That's me!

ECE1776 (Fall 2014)

Instructor: David Lie
Tuesdays 12PM-2PM,BA4164
ECE1776: Computer Security, Cryptography and Privacy (Fall 2014)

Course Overview

This course covers advanced topics in computer security, cryptography and privacy, with a leaning towards exploring cutting edge problems and techniques that are still the focus of academic and industrial research.  Rather than offering a generic broad course in security, this course is continually updated to focus on current and relevant security problems.

The focus this year in the course be on smartphone privacy and security.  The main course deliverable will be a project where students will design and implement a tool that will detect Android malware.  Students will initially be given a set of  malicious Android applications to develop their tool on.  Then, another set of malicious applications will be given to do final testing.  Note that the first class is September 16th!  If you are interested in taking this course, please fill in the signup form. Prerequisite: The course assumes students have taken ECE568 or equivalent.  This course provides basic background in computer security concepts, common vulnerabilities and attacks (buffer overflow, integer overflow, format string, XSS, SQL injection, CSRF, etc...), common defenses and security mechanisms (ASLR, MAC, DAC, Cookies, etc...) and basic cryptography (DES, AES, RSA, cipher modes, MAC, Hashes, etc...).  There will be a quick quiz during the first lecture to help students evaluate whether they have the appropriate background for the course.  If you are unsure, you can fill out the assessment quiz and the instructor will get back to you.

Evaluation and Deliverables

Students will be evaluated via a research project they will conduct over the course of the semester.  One of the goals of this course will be to give students a large amount of feedback in the various stages of designing, implementing and evaluating security tools and systems.  There are 5 deliverables for the course:
Students are encouraged to work in groups of 2 but may also work individually if they wish. Resources and advice on giving oral presentations and writing research papers is available in the Course Resources section below.  We also have a bulletin board where students may post and ask questions here.

In addition, students are expected to read the weekly readings and participate in class discussions.  Reading and actively participating is critical to developing the critical thinking that is necessary to becoming a good security practitioner!

Project Details

  1. Identify the class of vulnerabilities you want to detect
  2. Propose a method to detect the vulnerability
After that, the project will proceed as follows
  1. For the midterm presentation, you should have implemented your detection method.  You should have several (i.e. 5-10) vulnerable programs you have made up that demonstrate your vulnerability and your tool should be able to detect them all. 
  2. For the final presentation, we will provide you with a corpus of open source Android applications for you to run your tool on.  Your tool should be able to run on the applications without crashing.  This will also give you an opportunity to weed out any false positives or false warnings from your tool.  I don't expect you to necessarily find any bugs in real applications because the applications may or may not have the particular vulnerability you are looking for.  However, at the minimum your tool should be able to successfully analyze real applications and not have (too many) false positives.

Midterm Presentation Outline

Your presentation should:
Overall, you should aim for having between 15-20 slides and about 25-30 minutes to present.

Final Presentation Outline

Your presentation should

Final Report Outline

For the final report, I suggest following format: I suggest a length of between 5-10 pages.  You can use the paper templates located here.  Please refer to the advice on good scientific writing below.  Due date: Dec 15