CIS 5930, Spring 2017
Department of Computer Science, Florida State University
Monday,
5:15-7:45pm, Room 151, Love Building.
http://www.cs.fsu.edu/~liux/courses/ctf/index.html.
This web site contains the
up-to-date information related to this class such as news, announcements,
assignments, lecture notes, and useful links to resources that are helpful to
this class. Besides the web pages, Blackboard will be used to communicate
changes and updates and post grades for this class; in particular, we will send
emails using email addresses in the Blackboard system and please make sure that
your email address on record is current.
Computers and communication technologies have been incorporated into many applications and have fundamentally changed many aspects of the human activities. Unfortunately, the changes have also created new problems, from spyware to steal data, computer viruses and worms to destroy data, to network-enabled weapons, to cyber wars that can disable companies and even countries (such as Stuxnet). All these problems are related to computer security. Due to its paramount importance, computer security is not just one academic research area. Many security products are installed on typical computers; in the United States, there are multiple federal agencies dedicated to computer security; the computer security is a multi-billion industry that is estimated to grow steadily. Computer security related issues have been widely recognized in software development companies. As computer security techniques evolve continuously along with product improvements and new service opportunities, computer security is and will remain to be an important and valuable area in the perceivable future with new career opportunities. Due to the proactive nature of hackers and malicious users and weak links in securing systems (such as phishing email and social engineering attacks target unsuspecting users), it is unavoidable that some computers will be infected by malware and some will be infiltrated and compromised; according to a new study, 38.3% of all users were attacked while their owners were online and in total, 23% of all computers were attacked at least once in 2014. When such activities are sensed, cyber security professionals must act quickly and accurately as shut downing all the servers can affect many normal users while not stopping cyber-attacks as early as possible can have serious consequences in terms of data and other losses. Furthermore, nullifying such attacks can involve many practical cyber security skills that are not covered in security courses. In addition, to prevent such attacks, one may have to understand offensive techniques used by malicious groups. This course is designed to cover the basic principles and techniques for solving cyber-attacks, covering cryptography, web, binary reversing, binary exploitation, forensics, and firmware analysis with the emphasis on practical skill development and problem solving in the context of the cyber Catch-The-Flag (CTF) competitions so that you can develop the skills and techniques that are ready to be used.
This course covers fundamental problems, principles,
and practical problem solving techniques in cryptography, web, binary
reversing, binary exploitation, forensics, and firmware analysis; many of the
techniques will be demonstrated and practiced using commonly used and
customized tools using Python. It also involves opportunities to solve new CTF
challenges and develop new tools to help solve such problems.
CDA 3100 – Computer Organization I; having a
good understanding of instruction set architectures (registers, instruction
encoding and decoding, and memory organization) and basic data types, data
structures, function calls (calling conventions), and memory layout of programs;
be able to understand x86 and other assembly (assuming that instruction
reference manuals are available); having a general understanding of computer
security.
Upon successful
completion of this course of study, the student will:
There is no required
textbook for this course and we will provide lecture slides, written notes, and
worked out examples from previous relevant CTF competitions. The following
books can be helpful to understand some of the basic concepts thoroughly.
Recommended reading: “Hacking: The Art of Exploitation, 2nd Edition” by Jon Erickson: this is a book with accurate and detailed descriptions and
commands of common vulnerabilities and corresponding exploits. It is an
excellent book for understanding buffer overflow vulnerabilities, string format
vulnerabilities, and shellcode, and other exploitation development.
“The Web Application Hacker's Handbook: Finding and Exploiting Security
Flaws” by Dafydd Stuttard and Marcus Pinto. The book provides a
comprehensive and thorough coverage of web security mechanisms, and web
vulnerabilities.
“Information Security,” 2nd Edition, (ISBN 978-0-470-62639-9),
Wiley, 2011, by Mark Stamp. The book provides a good coverage on commonly used
cryptographic algorithms and cryptanalysis techniques, and security protocols.
In addition to the textbooks, papers and documents from the
literature will be distributed along the lectures.
Attendance is required for this class. Unless
you obtain prior consent of the instructors, missing classes will be used as
bases for attendance grading. Excused absences include documented
illness, deaths in the family and other documented crises, call to active
military duty or jury duty, religious holy days, and official University
activities. These absences will be accommodated in a way that does not
arbitrarily penalize students who have a valid excuse. Consideration will also
be given to students whose dependent children experience serious illness. In case that it is necessary to skip a class,
students are responsible to make up missed materials. Participation in in-class
discussions and activities is also required. All submitted assignments and
projects must be done by the author(s). It is a violation of the Academic Honor
Code to submit other’s work and the instructor of this course takes the
violations very seriously.
As this course will cover certain techniques
to exploit and break down known systems in order to demonstrate their
vulnerabilities, it is illegal,
however, to practice these techniques on others' systems. The students will be liable for their behaviors and
therefore consequences.
About ten homework assignments (most of them involve solving CTF problems) will be given along the lectures and they need to be done individually and turned in. There will be a term project, where a tool needs to be developed that can help solve a certain family of CTF problems. There will be a CTF competition-style final in the last week of the classes and the write-ups are due during the final exam week.
Grades will be
determined as follows:
Assignment |
Points |
Assignment |
Points |
Class Attendance & Participation |
10 % |
Final CTF Competition |
20 % |
Homework Assignments |
50 % |
Term Project |
10 % |
In-class
Presentations |
10 % |
|
|
Grading will be based on the weighted average as specified
above and the following scale will be used (S is the weighted average on a 100-point
scale):
Score |
Grade |
Score |
Grade |
Score |
Grade |
93 £ S |
A |
80
£ S < 83 |
B- |
67 £
S < 70 |
D+ |
90
£ S < 93 |
A- |
77
£ S < 80 |
C+ |
63
£ S < 67 |
D |
87
£ S < 90 |
B+ |
73
£ S < 77 |
C |
60
£ S < 63 |
D- |
83
£ S < 87 |
B |
70
£ S < 73 |
C- |
S < 60 |
F |
Assignments are due at the beginning of the class on the due date. Assignments turned in late, but before the beginning of the next scheduled class will be penalized by 10 %. Assignments that are more than one class period late will NOT be accepted.
All tests/assignments/projects/homework will be returned as soon as possible after grading but no later than two weeks from the due date.
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
Fundamentals
o
Practice
o
The
final CTF competition is scheduled from 5:15pm,
April 21st to 7:30pm,
April 24th, 2017.
o
Fundamentals
o
Practice
The Florida State University Academic Honor Policy outlines the University’s expectations for the integrity of students’ academic work, the procedures for resolving alleged violations of those expectations, and the rights and responsibilities of students and faculty members throughout the process. Students are responsible for reading the Academic Honor Policy and for living up to their pledge to “…be honest and truthful and … [to] strive for personal and institutional integrity at Florida State University.” (Florida State University Academic Honor Policy, found at http://fda.fsu.edu/Academics/Academic-Honor-Policy).
Assignments/projects/exams are to be done individually, unless specified otherwise. It is a violation of the Academic Honor Code to take credit for the work done by other people. It is also a violation to assist another person in violating the Code (See the FSU Student Handbook for penalties for violations of the Honor Code). The judgment for the violation of the Academic Honor Code will be done by the instructor and a third party member (another faculty member in the Computer Science Department not involved in this course). Once the judgment is made, the case is closed and no arguments from the involved parties will be heard. Examples of cheating behaviors include:
v Discuss the solution for a homework question.
v Copy programs for programming assignments.
v Use and submit existing programs/reports on the world wide web as written assignments.
v Submit programs/reports/assignments done by a third party, including hired and contracted.
v Plagiarize sentences/paragraphs from others without giving the appropriate references. Plagiarism is a serious intellectual crime and the consequences can be very substantial.
Penalty for violating the Academic Honor Code: A 0 grade for the particular assignment /exam and a reduction of one letter grade in the final grade for all parties involved for each occurrence. A report will be sent to the department chairman for further administrative actions.
Students with disabilities needing academic accommodation should: (1) register with and provide documentation to the Student Disability Resource Center; and (2) bring a letter to the instructor indicating the need for accommodation and what type. This should be done during the first week of class. This syllabus and other class materials are available in alternative format upon request. For more information about services available to FSU students with disabilities, contact the: Student Disability Resource Center 874 Traditions Way 108 Student Services Building Florida State University Tallahassee, FL 32306-4167 (850) 644-9566 (voice) (850) 644-8504 (TDD) sdrc@admin.fsu.edu http://www.disabilitycenter.fsu.edu/.
Free Tutoring from FSU: On-campus tutoring and writing assistance is available for many courses at Florida State University. For more information, visit the Academic Center for Excellence (ACE) Tutoring Services' comprehensive list of on-campus tutoring options at http://ace.fsu.edu/tutoring or contact tutor@fsu.edu. High-quality tutoring is available by appointment and on a walk-in basis. These services are offered by tutors trained to encourage the highest level of individual academic success while upholding personal academic integrity.
Syllabus Change Policy: Except for changes that substantially affect
implementation of the evaluation (grading) statement, this syllabus is a guide
for the course and is subject to change with advance notice.
© 2017 Florida State University.
Updated on January 9, 2017.