This course is CMPT 403: System Security and Privacy. It is also cross-listed as CMPT 980 G3.

Classes are held in WMC 3260 on:

• Tu 2:30 - 4:20 B9201
• Th 2:30 - 3:20 SWH 10041

Zoom recordings are available here.

Office hours will be held each Thursday 11:00 to 11:30 am, extended to 12:00 am if there are questions, on Zoom.

https://sfu.zoom.us/s/8146113895

Please e-mail me if you need to meet me at other times or in person.

Grading

Your mark will consist of the following:

• Assignment: 45% (3 assignments, 15% each)
• Blog post: 5%.
• Self-Assessment: 5%.
• Mid-term: 20%. During class, Jun 25th, Modules 1 to 3. Includes A1 and demos.
  • 2023 mid-term's written question
  • Self-assessment quiz answers, addendum
• Final: 25%

You may bring any non-electronic materials to the exams.

Course slides

• Module 1: Introduction
• Module 2: Software Security
• Module 3: Cryptography and Security
• Module 4: Network Security
• Module 5: Data Security and Privacy
• Deniable messaging
• Notes on differential privacy

Blog post details

Start a new thread on the discussion forum in CourSys and make a post about your investigation into a security related topic. For example, the topic can be:

• A malware attack, with details, results and solutions
• An explanation of heap overflow techniques
• An investigation into static analysis
• A crypto algorithm, how it works, what it achieves, and why
• Privacy techniques to protect web communications
• How a k-anonymity technique succeeds or fails

Other security-related topics are of course allowed. This is similar in nature to a survey paper, but shorter. Aim for around 1,000-2,000 words.

Your blog post will be graded on:

• Integration of sources. Your post should successfully integrate information from multiple sources (with citations), and will be graded especially highly if it includes your own investigation. It should not be based on just one article, especially Wikipedia.
• Writing. Do not be vague; be concise. Be personal: find your own words, use your own language, and relate what you learned to your own experience. You will not be graded on grammar and vocabulary. Reliance on AI to help you write will score lowly as AI is vague and not concise.
• Technical details. Successfully conveying technical details is a valuable skill and will score highly. For example, if you are talking about malware, tell me about what vulnerability it exploited, and show me the code.

As usual, do not commit plagiarism.

The blog post is due on July 12 (Friday).

Comment on at least 3 other students' blog posts. Your comment can be a question, or it can be further elaboration/details on what you know about the topic of the blog post. It should indicate you have read the blog post. You are encouraged to comment on blog posts that have no comments yet. You are also encouraged to respond to comments on your own post. The comments are due on July 19 (Friday).

Submission instructions: By July 19, submit a text file containing just the links to your blog post and comments, with no other text. The 1st line is a link to the blog post, and 2nd to 4th lines are links to three comments.

Assignments

For programming, three languages are allowed: C++, Java, and Python3. Assignments will be posted when released.

• Assignment 1, login.cpp, password.txt
• Assignment 2, vignere.txt, vignere_encrypt.py, ciphertext_gen.py, oracle.py, ciphertext, ttp-snippet.py, ttp-citext.zip
• Assignment 3, packets.txt, solutions

Other resources

printf.zip - format string vulnerability demo code and instructions

cribdrag.py

Some details of the course are given below.

Course description

Starting from cybersecurity principles, students will learn to protect systems from attacks on data confidentiality, integrity, system availability, and user privacy. By modeling system security, students will learn to find weaknesses in software, hardware, networks, data storage systems, and the Internet, and identify current security practices to protect these systems. Prerequisite: CMPT 300 with a minimum grade of C-.

Note that this course was offered as CMPT 479 in Summer 2022.

Textbook

There are no required textbooks for this course. As a reference, students may find "Security in Computing, 5th Edition" by Shari Lawrence Pfleeger, Charles P. Pfleeger, Jonathan Margulies to be helpful.

However, this course is constantly updated to reflect the ongoing security and privacy landscape - the book is relatively old (2015) and would not cover the newer topics in this course.

Grading

There is no specific minimum grade to pass this course. A 50 is a guaranteed pass. The assignments each have a written and a programming portion, with the programming portion expected to take longer. The exams are open-book and are mainly multiple choice, with some longer written questions. (This means that you should not expect to find the answer directly in the slides - some deduction and learning is necessary.)

Other resources

I've found that Arc Technica has good, detailed reporting on computer system attacks, and I often use it as a source for my material.

Bruce Schneier runs an informative and fascinating blog commenting on security (and also CS). He will be able to give you insights into the current security landscape beyond the textbook.

Hooking tutorial by Kyle Halladay: https://kylehalladay.com/blog/2020/11/13/Hooking-By-Example.html