24f-2550: Introduction to Cybersecurity
Welcome to CY 2550 Fall 2024.
First steps
- You have a few action items before class:
  - Enroll in the course Piazza to get answers to your questions. Note: make sure you are in my section’s Piazza.
  - Enroll in Gradescope using the registration code from Canvas or the first day of class.
Course Basics
- Instructors: abhi shelat
- TF 9:50–11:30, 1:35–3:15
- We have
  - TAs: Manav Gupta, Patrick Lioanag, Schuyler Rosefield, Sanjana Singhania
  - The best way to engage the course staff is via Piazza and office hours.
- Office hours:
  - Zoom links will be posted in Canvas and Piazza.
Goals
This is an introductory (first-year) course that presents an overview of basic cybersecurity principles and concepts. The high-level goal is to introduce the main topics in security, the adversarial mindset, threat modelling, and the design of defense mechanisms.
In my own interpretation, a large part of the field is understanding the different expectations of behavior for a system and then the failures to achieve those expectations in critical systems. I think of four categories of failures:
- Failure in operation:
  - Human model of usage
  - Inadvertently leaking secret keys, etc.
- Failures of implementation:
  - improperly handling untrusted input
  - time of use and time of check
  - error handling leaks implementation
  - linux scheduling
- Failures of design:
  - MD5, SHA1 hash function
  - wifi pwd protocol
- Failures of abstraction: when the assumed abstraction does not hold, which leads to catastrophic flaws in security. (These are sometimes the most interesting cases to study.)
  - side-channels: power, acoustical, spectre, meltdown
  - adversary is stronger than expected
  - Unintended consequences: privacy loss
As we study these failures, and hopefully understand how to design better systems, the field also considers practical defenses against unforeseen attacks and adversaries:
- Defense in depth
- reducing attack surface (e.g., point-to-point instead of perimeter security)
- least privilege
- advanced cryptography
The course will cover most of the required background, and so we encourage wide participation.
Concepts will be illustrated with practical tools, systems, and applications that exemplify them. Hands-on projects will introduce students to key security tools and libraries.
Course Schedule
Lecture | Topic | Due |
---|---|---|
L1 | Intro, Linux | |
L2 L3 | Passwords, 2FA, biometrics | P0 |
L4 L5 | 2FA, Distributed Password Models, Access control | |
L6 L7 | Access control (capabilities, mandatory) | P1 |
L8 L9 | Mandatory access control, Crypto intro | |
L10 L11 | Crypto: Symmetric encryption | P2 |
L12 L13 | Public key cryptography | |
L14 L15 | Anonymous data isn’t! | P3 |
L16 L17 | System security and Exploits | |
L18 L19 | Buffer Exploits lab, SQL | P4 |
L20 L21 | SQL & Web security (injection, xss, csrf) | P5 |
L22 L23 | Web security | |
L24 | Network security & Wireless networking | P6 |
L25 | Wireless & Review | P7, P8 |
Extra | Extra topics for the curious that we couldn’t cover | |
Ethics
You will learn about security techniques and tools that can potentially be used for offensive purposes; “hacking” in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is both ethically problematic to attack systems that you do not own and may violate the law.
Grading
Your final grade is computed as a weighted sum of your project scores and your quiz scores.
- Projects (8):
- Quizzes (10):
Each assignment will include a breakdown of how it will be graded. Some projects may include extra credit components that can boost your grade above the maximum score.
We assign final letter grades on a standard curve with roughly half the grades in the A/A- category; we may take into account special factors like the number of late days you have used when assigning letter grades.
Projects
There will be eight projects throughout the semester.
Projects must be submitted before 11:59:59pm on the specified date.
You can submit as many times as you like through GitLab.
Your last commit timestamp on your files will be used to determine lateness.
Assignment | Description | Due Date | Piazza Tag | % of Final Grade |
---|---|---|---|---|
Project 0 | Linux Basics | 9/16 | #project0 | 5% |
Project 1 | Passwords | 9/27 | #project1 | 10% |
Project 2 | Access controls | 10/11 | #project2 | 10% |
Project 3 | Cryptography | 10/25 | #project3 | 10% |
Project 4 | De-anonymization | 11/4 | #project4 | 10% |
Project 5 | Forensics | 11/12 | #project5 | 10% |
Project 6 | Capture The Flag | 11/26 | #project6 | 10% |
Project 7 | Web Capture the Flag | 12/4 | #project7 | 10% |
Project 8 | Bonus | 12/4 | #project8 | 0% |
Quizzes
Quizzes will be posted and answered through Gradescope; you will have the day on which the quiz is announced to submit your answer. If you miss class, it is your responsibility to ensure that you submit these quizzes on time, and there are no extensions.
Late Policy
If the grading for your project is automated by script (i.e., it uses the Gradescope autograder), then the deadlines have little to no flexibility. Within a few hours after the posted deadline, we will turn off the grader and post the grades, after which you will not be able to submit. We do not know exactly when we will cut off the grader, so your best strategy is to aim to finish all projects by the posted deadlines to guarantee you get credit. Extensions beyond this policy will not be given unless you have health issues that are supported by a doctor’s note. Do your best to satisfy the posted deadlines.
Cheating Policy
- Collaborating with other students in the class on homework problems is encouraged, though we urge you to first attempt working out all of the problems by yourself. It’s ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn.
- However, you must write up, prepare, and submit your solutions in your own words. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.
  Example: If you have copied and pasted any text from someone else, you have violated this policy even if the two of you were working together on an assignment. Type your own keystrokes that lead you to a solution; do not copy commands that you do not understand or that were given to you by someone else.
- All students are subject to Northeastern University’s Academic Integrity Policy. Per Khoury College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result in deferred suspension, suspension, or expulsion from the university.
- If you violate this policy, you receive a 0. There will be no leeway on enforcement of this policy.
Textbook
You do not need a textbook for this course. I am not aware of a great textbook on cybersecurity that aligns with my approach to the topic. However, there are many online resources that cover the topics of this course.
Here is a free online textbook on security that might help you; you will have to find the relevant topics that correspond to class.