CY 3740 / CY 5770 - Systems Security
Welcome to the landing page for CY 3740 / CY 5770. All
formal communications and course materials will be available on the
private course infrastructure. You'll get access to that after your
first class. In the meantime, here's a quick introduction.
You can reach me at the address you see on your left, but I'm
creating this page so that you don't have to go through the
scarring experience of writing a stiff email to a professor. Everything
you need to know about this course is below. Please pretend that this is
a formal syllabus.
So what's the big deal?
This course will teach you security. All of it.
I realize that's an ambitious goal for a 4-month stint. You won't have
become a leet hacker by the end, but you'll be equipped with all the
fundamentals to go down the security rabbit hole as deep as you wish.
If you pursue a career in security, you must take and
ace this course. If you want to do something else with your life, it's
still a mighty good idea to take it. Security has
become a topic you can't avoid no matter what career path you
choose. You'll thank me when you get your paycheck.
The course has two components: classes and
challenges.
Classes are just so much fun it's beyond belief, I
can't express it with words, you need to come and see for
yourself. Be absolutely sure that you make it. There is no
security book that neatly covers this material; you'll be lost if you
don't attend classes. If you can't be present, do not
sign up, you have been warned. Sporadic absence is okay.
Challenges are like homework but way more
spectacular. I give you something to break, you do that, everything gets
graded automatically, you get infinite tries until you succeed, and when
you're done you know you're done. If you do CTFs, you know the
drill. There is no report to write, no paper to submit, no stressful
wait for grades. It's fast and fun. There'll be a new challenge every
week, keeping you on your toes, but they're very lean so that you don't
waste your time with the unfun overhead.
Here comes the important part.
Classes are good fun, but merely showing up and listening to me ramble
on about security won't get you far. Challenges require
an investment on your part. The first time you see a challenge you may
experience a fleeting WTF? sensation. It won't be a mindless
application of the lecture, you'll need to research and practice the
subject matter on your own, maybe learn tools I've never shown you.
This is designed to give you a real-life security professional
experience. You'll write real exploits and break very realistic
applications. Okay, the applications are crap, but the vulnerabilities
are directly adapted from real-life cases. Many security professionals
start and end their careers without having exploited a single XSS or
buffer overflow vulnerability. This is not a knock on them, but after
completing this course, you'll be in a different league. No exploit
plays out like the examples in a textbook. The challenges capture that
well, you need to keep calm and apply your hacker toolset to the
circumstances.
We approach things from an attacker's perspective most of the time—this
is not necessarily the way to think about security, but this is
often the component missing in a typical CS curriculum. I'll make you
recognize bad code and bad design. I'll have you constantly break things
in a safe environment, so that you get sick of it by the time we're
done, and spend the rest of your life making the world secure. That last
part wasn't a joke. Ethical hacking is a concept you'll
hear a whole lot in my class. Thinking like an attacker is an asset,
acting like one is a crime. If you start getting rowdy on the Internet,
I won't hesitate to call the cops on you.
Expect 10 main challenges. Add another 5, optional, but more
quirky. There's plenty of extra points to score, but it's perfectly fine
if you don't want the extras, an "A" is very doable without
them. Bonuses give you wiggle room to get a top grade even if you miss a
few things.
There are 2 exams. Exams are often boring, and therefore I make them
fun, and in the process impose more WTF? moments on
students. To avoid that we might have a few short quizzes in the same
format, so that y'all are prepared for what's coming.
That bit about challenges and exams sounds scary. Is it
scary?
This is an easy no. My job is to make
you succeed, and most of you will succeed. If you get a B, I too get a B
in teaching. We don't want that.
You'll have 1:1 support when you get stuck. The course structure may
feel different to your typical CS courses. Different doesn't mean
difficult, I bet you'll find this less time consuming than many other
courses.
All that with one big caveat. This is a technical,
hands-on course. I expect everyone to be comfortable with using
computers professionally. In our domain that means eating coding tasks
for breakfast with a side of the Linux command line interface. I serve
bite-size refreshers for everything else like operating systems and
Internet topics and you can learn those as you go, but you must know the
meat and potatoes of computer science before you sign up. A heads up
that students with no technical background or those who are only
interested in security management topics sometimes find the material
hard to digest. Hence, the difficulty goes up significantly, and they
need to invest the eggtra thyme and effort to ketchup. If unsure, come
see the first class. Be assured that the humor is of a higher caliber.
Check out my TRACE course reviews
and Rate My
Professors page. See what other people thought. Take both positive
and negative comments with a grain of salt.
Can I take the class remotely?
No.
I try my best to accommodate sporadic absence by setting up live Zoom
sessions and recording them. I don't take attendance, and frankly I
don't mind if you choose not to show up on any given day. Skip class
when you need to, don't waste a wellness day on me, don't ask for
permission.
That being said, all accommodations are delivered on a best
effort basis. IT wrecks NUWave again? Your cat takes over the
laptop? I forget to hit the record button on Zoom? Tough luck. The onus
is on you to find a way to catch up.
Even when everything goes according to plan, consider Zoom sessions
degraded-mode lectures. This is officially an on-campus course, and we
are not guaranteed a room with remote teaching capabilities. Even when
we have tech, it rarely works. You'll miss out on my board doodles, you
won't hear classroom discussion, and I won't answer questions over
Zoom. You'll entirely miss out on 1:1 help sessions after class.
Finally, you must absolutely be present for written
exams. I only do paper exams, this is not negotiable except
under existential-caliber circumstances.
If you ask me whether I do remote, the official answer
is NO. I take zero responsibility should you ignore
that and bomb. Read the above again and make your own decision.
I'm already a 1337 hacker. What now?
Technical as it may be, this is still a class that assumes no hands-on
security experience. If you're already pwning famous CTFs left, right,
and center, you may find the material too elementary. Yes, we'll have
interesting challenges, but we'll definitely start at the basic web
injection tricks and buffer overflows without stack protections. So, if
you expect multi-stage memory exploits and VM escapes, you're probably
not the target audience. Sorry, but that's not what the course was
designed for.
If this is an elective course for your program, consider taking
something else.
Otherwise, if it's mandatory, enjoy an easy time and take the
opportunity to pick up a new hobby.
Here's an obligatory reminder that self-assessments are scientifically
shown to be biased towards overconfidence. I have students every term
that self-report as being experts, but then struggle (in a good way).
I hate my life. How can I prep for the course instead of enjoying the break?
If you absolutely must, learn Linux.
Install a sophisticated distro, learn to set it up, live in it for a few
weeks, get things done in the terminal. My recommendation for this
particular task is Arch Linux with a tiling window manager of your
choice; no desktop environment. Supplement with a Linux administration
book. All of this is stuff I will NOT teach you.
Can we get a proper syllabus now?
Topics
- Security principles
- Security architecture
- Minimum cryptography every security professional must know (yet they often don't)
- Linux security, virtualization
- Web application security
- Web application security Mk II
- Memory corruption, binary exploitation
- Algorithmic complexity attacks
- Side-channels
- Safety (which is not security!)
- Reverse engineering
- Malware
- The extremely dull stuff companies pay you $$$ for, i.e.,
information security management
- Threat modeling
- Security research, aka "Usenix Security vs. Black Hat"
Non-Topics
-
This is not a cryptography course. That's 4770, and it is highly
recommended.
-
We don't do lower network layers or Internet security
protocols. That's 4740, and you should take it. We focus on HTTP.
-
This is not a theory course. If you want formal security proofs, this
isn't it. This is hands-on aspects of systems security.
- No Windows topics. That also means no Active Directory penetration
testing material here. Otherwise everything we learn applies to all
operating systems.
- No blockchain topics. Definitely no cryptocurrencies or NFTs. Also,
"crypto" has always meant and will always stand for "cryptography."
Requirements
- Linux skills. You need to be comfortable in a
terminal.
- Programming skills. If you hate programming you'll hate this
course.
- Interest in security. This is critical for
success. Challenges require patience, self-discipline, and the drive to
keep pushing forward into uncharted territory out of sheer curiosity and
enjoyment. Here's a snapshot of what happens
otherwise.
- An understanding of computer architecture, networks, and HTTP is
great to have, but we will cover the essentials. You are required to
fill in the blanks on your own.
Grading
- Challenges, 60%
- Quizzes, 10%
- Midterm exam, 15%
- Final exam, 15%
- Bonus challenges, ?%
I curve grades harder than Shou curves lasers.
Testimonials
"How do we even review for this? Imma yolo."
"If we all get 0s we will break his grading schema."
"I think I have to do four challenges over the next week."
- Students strategizing for great success.
"Kaan is secretly a novelist bro. That was a
whole character arc and a half. Season climax of a 10 season Netflix
show."
"The entire first page is lore lmao."
- Students perusing challenge
specifications.
"I like how it's been almost 24hrs and I've
gained almost no new info."
"The only force driving me forward is sunk cost
fallacy."
- Students relishing the challenges.
"There is a suspicious lack of animemes in
today's lecture."
"I have been rickrolled for the first time in my life."
- Slice of life from the classroom.
"Honestly, the most helpful thing for the exam is
a healthy dose of bullshittery. It is possible to dig your own grave
though if you write something really stupid, so keep bullshit answers
vague. I went to maybe 70% of lectures, and for vast majority of those I
zoned out and did Networks homework."
- Senior student mentoring the newcomers.
"The Kaan work in mysterious ways."
"Shawty sometimes goes so fast during lecture I get winded."
- Proof Kaan teaches with style.
"Prolific shitposter. 5/5"
- Actual banned "Rate My Professors" review.
Can I TA this class?
I'm glad you ask the question after reading this page. I
encourage you to apply. See the FAQ for
the process.