Welcome, Spring 2019 Students!
I believe that computer security is an exciting field that combines computer science, mathematics, global politics, but also a large dose of the human elements of intrigue, curiosity and thinking outside the box. I hope that by the end of this course, you too will develop an interest in what the world of computer security has to offer.
I strongly recommend that you bookmark this website for the duration of the course and that you visit it regularly.
See you in class,
—Professor Nadim Kobeissi
Technology increasingly permeates every aspect of our lives, including communication, finance and health. The security of the computer systems that enable these services has become a critical issue. This course will cover basic principles of computer security and security engineering. It will introduce fundamental computer security concepts, principles, and techniques. It will also cover notions of real-world cryptography, the mathematical building blocks that underlie any digital security construction. This course will focus on security from an attacker's perspective (threat modeling) and the defender's perspective (building and deploying secure systems). Specific topics will include operating system security, network security, web security, applied cryptography, security economics and security psychology. Course projects will focus both on writing secure code and exploiting insecure code.
Syllabus and Calendar
→ A PDF copy of the Spring 2019 syllabus is available.
Part 0: Introduction and Threat Modeling
0.1: Introduction and Threat Modeling (slides)
- Security Engineering, Chapter 1
- Serious Cryptography, Chapter 1
- An Introduction to Approachable Threat Modeling
Part 1: Cryptography
1.1: One-Way Functions and Hash Functions (slides)
- Security Engineering, Chapter 3
- Security Engineering, Chapter 6
1.2: Symmetric Key Encryption (slides)
- Serious Cryptography, Chapters 3, 4, 5
1.3: Public Key Cryptography and Randomness (slides)
- Serious Cryptography, Chapters 9, 11, 12, 2
1.4: Transport Layer Security (slides)
- Serious Cryptography, Chapter 13
- Let's Encrypt: How It Works
- The New Illustrated TLS Connection
1.5: Usable Security and Secure Messaging (slides)
- Security Engineering, Chapter 2
- 15 Reasons not to Start Using PGP
- State of Knowledge: Secure Messaging
- Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach
- More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema
1.6: Attacking Cryptographic Systems (no slides)
- Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems
- Remote Timing Attacks are Practical
- Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH
- On the Practical (In-)Security of 64-bit Block Ciphers
- Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
- DROWN: Breaking TLS using SSLv2
1.7: Cryptocurrencies, Blockchains, Smart Contracts (slides)
- Bitcoin and Cryptocurrency Technologies, Chapters 1, 2
- The Idea of Smart Contracts
1.8: E-Voting and Other Modern Uses of Cryptography (slides)
- E-Voting Crypto Protocols
- The Remote Voting Minefield: from North Carolina to Switzerland
Part 2: Network Security
2.1: Networking Basics, IP, TCP and DNS (slides)
- Security Engineering, Chapter 21
- An Introduction to Computer Networks, Chapters 1, 22
- An Introduction to Computer Networks, Chapter 7
- How DNSSEC Works
2.2: Denial of Service (slides)
- Security Engineering, Chapter 21.2
- Understanding the Mirai Botnet
- How Netflix DDoS'd Itself to Help Protect the Entire Internet
2.3: Designing Secure Network Systems (slides)
- WireGuard: Next Generation Kernel Network Tunnel
- A Cryptographic Analysis of the WireGuard Protocol
- An Analysis of the ProtonMail Cryptographic Architecture
2.4: New Secure Protocols (slides)
- Noise Explorer
- Practical Assignment 1 Review
- Midterm Exam
Part 3: Software Security
3.1: Understanding and Preventing Vulnerabilities (slides)
- Software Security Knowledge Area
3.2: Control Flow Hijacking (slides by Cătălin Hriţcu, used with permission)
- Security Engineering, Chapter 4.4
- Low-level Software Security: Attacks and Defenses
3.3: Systems Security and Isolation (slides available after class)
- Security Engineering, Chapter 4.3
- Security in Ordinary Operating Systems
- Apple T2 Security Chip Overview
3.4: Mobile Security (slides available after class)
- iOS Security Guide
- Android Security: 2017 Year In Review
- Google Blog: Titan M Makes Pixel 3 our Most Secure Phone Yet
3.5: Meltdown and Spectre: Diving Into Hardware Vulnerabilities (slides available after class)
- Meltdown: Reading Kernel Memory from User Space
- Spectre Attacks: Exploiting Speculative Execution
Part 4: Web Security
4.1: Browser Security Model (slides available after class)
- Browser Security Handbook, part 1
- Browser Security Handbook, part 2
4.2: Web Application Security (slides available after class)
- OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks
- Introduction to Cross-Site Scripting
- Password Storage Cheat Sheet
- Why Don't we Follow Password Security Best Practices?
4.3: Hybrid Runtimes: Electron and Node.js (slides available after class)
- Electron Security Checklist: A Guide for Developers and Auditors
- Practical Assignment 2 Review
4.4: Web Privacy (slides available after class)
- Tools from the EFF's Tech Team
- Europe's New Privacy Law Will Change the Web, and More
4.5: Spam and Abuse (slides available after class)
- Click Trajectories: End-to-End Analysis of the Spam Value Chain
Part 5: Security and Society
5.1: Economics, Ethics and Law (slides available after class)
- Security Engineering, Chapter 7.5
- Vulnerability Reporting FAQ
5.2: Censorship and Mass Surveillance (slides available after class)
- Security Engineering, Chapter 24.3
- On the Practical Exploitability of Dual EC in TLS Implementations
- Final Exam
Every lecture will be accompanied by outside readings that expand on what is discussed in class or present the same material in a different way. Neither the readings nor the lectures are a replacement for each other; deeply understanding the material will likely require attendance as well as reading. It is possible to read before or after class, depending on your learning style.
Especially during Part 1 of the course, we will frequently be using Serious Cryptography by Jean-Philippe Aumasson. You may purchase this book from your local NYU Bookstore: copies have been pre-ordered for students. We will also be using the freely available textbook Security Engineering by Ross Anderson.
- Kevin Riggle, An Introduction to Approachable Threat Modeling, Increment Magazine, 2018.
- Let's Encrypt, Let's Encrypt: How It Works, Linux Foundation, 2018.
- Paul C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems, Cryptography Research Inc., 1996.
- David Brumley and Dan Boneh, Remote Timing Attacks are Practical, USENIX Security Symposium, 2003.
- Karthikeyan Bhargavan and Gaëtan Leurent, Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH, Network and Distributed Systems Security Symposium, 2016.
- Karthikeyan Bhargavan and Gaëtan Leurent, On the Practical (In-)Security of 64-bit Block Ciphers, ACM Computer and Communications Security, 2016.
- David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin and Paul Zimmermann, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, ACM Computer and Communications Security, 2015.
- Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar and Yuval Shavitt, DROWN: Breaking TLS using SSLv2, USENIX Security Symposium, 2016.
- Nik Unger, Sergei Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg and Matthew Smith, State of Knowledge: Secure Messaging, IEEE Symposium on Security and Privacy, 2015.
- SecuShare, 15 Reasons not to Start Using PGP.
- Nadim Kobeissi, Karthikeyan Bhargavan and Bruno Blanchet, Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach, IEEE European Symposium on Security and Privacy, 2017.
- Paul Rösler, Christina Mainka and Jörg Schwenk, More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema, IEEE European Symposium on Security and Privacy, 2018.
- Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller and Steven Goldfeder, Bitcoin and Cryptocurrency Technologies, Princeton University Press, 2016.
- Nick Szabo, The Idea of Smart Contracts, University of Amsterdam, 1997.
- Jean-Philippe Aumasson, E-Voting Crypto Protocols, Kudelski Security, 2018.
- Bryan Ford, The Remote Voting Minefield: from North Carolina to Switzerland, EPFL, 2019.
- Peter L. Dordal, An Introduction to Computer Networks, Loyola University Chicago, 2018.
- Jason A. Donenfeld, WireGuard: Next Generation Kernel Network Tunnel, Network and Distributed Systems Security Symposium, 2017.
- Benjamin Dowling and Kenny Paterson, A Cryptographic Analysis of the WireGuard Protocol, Loyola University Chicago, 2018.
- Nadim Kobeissi, An Analysis of the ProtonMail Cryptographic Architecture, IACR ePrint Archive, 2018.
- Cloudflare, How DNSSEC Works.
- Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas and Yi Zhou, Understanding the Mirai Botnet, USENIX Security Symposium, 2017.
- Lily Hay Newman, How Netflix DDoS'd Itself to Help Protect the Entire Internet, WIRED Magazine, 2017.
- Stanford University Applied Cryptography Group, Security in Ordinary Operating Systems, Stanford University.
- Apple Inc., iOS Security Guide, Apple Inc., 2018.
- Apple Inc., Apple T2 Security Chip Overview, Apple Inc., 2018.
- Android Team, Android Security: 2017 Year in Review, Google Inc., 2018.
- Xiaowen Xin, Google Blog: Titan M Makes Pixel 3 our Most Secure Phone Yet, Google Inc., 2018.
- Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom and Mike Hamburg, Meltdown: Reading Kernel Memory from User Space, USENIX Security Symposium, 2018.
- Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz and Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, IEEE Symposium on Security and Privacy, 2019.
- Frank Piessens, Software Security Knowledge Area, University of Bristol Cyber Security Group, 2018.
- Úlfar Erlingsson, Low-level Software Security: Attacks and Defenses, Microsoft Research and Reykjavík University, 2007.
- OWASP, Password Storage Cheat Sheet, OWASP, 2018.
- Emily Cain, Why Don't we Follow Password Security Best Practices?, Increment Magazine, 2018.
- Luca Carettoni, Electron Security Checklist: A Guide for Developers and Auditors, Doyensec, 2017.
- EFF Tech Team, Tools from the EFF's Tech Team, Electronic Frontier Foundation, 2018.
- Nitasha Tiku, Europe's New Privacy Law Will Change the Web, and More, WIRED Magazine, 2018.
- OWASP, OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks, OWASP, 2017.
- Google Application Security, Introduction to Cross-Site Scripting, Google Inc.
- Michal Zalewski, Browser Security Handbook, part 1, Google Inc., 2009.
- Michal Zalewski, Browser Security Handbook, part 2, Google Inc., 2009.
- Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Márk Félegyházi, Chris Grier, Tristan Halvorson, Chris Kanich, Christian Kreibich, He Liu, Damon McCoy, Nicholas Weaver, Vern Paxson, Geoffrey M. Voelker, Stefan Savage, Click Trajectories: End-to-End Analysis of the Spam Value Chain, IEEE Symposium on Security and Privacy, 2011.
- Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas J. Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna, Framing Dependencies Introduced by Underground Commoditization, Workshop on the Economics of Information Security, 2015.
- Coder's Rights Project, Vulnerability Reporting FAQ, Electronic Frontier Foundation.
- Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz and Hovav Shacham, On the Practical Exploitability of Dual EC in TLS Implementations, USENIX Security Symposium, 2014.
Interactive Learning Tools
Problem Sets are scheduled evenly throughout the course to help you assess your understanding of the material thus far. Practical Assignments give you chances to get real-world experience in designing and breaking digital security systems.
- Problem Set 1 - due February 27 before class.
- Problem Set 2 - due April 10 before class.
- Problem Set 3 - due April 23 before class.
Practical Assignment 1: Designing and Breaking Cryptographic Protocols
Due March 20: Designing your own secure messaging protocol is a challenging task, full of opportunities to learn and experiment. Your professor will be working closely with you to help you determine how such systems can be constructed. Then, it's time for you to jump to the other side and try to break the systems designed by your peers!
Part 1: Designing Your Own Secure Messaging Protocol
In this first practical assignment, you will have the exciting opportunity to design your very own secure messaging protocol. Your protocol must offer end-to-end encryption between two principals, Alice and Bob, while guaranteeing:
- Secrecy: A message sent between Alice and Bob can only be decrypted by these principals.
- Authenticity: If Alice receives an apparently valid message from Bob, then Bob must have sent this message to Alice.
- Replay attack resistance: If Alice receives a valid message from Bob, the attacker cannot replay that same ciphertext to Alice at a later time.
Additionally, your protocol could also include the following optional properties:
- Indistinguishability: If Alice randomly chooses between two messages of the same size and sends only one to Bob, an attacker cannot determine which message was sent.
- Forward secrecy: If Alice sends a message to Bob and Alice's key state at the time of this message is subsequently compromised, all previous messages retain their Secrecy property.
- Future secrecy: If Alice sends a first message to Bob, receives a reply from Bob, and then sends a second message to Bob, Alice's second message remains secret even if her key state for the first message is compromised.
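The Authenticity and Replay attack resistance properties above can be seen in a small receiver, added here as an example and not part of the course material or any submitted protocol. It assumes Alice and Bob already share a 32-byte key, uses HMAC-SHA256 with a per-direction message counter, and deliberately leaves out encryption, so it does not provide Secrecy; the names `seal`, `Receiver`, `AuthError` and `ReplayError` are hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


class AuthError(Exception):
    """Frame was not produced by the expected peer for this recipient."""


class ReplayError(Exception):
    """Frame is authentic but its counter was already accepted."""


def _transcript(sender: bytes, recipient: bytes, header: bytes, body: bytes) -> bytes:
    # Length-prefix the names so (b"ab", b"c") and (b"a", b"bc") cannot collide.
    names = b"".join(struct.pack(">H", len(n)) + n for n in (sender, recipient))
    return names + header + body


def seal(key: bytes, sender: bytes, recipient: bytes, counter: int, body: bytes) -> bytes:
    """Frame layout: 8-byte big-endian counter || body || 32-byte tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, _transcript(sender, recipient, header, body), hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    def __init__(self, key: bytes, me: bytes, peer: bytes):
        self.key, self.me, self.peer = key, me, peer
        self.highest = -1  # highest counter accepted so far

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise AuthError("frame too short")
        header, body, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        # The tag covers the direction peer -> me, so a frame this side sent
        # cannot be reflected back and accepted as coming from the peer.
        expected = hmac.new(self.key, _transcript(self.peer, self.me, header, body), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise AuthError("bad tag")
        (counter,) = struct.unpack(">Q", header)
        # Check the counter only after the tag verifies, so forged frames
        # cannot advance the replay state.
        if counter <= self.highest:
            raise ReplayError("counter already accepted")
        self.highest = counter
        return body
```

A strictly increasing counter also rejects authentic messages that arrive out of order; a design that must tolerate reordering would track a window of recently accepted counters instead.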
Part 2: Finding Weaknesses in Secure Messaging Protocols
In the second stage of this practical assignment, submitted secure messaging protocols will be anonymized, shuffled and then reviewed by your peers. You too will review a peer's protocol and try to find weaknesses, bugs or outright breaks.
Part 3: Understanding the General Practice of Implementing Cryptographic Protocols
In the final stage of this practical assignment, we will choose a proposed secure messaging protocol and discuss its implementation. What are the elements we must consider when turning this protocol into code? How do we design the API? How do we manage the protocol's internal state?
The final result of your participation in all three parts will be a hands-on experience in designing, breaking, and planning the software architecture of secure messaging protocols and systems.
Practical Assignment 2: Hunting for Bugs in Web Applications
Due April 24: Despite the fact that today's web applications are indispensable in our daily lives, many different kinds of bugs, errors and weaknesses can exist in their programming. In this practical assignment, you will audit a web application written specifically for this class and attempt to find and exploit five different bugs representing each of the types described below. Successfully exploiting all five bugs will grant you a perfect score.
Here are just a few different types of bugs that occur in web applications:
- Cross-site scripting (XSS): a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
- Cross-site request forgery (CSRF, also written XSRF): an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
- Bad cryptography: a web application could use insufficient or outdated cryptographic constructions in order to protect user data. This can lead to passive attackers obtaining privileged information out of publicly available tokens.
- Flawed authentication logic: a web application could neglect to impose restrictions on its login pages, which could lead to forced authentication through anything from brute force to crafting invalid input values that force the application to authenticate the user.
- Injection: while XSS is a form of client-side injection, there also exist "server-side" injections that could permanently alter a web application's database, resulting in more severe consequences that could range from permanent database corruption to permanent alterations of key web application code or content.
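The last two items in the list above often meet in one place: a login query assembled by string concatenation. The following is an added example, not code from the class's web application; it uses a constructed in-memory SQLite table, a constructed salt and hypothetical function names to put the flawed check beside a parameterized one.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def _pw_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", SALT, _pw_hash("correct horse", SALT)))
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str) -> bool:
    # The input is pasted into the SQL text, so it can change the query's
    # structure: a quote followed by a comment marker drops the password check.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND pw_hash = '" + _pw_hash(password, SALT) + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db: sqlite3.Connection, name: str, password: str) -> bool:
    # The placeholder keeps the input as data; the comparison happens in
    # application code with a constant-time check on the stored hash.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_pw_hash(password, salt), stored)


CRAFTED_NAME = "alice' --"  # constructed input for the comparison
```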