Term Taken: 2020 Fall
Remote Teaching due to COVID19
Instructor: Prof. Meng Wei
Grading Scheme
- Homework x 4 (40%)
- Midterm Exam (28%)
- Final Exam (32%)
Topics Covered
- Security Principles.
- Memory Stack.
- Control Hijack.
- OS Security.
- Cryptography (Symmetric/Asymmetric): Strong Hash, Block Ciphers, RSA, Diffie-Hellman Key Exchange, Certificates, Message Authentication Code.
- Web Security: Same-origin Policy, Cross-site Scripting, Cross-site Request Forgery, SQL Injection, UI-based Attacks.
- Network Security: Sniffing, Port Scanning, DNS Poisoning, DHCP Hijacking, ARP Spoofing, TLS/SSL, DoS.
Review
This new course was the CS version of the equivalent IERG4130 course. It served as an elective for CSE majors and surprisingly, a required course for FTEC majors. Because of this, the position of this course was pretty weird. Lower-level system security knowledge couldn’t be covered because most FTEC majors didn’t take OS (CSCI3150) and Networks (CSCI4430), but on the other hand, for people who completed OS and Networks courses, the materials were way too easy. I actually suggested the FinTech major open their own security course focusing on cryptography and high-level security principles, don’t know whether they will listen. If they listen, the professor might be able to add OS and Networks as prerequisites and teach more advanced knowledge for CS majors.
The syllabus was divided into five major parts: Security Principles, System Security, Cryptography, Web Security, and Network Security. Since each of the topic is a vast field on their own, the course only skimmed through each of them quickly. For System Security, we learned some caveats of writing C programs, how to hijack a program through the memory stack, and the preventions of such attacks. Many students felt that this part was too overwhelming because they didn’t have the background knowledge of OS/Memory. On the other hand, cryptography and web security were more friendly to students with all backgrounds. In particular, some prevalent crypto-systems such as RSA, Diffie-Hellman, AES as well as common web security measures/attacks such as Same-origin Policy, XSS, CSRF, SQL Injection were discussed. I believe these knowledge are quite useful in people’s everyday life. For example, equipped with the knowledge, we can understand whether or not we should trust a website, whether or not a messenger app encrypts your message safely, and so on. These two topics were the “good parts” of this course (even though the lecture slides were organized in a quite confusing way). The last topic, network security was, again, too overwhelming for students without computer networks background and too shallow for students who completed a networks course. The professor started with teaching the network stack, TCP, UDP, DNS, ARP, DHCP, etc all over again so it was quite tedious for people who’ve taken CSCI4430. Furthermore, since we went over all the networking basics, little time was left to really get into the security part.
For the homework, there were 4 of them. Assignment 1 required us to write a few lines of C programs, while the other ones were mostly fill-in-the-blanks. Thus, the average and median of the assignments were all around 90 out of 100 except for the first one (which had the average of 70 something). I really didn’t like the fill-in-the-blank-styled homework, since it was very underwhelming and made me feel like an elementary school student doing my exercise book. I really think they should add more programming assignments so the students could gain more practical cyber security skills.
As for the exams, we took them using a lock-down browser (insert {all_my_homies_hate_lockdown_browsers.jpg}). There were several true/false questions and some short-answer questions. I felt the selection of the tested materials were really weird in the sense that they often asked for very niche details which the lecture notes didn’t really cover much. For example, in the final exam, they tested our understandings on Content Security Policy and the SameSite attribute for cookies. These two topics occupied only two lines of text in the lecture notes but took up around 9 points each on the final exam. On the other hand, there were an entire set of lecture notes dedicated to the topic of SQL injection, but none of them were tested on the exams.
To conclude, this was a new course so there were a lot to fix. Thus, I don’t recommend CS majors take this course unless they’ve taken OS and Networks and want to fill an easy 3 credits in their schedules.