Secure Systems Engineering

Fall 2025

A first course in the design and implementation of secure and private systems. Attacks against low-level programming, secure software engineering practices, and the use of Rust to develop secure systems. Detailed study of important secure systems such as TLS, messaging, and anonymity networks. Side channels and back doors in security-sensitive systems. Advanced topics and case studies in secure systems engineering. The course will culminate in a final project where students will engineer a secure system for a chosen application. (3 credits)

🛡️ EE I7701 meets Wednesdays from 5 - 7:45p in NAC 1/302.

Prerequisites: EE 34400 Digital Computer Systems or CSC 33200 Operating Systems or Program Director Approval.

Course instructor: Tushar Jois (Office hours: Wed 1p - 2p in Steinman 638)

Course text: None (zero textbook cost). We will be using publicly available materials, drawing mostly from Security Engineering, 3rd edition, by Ross Anderson.

Course Schedule

The schedule for the course is available below, and includes key dates. Course slides and other materials are available on Brightspace.

| Date | Lecture topic | In-class activity | Reading | Deliverables |
|---|---|---|---|---|
| Wed Aug 27 | Course intro & threat modeling | Lab 0: Hello, Rust! | Security Engineering Chapter 2 | Submit Lab 0 by 5p Aug 29 |
| Wed Sep 3 | Secure programming | Lab 1: More fun with Rust | Rust Book, chapters 3-11 | Submit Lab 1 by 5p Sep 8 |
| Wed Sep 10 | Practical cryptographic systems | Lab 2: Cryptographic engineering | Security Engineering Chapter 5, Sections 5.3, 5.7.2, 5.7.4, 5.7.5 | Submit Lab 2 by 5p Sep 15 |
| Wed Sep 17 | Failure modes of secure systems | Lab 3: Trusting trust | OWASP Top 10 2021 (all files); Reflections on Trusting Trust | Submit Lab 3 by 5p Sep 22 |
| Wed Sep 24 | No class (no classes scheduled) | | | |
| Wed Oct 1 | No class (no classes scheduled) | | | |
| Wed Oct 8 | Exam 1 | Project Check-in 1: Getting started | | Submit Check-in 1 by end of class Oct 8 |
| Wed Oct 15 | Case study: Medical devices (online lecture) | Project Check-in 2: Implementation design | Security Engineering Chapter 27, Sections 27.1 – 27.4 | Submit Check-in 2 by 5p Oct 20 |
| Wed Oct 22 | Case study: Transport Layer Security (TLS) | Project implementation meetings | Security Engineering Chapter 5, Sections 5.7.4, 5.7.5; The Illustrated TLS 1.2 Connection | |
| Wed Oct 29 | Case study: E-voting | Project implementation in-class work | Security Engineering Chapter 25, Section 25.5; Optional: Analysis of an Electronic Voting System | Submit Project implementation by 5p Nov 3 |
| Wed Nov 5 | Case study: Privacy and anonymity | Project Check-in 3: Backdooring a system | Security Engineering Chapter 20, Sections 20.3 and 20.4; Optional: Security Engineering Chapter 26 | |
| Wed Nov 12 | Project in-class work | Project backdoors meetings | | |
| Wed Nov 19 | Exam 2 | Project backdoors in-class work | | Submit Project backdoors code by 5p Nov 24 |
| Wed Nov 26 | Project demo day (online) | Project Check-in 4: Analyzing a system | | |
| Wed Dec 3 | Project analysis and presentation in-class work (self-guided) | Project Check-in 5: Presenting your results | | Submit Project presentation slides by 5p Dec 8 |
| Wed Dec 10 | Project presentation day | | | |

This course schedule is subject to change at any time. The course staff will notify students of any schedule changes as they occur. Assignment submission and grades will be on Brightspace.

Take note of the midterm exam dates. I expect all students to take these exams in person; please let the course staff know of any issues at least two weeks before any potential absences.

Take my advice: don't fall behind!

Course Goals

At the completion of this course, students will be able to:
  1. Know the core concepts of computer security, both in theory and practice
  2. Apply the proper defenses to common attacks on systems
  3. Understand the societal, cultural, and political implications of the field
  4. Be prepared for research in computer security, if they so choose

Coursework and Grading

This course makes a distinction between formative and summative coursework.

Formative assignments are designed to get you familiar with the material and try out concepts. As they are for practicing, formative assignments are graded only to ensure completion of assigned tasks. However, content from these assignments will appear on the exams. It is important to complete these assignments with full effort to truly comprehend all of the material; simply attending lectures is insufficient. The following are this course's formative assignments:

Summative assessments, on the other hand, are designed to evaluate your progress in the course. These form the majority of your final grade in the course. Content on these assessments will be derived from course material. The following summative assessments will be utilized in the course:

The course will be weighted as follows:

30% Midterm Exam 1 (in class)
30% Midterm Exam 2 (in class)
20% Project code & demo
10% Labs & project check-ins
5% Project presentation
5% Reading quizzes

The following grade scales will apply to weighted scores, at a minimum:

100%: A+ 99-92%: A 91-90%: A-
89-88%: B+ 87-82%: B 81-80%: B-
79-78%: C+ 77-72%: C < 72%: F

The instructor may choose to curve all class grades up at the end of the course, and the above cutoffs could shift, which might improve your grade. Note that this is not guaranteed, and would occur at the instructor's sole discretion.

In accordance with college policy, note that 4 or more absences from class sessions will result in an automatic WU grade for the semester. Being more than 15 minutes late to class twice will count as one absence for this purpose. Students who arrive late are responsible for checking in with the instructor for attendance. This policy is intended to encourage attendance, as you often will be working in groups; not being there hurts not only your educational experience, but also that of your groupmates. If you are unable to keep up with the course, or expect to miss class due to extenuating circumstances, please inform the course staff as soon as possible.

Extra credit will be awarded to the reading quizzes grade for each attendance at a Cybersecurity Seminar. Details on this opportunity will be posted later.

Warning

This section has been adapted from a similar warning used by Chris Fletcher.

This course will include topics related to computer security and privacy. As part of this investigation we may cover technologies whose abuse could infringe on the rights of others. As computer scientists and engineers, we rely on the ethical use of these technologies. Unethical use includes circumvention of an existing security or privacy mechanism for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class and possibly more severe academic and legal sanctions.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern "hacking." Understand what the law prohibits. If in doubt, we can refer you to an attorney.

In addition to the law, as members of the City College of New York and users of its computer systems, you are also bound by its policies on computer use.

Class Climate

I am committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone here has the right to be treated with dignity and respect. I believe fostering an inclusive climate is important because research and our experiences show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. Please join me in creating a welcoming and vibrant classroom climate. Note that you should expect to be challenged intellectually by me and your peers, and at times this may feel uncomfortable. Indeed, it can be helpful to be pushed sometimes in order to learn and grow. But at no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity.

If you ever have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, I invite you to share directly with me, the department, or university administration. We promise that we will take your communication seriously and seek mutually acceptable resolutions and accommodations. Reporting will never impact your course grade. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).

Accessibility

Students with disabilities (including those with psychological conditions, medical conditions, and temporary disabilities) can request accommodations for this course by providing an Accommodation Memo issued by the AccessAbility Center/Student Disability Services (AAC/SDS).

If you are struggling with anxiety, stress, depression, or other mental health-related concerns, please consider visiting the CCNY Counseling Center. If you are concerned about a friend, please encourage that person to seek out their services.

You are welcome to bring a family member to class on occasional days when your responsibilities require it (for example, if emergency childcare is unavailable, or for the health needs of a relative). Please be sensitive to the classroom environment, and if your family member becomes uncomfortably disruptive, you may leave the classroom and return as needed.

Academic Integrity

This course is subject to the Academic Integrity Policy of the City University of New York, quoted partially below.

Academic dishonesty is prohibited in The City University of New York. Penalties for academic dishonesty include academic sanctions, such as failing or otherwise reduced grades, and/or disciplinary sanctions, including suspension or expulsion.

Academic integrity is at the core of a college or university education. Faculty assign essays, exams, quizzes, projects, and so on both to extend the learning done in the classroom and as a means of assessing that learning. When students violate the academic integrity policy (i.e., “cheat”), they are committing an act of theft that can cause real harm to themselves and others including, but not limited to, their classmates, their faculty, and the caregivers who may be funding their education. Academic dishonesty confers an unfair advantage over others, which undermines educational equity and fairness. Students who cheat place their college's accreditation and their own future prospects in jeopardy.

On every exam, you will sign the following pledge: “I agree to complete this exam without unauthorized assistance from any person, materials or device.”

Note on Generative AI: This course assumes that all work (i.e., formative assignments and summative assessments) and communications (i.e., messages and emails) have been created by the student or the student's group. The use of generative AI tools (such as ChatGPT, Copilot, Gemini, and others) to complete this course is strictly prohibited, and will be treated as academic dishonesty. Please contact the instructor if you have questions.