Syllabus: CSE 365, Fall 2024

IMPORTANT: PLEASE COMPLETE COURSE SETUP ASAP.

Course Numbers: CSE 365 (Sections 86366, 86367, 76113, 79795)
Meeting Times: Monday, 1:30pm--2:45pm (COOR170)
Meeting Times: Wednesday, 1:30pm--2:45pm (COOR170)
Course Discord: Join the pwn.college discord (requires completion of course setup).
Course Twitch: follow this channel
Course YouTube: follow this channel

A Typical Week in This Course

Monday:

1. Come to Yan's Office Hours at BYENG 480 or on discord at 11am AZ time.
2. Come to COOR170 or stream our twitch lecture at 1:30pm AZ time.
3. Come to recitation in BYENG 209 at 4:30pm AZ time.
4. Work on challenges.
5. Discuss, help, get help on our discord.

Tuesday:

1. Catch up on any lectures you missed on our twitch or our youtube.
2. Come to recitation in BYENG 209 at 4:30pm AZ time.
3. Work on challenges.
4. Discuss, help, get help on our discord.

Wednesday:

1. Come to COOR170 or stream our twitch lecture at 1:30pm AZ time.
2. Come to recitation in BYENG 209 at 4:30pm AZ time.
3. Work on challenges.
4. Discuss, help, get help on our discord.

Thursday:

1. Catch up on any lectures you missed on our twitch or our youtube.
2. Come to recitation in BYENG 209 at 4:30pm AZ time.
3. Work on challenges.
4. Discuss, help, get help on our discord.

Friday:

1. Come to recitation in BYENG 209 at 4:30pm AZ time.
2. Work on challenges.
3. Discuss, help, get help on our discord.

Saturday:

1. Come to recitation on discord at 4:30pm AZ time.
2. Work on challenges.
3. Discuss, help, get help on our discord.

Sunday:

1. Work on challenges.
2. Discuss, help, get help on our discord.

Instructors

Instructor: Connor Nelson Discord Handle: kanak Email: connor.d.nelson@asu.edu

Instructor: Yan Shoshitaishvili Discord Handle: zardus Email: yans@asu.edu Office: BYENG 480

TAs

--------------------------------------------
| Name                | Discord Handle     |
--------------------------------------------
| Michael Kofman      | mikeluigi64.       |
| Arjun Khetan        | renaudally         |
| Vishal Juneja       | hackolympus        |
| Alexander Ng        | nobody.pm          |
| Jude O'Kain         | F4_U57             |
| Eric Rodriguez      | 2.eric             |
| Steven Wirsz        | stwirsz            |
| Zachary Jeantete    | InkaDinka          |
| Tanay Jaiman        | darthvaderiscool   |
| Aadithya Bharadwaj  | aad45              |
| Sukhmanjot Khangura | DulcetDelirium     |
| Jared Chiaramonte   | jchiara            |
| Carter Yin          | caunderscore       |
| Neeharika Mandadapu | neeharikamandadapu |
--------------------------------------------

Graduate TAs

Name: Pulkit Singaria Discord Handle: x3ero0

Name: Xiang Mei Discord Handle: n132

Name: Steven Wirsz Discord Handle: stwirsz

Name: Pratham Gupta Discord Handle: Alchemy1729 Discord Handle: stwirsz

Course Description

This course will introduce students to the fundamentals of cybersecurity. Security is a complicated thing: it is only as strong as its weakest link, and a small, single mistake can often bring down otherwise extremely secure software.

In this course, we will explore security from the perspective of the web, following the entire technology stack from the CPU, to the kernel, userspace, networking, cryptography, and finally, all the way up to the browser and http server. Each lecture will consist of an introduction to a new topic and an assignment for students to explore these concepts.

These assignments will be very thorough, and by the end, students will have an intuitive understanding of how to exploit these vulnerabilities, and will have the building blocks needed to prevent them, both in the lab and in the real world.

Recommended Textbook

There is no recommended textbook for this course. Any reading material assigned will be from publicly-available sources on the internet.

Course Structure

This course will be delivered using the pwn.college platform.

All sections of this course will be treated as one big course. Most lectures will be prerecorded and posted on the course's pwn.college dojo and on the pwncollege YouTube channel. All live lectures covered in any sections will be available to attend online, as well as recorded and posted online after.

Students in all sections classes will be responsible for all content taught in all lectures, regardless of which scheduled slots of which sections that content overlaps. It is not necessary to consume this content live: asynchronously consuming any content outside of your course's scheduled slot is acceptible.

Schedule

This is a TENTATIVE schedule.

• Assignment 01: Linux Luminarium. 8/23 – 9/1
• Assignment 02: Talking Web. 8/23 – 9/3
• Assignment 03: Web Security. 9/2 – 9/15
• Assignment 04: Network Security. 9/16 – 9/29
• Assignment 05: Cryptography. 9/29 – 10/17
• Assignment 06: Access Control. 10/14 – 10/20
• Assignment 07: Computing 101. 10/21 – 11/3
• Assignment 08: Reverse Engineering. 11/4 – 11/17
• Assignment 09: Binary Security. 11/18 – 12/2
• Assignment 10: Exploitation. 12/2 – 12/15

See the grades page for precise dates and times.

Course Communication

All announcements and communications for the class will take place on the discord, with announcements in the #announcements and discussion in the #text class-specific channel. Students are required to be on this discord. It is not possible to pass this course otherwise.

Student may use the discord to ask questions or clarifications, and the TA, Instructor, or other students can answer. Note that sharing full solution scripts or answers is expressly prohibited, but otherwise, collaboration on the way to the solution is allowed.

Questions may be directly messaged to the instructors.

Name	Discord Handle
Yan Shoshitaishvili	zardus
Connor Nelson	kanak

Before directly messaging your question, please consider asking it on the discord instead. This way, the entire class will benefit from your question.

Recitations

This course has optional daily recitations during the week from 4:30 to 5:45 in BYENG 209. If the room overflows, we will announce an overflow room on discord! All students are encouraged to attend recitation for in-person assistance.

Students that cannot make it to the recitations can receive help on the course discord synchronously and asychronously. Helping on discord is part of our TA and instructor team's duties.

Office hours will be held online weekly and in person. Yan's office hours are Monday at 11am in BYENG 480 and on discord, and Connor's are Thursday at TODO.

Assessment

Assignments only, no exams or quizzes.

Students performance will be evaluated on (tentatively) 10 equally weighted assignments (the modules), where each assignment will consist of between 10 and 100 (yes) challenge problems, plus extra credit.

Component	Weight
Assignment 1 - checkpoint	3%
Assignment 1 - challenges	7%
Assignment 2 - checkpoint	3%
Assignment 2 - challenges	7%
Assignment 3 - checkpoint	3%
Assignment 3 - challenges	7%
Assignment 4 - checkpoint	3%
Assignment 4 - challenges	7%
Assignment 5 - checkpoint	3%
Assignment 5 - challenges	7%
Assignment 6 - checkpoint	3%
Assignment 6 - challenges	7%
Assignment 7 - checkpoint	3%
Assignment 7 - challenges	7%
Assignment 8 - checkpoint	3%
Assignment 8 - challenges	7%
Assignment 9 - checkpoint	3%
Assignment 9 - challenges	7%
Assignment 10 - checkpoint	3%
Assignment 10 - challenges	7%
Extra Credit (maximum)	15%

Challenge-based assignments with flags as rewards.

Each assignment will consist of a large amount of varied, but related challenges, and will be live for between one and two weeks. Solving these challenges may require the use or implementation of fairly complex hacking tools. Solving each individual challenge will grant a challenge-specific passcode, called a "flag". The maximum number of flags possible to score for an assignment is equal to the maximum number of challenges in the assignment.

The existence of flags means that there is no wrong way to solve a challenge. If you tricked the challenge into giving you the valid flag, good job.

You grade for each assignment is two parts:

The Checkpoint

The checkpoint is worth 30% of the total assignment grade, and is granted if you have solved 30% of the challenges (rounded down) before the checkpoint deadline. After the checkpoint has passed, there is no way to earn this 30% --- it is gone forever.

The checkpoint will be due a week after the assignment is assigned (see the grades page for precise dates and times). This may line up with the assignment's deadline if the assignment is only one week long.

The Challenges

The remaining 70% of your assignment grade is simply the percentage of how many flags you managed to capture. If the assignment has 84 challenges, and you solve 79 of them, you will score 79/84 == 94%. Note that this flag percentage only has meaning within an individual assignment: no matter how many flags you capture in Assignment A, it will not directly affect your score in Assignment B (though, of course, the knowledge that you solidify while solving the challenges will absolutely help you throughout the course).

After the assignment deadline passes, solves will still count for 50% credit (so if you solve none of the challenges before the deadline, and complete all challenges after the assignment deadline, you will lose out on 30% of the assignment for the checkpoint and on a further 35% for the late penalty, for a total of 35% on the assignment).

Extension Request

Please understand that we believe deadlines to be an important mechanism for ensuring success in this class. In our experience, extensions often hurt students: they snowball into several assignments pulling up, which is probably both stressful, and a situation that does not end well. Steady progress in the course is critical to success.

Regardless, let us know what's going on. We (hopefully) aren't unreasonable people, and we understand that there is a time and a place for a deadline extension on a case-by-case basis. If your case warrants an extension, we're going to grant you an extension. If you're just asking for an extension because you're behind, unfortunately we're going to say no. Start early on the assignments!

In order to collect all extension requests into a single location, please make your request here, instead of email, discord, or canvas.

Extra Credit

This course offers four main ways to earn extra credit to an aggregate maximum of 15% of your grade. These are: memes, helpfulness, CTFs, and bug bounties.

Making Memes

Are you a meemer? Meme, and earn grades! In order to foster a good learning community, and encourage creative thinking around the material, you may receive extra credit each week for sharing educational memes in the course discord. If you post good and on-topic meme in the #memes channel and we emoji-react to acknowledge it, you will get 0.5% extra credit, to your final grade, per week.

It is important to note that memes must be relevant, educational, and non-offensive. No excessively spicy memes please. The course discord bot will acknowledge credited memes with a "good_meme" emoji if the meme is approved by the course staff. Good memes will be reviewed in class on Meme Mondays.

Over the 16 or so weeks of the semester, you can earn a total of 8% meme EC. Once a week is gone, it's gone. Weeks count as starting on Monday.

NOTE: There are over 1,000 students in this class. If everyone makes a terrible meme every week, the #memes channel will be unusable. Thus, you get one strike: if you post a bad meme (not just a miss, but a really bad meme), as judged solely by our discretion, you will be BANNED from memeing for the rest of the semester (e.g., your posting privileges to the #memes channel will be revoked). This includes memes that are unrelated to the course/material/etc, such as generic hacking or programming memes reposted from twitter. There will be plenty of other ways to hit the EC cap, don't worry. So, make good memes.

Helping Others

This course encourages collaboration. We have recruited the help of a reputation bot on the discord to this end. Whenever you get thanked by a student in a public discord channel, the reputation bot will react with a thanks emoji and log the interaction. Extra credit for receiving thanks is logarithmic (1.337**log2(thanks)). This means that, if you help students on 256 occasions through the semester, you will earn 10.21% extra credit.

Abuse of this system, including receiving thanks for help offered via DM, "thanks" inflation via superfluous thanking, and so on, is considered a violation of academic integrity.

Surveys

At the end of each module, we will send out a brief survey to gather feedback on how the course is progressing, understand your experience, and help us improve. The survey, which will be posted on the course Discord, should only take a few minutes to complete. If you submit it within 72 hours, you’ll earn 0.3% extra credit per survey. Additionally, there will be a short, five-question multiple-choice quiz to help us gauge your understanding (your quiz score will not impact your grade or extra credit). Your feedback is optional but highly valuable in shaping the course for both current and future students.

CTF Challenges

Want to apply your budding skills in tougher scenarios? pwn.college has an archive of CTF challenges. Each CTF challenge that you solve in this archive will give you 0.5% of extra credit. Your solution will need to be accompanied by a detailed, original writeup submitted to us, and we reserve the right to follow up with you on your solution. You can submit these writeups here.

pwn.college Bug Bounty Program

Any responsibly-disclosed serious security issues in course infrastructure will earn an amount of extra credit up to 15%, depending on severity! Blatantly spurious reports may earn a negative percentage report of up to -5 percentage points (just to your EC grade; this will not reduce your non-EC grade). Allowances will be made for honest mistakes leading to a spurious bug bounty filing, but please don't waste our time on purpose.

Letter Grade Calculation

The final grade will be calculated by averaging the grades of each homework assignment, equally weighted, then adding extra credit. Percentages will be translated to letter grades with the following initial cutoffs:

Percentage Grade	Letter Grade
>= 100	A+
>= 90	A
>= 88	B+
>= 80	B
>= 78	C+
>= 70	C
< 70	E

With the exception of the cutoff for A+, these cutoffs can be curved to be more generous in the event that students do worse than expected.

Honors Contracts

This course offers honors contracts! Honors students must create a custom pwn.college module on a computing topic of their choice. There should be 4-10 challenges progressively teaching the concept, as well as either accompanying text or lecture videos (at least 10 minutes per challenge) to help explain ideas. This interested should contact the instructors over email.

Collaboration Policy

Collaboration is HIGHLY encouraged in this course, within the bounds of the rules.

How Much to Collaborate

There is a delicate balance between being excessively helpful, and learning. The purpose of course collaboration is understanding concepts. As such, questions and answers should be focused on concepts, and not how to solve challenge X.

The challenges explore important concepts, and so it is fine to discuss the challenges. However, you may not discuss full or significant portions of a challenge's solution. Furthermore, you may not intentionally solve challenges as a group. The assignments must still be solved individually.

Feel free to discuss ideas important to the challenge, or tools which may be useful.

If there is any confusion, just ask! We try to assume good intentions, but egregious violations are an Academic Integrity Violation. Note that, in the entire history of pwn.college, no one has received an AIV for any public activity or help on our discord. Don't worry, be reasonable, and help your peers!

Where to Collaborate

This one is more strict. You may ONLY collaborate on the official pwn.college discord, and in CSE 365 recitations and live course sessions. Any discussion of course material on ANY other discord, even quasi-official discords such as the ASU Hacking Club, will be considered an Academic Integrity Violation.

Using Generative AI

This course allows you to use generative AI. In fact, we provide SENSAI, a GPT-4 instance augmented with data from your running challenge. You can use it to your heart's content (as long as our budget does not run out).

Please keep in mind that "the AI did it" is not a valid excuse for academic integrity violation. If you use SENSAI and the AI gives you a solution that matches another student's, we can check logs and clear you. If you use other generative AI platforms outside of our control and run into this scenario, you will be liable for the Academic Integrity Violation.

Plagiarism and Cheating

Plagiarism or any form of cheating in assignments or projects is subject to serious academic penalty. To understand your responsibilities as a student read: ASU Student Code of Conduct and ASU Student Academic Integrity Policy. There is a zero tolerance policy in this class: any violation of the academic integrity policy will result in a zero on the assignment and the violation will be reported to the Dean’s office. Plagiarism is taken very seriously in this course.

Examples of academic integrity violations include (but are not limited to):

• Sharing code with a fellow student (even if it’s only a few lines).
• Collaborating on code with a fellow student.
• Using another student's solution to solve a challenge and get a flag.
• Sharing a flag with another student (NEVER ALLOWED UNDER ANY CIRCUMSTANCES).

Posting your assignment solutions online is expressly forbidden, and will be considered a violation of the academic integrity policy. Note that this includes working out of a public Github repository. The Github Student Developer Pack provides unlimited private repositories while you are a student, making it easy to begin with a private GitHub repository.

Special Accommodations

Students requesting disability accommodations should register with the Disability Resource Center (DRC) and present the instructor with appropriate documentation from the DRC.

Syllabus Update

Information in the syllabus may be subject to change with reasonable advance notice and an announcement on discord.

Misc

Syllabus copyright 2024, along with all lectures and course-related written materials. During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course. Be reasonable.

Title IX is a federal law that provides that no person be excluded on the basis of sex from participation in, be denied benefits of, or be subjected to discrimination under any education program or activity. Both Title IX and university policy make clear that sexual violence and harassment based on sex is prohibited. An individual who believes they have been subjected to sexual violence or harassed on the basis of sex can seek support, including counseling and academic support, from the university. If you or someone you know has been harassed on the basis of sex or sexually assaulted, you can find information and resources at https://sexualviolenceprevention.asu.edu/faqs.

As mandated reporters, we am obligated to report any information we become aware of regarding alleged acts of sexual discrimination, including sexual violence and dating violence. ASU Counseling Services, https://eoss.asu.edu/counseling, is available if you wish discuss any concerns confidentially and privately.