Course

Syllabus - CSE 365 Fall 2023

Course Info

Course Numbers: CSE 365 (88662) and CSE 365 (94333)
Meeting Times: Monday and Wednesday, 1:30pm--2:45pm (LSA 191)
Course Discord: Join the pwn.college discord

Recitation Location: BYENG 210
Recitation Time: Daily (Monday/Tuesday/Wednesday/Thursday/Friday) 4:30pm--5:20pm
Recitation Start Date: 8/28/23
Recitation attendance is optional, and you may attend any recitation.

Instructors


Instructor: Prof. Adam Doupé
Email: doupe@asu.edu
Office: BYENG 472
Office Hours: Monday 11:00am--12:00pm (Zoom or in person). No Office Hours 10/16/23.


Instructor: Prof. Jaejong Baek
Email: jaejong@asu.edu
Office: BYENG M1-38
Office Hours: Wednesday 5:00pm--6:00pm (Zoom or in person)

TAs

TBA

Course Description

This course will provide students with a basic and comprehensive understanding of the problems of information assurance (IA) and the solutions to these problems, especially the security of information on computers and networks. This course will focus on the IA technology as well as IA policy, management, legal, and ethical aspects¹.

Enrollment Requirements

Prerequisites: Computer Information Systems BS major, Computer Systems Engineering BSE major, Computer Science BS major, or Industrial Engineering BSE major; CIS 235, CSE 220, or CSE 240 with C or better.

Course Objectives

Students will gain an understanding of the following topics in this course:

  • Security Objectives
  • Security Policies and Mechanisms
  • Security Attacks and Threats
  • Web Security
  • System Security
  • Access Control
  • Cryptography
  • Authentication
  • Network Security
  • Privacy and Anonymity
  • Legal and Ethical Issues

Expected Learning Outcomes

This course yields several valuable learning outcomes. Capture the Flag (CTF) competitions are hands-on exercises that simulate real-world cybersecurity scenarios, allowing participants to enhance their practical skills, problem-solving abilities, and understanding of security concepts. By engaging in CTF-based learning centered on cybersecurity and information assurance, individuals can acquire:

  • Practical Skills: Participants gain hands-on experience in network analysis, cryptography, and more, using actual security tools and techniques.
  • Problem-Solving: CTFs present intricate problems that demand creative thinking and analytical prowess for effective resolution.
  • Hands-On Experience: The challenges bridge the gap between theory and application, enabling participants to apply classroom knowledge to real-world situations.
  • Collaboration: Team-based CTFs foster teamwork, enhancing communication, cooperation, and task delegation.
  • Time Management: Time-bound challenges teach effective time management amidst multitasking.
  • Critical Thinking: Participants learn to assess challenges from an adversarial perspective, anticipating vulnerabilities and attack vectors.
  • Attack and Defense Insight: Understanding both offensive and defensive strategies enriches participants' ability to identify vulnerabilities and bolster security measures.

Course Communication

All announcements and communications for the class will take place through the pwn.college discord in the #announcements channel.

Students may use the discord to ask questions or request clarifications, and the TAs, Instructors, or other students can answer. Note that the advice in "How to Ask Questions the Smart Way" will increase the chances of getting your question answered. While I highly encourage students to help each other, please do not go overboard and send your fellow student code (this will be considered cheating). It is better to point out their mistake or direct them to a resource that can help solve their problem, rather than giving them the answer. Note that sharing solutions or answers is expressly prohibited and will result in academic sanctions.

Questions meant for the professors and/or TAs can be sent directly to their emails.

Before emailing your question, please consider asking it on the discord instead. This way, the entire class will benefit from your question.

Recorded Lectures

Links to the recorded lectures:

Lecture Slides

Links to the slides:

Grade Policies

Modules

Module 0: OverTheWire's Bandit

This module is not for credit, but if you have no experience using the Linux command line, you will significantly struggle with the rest of the class.

Therefore, take this week (8/21/23--8/25/23) to do the first 10 levels of the OverTheWire Bandit challenges: https://overthewire.org/wargames/bandit/

Because there is no credit, feel free to look at walkthroughs (if you're stuck) or ask in the discord.

Module 1: Talking Web

Talking directly to web servers using the language of the web: HyperText Transfer Protocol (HTTP). https://pwn.college/cse365-f2023/talking-web

Dates
Start Monday, August 28, 2023 @ 11:00:00
Due Monday, September 4, 2023 @ 11:59:59pm

Module 2: Assembly Crash Course

Learning how to directly talk to the CPU using x86-64. https://pwn.college/cse365-f2023/assembly-crash-course

Dates
Start Tuesday, September 5, 2023 @ 00:00:00
Due Friday, September 15, 2023 @ 11:59:59pm

Module 3: Building a Web Server

Combining the previous modules to learn how to write an HTTP server in x86-64. https://pwn.college/cse365-f2023/building-a-web-server

Dates
Start Monday, September 18, 2023 @ 15:00:00
Due Tuesday, September 26, 2023 @ 11:59:59pm

Module 4: Reverse Engineering

Now we'll apply all that knowledge of x86-64 assembly to reverse engineering binaries, first with an overview of debugging with gdb. https://pwn.college/cse365-f2023/reverse-engineering

Important note for this due date: the module is due at the end of Fall Break (10/7--10/10). We will not have office hours, recitation, or help on Discord during Fall Break. Therefore, it is up to you to finish before 10/6 if you feel that you'll need help from us. Otherwise you're on your own.

Dates
Start Wednesday, September 27, 2023 @ 21:00:00
Due Tuesday, October 10, 2023 @ 11:59:59pm Wednesday, October 11, 2023 @ 11:59:59pm

Module 5: Intercepting Communication

Let's go back to understand the networking stack so that we can understand how this knowledge can be used by attackers. https://pwn.college/cse365-f2023/intercepting-communication

Dates
Start Wednesday, October 11, 2023 @ 22:00:00
Due Tuesday, October 24, 2023 @ 11:59:59pm

Module 6: Cryptography

Now that we've learned how to break network security, let's turn our attention to how that can be secured, using math, and also how that can break! https://pwn.college/cse365-f2023/cryptography

Dates
Start Wednesday, October 25, 2023 @ 22:00:00
Due Tuesday, November 7, 2023 @ 11:59:59pm

Module 7: Access Control

Much of what we do in security is controlling who can access what, and in this module you'll break some access control. https://pwn.college/cse365-f2023/access-control

Dates
Start Wednesday, November 8th, 2023 @ 15:00:00
Due Tuesday, November 14th, 2023 @ 11:59:59pm

Module 8: Web Security

Rounding out our knowledge of how the web works with web applications, let's break some web applications. https://pwn.college/cse365-f2023/web-security

Dates
Start Wednesday, November 15th, 2023 @ 18:30:00
Due Sunday, December 10th, 2023 @ 11:59:59pm

Note: Due to the late due date of this module, absolutely no extensions will be given.

Module 9: Binary Exploitation

In our last module, let's apply all the knowledge we've gained about x86-64 to exploit binary programs. https://pwn.college/cse365-f2023/binary-exploitation

Dates
Start Wednesday, November 15th, 2023 @ 18:30:00
Due Sunday, December 10th, 2023 @ 11:59:59pm

Note: Due to the late due date of this module, absolutely no extensions will be given.

Extra Credit: NSA Codebreaker Challenge 2023

The 2023 NSA Codebreaker Challenge is a series of escalating real-world tasks that apply the techniques/ideas that we learn in this course.

Therefore, we will offer 0.3% EC for every task solved (10 tasks, total of 3% EC).

To be eligible, you must do the following:

  1. Register for an account at the 2023 NSA Codebreaker Challenge using your ASU address.
  2. Share your progress with doupe@asu.edu (go to the dropdown in the upper right, select "Sharing", then add doupe@asu.edu as a follower).
  3. Solves will be taken at December 10th @ 11:59:59pm and applied to your grade.

Extra Credit: Memes

To foster a community, and encourage creative thinking around the material, you may receive extra credit for sharing educational memes in the course discord. It is important to note that memes must be relevant, educational, and non-offensive. No excessively spicy memes please. The course discord bot will acknowledge credited memes with the approval of course staff. Good memes might be reviewed in class. Meme extra credit will be at most 1% of your grade.

Extra Credit: Helpfulness

This course encourages collaboration. If you are thanked in the course discord for helping someone, you receive extra credit. Extra credit for receiving thanks is logarithmic (2 * log_100(thanks)), for up to 2% extra credit. The course discord bot will acknowledge thanks. Abuse of this system is considered a violation of academic integrity.

Extra Credit: Bug Bounty Program

Any responsibly-disclosed serious security issues in course infrastructure will earn up to 10% extra credit, depending on the severity of the issue. Blatantly spurious reports may earn a negative penalty of up to -5%. Allowances will be made for honest mistakes leading to a spurious bug bounty filing, but please don't waste our time on purpose.

Grade Thresholds

The preliminary thresholds for assigning a letter grade are the following:

Letter Grade     Threshold
A+ 100
A 93
A- 90
B+ 86
B 83
B- 80
C+ 74
C 70

We reserve the right to curve the grades (by lowering the thresholds), depending on the circumstances.

Late Submission Policy

Late solves on challenges (solves done after the module deadline) will incur a 50% penalty. Only those challenges that are solved after the deadline will be worth 50%. Any solves after 12/10/23 at 11:59:59 AZ time will not count.

Absence Policies

CSE 365 is a hybrid course. The content/lectures covered in both classes will be available to attend online, as well as recorded and posted online after. In-person class attendance is not mandatory. Excused absences for classes will be given without penalty to the grade in the case of (1) a university-sanctioned event (ACD 304-02); (2) religious holidays (ACD 304-04; a list of religious holidays can be found at https://eoss.asu.edu/cora/holidays); (3) work performed in the line of duty according to SSM 201-18. Excused absences do not relieve students of responsibility for any part of the course work required during the period of absence.

Faculty Recording of Class Sessions

All class sessions will be recorded, and recordings provided to enrolled students, instructors, instructional support personnel and the public. If you have concerns about being recorded, please contact the course instructor. Recordings may be used to accommodate student absences. Recordings of all class sessions will be posted online for all students (current and future) to access for reviewing course materials.

Course Content

Optional Textbook

All material for the course will be provided in lecture; however, we will use an excellent textbook as supplementary material.

Introduction to Computer Security.
Matt Bishop
ISBN: 0321247442

Assessment

Students will be evaluated on their performance on the assigned pwn.college modules, which will contain hands-on security exercises. The weight of each module will be determined later, and will be announced ahead of time.

Structure

Both sections of this course will be treated as one big course (that's why they are hybrid). The content/lectures covered in both classes will be available to attend online, as well as recorded and posted online after. Students in both classes will be responsible for the content taught in both (as it builds on each other).

Expected Student Behavior

Students in this class are expected to acknowledge and embrace the FSE student professionalism expectation located at: https://engineering.asu.edu/professionalism/

Academic Integrity

Plagiarism or any form of cheating in assignments or projects is subject to serious academic penalty. To understand your responsibilities as a student read: ASU Student Code of Conduct and ASU Student Academic Integrity Policy. All engineering students are expected to adhere to the ASU Student Honor Code. There is a zero tolerance policy in this class: any violation of the academic integrity policy will result in a zero on the assignment and the violation will be reported to the Dean’s office. Withdrawing from this course will not absolve you of responsibility for an academic integrity violation and any sanctions that are applied. The AIO maintains a record of all violations and has access to academic integrity violations committed in all other ASU college/schools. Plagiarism is taken very seriously in this course.

Posting your assignment solutions online is expressly forbidden, and will be considered a violation of the academic integrity policy. Note that this includes working out of a public GitHub repository. The GitHub Student Developer Pack provides unlimited private repositories while you are a student, so use that and never make it public.

You may use generative AI tools in this course.

Collaboration Policy

Collaboration is highly encouraged in this course. However, there is a delicate balance between being excessively helpful, and learning. The purpose of course collaboration is understanding concepts. As such, questions and answers should be focused on concepts, and not how to solve challenge X.

The challenges explore important concepts, and so it is fine to discuss the challenges. However, you may not discuss full or significant portions of a challenge's solution. Furthermore, you may not intentionally solve challenges as a group. The assignments must still be solved individually.

Feel free to discuss ideas important to the challenge, or tools which may be useful.

If there is any confusion, just ask! We will try to assume good intentions, but egregious violations are an academic integrity violation.

Collaboration Policy

You must refrain from uploading to any course shell, discussion board, or website used by the course instructor or other course forum, material that is not the student's original work, unless the student first complies with all applicable copyright laws; faculty members reserve the right to delete materials on the grounds of suspected copyright infringement.

The contents of this course, including lectures and other instructional materials, are copyrighted materials. Unless otherwise directed, students may not share outside the class, including uploading, selling or distributing course content or notes taken during the conduct of the course. Any recording of class sessions is authorized only for the use of students enrolled in this course during their enrollment in this course. Recordings and excerpts of recordings may not be distributed to others. (see ACD 304–06, "Commercial Note Taking Services" and ABOR Policy 5-308 F.14 for more information).

Policy against threatening behavior, per the Student Services Manual, SSM 104–02

Students, faculty, staff, and other individuals do not have an unqualified right of access to university grounds, property, or services (see SSM 104-02). Interfering with the peaceful conduct of university-related business or activities or remaining on campus grounds after a request to leave may be considered a crime. All incidents and allegations of violent or threatening conduct by an ASU student (whether on- or off-campus) must be reported to the ASU Police Department (ASU PD) and the Office of the Dean of Students.

Warning of Offensive Class Materials

If your class materials posted to the class discord are considered offensive to the class, they will be removed and reported without notification depending on the situation.

Disability Accommodations

Suitable accommodations are made for students having disabilities. Students needing accommodations must register with the ASU Student Accessibility and Inclusive Learning Services office and provide documentation of that registration to the instructor. Students should communicate the need for an accommodation in enough time for it to be properly arranged. See ACD 304-08 Classroom and Testing Accommodations for Students with Disabilities.

Harassment and Sexual Discrimination

Arizona State University is committed to providing an environment free of discrimination, harassment, or retaliation for the entire university community, including all students, faculty members, staff employees, and guests. ASU expressly prohibits discrimination, harassment, and retaliation by employees, students, contractors, or agents of the university based on any protected status: race, color, religion, sex, national origin, age, disability, veteran status, sexual orientation, gender identity, and genetic information.

Title IX is a federal law that provides that no person be excluded on the basis of sex from participation in, be denied benefits of, or be subjected to discrimination under any education program or activity. Both Title IX and university policy make clear that sexual violence and harassment based on sex is prohibited. An individual who believes they have been subjected to sexual violence or harassed on the basis of sex can seek support, including counseling and academic support, from the university. If you or someone you know has been harassed on the basis of sex or sexually assaulted, you can find information and resources at https://sexualviolenceprevention.asu.edu/faqs.

As a mandated reporter, I am obligated to report any information I become aware of regarding alleged acts of sexual discrimination, including sexual violence and dating violence. ASU Counseling Services, https://eoss.asu.edu/counseling is available if you wish to discuss any concerns confidentially and privately. ASU online students may access 360 Life Services, https://goto.asuonline.asu.edu/success/online-resources.html.

Photo Requirement

Arizona State University requires each enrolled student and university employee to have on file with ASU a current photo that meets ASU's requirements (your "Photo"). ASU uses your Photo to identify you, as necessary, to provide you educational and related services as an enrolled student at ASU. If you do not have an acceptable Photo on file with ASU, or if you do not consent to the use of your Photo, your access to ASU resources, including access to classes (online or in person) may be negatively affected or denied.

Syllabus Update

Any information in this syllabus (other than grading and absence policies) may be subject to change with reasonable advance notice.

1: © Copyright 2023 Adam Doupé and Jaejong Baek as to this syllabus, all lectures, and course-related written materials (all others used with permission). During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course.

  1. Create a pwn.college account here. You can use an existing account, or create a new one specifically for the course. The username will be visible publicly: if you want to be anonymous, do not use your real name.
  2. Create a Discord account here. You can use an existing account, or create a new one specifically for the course.
  3. Join the pwn.college Discord server here. This is where you will be able to discuss the challenges with your peers and see official course announcements.
  4. Link your pwn.college account with your Discord here. As a verified student, you will receive an official course role in Discord for viewing course announcements.
  5. Link your pwn.college account with your ASU Student ID (10-digit number) here. This is how we will be able to give you your official course grade, and how we will be able to verify your student status for an official course role in Discord.
