We will be using Piazza for discussions outside of class. Rather than emailing general questions to a professor or TA, we encourage you to post your questions on Piazza, so everyone can benefit from the answer and any discussions around it.


For each exam (and only for the exams), we will curve the scores (upward only) to a normal distribution.

We translate your final class percentage into a letter grade as follows:

The total points possible are allocated as follows:


Attendance is required (if not always strictly recorded). You will be responsible for all materials presented in lectures and recitations. You should not expect that all lecture or recitation materials will be given to you in written form. We strongly encourage you to be active in class discussions, in recitation, and on Piazza, but your actual participation grades will be based on the quantitative measures described below. Note that these measures include a grace policy designed to accommodate the inevitable conflicts that tend to arise each semester. If you have to miss lecture or recitation, you do not need to ask to be excused; the missed participation points will be automatically deducted from your grace budget.

Recording (audio or video): Students may not independently record lectures or recitations without explicit permission in writing from the instructor. Violations will result in your failing the course. Exceptions will be granted in accordance with university guidelines for accessibility concerns, but even then such recordings may not be shared publicly or privately and must be deleted at the end of the semester.

To facilitate additional learning that might come from revisiting a previous lecture, we aim to make videos of the lectures privately available online via Canvas (look for the “Zoom” tab). The time taken to transcode the videos can vary, so they may not be available immediately after the lecture slot. These videos are only for students in the class and should not be shared.

Class Participation Score: Your class participation score will be based on the use of in-class polls. Most classes will begin with 1-2 questions about the previous lecture. These will be answered on your own. There will also be questions during the lectures. For these, you will typically be allowed to confer with a partner before answering. Overall, there will typically be 4-5 questions each class. To lower the pressure and to account for inevitable conflicts or technical glitches that cause you to miss class, we will drop the lowest 30% of your answers. In other words, if during the entire course, we have 100 questions, then if you get credit for 70 of the questions, you will receive the full 5% participation score.

Recitation Participation Score: Most recitations will involve a group activity that you should be able to complete during recitation (the goal is not to give you more homework!). If you complete the activity by the end of recitation, you will receive 5 points. If by the end of recitation, you can show us that you made substantial progress on the activity, then you will receive 4 points. Otherwise, you will receive 0 points. We will drop the lowest 25% of your recitation activity scores.

Participation Ethics: Note that class and recitation participation points are meant to provide both you and the instructors with important feedback on how well you are learning the material. In this regard, they serve the same purpose as homeworks or exams, just at a more frequent, lower-stakes level. Hence, just like on homeworks and exams, conferring with others is not permitted (unless otherwise announced) nor should you enter answers on others’ behalf. Violations will be handled in accordance with the Cheating Policy below.

Optional Bonus Homework Credit: One of the fun/scary parts of computer security is that security problems are constantly in the news!
One time during the semester, if you choose, you can add a post to Piazza about such a news item, as long as no one else has already covered that particular bit of news. In your post, succinctly and in your own words explain how the news relates to the class, what the underlying security flaw was (i.e., don’t just say “TwitBook got hacked”, say “An attacker exploited an XSS vulnerability in a library that TwitBook’s site relies on”), and how it could have been prevented, ideally using techniques we have covered in class. Include any relevant links to the news coverage, and ideally any underlying technical details (e.g., the relevant entry in a CVE database). Be sure to tag your post with the “News” folder. A good news post will be worth 10 homework points.

To spread these out during the semester, bonus credit will only be given for the first 10 news posts in any given calendar week (i.e., Monday-Sunday), and only during the regular lecture portion of the semester (i.e., not during finals period). Hence, we encourage you to post early on so that you are not shut out at the end of the semester.


Most lectures will be accompanied by optional and required readings. Optional readings provide further depth and/or explanation which can be quite helpful for improving your understanding of the topic or for approaching certain homework questions, but the material in optional readings will not be required for exams. We will expect you to have read the required readings. These readings reinforce and sometimes add depth to what’s covered in class. We won’t explicitly test you specifically on the required readings, but the content that was covered both in class and in required readings can be in quizzes and exams.


Before each lecture, we provide you with a lecture guide (see the lecture schedule for links). These include a variety of questions you should be able to answer by the end of the lecture. The notes are not a substitute for attending lecture; they are merely intended to help you focus on important topics that the lecture will cover. Note that material that does not appear in the lecture notes is still fair game for homeworks and exams.

Late Days

Late days interfere with the ability of course staff to quickly turn around assignment grades and solutions. The problem is we cannot give out solutions or graded assignments until everyone has turned in their work. However, we understand that unforeseen circumstances may arise. Thus, each student has a budget of three late days for the semester, of which at most one can be used on any single assignment. To use a late day, you must register it via our Google form before the official deadline. If you ask to use a late day after the deadline, it will be too late. Once your budget of late days has been used up, no further days will be granted, and late homework will be marked as a zero.

The only exceptions will be for family emergencies and exceptional circumstances, such as hospitalization and longer-term illness. To prevent misuse, requests for such exceptions will need to be documented in email with cc to your academic advisor. We do not offer exceptions for personal scheduling issues such as interviews, class load, etc.

We realize that you have a lot to juggle during the semester, and so to lower the stakes on homework, we will discount the overall homework grade by approximately 50 points. In other words, if all of the homework together is worth N points, then as long as you achieve at least N - 50 points, you will receive 100% of the homework portion of your class grade.

Ethics and Cheating

The course staff will treat all students ethically and fairly. We, in turn, expect the same from all students.

Any lapse in ethical behavior will immediately result in −1,000,000 points, as well as be immediately reported to the appropriate university disciplinary unit. Really. No matter what. The course staff looks at students who cheat or plagiarize as far beneath someone who fails the course.

This course will follow CMU’s policy on cheating and plagiarism. All submitted work must be your own and the use of AI tools like ChatGPT for homeworks is not allowed. Note that the policy gives several examples of what constitutes cheating and plagiarism. If you have any questions, you should contact the instructors.

Students should behave ethically. This means obeying the law, but that is not enough. Behaving ethically means you avoid activities that do harm or may do harm to people, the environment, or other computers. In short, don’t be a nuisance.

Note that just because you can do something (or you read about others doing it) does not make it ok. For example, scanning a network may not be illegal (I am not a lawyer, so I shy away from definitive statements). However, scanning can crash computers. For example, we know of several very popular commodity-grade IP cameras that crash when you scan them. Sure, the camera software is buggy. But is there any reason for you, not being a professional, to crash a camera monitoring a baby? Launching exploits, “testing” the security of a system without explicit permission from all necessary parties, and so on are all unethical for the purpose of this course.

Collaboration. Students are encouraged to talk to each other, to the course staff, or to anyone else about any of the assignments. Assistance should be limited to discussion of the problem and sketching general approaches to a solution. Each student must turn in his or her own solution, derived from his or her own thoughts. Course staff may verify a student did the prescribed work by asking for a verbal explanation, and failure to correctly re-explain a submitted solution is considered a strong indication of cheating.

Student Outcomes

The ECE department is accredited by ABET to ensure the quality of your education. ABET defines 7 Educational Objectives that are fulfilled by the sum total of all the courses you take. The following list describes which objectives are fulfilled by 18-330 and in what manner they are fulfilled. ABET numbers objectives from 1 to 7. Those objectives not fulfilled by this course have been omitted from the following list.

  1. An ability to identify, formulate, and solve complex engineering problems by applying principles of engineering, science, and mathematics. The course poses many problems (on homework, during exams, and for in-class exercises) for students to formulate and solve using good engineering practice. Students will use mathematical and engineering concepts to identify flaws in software and solve the complex problems necessary to secure it.
  2. An ability to apply engineering design to produce solutions that meet specified needs with consideration of public health, safety, and welfare, as well as global, cultural, social, environmental, and economic factors. Poor computer design and engineering are the root causes of most security vulnerabilities in deployed systems today. As society increasingly relies on software in critical situations, these vulnerabilities translate into threats to safety and economic well being. This course will examine approaches, mechanisms, and tools used to make computer systems more secure.
  3. An ability to communicate effectively with a range of audiences. Students practice their communication skills during team-based exercises in class and recitation, as well as the basic written communication of problem solutions on homework and exams.
  4. An ability to recognize ethical and professional responsibilities in engineering situations and make informed judgments, which must consider the impact of engineering solutions in global, economic, environmental, and societal contexts. As in many engineering domains, designing secure systems involves extensive tradeoffs. Students will learn to assess and weigh these tradeoffs, including the impact they have on end users.
  5. An ability to function effectively on a team whose members together provide leadership, create a collaborative and inclusive environment, establish goals, plan tasks, and meet objectives. Students will work in teams during exercises in lectures and recitations.
  6. An ability to acquire and apply new knowledge as needed, using appropriate learning strategies. In multiple homework assignments, students must analyze new systems, identify vulnerabilities, and develop custom exploits. This requires developing new knowledge, including use of the tools to perform the analysis.

Work-Life Balance

Take care of yourself. Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress.

All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful.

If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.

If you have questions about this or your coursework, please let us know.

Commitment to Diversity

Every individual must be treated with respect. The ways we are diverse are many and are critical to excellence and an inclusive community. They include but are not limited to: race, color, national origin, sex, disability, age, sexual orientation, gender identity, religion, creed, ancestry, belief, veteran status, or genetic information. We at CMU will work to promote diversity, equity and inclusion because it is just and necessary for innovation. Therefore, while we are imperfect, we will work inside and outside of our classrooms to increase our commitment to build and sustain a community that embraces these values.

It is the responsibility of each of us to create a safer and more inclusive environment. Bias incidents, whether intentional or unintentional in their occurrence, contribute to creating an unwelcoming environment for individuals and groups at the university. If you experience or observe unfair or hostile treatment on the basis of identity, we encourage you to speak out for justice and support in the moment and/or share your experience anonymously using the following resources:

All reports will be acknowledged, documented and a determination will be made regarding a course of action. All experiences shared will be used to transform the campus climate.