Course Syllabus - CMSC414: Computer and Network Security

This course is an introduction to the broad field of computer and network security. We will cover software security, network security, some cryptography, and will discuss several secure applications in detail.

Prerequisites

The prerequisites for this course are a C- or better in both CMSC 216 and CMSC 330.

List of Topics (tentative)

This course covers a very broad range of topics within computer security, with the goal of instilling a security mindset, and teaching some of the core principles of security that will allow students to pursue research in the field upon completion.

The course comprises three broad subject areas:

  • Software security (memory attacks and defenses, web security, malware, ML security, secure software design)
  • Applying cryptography (cryptography as a blackbox, key management, TLS/PKI, anonymity, censorship resistance)
  • Network security (attacking and securing various network protocols, DoS attacks, and underground economies)

Legality and Ethics

Throughout the semester, you will be learning (and implementing and launching) various attacks. This is not an invitation to perform these attacks without the express written consent of all parties involved. To do otherwise would risk violating University of Maryland policies and Maryland and U.S. laws.

The goal is to foster discovery, experimentation, and exploration, but in a safe, ethical, and respectful fashion, always. If you have any questions or concerns, then do not hesitate to contact me or your TAs directly.

Academic Integrity

The Campus Senate has adopted a policy asking students to include the following statement on each examination or assignment in every course: "I pledge on my honor that I have not given or received any unauthorized assistance on this examination (or assignment)." Consequently, you will be requested to include this pledge on each exam and project. Please also carefully read the Office of Information Technology's policy regarding acceptable use of computer accounts.

Programming projects are to be written individually; therefore, cooperation or use of unauthorized materials on projects is a violation of the University's Code of Academic Integrity. Any evidence of this, or of unacceptable use of computer accounts, use of unauthorized materials or cooperation on exams or quizzes, or other possible violations of the Honor Code, will be submitted to the Student Honor Council, which could result in an XF for the course, suspension, or expulsion.

For learning the course concepts, students are welcome to study together or to receive help from anyone else. You may discuss with others the project requirements, the natures of the attacks covered, what was discussed in class and in the class web forum, and general syntax errors.

When it comes to actually writing a project assignment, other than help from the instructional staff, a project must solely and entirely be your own work. Working with another student or individual, or using anyone else's work in any way except as noted in this paragraph, is a violation of the code of academic integrity and will be reported to the Honor Council. You may not discuss design of any part of a project with anyone except the instructor or teaching assistants.

Examples of questions that would be allowed are: "Does a Java class definition end in a semicolon?" or "What does a 'class not found' error indicate?", because they convey no information about the contents of a project.

Examples of questions you may not ask others include: "How did you implement this part of the project?" or "Please look at my code and help me find my stupid syntax error!"

You may not use any disallowed source of information in creating either your project design or code. When writing projects you are free to use ideas or short fragments of code from published textbooks or publicly available information, but the specific source must be cited in a comment in the relevant section of the program. (See the section on external resources and LLMs below.)

Violations of the Code of Academic Integrity may include, but are not limited to:

  • Failing to do all or any of the work on a project by yourself, other than assistance from the instructional staff.
  • Using any ideas or any part of another person's project, or copying any other individual's work in any way.
  • Giving any parts or ideas from your project, including test data, to another student.
  • Allowing any other students access to your program on any computer system.
  • Transferring any part of a project to or from another student or individual by any means, electronic or otherwise.

If you have any question about a particular situation or source, then consult with the instructors in advance. Should you have difficulty with a programming assignment, you should see the instructional staff in office hours, and not solicit help from anyone else in violation of these rules.

💡 It is the responsibility, under the honor policy, of anyone who suspects an incident of academic dishonesty has occurred to report it to their instructor, or directly to the Honor Council.

Every semester the department has discovered a number of students attempting to cheat on project assignments, in violation of academic integrity requirements. Students' academic careers have been significantly affected by a decision to cheat. Think about whether you want to join them before contemplating cheating, or before helping a friend to cheat.

Students are welcome and encouraged to study and compare or discuss their implementations of the programming projects with any others after they are graded, provided that all of the students in question have received nonzero scores for that project assignment, and if that project will not be extended upon in a later project assignment.

Use of external resources, including LLMs (e.g., ChatGPT)

If you use external sources, you must cite them. Anything you quote must be appropriately indicated (with quotation marks or block quotes), with citations. Your submission must not be substantially quotations — you must demonstrate independent thought. We do not specify a citation format, as long as it is clear.

Any response from Large Language Models (LLMs)—such as ChatGPT, GitHub Copilot, and Google Bard—must be treated as any other external reference: indicate what you are quoting or paraphrasing, and cite the LLM, including the prompt or prompts used. An LLM cannot be the sole source of information; doing so will result in a zero for the assignment. If you are going to use an LLM, you must also include supporting citations.

Please note that LLMs provide unreliable information, regardless of how convincingly they do so. If you are going to use an LLM as a research tool in your assignments, you must ensure that the information is correct and addresses the actual question asked. Also, keep in mind that exams—which account for 50% of the overall grade—are taken in-person, without the use of these tools. Relying on LLMs for your projects will likely leave you unprepared for your exams.

Grading

You are responsible for all material discussed in lecture and posted on the class web page, including announcements, additional videos, deadlines, policies, etc. During the semester we may provide ungraded practice homework exercises and solutions. While we will not collect these exercises, completing them is essential preparation for exams. You may work together on these ungraded homeworks, and you may of course come to office hours for additional help.

Your final course grade will be determined by the following tentative percentages:

Name                   Percentage   Breakdown
Programming Projects   50%          12.5% for each project. Four projects in total.
Midterm Exams          25%          12.5% for each midterm exam. Two midterm exams in total.
Final Exam             25%          One final exam

All exams will be in-person. See the Class Schedule for specific exam dates.

Final course grades will be curved as necessary, based on each student's total numeric score for all coursework at the end of the semester.

💡 Completing the programming assignments is an essential part of the course. Therefore, we may fail any student who does not make a good-faith attempt on all course projects, regardless of the student's performance or scores on the other coursework.

Regrading

Any request for reconsideration of any grading on coursework must be submitted within two weeks of when it is returned. Exam regrading requests must be made in writing. Any coursework submitted for reconsideration may be regraded in its entirety, which could result in a lower score if warranted.

Deadlines and Excused Absences

Project Policies

All projects will be due 11:59:59pm Eastern Time of the day given in the project description for full credit.

Projects may be submitted up to 24 hours late for a 10% penalty. (For example, a project that would have earned 90 points for an on-time submission will earn 81, that is, 90 times 0.90.) If you submit both on-time & late, we will grade the latest submitted version. Late submissions within 24 hours after the deadline will be subject to the same penalty, regardless of how late it is, e.g., submitting one second late and 24 hours late will be treated in the same way.

Project extensions will not be granted due to system problems, network problems, power outages, broken computers, etc., so do not wait to submit a project until the night it is due. You may submit multiple times up to the deadline, and only your last on-time submission is graded. Similarly, if you submit late, only your last submission before the late deadline will be graded. No consideration in grading will be made for errors made in transferring files or submitting the wrong version of your project. Having a working, unsubmitted version will not count; only submitted code will be counted.

Any "hard coding" in a project assignment may result in a score of zero for that project, and is considered a bad-faith effort. Hard coding refers to attempting to make a program appear as if it works correctly, when in fact it does not. One example of hard coding would be printing the desired output instead of computing it. This is only one example, and if you have any questions as to what constitutes hard coding, be sure to ask ahead of time.

Excused Absences

You are not required to come to class. That said, there will be a lot of material taught in class, and I may write content on the board, which may not be covered in the slides. So it is in everyone's best interest to attend and engage during lectures.

You are, however, required to attend scheduled exams. There are several excused absences from an exam: illness, religious observation, participation in required university activities, or a family or personal emergency. We will work with you to make sure that you have a fair amount of time to make up for excused absences. The best way that we can help is if we know about absences as well in advance as possible.

  • Provide a request for absence in writing.
  • Provide appropriate documentation (to the instructor) that shows the absence qualifies as excused.
  • Provide as much advance notice as is possible, safe, and appropriate.
  • Please note that, because exams are considered "Major Scheduled Grading Events," a self-signed note may not be sufficient: For medical absences, you must furnish documentation from the health care professional who treated you, which must verify the timeframe that the student was unable to meet academic responsibilities. In addition, it must contain the name and phone number of the medical service provider to be used if verification is needed. No diagnostic information will ever be requested.

💡 Please submit all doctors' notes and requests for extensions and absences directly to the instructor, and not to a TA.

It is the University's policy to provide accommodations for students with religious observances conflicting with exams. You must inform the instructor prior to the end of the first two weeks of the class if you have a religious observation that conflicts with an exam.

For missed exams due to excused absences, the instructor will arrange a makeup exam. If you might miss an exam for any reason other than those above, you must contact the instructor in advance to discuss the circumstances. We are not obligated to offer a substitute assignment or to provide a makeup exam unless the failure to perform was due to an excused absence.

The policies for excused absences do not apply to project assignments. Projects will be assigned with sufficient time to be completed by students who have a reasonable understanding of the necessary material and begin promptly. In cases of extremely serious documented illness of lengthy duration or other protracted, severe emergency situations, the instructor may consider extensions on project assignments, depending upon the specific circumstances.

Besides the policies in this syllabus, the University's policies apply during the semester. Various policies that may be relevant appear in the Undergraduate Catalog.

Course Resources

Security is a broad topic, and you are encouraged to draw from as many resources as you can (within the bounds of academic integrity, of course). We will make every effort to make all necessary topics available via lectures, slides, handouts, and readings, but as with all educational endeavors, your method of learning may benefit from drawing from other resources, as well. Below are the resources we will be making available to you throughout the semester.

💡 If you find useful resources (videos, books, lectures, etc.) that benefit you, please share them with the class on Piazza; someone else will likely benefit from them, as well, and we may incorporate them into the lecture.

Online Resources

Website: Various course materials will be made available on the class website, which can be accessed at https://surrealyz.github.io/classes/intro-sec-spring24/schedule.html

Piazza: Class help and details will also be posted on Piazza. This provides a forum for you to post questions (and answer those from others), as well as share insights and engage on all things security. Keep in mind, however, that even though this is a class-specific forum, cheating or facilitating cheating is not allowed there (or anywhere): do not post project code or pseudocode. The class Piazza page is available at https://piazza.com/umd/spring2024/cmsc4140201/

Computing Resources

Most of your projects will be done within the docker containers that we will provide with the various project assignments. Your project submissions must work within the docker container as provided: some of our projects will be architecture-specific, so it is critical that you test thoroughly within the docker container provided. Thus we strongly recommend that if you develop any project on another system, you should complete it several days early to have time to address any compatibility problems.

Accessibility and Disability

Students who have been certified by the Accessibility and Disability Service as needing any type of special accommodations must see the instructor as soon as possible during the schedule adjustment period (the first two weeks of class). Please provide ADS's letter of accommodation and any other relevant paperwork to the instructor at that time.

All arrangements for exam accommodations as a result of disability must be made and arranged with the instructor at least five business days prior to the exam date; later requests (including retroactive ones) will be refused.

Course Evaluations

If you have a suggestion for improving this class, don't hesitate to tell me or the TAs during the semester! At the end of the semester, please don't forget to provide your feedback using the campus-wide CourseEvalUM system. Your comments will help make this class better. CourseEvalUM is generally open a few weeks before the end of the semester, but this is subject to change by campus.

Information Subject to Change

Although every effort has been made to be complete and accurate, unforeseen circumstances arising during the semester could require the adjustment of any material given here. Consequently, given due notice to students, the instructor reserves the right to change any information on this syllabus or in other course materials.