Secure Systems Engineering

Spring 2024

A first course in the design and implementation of secure and private systems. Attacks against low-level programming, secure software engineering practices, and the use of Rust to develop secure systems. Detailed study of important secure systems such as TLS, messaging, and anonymity networks. Side channels and back doors in security-sensitive systems. Advanced topics and case studies in secure systems engineering. The course will culminate in a final project where students will engineer a secure system for a chosen application. (3 credits)

🛡️ EE G7701 meets Tuesdays from 6:30 - 9:15p in Shepard 20.

Prerequisites: EE 34400 Digital Computer Systems or CSC 33200 Operating Systems or Program Director Approval.

Course instructor: Tushar Jois (Office hours: Thu 4:30 - 5p in Steinman 638)

Course text: None (zero textbook cost). We will be using publicly available materials.

Course Schedule

The schedule for the course is available below, and includes links to course materials and key dates.

Date Lecture topic In-class activity Reading Deliverables
Jan 30, 2024 Course intro & Unix security basics (slides) Course virtual machine setup Security Engineering book chapter Assignment 1 out, due by 10p Feb 12 Feb 14
Feb 6, 2024 Buffer overflows (slides) Intro to GDB & Assignment 1 in-class work Book chapter (see Blackboard)
Feb 13, 2024 Rust programming (slides) Lab 1: Hands-on with Rust Rust Book, chapters 1, 3-6 Assignment 2 out, due by 10p Mar 4
Feb 20, 2024 Practical cryptography (slides) Lab 2: More fun with Rust Rust Book, chapters 7-11
Feb 27, 2024 Case study: Transport Layer Security (TLS) (slides) Lab 3: Wireshark & TLS The Illustrated TLS 1.2 Connection
Mar 5, 2024 Exam 1 Project introduction & group assignment Project description out (note due dates)
Mar 12, 2024 Case study: electronic voting (slides) Project check-in 1 & in-class work Blaze law review paper
Mar 19, 2024 Backdoors in secure systems (slides) Assignment 3 in-class work Reflections on Trusting Trust Assignment 3 out, due by 10p Apr 1
Mar 26, 2024 Case study: medical device security (recorded lecture on Blackboard) Project check-in 2 & in-class work
DIYAPS review paper, pages 1217-1222 and 1227-1232
Apr 2, 2024 Case study: privacy & anonymity systems (slides) Lab 4: Privacy Double Ratchet specification, sections 1, 2; optional: Tor paper
Apr 9, 2024 Advanced topics: side channels & trusted hardware (slides) Project check-in 3 & in-class work DOVE research paper Submit Project code by 10p Apr 15
Apr 16, 2024 Exam 2 Project check-in 4 & in-class work
Apr 23, 2024 Spring recess (no class)
Apr 30, 2024 Spring recess (no class)
May 7, 2024 Project code demos In-class work Submit Project presentation slides by 10p May 13
May 14, 2024 Project presentations

This course schedule is subject to change at any time. The course staff will notify students of any schedule changes as they occur. Assignment submission and grades will be on Blackboard.

Take note of the midterm exam dates. I expect all students to take these exams in person; please let the course staff know of any issues at least two weeks before any potential absences.

If you are unable to keep up with the course, or expect to miss class due to extenuating circumstances, please inform the course staff as soon as possible.

Take my advice: don't fall behind!

Course Goals

At the completion of this course, students will be able to:
  1. Know the core concepts of computer security, both in theory and practice
  2. Apply the proper defenses to common attacks on systems
  3. Understand the societal, cultural, and political implications of the field
  4. Be prepared for research in computer security, if they so choose

Coursework and Grading

This course makes a distinction between formative and summative coursework.

Formative assignments are designed to get you familiar with the material and try out concepts. As they are for practicing, formative assignments are graded only to ensure completion of assigned tasks. However, content from these assignments will appear on the exams. It is important to complete these assignments with full effort to truly comprehend all of the material; simply attending lectures is insufficient. The following are this course's formative assignments:

Summative assessments on the other hand, are designed to evaluate your progress in the course. These form the majority of your final grade in the course. Content on these assessments will be derived from course material. The following summative assessments will be utilized in the course:

The course will be weighted as follows:

20% Midterm Exam 1 (in class)
20% Midterm Exam 2 (in class)
15% In-class labs (completion, 4 total)
15% Assignments (3 total)
15% Project code & demo
10% Project presentation
5% Project check-ins (completion, 4 total)

The following grade scales will apply to weighted scores, at a minimum:

100%: A+ 99-92%: A 91-90%: A-
89-88%: B+ 87-82%: B 81-80%: B-
79-78%: C+ 77-70%: C < 70%: F

The instructor may choose to curve all class grades up at the end of the course, and the above cutoffs could shift, which might improve your grade. Note that this is not guaranteed, and would occur at the instructor's sole discretion.

There will be no extra credit assignments in the course.

Warning

This section has been adapted from a similar warning used by Chris Fletcher.

This course will include topics related computer security and privacy. As part of this investigation we may cover technologies whose abuse could infringe on the rights of others. As computer scientists and engineers, we rely on the ethical use of these technologies. Unethical use includes circumvention of an existing security or privacy mechanism for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class and possibly more severe academic and legal sanctions.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern "hacking." Understand what the law prohibits. If in doubt, we can refer you to an attorney.

In addition to the law, as members of the City College of New York and users of its computer systems, you are also bound by its policies on computer use.

Class Climate

I am committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone here has the right to be treated with dignity and respect. I believe fostering an inclusive climate is important because research and our experiences show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. Please join me in creating a welcoming and vibrant classroom climate. Note that you should expect to be challenged intellectually by myself and your peers, and at times this may feel uncomfortable. Indeed, it can be helpful to be pushed sometimes in order to learn and grow. But at no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity.

If you ever have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, I invite you to share directly with me, the department, or university administration. We promise that we will take your communication seriously and seek mutually acceptable resolutions and accommodations. Reporting will never impact your course grade. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).

Accessibility

Students with disabilities (including those with psychological conditions, medical conditions, and temporary disabilities) can request accommodations for this course by providing an Accommodation Memo issued by the AccessAbility Center/Student Disability Services (AAC/SDS).

If you are struggling with anxiety, stress, depression, or other mental health-related concerns, please consider visiting the CCNY Counseling Center. If you are concerned about a friend, please encourage that person to seek out their services.

You are welcome to bring a family member to class on occasional days when your responsibilities require it (for example, if emergency childcare is unavailable, or for the health needs of a relative). Please be sensitive to the classroom environment, and if your family member becomes uncomfortably disruptive, you may leave the classroom and return as needed.

Academic Integrity

This course is subject to the Academic Integrity Policy of the City University of New York, quoted partially below.
Academic dishonesty is prohibited in The City University of New York. Penalties for academic dishonesty include academic sanctions, such as failing or otherwise reduced grades, and/or disciplinary sanctions, including suspension or expulsion.

Academic integrity is at the core of a college or university education. Faculty assign essays, exams, quizzes, projects, and so on both to extend the learning done in the classroom and as a means of assessing that learning. When students violate the academic integrity policy (i.e., “cheat”), they are committing an act of theft that can cause real harm to themselves and others including, but not limited to, their classmates, their faculty, and the caregivers who may be funding their education. Academic dishonesty confers an unfair advantage over others, which undermines educational equity and fairness. Students who cheat place their college's accreditation and their own future prospects in jeopardy.

On every exam, you will sign the following pledge: “I agree to complete this exam without unauthorized assistance from any person, materials or device.”