HEART: Computer Security and Privacy for the Modern World

Fall 2021

Course Instructor: Tushar Jois

Can we build reliable, secure computer systems that ensure user privacy? We'll look at three key areas of cutting-edge research -- censorship resistance, the Internet-of-Things, and electronic voting -- and see if we can start to answer this question! Every class, lecture material will be accompanied by a hands-on component designed to provide first-hand experience in computer security and privacy. (No prerequisites, 1 credit, S/U grading)

Course Goals

By the end of this course, students...

• Should understand the basics of computer security and privacy, including, but not limited to, data confidentiality, data authenticity, and secure systems design.
• Should have a high-level understanding of how to perform threat modeling in modern application domains, such as censorship resistance, secure messaging, smartphones, the Internet-of-Things, and electronic voting.
• Should have an appreciation for the societal, cultural, and political implications of security, privacy, and cryptography.
• Should have the tools and requisite background necessary to join as undergraduate researchers in computer security labs, if they so choose.

Course Work and Expectations

• There will be a weekly reading assignment that must be completed before each class.
• There will be an end-of-class presentation on a security topic of your choosing, executed in groups of 3. The presentation will be conducted in Ignite format, wherein every group member has 20 slides, which automatically advance every 15 seconds. This results in 5 minutes per person, and 15 minutes total. The slide template here includes more information. Each member is expected to contribute to the out-of-class preparation for the final presentation.
• There will be discussion activities interspersed throughout the course. Students are expected to actively listen to and encourage their classmates, and to contribute to discussions in a positive way.
• There will be an “exit ticket” handed out at the end of every class meeting. Students are expected to use the exit ticket to provide feedback as to the effectiveness of the lesson, and to ask any remaining questions on the topic directly to the Instructor.

This course is subject to the Academic Integrity Code of the Department of Computer Science.

Course Schedule

There are 10 class meetings during the semester; the first meeting will be held the week of September 9. The last meeting will be held the week of November 17. Note that this means the two sections do not have the same content in a calendar week – please double check the schedule for your section’s reading.

Reading is mandatory, and is typically introductory-level. Try your best to understand these. Optional reading is not mandatory, and typically consists of research papers in the field. They may be more difficult to read. Every session will have some kind of interactive, in-class activity -- make sure to bring your computer to class! Slides will be posted here after both class meetings.

1. Introduction'); DROP TABLE Syllabus; -- (slides)
• Meeting: 🧡️ Wed Sep 15, 💙 Thu Sep 9
• Topics: hello world, trust in the developer, Trust in the user
• Reading: USENIX 2018 Keynote Video AND Reflections on Trusting Trust
• Optional: (none)
• Activity: Group discussion: trust issues

2. It's a Unix system! I know this! (slides)
   • Meeting: 🧡️ Wed Sep 22, 💙 Thu Sep 16
   • Topics: systems security, Unix permissions, memory isolation, buffer overflow
   • Reading: What is buffer overflow?
   • Optional: Smashing the Stack for Fun and Profit
   • Activity: Smashing the stack for fun and profit learning
   • Download link for the course virtual machine
   • Instructions on how to configure the virtual machine
   • Code for today's activity

3. Better living through cryptography (slides)
   • Meeting: 🧡️ Wed Sep 29, 💙 Thu Sep 23
   • Topics: encryption, authentication, key exchange, TLS
   • Reading: Nine Algorithms That Changed The Future, Chapters 4 AND 9
   • Optional: The Illustrated TLS Connection
   • Activity: Crypto means cryptography
   • Code for today's activity

4. Trust? In my hardware? It's more likely than you think. (slides)
   • Meeting: 🧡️ Wed Oct 6, 💙 Thu Sep 30
   • Topics: protection rings, secure hardware, side-channels
   • Reading: Introduction to SGX - The ELI5
   • Optional: DOVE: A Data-Oblivious Virtual Environment
   • Activity: Execution traces as side-channels

5. Wait, I thought this was about security and privacy? (slides)
   • Meeting: 🧡️ Wed Oct 13, 💙 Thu Oct 7
   • Topics: privacy, censorship resistance, Tor, steganography
   • Reading: Tor Overview (watch video AND read website text)
   • Optional: Meteor: Cryptographically Secure Steganography for Realistic Distributions, Privacy as Contextual Integrity
   • Activity: Tor exploration & Meteor demo

6. The Signal in the noise (slides)
   • Meeting: 🧡️ Wed Oct 20, 💙 Thu Oct 14
   • Topics: threat modeling, secure messaging, Signal protocol, society
   • Reading: What Is Security Engineering?
   • Optional: Investigating the Signal Protocol
   • Activity: Security engineering for secure messaging
   • Presentation topic selection due today!

7. Sherlock Phones: Forensics and privacy in smartphones (slides)
   • Meeting: 🧡️ Wed Oct 27, 💙 Thu Oct 21
   • Topics: forensic threat model, data protections on smartphones, attacks
   • Reading: Data Security on Mobile Devices, Chapter 1: Introduction
   • Optional: SoK: Cryptographic Confidentiality of Data on Mobile Devices
   • Activity: What could a forensic adversary learn about you?

8. The “S” in “IoT” stands for “Security” (slides)
   • Meeting: 🧡️ Wed Nov 3, 💙 Thu Oct 28
   • Topics: smart home, security considerations, attacks and defenses
   • Reading: Home automation Wikipedia article
   • Optional: SoK: Security Evaluation of Home-Based IoT Deployments
   • Activity: Designing the smart home of the future
   • Presentation abstract due today!

9. Technology at the ballot box (slides)
   • Meeting: 🧡️ Wed Nov 10, 💙 Thu Nov 4
   • Topics: voting technology, remote voting
   • Reading: Election Integrity and Technology: Vulnerabilities and Solutions
   • Optional: Analysis of an Electronic Voting System
   • Activity: e-Voting discussion: can cryptography save us?

10. Group presentations
    • Meeting: 🧡️ Wed Nov 17, 💙 Thu Nov 11
    • Reading: Reflections on Trusting Trust (yes, again!)
    • Presentation slides due today! Template here.
    • Topics: Students can select from the following.
      • Speculative execution (Spectre) attacks
      • Perceptual hashing (NeuralHash, PhotoDNA)
      • Privacy in machine learning
      • Supply chain vulnerabilities (SolarWinds) and solutions
      • Medical device security
      • Web security: SQL injection and XSS
      • Student choice (must confirm with Instructor)