Introduction to Computer Security
NYU Paris


Welcome, Spring 2019 Students!

I believe that computer security is an exciting field that combines computer science, mathematics, global politics, but also a large dose of the human elements of intrigue, curiosity and thinking outside the box. I hope that by the end of this course, you too will develop an interest in what the world of computer security has to offer.

I strongly recommend that you bookmark this website for the duration of the course and that you visit it regularly.

See you in class,
Professor Nadim Kobeissi

Course Overview

Technology increasingly permeates every aspect of our lives, including communication, finance and health. The security of the computer systems that enable these services has become a critical issue. This course will cover basic principles of computer security and security engineering. It will introduce fundamental computer security concepts, principles, and techniques. It will also cover notions of real-world cryptography, the mathematical building blocks that underlie any digital security construction. This course will focus on security from an attacker's perspective (threat modeling) and the defender's perspective (building and deploying secure systems). Specific topics will include operating system security, network security, web security, applied cryptography, security economics and security psychology. Course projects will focus both on writing secure code and exploiting insecure code.

Administrative Links

  • Instructor: Professor Nadim Kobeissi
  • Lectures: Mondays and Wednesdays, 3:00pm to 4:30pm. Room 4.06.
  • Term Dates: February 4, 2019 until May 16, 2019.
  • Office Hours: Mondays and Wednesdays, 4:30pm to 5:00pm.
  • Online Resources: Discussion Group.

Syllabus and Calendar

A PDF copy of the Spring 2019 syllabus is available.

Part 0: Introduction and Threat Modeling

  • 0.1: Introduction and Threat Modeling (slides)
    • Security Engineering, Chapter 1
    • Serious Cryptography, Chapter 1
    • An Introduction to Approachable Threat Modeling

Part 1: Cryptography

  • 1.1: One-Way Functions and Hash Functions (slides)
    • Security Engineering, Chapter 3
    • Security Engineering, Chapter 6
  • 1.2: Symmetric Key Encryption (slides)
    • Serious Cryptography, Chapters 3, 4, 5
  • 1.3: Public Key Cryptography and Randomness (slides)
    • Serious Cryptography, Chapters 9, 11, 12, 2
  • 1.4: Transport Layer Security (slides)
    • Serious Cryptography, Chapter 13
    • Let's Encrypt: How It Works
    • The New Illustrated TLS Connection
  • 1.5: Attacking Cryptographic Systems (slides available after class)
    • Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems
    • Remote Timing Attacks are Practical
    • Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH
    • On the Practical (In-)Security of 64-bit Block Ciphers
    • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
    • DROWN: Breaking TLS using SSLv2
  • 1.6: Usable Security and Secure Messaging (slides)
    • Security Engineering, Chapter 2
    • 15 Reasons not to Start Using PGP
    • State of Knowledge: Secure Messaging
    • Automated Verification for Secure Messaging Protocols and their Implementations: A Symbolic and Computational Approach
    • More is Less, On the End-to-End Security of Group Chats in Signal, WhatsApp and Threema
  • 1.7: Cryptocurrencies, Blockchains, Smart Contracts (slides)
    • Problem Set 1 Due
    • Bitcoin and Cryptocurrency Technologies, Chapters 1, 2
    • The Idea of Smart Contracts
  • 1.8: E-Voting and Other Modern Uses of Cryptography (slides available after class)
    • E-Voting Crypto Protocols

Part 2: Network Security

  • 2.1: Networking Basics, IP, TCP and DNS (slides available after class)
    • Security Engineering, Chapter 21
    • An Introduction to Computer Networks, Chapters 1, 22
    • An Introduction to Computer Networks, Chapter 7
    • How DNSSec Works
  • 2.2: Denial of Service (slides available after class)
    • Security Engineering, Chapter 21.2
    • Understanding the Mirai Botnet
    • How Netflix DDoS'd Itself to Help Protect the Entire Internet
  • 2.3: Designing Secure Network Systems (slides available after class)
    • Capsule: A Protocol for Secure Collaborative Document Editing
    • Noise Explorer
  • 2.4: New Secure Protocols: WireGuard (slides available after class)
    • WireGuard: Next Generation Kernel Network Tunnel
    • A Cryptographic Analysis of the WireGuard Protocol
  • Practical Assignment 1 Review
  • Midterm Exam

Part 3: Software Security

  • 3.1: Understanding and Preventing Vulnerabilities (slides available after class)
    • Software Security Knowledge Area
  • 3.2: Access Control and Information Flow (slides available after class)
    • Security Engineering, Chapters 4.1, 4.2
    • Security Engineering, Chapters 8.2, 8.3
  • 3.3: Control Flow Hijacking (slides available after class)
    • Problem Set 2 Due
    • Security Engineering, Chapter 4.4
    • Low-level Software Security: Attacks and Defenses
  • 3.4: Systems Security and Isolation (slides available after class)
    • Security Engineering, Chapter 4.3
    • Security in Ordinary Operating Systems
    • iOS Security Guide
    • Apple T2 Security Chip Overview
    • Android Security: 2017 Year In Review
    • Google Blog: Titan M Makes Pixel 3 our Most Secure Phone Yet
  • 3.5: Meltdown and Spectre: Diving Into Hardware Vulnerabilities (slides available after class)
    • Meltdown: Reading Kernel Memory from User Space
    • Spectre Attacks: Exploiting Speculative Execution

Part 4: Web Security

  • 4.1: Browser Security Model (slides available after class)
    • Problem Set 3 Due
    • Browser Security Handbook, part 1
    • Browser Security Handbook, part 2
  • 4.2: Web Application Security (slides available after class)
    • OWASP Top 10 - 2017: The Ten Most Critical Web Application Security Risks
    • Introduction to Cross-Site Scripting
    • Password Storage Cheat Sheet
    • Why Don't we Follow Password Security Best Practices?
  • 4.3: Hybrid Runtimes: Electron and Node.js (slides available after class)
    • Electron Security Checklist: A Guide for Developers and Auditors
  • Practical Assignment 2 Review
  • 4.4: Web Privacy (slides available after class)
    • Tools from the EFF's Tech Team
    • Europe's New Privacy Law Will Change the Web, and More
  • 4.5: Spam and Abuse (slides available after class)
    • Click Trajectories: End-to-End Analysis of the Spam Value Chain

Part 5: Security and Society

  • 5.1: Economics, Ethics and Law (slides available after class)
    • Security Engineering, Chapter 7.5
    • Vulnerability Reporting FAQ
  • 5.2: Censorship and Mass Surveillance (slides available after class)
    • Security Engineering, Chapter 24.3
    • On the Practical Exploitability of Dual EC in TLS Implementations
  • Final Exam


Every lecture will be accompanied by outside readings that expand on what is discussed in class or present the same material in a different way. Neither the readings nor the lectures are a replacement for each other; deeply understanding the material will likely require attendance as well as reading. It is possible to read before or after class, depending on your learning style.


Especially during Part 1 of the course, we will frequently be using Serious Cryptography by Jean-Philippe Aumasson. You may purchase this book from your local NYU Bookstore: copies have been pre-ordered for students. We will also be using the freely available textbook Security Engineering by Ross Anderson.

Online Readings

Interactive Learning Tools


Problem Sets are scheduled evenly throughout the course to help you assess your understanding of the material thus far. Practical Assignments give you chances to get real-world experience in designing and breaking digital security systems.

Problem Sets

Practical Assignment 1: Designing and Breaking Cryptographic Protocols

Due March 20: Designing your own secure messaging protocol is a challenging task, full of opportunities to learn and experiment. Your professor will be working closely with you to help you determine how such systems can be constructed. Then, it's time for you to jump to the other side and try to break the systems designed by your peers!

Part 1: Designing Your Own Secure Messaging Protocol

In this first practical assignment, you will have the exciting opportunity to design your very own secure messaging protocol. Your protocol must offer end-to-end encryption between two principals, Alice and Bob, while guaranteeing:

  • Secrecy: A message sent between Alice and Bob can only be decrypted between these principals.
  • Authenticity: If Alice receives an apparently valid message from Bob, then Bob must have sent this message to Alice.
  • Replay attack resistance: If Alice receives a valid message from Bob, the attacker cannot replay that same ciphertext to Alice at a later time.

Additionally, your protocol could also include the following optional properties:

  • Indistinguishability: If Alice randomly chooses between two messages of the same size and sends only one to Bob, an attacker cannot determine which message was sent.
  • Forward secrecy: If Alice sends a message to Bob and Alice's key state at the time of this message is subsequently compromised, all previous messages retain their Secrecy property.
  • Future secrecy: If Alice sends a first message to Bob, receives a reply from Bob, and then sends a second message to Bob, Alice's second message remains secret even if her key state for the first message is compromised.
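
As an added illustration (not part of the course materials and not a reference solution), the sketch below shows one way a receiver can enforce the three required properties, secrecy, authenticity and replay attack resistance, over a single message direction. It assumes a pre-shared 32-byte secret; `Channel`, `try_open` and `demo` are hypothetical names, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, struct

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode.
    pad = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

class Channel:
    """One direction of a session, e.g. Alice -> Bob (hypothetical design)."""
    def __init__(self, shared_secret, direction):
        # Per-direction keys: a packet reflected at its sender fails the MAC.
        self.enc_key = _prf(shared_secret, b"enc|" + direction)
        self.mac_key = _prf(shared_secret, b"mac|" + direction)
        self.counter = 0  # next counter to send, or lowest still acceptable

    def seal(self, plaintext):
        header = struct.pack(">Q", self.counter)  # doubles as the nonce
        body = _xor_stream(self.enc_key, header, plaintext)
        self.counter += 1
        return header + body + _prf(self.mac_key, header + body)

    def open(self, packet):
        header, body, tag = packet[:8], packet[8:-32], packet[-32:]
        expected = _prf(self.mac_key, header + body)  # covers counter and ciphertext
        if len(packet) < 40 or not hmac.compare_digest(tag, expected):  # constant-time
            raise ValueError("authentication failed")
        (n,) = struct.unpack(">Q", header)
        if n < self.counter:  # counter already consumed
            raise ValueError("replay")
        self.counter = n + 1
        return _xor_stream(self.enc_key, header, body)

def try_open(channel, packet):
    try:
        return channel.open(packet)
    except ValueError as err:
        return str(err)

def demo():
    secret = bytes(range(32))  # constructed; stands in for a key-exchange output
    alice, bob = Channel(secret, b"A->B"), Channel(secret, b"A->B")
    pkt = alice.seal(b"meet at noon")
    forged = pkt[:-1] + bytes([pkt[-1] ^ 1])
    return [try_open(bob, forged), try_open(bob, pkt), try_open(bob, pkt)]

if __name__ == "__main__":
    print(demo())
```

The receiver tolerates dropped messages (a higher counter is accepted) but rejects anything at or below the last counter it accepted, so out-of-order delivery would need a sliding window instead of a single counter.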

Part 2: Finding Weaknesses in Secure Messaging Protocols

In the second stage of this practical assignment, submitted secure messaging protocols will be anonymized, shuffled and then reviewed by your peers. You too will review a peer's protocol and try to find weaknesses, bugs or outright breaks.

Part 3: Understanding the General Practice of Implementing Cryptographic Protocols

In the final stage of this practical assignment, we will choose a proposed secure messaging protocol and discuss its implementation. What are the elements we must consider when turning this protocol into code? How do we design the API? How do we manage the protocol's internal state?

The final result of your participation in all three parts will be a hands-on experience in designing, breaking, and planning the software architecture of secure messaging protocols and systems.

Practical Assignment 2: Hunting for Bugs in Web Applications

Due April 24: Although today's web applications are indispensable in our daily lives, many different kinds of bugs, errors and weaknesses can exist in their programming. In this practical assignment, you will audit a web application written specifically for this class and attempt to find and exploit five different bugs representing each of the types described below. Successfully exploiting all five bugs will grant you a perfect score.

Here are just a few different types of bugs that occur in web applications:

  • Cross-site scripting (XSS): a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
  • Cross-site request forgery (CSRF, also abbreviated XSRF): an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
  • Bad cryptography: a web application could use insufficient or outdated cryptographic constructions in order to protect user data. This can lead to passive attackers obtaining privileged information out of publicly available tokens.
  • Flawed authentication logic: a web application could neglect to impose restrictions on its login pages, which could lead to forced authentication through anything from brute force to crafting invalid input values that force the application to authenticate the user.
  • Injection: while XSS is a form of client-side injection, there also exist "server-side" injections that could permanently alter a web application's database, resulting in more severe consequences that could range from permanent database corruption to permanent alterations of key web application code or content.