CS 42600: Computer Security

TR 13:30-14:45

SC 239

Chris Clifton

Email: clifton_nospam@cs_nojunk.purdue.edu

Course Outline

Course Topics

A survey of the fundamentals of information security. Risks and vulnerabilities, policy formation, controls and protection methods, database security, encryption, authentication technologies, host-based and network-based security issues, personnel and physical security issues, issues of law and privacy.

Teaching Assistants

Discussions during office hours will be held in HAAS G050, or if that fills up, in 143 or G072. If you don't find the TA in the discussion locations, check G018.

PSO Schedule

Note: You are assigned to a particular PSO, and the PSOs (and course) are full. Please go to your assigned PSO, for two reasons:

  1. Some of the rooms will hold only the assigned people. If people show up who aren't assigned to that PSO, there won't be places to sit.
  2. In most cases, your assigned PSO instructor will also be grading your work. What they know about your understanding of the material plays a big part in the Evaluation of instructors portion of the grade. If you go to a different PSO, it will be hard for them to say things like this student really knows the material better than their test scores would indicate.

That said, if you can't make a particular PSO some week, it is okay to go to another PSO with the permission of that PSO instructor, but please make sure that there is room for those assigned to the PSO before you take a seat.

Instructor Office Hours

By arrangement, LWSN 2142F. I am available by appointment, email some good times and I'll pick what works. Or you can just drop by, I'm often in, and if not tied up with something that has be be finished right away I'll be happy to talk with you. Due to trying to meet with many of the faculty candidates, and the number of interviews scheduled, it has been very difficult to set aside any sort of regular times for office hours this semester - but I am available, just not at the same time every week.

Mailing List

There will be a course email list used for high-priority announcements. This will use your @purdue.edu email address; make sure this is forwarded to someplace you look on a regular basis.

We will be using Gradescope to turn in and comment on assignments; Blackboard will be used for recording and distributing grades, as well as for any other student-specific information about the course.

Course Methodology

The course will be taught through lectures, supplemented with reading. The PSO sections will provide an additional opportunity to ask questions and work through problems, and will be the primary venue where the projects will be introduced and discussed. The primary reading will be from the text. The written assignments and projects are also a significant component of the learning experience.

For review (and if you miss a lecture), you can pick them up as an Kaltura vodcast/podcast (accessible through Blackboard.) Be warned that the audio isn't great; you only see what is on the screen, not what is written on the chalkboard; and you can't ask (or answer) questions; so it isn't really a viable alternative to attending lecture.

We will be using Piazza to facilitate discussions; this will enable you to post questions as well as respond to questions posted by others.


The formal prerequisite is CS 25200: Data Structures and Algorithms (or ECE 46900). While not enforced as well as we would like, you should also have CS 25100 or equivalent. (Exercise: Figure out how you could meet the CS 25200 prerequisite requirement without having passed CS 25100. This is an example of the type of flaw that results in information security violations...)


Evaluation is a somewhat subjective process (see my grading standards), however it will be based on your understanding of the material as evidenced in:

Exams will be open note, with two 8.5x11 or A4 pages allowed (e.g., one piece of paper, double-sided) allowed for the first exam, four for the second, and six for the final. If any additional notes are allowed, these will be announced per exam. To avoid a disparity between resources available to different students, and the possibility of using communication-equipped devices in unethical ways, electronic aids are not permitted.

Late work will be penalized 15% per day (24 hour period or fraction thereof). You are allowed five extension days, to be used at your discretion throughout the semester (illness, job interviews, etc.) You must explicitly note that you are using these in the header of the assignment or it will be considered late (i.e., using extension days 2 and 3 for this assignment.) Fractional use is not allowed, and this may not be used to extend submission past the last day of class.

Blackboard will be used to record/distribute grades.

Policy on Intellectual Honesty

Please read the departmental academic integrity policy above. This will be followed unless I provide written documentation of exceptions. You should also be familiar with the Purdue University Code of Honor and Academic Integrity Guide for Students. You may also find Professor Spafford's course policy useful - while I do not apply it verbatim, it contains detail and some good examples that may help to clarify the policies above and those mentioned below.

In particular, I encourage interaction: you should feel free to discuss the course with other students. However, unless otherwise noted work turned in should reflect your own efforts and knowledge.

For example, if you are discussing an assignment with another student, and you feel you know the material better than the other student, think of yourself as a teacher. Your goal is to make sure that after your discussion, the student is capable of doing similar work independently; their turned-in assignment should reflect this capability. If you need to work through details, try to work on a related, but different, problem.

If you feel you may have overstepped these bounds, or are not sure, please come talk to me and/or note on what you turn in that it represents collaborative effort (the same holds for information obtained from other sources that provided substantial portions of the solution.) If I feel you have gone beyond acceptable limits, I will let you know, and if necessary we will find an alternative way of ensuring you know the material. Help you receive in such a borderline case, if cited and not part of a pattern of egregious behavior, is not in my opinion academic dishonesty, and will at most result in a requirement that you demonstrate your knowledge in some alternate manner.

Policy on Commercial Note-Taking or otherwise selling or reposting course materials

Other Issues and Resources

If you have other issues please feel free to talk to me - if I can't help, I'll try to point you in the right direction. Be aware that due to Title IX and state law, there are some things for which I can't promise confidentiality (but see CARE below).

University Emergency Preparedness instructions

Student Mental Health and Wellbeing: Purdue University is committed to advancing the mental health and wellbeing of its students. If you or someone you know is feeling overwhelmed, depressed, and/or in need of support, services are available. For help, such individuals should contact Counseling and Psychological Services (CAPS) at (765)494-6995 and http://www.purdue.edu/caps/ during and after hours, on weekends and holidays, or through its counselors physically located in the Purdue University Student Health Center (PUSH) and the Psychology building (PSYC) during business hours.

Sexual Violence: Purdue University is devoted to fostering a secure, equitable, and inclusive community. If you or someone you know has been the victim of sexual violence and are interested in seeking help, there are services available. Reporting the incident to any Purdue faculty and certain other employees, including resident assistants, will lead to reference to the Title IX Coordinator, as these individuals are mandatory reporters. The Title IX office can investigate report of sex-based discrimination, sexual harassment, or sexual violence. Title IX ensures that both parties in a reported event have equal opportunity to be heard and participate in a grievance process. To file an online report visit https://cm.maxient.com/reportingform.php?PurdueUniv&layout_id=15 or contact the Title IX coordinator at 765-494-7255.

The Center for Advocacy, Response, and Education (CARE) offers confidential support and advocacy that does not require the filing of a report to the Title IX office. The CARE staff helps each survivor assess their reporting options and access resources that meet personal needs. The CARE office can be found at 205 North Russell Street in Duhme Hall (Windsor), room 143 Monday - Friday 8:00 AM to 5:00 PM. They can also be reached at their 24/7 hotline 765-495-CARE or at CARE@purdue.edu.

And you should always feel free to call, email, or drop by and talk to me (or, if you have an issue with me, to the department head.)


The basic text for this course is:

For those who want a deeper treatment of theory, you may want to look at: Matthew Bishop Computer Security: Art and Science, Addison-Wesley, 2003. ISBN 0-201-44099-7
If you use this book, you'll want the appropriate Errata pages.

Course Outline (numbers correspond to week):

To access some of the material, you need to be on-campus, or use a VPN to make it appear that you are on campus.

  1. Introduction. Issues of terminology and underlying themes. Included are issues of basic threats, vulnerabilities, and goals.
    Reading: Pfleeger Chapter 1.
    Monday PSO will not be held this week. Thursday and Friday PSOs will be held.
    Assignment 1 released, due 16 January 11:59pm in Gradescope. Solutions.
  2. Software Vulnerabilities and Exploits. Secure Programming.
    Reading: Pfleeger Chapter 3-3.1, CWE/SANS Top 25 (see also the SANS discussion), Classes of Vulnerabilities and Attacks
    1. Overview, buffer overflow
      Advanced reading/exercices on memory vulnerabilities/exploits from Prof. Antonio Bianchi.
    2. Other vulnerabilities, Mitigations
      Project 1 released, due 30 January 11:59pm (solutions)
  3. January 21: Martin Luther King, Jr. Day: No Monday PSO.
    Personnel and Physical Security. Issues of how to protect physical information infrastructure, and how to select and protect personnel involved with security.
    1. Personnel Security
    2. Training, Physical Security
      Reading: NIST 800-50: Building an Information Technology Security Awareness and Training Program
  4. Encryption Basics. Substitution and permutation ciphers. Attacks on encryption. Block vs. stream ciphers. Public key cryptography, digital signatures, escrowed and multi-keyed algorithms.
    Reading: Pfleeger Chapters 2.3, 12.
    Assignment 2 released, due 6 February 11:59pm in Gradescope. Solutions.
  5. February 4: Last day to add a course, or to drop without the possibility of a WF
    1. Applying encryption. Key management, electronic commerce and digital cash, end-to-end arguments.
      Reading: Why does cryptographic software fail?
    2. Risk Analysis
      Reading: Pfleeger Chapter 10.4.
    1. February 12, in class: First Midterm. (Solutions)
    2. Audit and Logging
    Reading: Best practices for audit, log review for IT security investigations, Berkeley Security Audit Logging Guideline.
    Advanced reading: Bishop Chapter 25, NIST 800-92: Guide to Computer Security Log Management.
  6. Models of security. Defining security. Multi-level security. Labeling.
    1. Formal Access Control Models
    2. Access Control Policy Models
    Reading: Pfleeger Chapter 2.2.
    Assignment 3 released, due 1 March 11:59pm in Gradescope. Solutions.
  7. Authentication and identification. Who are you and how do we know that?
    1. Identity
    2. Guest Lecture: Prof. Jeremiah Blocki: Authentication
    Reading: Pfleeger Chapter 2.1.
  8. Malicious code. Viruses, worms, etc. Message digests and scanning as protection methods.
    1. Guest Lecture: Prof. Ninghui Li
    2. Guest Lecture: Prof. Christina Garman
    Reading: Pfleeger Chapter 3.2-3
    March 8: Last day to drop a course. Note that Prof. Clifton will be hard to reach this week, don't put this off until the last minute.
    Spring Vacation March 11-16
  9. Network Security I. This is coverage of problems related to computing in a network, including eavesdropping and intrusion.
    Assignment 4 released, due 27 March 11:59pm in Gradescope. (solutions)
    1. Network Security II. Higher-level problems of security, including secure time, authentication, quality of service, etc.
    2. Basic DB security. Coverage of locking, inference protection, and auditing.
    Project 2 released, due 10 April 11:59pm in Gradescope.
    1. April 2, in class: Second Midterm. (Solutions)
    2. Basic DB security: Inference Protection. Web Application Security.
      Reading: Pfleeger Chapters 7, 4
  10. CERIAS Annual Security Symposium April 9-10
    1. Class on April 9 will be at the Symposium, STEW 302-306: Baiju Patel, Research Fellow, Intel, Lessons from designing Security ISA over 20 years
    2. Assurance methods
  11. Project 3 released, due 17 April 11:59pm in Gradescope.
    1. Assurance: Formal evaluation, Formal methods
      Reading: Common Criteria Part 1 Chapters 1, 6.1, 6.3, 6.4, 7; Part 2 Chapters 1, 6; Part 3 Chapter 6.
    2. Privacy
      Reading: Pfleeger Chapter 9.
    Assignment 5 released, due 25 April 11:59pm in Gradescope. (solutions)
  12. Issues of law and ethics. Discussion of legal issues relating to intellectual property, computer abuse, and law enforcement. Also discussion of additional ethical issues not discussed previously in the semester.
    Reading: Pfleeger Chapter 11, ACM Code of Ethics.
    Thursday and Friday PSOs will not be held this week, however, there will be extended office hours.

You may also want to see the canonical syllabus, previous offerings of the course from Profs. Spafford and Kate, or my offering of the graduate information security course. If you see something there you like (content, policies, etc.), let me know.

Final Exam Thursday, May 2, 7:00pm-9:00pm, WTHR 172.
If you have another exam scheduled at that time or you have three or more exams scheduled that day and would like to reschedule this exam, please let me know as soon as possible. Note that conflicting exams are pretty much the only reason for rescheduling, I bought a ticket to go home earlier is not an accepted reason for an exam to be rescheduled.

Valid XHTML 1.1