use the "extension request" tag on Ed for that post. An extension will only be granted with an affirmative reply from a member of the course staff. Note that we do not consider job interviews, work from other courses, or non-emergency travel to be exceptional circumstances.
|
Grading
Your course grade will be calculated as follows:
| Category | Percentage |
| --- | --- |
| Assignments (8) | 64% (8% each) |
| Reading Responses (9) | 9% (1% each) |
| Final Exam | 27% |
P/F Grade Policies
As outlined in UChicago's policy, this course may be taken pass/fail (P/F). Students who wish to take the course pass/fail, instead of for a letter grade, must make an Ed post with that request by the end of Week 9. A grade of P will be given to students who would have earned a C- or better in the course if it were taken for a letter grade. Note that classes taken pass/fail are unlikely to count toward the computer science major or other majors, so please only make a P/F request if you understand (in consultation with your advisor) how doing so will impact your ability to count this course toward your major.
Academic Integrity Policies
The University of Chicago has formal policies related to academic honesty and plagiarism, as described by the university broadly and the college specifically. We abide by these standards in this course. Depending on the severity of the offense, you risk being dismissed altogether from the course. All cases will be referred to the Dean of Students office, which may impose further penalties, including suspension and expulsion. If you have any question about whether some activity would constitute cheating, please ask. In addition, we expect all students to treat everyone else in the course with respect, following the norms of proper behavior by members of the University of Chicago community.
Student interactions are an important and useful means to master course material. We encourage you to discuss the material in this class with other students and to form study groups. It is totally acceptable to discuss assignments in general terms, such as discussing and sketching out the general approach to an assignment on a whiteboard (or the virtual equivalent thereof). However, it is not acceptable to show someone else your code, nor to look at someone else's code, even over screensharing. Similarly, it is not acceptable to turn in someone else's writing or code (or fragments thereof) as your own, with exceptions for properly cited (see below) instances of reusing a few lines (four or fewer, as a rule of thumb) of code. When the time comes to write down your answer, you should write it down yourself from your own understanding.
Moreover, you must cite any material discussions you had with another student in the course or any written sources you relied on in non-trivial ways when working on an assignment.
That is, as the first Gradescope item of your prose submission, you must include a list of all other students with whom you discussed the assignment and all resources (e.g., URLs of webpages) that materially influenced your solution. For each non-human resource, you must briefly explain how you used that resource. Typically, you will use a resource in acceptable ways for one of the following reasons: (i) to better understand some aspect of a programming language or security concept; (ii) for some assistance on coding, such as consulting a Stack Overflow post. Note that taking code from a particular resource to solve the majority of any sub-part of the assignment is not an acceptable use of a resource. For each human resource, either note which parts of the assignment you discussed with them or say that you discussed the whole assignment with them.
The disclosure at the top of your Gradescope submission must be descriptive. For example, "I discussed the whole assignment with Jane Smith, and we also discussed Part 3 with John Doe. I consulted https://www.helpfuldomain.com/helpfulpage.html to understand the JavaScript fetch() API and I used two lines of code from https://www.otherhelpfuldomain.com/otherhelpfulpage.html in Part 3."
You do not need to cite discussions with the instructors or TAs, nor do you need to cite anything from our course Ed discussion page. You also do not need to cite the course textbook, slides, or any other readings/materials we provide to you. If one student "helps" another by giving them a copy of their assignment, only to have that other student copy it and turn it in, both students are culpable.
In general, for any specific questions you have about why your specific approach to a problem isn't working (and definitely for any post that includes your own code), you should default to posting privately to the course staff on Ed. If you have more general questions or comments about assignments that don't include code snippets, please feel encouraged to post publicly on Ed and/or to discuss your approach with other members of the class.
If you have any questions about what is or is not proper academic conduct, please ask an instructor. Please note that we are personally willing to pursue cheating cases and have done so in the past.
(Clarification from 1/31/24) We'd also like to discuss the use of generative AI. Cheating and plagiarism can include presenting the outputs of generative machine learning models (e.g., GPT-4, ChatGPT, GitHub Copilot, OpenAI Codex) as one's own work without explicit citation and acknowledgment of what specifically was used from such models. In this course, we do not permit the use of any generative models for any parts of written responses (e.g., reading responses) even with citation and acknowledgment. In coding tasks, however, these models can be used and cited similar to a StackOverflow post. Whereas you would provide a URL to document your use of StackOverflow, for generative models you should include at the top of your assignment the prompt you provided the model and the parts of the model's output that meaningfully influenced your submission. The same rules apply to generative models as they would for code reuse. Using a generative model to turn natural language into a few lines of code for a minor part of the assignment is permitted. Using more than 5 lines of code at a time from a generative model, using a generative model to solve the main intellectual aspects of an assignment, or using a generative model to produce a substantial amount of your code (even if it's just a series of small snippets of code spliced together) are not permitted. For coding assignments, using a chatbot to replace a Google query to find resources on the relevant syntax of a language is permitted as long as this use is properly attributed.
This description of academic honesty is derived in part from policies written by Stuart Kurtz and John Reppy.
Ethical Hacking Policy
In this course, you will learn hacking techniques that can actually compromise some systems.
You may only use these techniques on systems with the explicit knowledge and explicit consent from everyone who owns and uses that system. Further note that you must stay within the bounds of each assignment. Do not use outside attacks not specified in the assignment. To make assignments more tractable and educational, we need to intentionally disable some security mechanisms on certain systems, and doing so can open up these systems to other types of attack. You may not use attacks except those specified in the assignments. Finally, do not use any techniques you learn in this class or from other resources on any machine, network, or system not specified in the relevant assignment. If you find the things you learn in class exciting, please speak to the instructors, who can point you towards productive avenues for your enthusiasm.
Livestream Policy
If you are feeling ill, please stay home from lecture to avoid spreading the illness. You may make a private Ed post using the "livestream request" tag (and noting whether you're in the 1:30 or 3:00 section) at least an hour before class. Grant or Blase will, if they are able, livestream that day's lecture for you on the class Zoom link (see Canvas).
Wellness
If a personal emergency comes up that might impact your work in the class, please let the instructors know in an Ed post visible only to the instructors so that the course staff can make appropriate arrangements. University environments can sometimes be very overwhelming, and all of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful. If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. The University of Chicago's counseling services are here to support you. Consider also reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.
If you or someone you know is feeling suicidal or in danger of self-harm, call someone immediately, day or night:
• Student Counseling Urgent Care: (773)702-9800 or in person.
• National Suicide Prevention Lifeline: 1-800-273-8255.