This website has been updated for the Fall 2020 pre-registration period—check back in Spring 2021 for updated course materials.

This is a course on computer systems security through a balanced mixture of theory and practice.

We’ll start out with building the foundations of security through an exploration of cryptography. From there, we’ll move to more complex, multi-faceted systems such as web applications, operating systems, and networks. Along the way, we’ll explore complementary topics such as authentication, physical security, social engineering, privacy, anonymity, and the security of emergent systems such as blockchains and machine learning.

By learning about security through these multiple domains, you’ll concretely learn how various classes of attacks appear in a vast variety of scenarios and how they work in practice. You’ll also learn how to evaluate systems adversarially, from writing precise security analyses about subtle issues in protocols to discovering and exploiting vulnerabilities in concrete technical systems for yourself.

Through all of these activities, you’ll ultimately work to develop a specific kind of intuition—a “security mindset”—that will give you the knowledge, vocabulary, and confidence to critically analyze and effectively defend the software and systems you approach as a computer scientist even after the course.


Interested in taking the course? The course commonly fills up during pre-registration, but to have the best chances of getting a spot in the course, you should do the following:

Make sure to submit your waitlist requests via our form—we don't use or look at the Courses@Brown override request feature.
  1. Register for the waitlist by filling out this form. We actually do read and evaluate the responses that are submitted, so if you have any particular reasons you want to take the course, do let us know!
  2. Read the note below on the lab component of the course, and consider taking it. If you’re interested in taking the lab, make sure to note that in the waitlist form!
  3. Show up to the first Zoom lecture on Thursday, January 21.
  4. Submit the first written homework.

While we cannot guarantee that all students on the waitlist will be able to take the course, here’s some historical statistics about your likelihood of receiving an override code:

  • In Spring 2018, all students on the waitlist were given an override by the 14th day of shopping period.
  • In Spring 2019, all students on the waitlist were given an override by the 10th day of shopping period.
  • In Spring 2020, all students on the waitlist were given an override by the 9th day of shopping period.

In summary, we’ve historically never turned anyone away on the waitlist—as long as you’re willing to be patient during shopping.

A Note on the Lab

We strongly encourage you to consider taking CS162, the half-credit laboratory component of the course. If you take CS162, you’ll have the opportunity to work on advanced challenges that will provide you with a greater appreciation of systems security and the “security mindset” as a whole:

CS162 is intended to be taken concurrently with CS166 and provides students with a deeper understanding of the material by doing advanced versions of the CS166’s projects. These advanced versions focus on real-world skills: performing attacks that are more difficult and rely on less serious vulnerabilities, performing attacks against systems with more real-world constraints, and creating attacks that achieve a higher standard of quality than a mere proof of concept.

In previous years, CS162 students report spending approximately 10 to 20 extra hours on each project throughout the semester. (We anticipate that this will be the same this year.) You do not need any additional experience on the base prerequsites of the course to succeed in CS162—anyone who feels comfortable taking CS166 and is able to put in the extra time should also feel comfortable taking CS162.

CS162 has no assigned meeting time.

If you’re interested, undergraduate and PhD students should register for CS162 as normal on Courses@Brown. (Senior undergraduates are eligible to capstone with CS162.) Masters students should not register for CS162, but instead may earn 2000-level credit for CS166 by completing the CS162 requirements.


This is not an official syllabus, and information is subject to change. Check back in Spring 2021 for the official syllabus, collaboration policy, etc., which will cover these administrative topics more in-depth.

Here’s some important information to know if you’re considering taking this course.


In this course, we will primarily cover topics including:

  • Security principles (confidentiality, integrity, availability) and attacker models
  • Cryptography (block / stream ciphers, hash functions, public key cryptography, symmetric / asymmetric, commitment schemes)
  • Web security (browsers, same-origin-policy, sessions, cookies, fingerprinting, and many, many web attacks)
  • Operating systems security (malware, storage encryption, physical attacks, processes, race conditions, Unix concerns with permissions, file links, setuid)
  • Network security (ARP, IP, TCP, UDP, DNS, DNSSEC, SSL, TLS, anonymization networks, side-channels)
  • Cloud security (leakage, deduplication, computing on encrypted data)

We also spend a good amount of time on complementary topics such as authentication (passwords, MFA), access control, trust and social engineering, anonymity, physical security, and security for emerging technologies such as blockchains and machine learning. For almost all of these technologies and techniques, we’ll also look at various ethical and social considerations and see how they impact real-world applications.


If you don't meet the prereqs, but still want to take the course, talk to the HTAs—we can advise you on your particular situation.

You should have an intro-sequence’s worth of programming experience (016, 018, or 019) and have a good understanding of systems programming (030, 033, 131, or 133). This concretely means that:

  • You should be comfortable writing programs and scripts in the language of your choice (such as Python, Ruby, Bash, Go, C++, etc.), be comfortable in a Unix command-line environment (running binaries, filesystem navigation, etc.) and using SSH with the Brown CS filesystem, have a basic understanding of systems programming concepts such as memory management and networking.
  • You also should have heard of the terms “race condition”, “packet”, “TCP”, “UDP”, “buffer overflows”, and “DNS”. (If you forget what these are, don’t worry—we’ll describe them again when they come up in the latter half of the course.)
  • You should also be at least somewhat comfortable (and very willing) to learn new programming languages and reading code in languages and programs that you’ve never used before. (You’ll get lots of practice with this in this course!)

Your willingness to challenge yourself is perhaps the most important prerequsite for the course. Security can be frustrating at times, but the rewards are great—in exchange for engaging with some difficult intellectual challenges, you’ll have the opportunity to gain concrete insights about systems and security and become a better computer scientist by the end of the course.


The textbook for the course is Introduction to Computer Security by Michael T. Goodrich and Roberto Tamassia, 1st Edition. You’ll find the textbook directly helpful on most assignments in this course.

Lectures and Sections

Lectures are held on Tuesdays and Thursdays from 1pm–2:20pm on Zoom. This course is “synchronous encouraged”, which means that we strongly encourage you to attend synchronously (due to our use of in-class technical demos and discussion), but, with instructor permission, you may watch the recorded lectures instead. (Class participation also helps the instructor better assess your understanding of the topics in the determination of the final grade.)

We also host a weekly section (times TBA; on Zoom) that covers a variety of topics, from tips for approaching course assignments, to other material to complement that discussed in lecture, to problem-solving sessions in preparation for the midterms. Attendance to sections is optional, but we think they’re helpful and we highly recommend that you attend.

Time Commitment

Security is all about adversarial thinking—reasoning about systems in a way that others haven’t. As such, the work times on homeworks and project times can vary—sometimes insights will take a while to find; in other cases, insights come very quickly and you’ll find yourself done faster than you think.

  • For CS166, students will spend about 3 hours per week in lecture (36 hours total), 8 hours per homework (48 hours total), and 10–30 hours per project (average 80 hours total). Additionally, combined preparation and active work time on each midterm is expected to take 8 hours (16 hours total), for a total expected course workload of 180 hours.
  • For CS162 (the half-credit lab), the advanced components add about 90 extra hours of material throughout the course (standard half-credit course workload). In general, students find that the CS162 workload tends to be heavier in the first half of the semester in comparison to the second half.


Coursework consists of homeworks, projects, and midterms.

  • Homeworks ask you and your peers to collectively and critically think about systems security questions that extend various topics covered in lecture. Through analyzing protocols, devising attacks, developing defenses, and considering ethical issues that are heavily tied to the material, the homeworks are designed to reinforce your skills in security analysis, discussing complex security topics with your peers, and precise written communication of attacks and defenses.
  • Projects ask you to get down into the mud—hacking, scripting, breaking, and fixing—provide you with the opportunity to engage with real-world vulnerabilities in computer systems, developing exploits, and designing countermeasures.
  • Midterms distill the systems security knowledge from the semester to encourage you to identify and apply the “big ideas” in systems security that we’ll see throughout the course. Midterms are take-home, open-note, zero-collaboration exams that you have several days to complete.

If you want a more concrete idea of some of the work you’ll be doing, here’s an overview of the projects from Spring 2020 (projects are subject to change from year-to-year):

Project Description
Cryptography Break into “cryptographically secure” systems by taking advantage of subtle, yet devastating flaws in their implementation.
Flag Find and exploit vulnerabilities in an obfuscated web application, then fix the security of the website by writing patches for those exploits.
Handin Use your knowledge of systems vulnerabilities to compromise a CS course’s grading infrastructure on a shared Linux filesystem via a setgid command-line handin service (much like the one used in Brown CS).
Dropbox Securely design and develop a complex file sharing service, then pentest other people’s implementations of that service.

In Spring 2021, the projects will focus on the same areas—cryptography, web security, operating system security, and building systems with robust security properties in multi-user contexts.


Have any other questions about the course? You can contact the Head TAs, William Schor (wschor) and Zachary Espiritu (zespirit), at You can also contact the professor, Bernardo Palazzi (bernardo), at


How do I get on the waitlist?

See Waitlist.

What’s the difference between 166 and {165, 180, 239}?

Each of these courses cover relatively disjoint material, and you’ll learn completely different things in all of them. (If you haven’t taken any of them—great! CS166 is a great introduction to the field, and you’ll learn a lot through this course. If you have taken a subset of these courses—also great! A lot of CS166’s material will still be new to you, and all of these courses are useful in terms of honing your security mindset for the long-term.)

  • 165 is a deep-dive into software security, which focuses on low-level memory vulnerabilities (i.e. on the stack), and coursework primarily focuses on developing attacks.
    • In comparison, 166 looks at higher-level abstractions (cryptography, browser and web applications, networks, etc.) and principles of systems security. Our coursework also focuses on a mix of discovering attacks and designing defenses. (We don’t look at stack-based code execution vulnerabilities at all.)
  • 180 looks at cybersecurity from a more historical and policy-driven perspective.
    • In comparison, 166 motivates much of its content with historical examples (but is primarily about technical details).
  • 239 is about privacy engineering—making sure that the data is either not collected in the first place or, if collected, not misused.
    • In comparison, 166 is more about protecting data from unauthorized access (i.e. from usually-external adversaries); some of the techniques used in privacy engineering overlap with 166 content, but our usage and analysis of those techniques differs.

Can I use this course as a ugrad capstone?

Yes—you’ll need to register for CS162 as well. See A Note on the Lab for details.