The Invitation

Welcome guest,

This is a course on computer systems security through a balanced mixture of theory and practice. We’ll start out with building the foundations of security through an exploration of cryptography. From there, we’ll move to more complex, multi-faceted systems such as web applications, operating systems, and networks. Along the way, we’ll explore complementary topics such as authentication, trust, and social engineering, and the security of emergent systems such as cloud security and machine learning. In learning about security in these various domains, you’ll work to develop a “security mindset” that will help you to critically and adversarially analyze the software and systems you approach as a computer scientist even after the course.

We hope you enjoy your stay.

– the cs166 course staff

The Reservation
The Murder
The Assignments
All assignments have a due time of 11:59 PM EDT.


Homework 1 Jan 24 Feb 3
Homework 2 Feb 4 Feb 13
Homework 3 Feb 14 Feb 27
Homework 4 Mar 6 Apr 1
Homework 5 Mar 30 Apr 13
Homework 6 Apr 14 Apr 24
Solutions are password-protected. Passwords are available on the CS filesystem at /course/cs1660/pub/solution-passwords.txt.


Cryptography Jan 28 Feb 10
Flag Feb 11 Feb {24,27}
Handin Mar 3 Apr 1
Dropbox Mar 30 Apr {9,28}


Midterm 1 Feb 28 Mar 3
Midterm 2 Apr 29 May 5
The Lectures
Served Tue, Thur @ 1-2:20pm in CIT 368.
Jan 23 Cryptography I: Security Goals, Attacker Models, OTP w/ Roberto
Textbook chapters: 1.1, 1.3.1, 1.3.3, 8.1.1, 8.1.2, 8.1.3, 8.1.6
Jan 28 Cryptography II: Block / Stream Ciphers, Hashes w/ Roberto, Lilika
Textbook chapters: 1.3.4, 8.1.4, 8.1.7, 8.3
Jan 30 Cryptography III: Public Key Cryptography w/ Roberto
Textbook chapters: 1.3.2, 1.3.5, 8.2.1, 8.2.2, 8.4 (except 8.4.2), 7.1.2
Feb 4 Physical Security w/ Roberto
Textbook chapters: 1.2, 2.1, 2.2, 2.6, 9.1
Feb 6 Web Security I: Browser Security, SOP w/ Roberto
Textbook chapters: 7.1, 7.2.3
Feb 11 Web Security II: Session Management, CSRF w/ Roberto
Textbook chapters: 7.2.5, 7.2.7
Feb 13 Web Security III: SQL Injection, XSS w/ Lilika
Textbook chapters: 7.2.6, 7.3.3
Feb 18 Long Weekend (No Class)
Feb 20 Authentication I: Passwords w/ Roberto
Textbook chapter: 1.4.2
Feb 25 Authentication II: MFA w/ Roberto
Textbook chapter: 2.3.3
Nethanel Gelernter, Senia Kalma, Bar Magnezi, Hen Porcilan: The Password Reset MitM Attack. IEEE Symp. on Security and Privacy, 2017.
Feb 27 Malware w/ Roberto
Textbook chapter: 4
Symantec's 2019 Internet Security Threat Report
Mar 3 Operating Systems Security w/ Lilika
Textbook chapter: 3
Mar 5 Storage Encryption w/ Roberto
Textbook chapter: 9.7
Mar 10 Networks I: Introduction w/ Roberto
Textbook chapters: 5.1, 5.2.1, 5.2.2, 5.3.1, 5.3.2
Mar 12 Networks II: ARP, IP, TCP, UDP w/ Roberto
Textbook chapters: 5.2.3, 5.3.3, 5.3.4, 5.4.1, 5.4.2, 5.5.3
Mar 17 COVID-19 Break (No Class)
Mar 19 COVID-19 Break (No Class)
Mar 24 Spring Break (No Class)
Mar 26 Spring Break (No Class)
Mar 31 Networks III: DNS w/ Lilika
Textbook chapters: 6.1
Apr 2 Networks IV: SSL/TLS w/ Roberto
Textbook chapters: 7.1.2, 8.2.4
Apr 7 Cloud Security w/ Roberto
Apr 9 Blockchains and Cryptocurrencies w/ Roberto
Apr 14 Privacy and Censorship (Guest Lecture) w/ Bernardo Palazzi
Apr 16 Adversarial Machine Learning w/ Roberto
Apr 21 Social Engineering (Guest Lecture) w/ Ernesto Zaldivar
Apr 23 Usable Security w/ Olivia, Zachary
Apr 28 Reading Period: Cyber-Physical Security w/ Lilika
Apr 30 Reading Period (No Class)
May 5 Reading Period (No Class)
The Sections

Sections used to be held Wednesdays @ 8:00pm in CIT 165 (Motorola); starting after March 31, they will now be released as video lectures on the dates listed in the calendar below. They mainly cover topics that’ll be helpful on the course assignments, but we’ll also occasionally discuss other material to complement that discussed in lecture. Attendance is optional and slides will be posted, but some sections contain interactive components (such as demos and whiteboards) that aren’t posted to the website. We’ve provided estimates for how long each section will last below.

Jan 29 Cryptography (w/ Olivia) 20min
In this section, we’ll go over a few hints and tips for the Cryptography project.
Feb 12 Web Attacks A (w/ Zachary) 60min
In this section, we’ll extend our discussion of CSRF and session-focused vulnerabilities through a broad survey of some advanced web attacks. Along the way, we'll cover complementary tactics such as resource access and business logic. We'll also give some advice on how to approach the Flag project.
Feb 19 Web Attacks B (w/ Zachary) 60min
In this section, we'll focus on "code injection"-related attacks similar to the XSS and SQLI exploits we discussed in lecture. We'll also use this background to motivate discussion about client-side modification attacks. Finally, we'll give some hints and tips for the Bob's Router part of the project.
Feb 26 Review: Midterm 1 (w/ Zachary) 75min
In this section, we'll review topics from the first half of the course in preparation for Midterm 1.
Mar 4 Linux Security / Scripting (w/ Zachary) 45min
In this section, we'll give some advice on how to start working on the Handin project and, more generally, operating systems-based security pentesting. We'll also give a brief primer on Bash scripting and attack automation.
Apr 12 Security Design and Dropbox (w/ Olivia) 20min
In this section, we'll discuss the Dropbox support code and some tips for getting started with the implementation phase of the project.
Apr 26 Review: Midterm 2 (w/ Zachary) 75min
The Demos
Demos: A History
In lecture, we'll routinely show technical demonstrations and applications of some of the security concepts taught in the course. We'll post notes about each demonstration here if you'd like to try them out for yourself.
The Hours

We have two types of TA office hours in CS166—TA Hours and Homework Clinics.

In TA Hours, you can ask for help on anything related to the projects (concepts, clarifications, code, etc.), homework problems, lecture material, or general concepts.

In Homework Clinics, students collaborate on homework problems in a group-work environment under the guidance of the TAs. Homework Clinics are designed specifically to help students on the homework problems or any conceptual problems related to the homework. Any questions outside of the homework content should be directed to TA Hours or Piazza.


All students are responsible for the contents of the following documents and registering for the following external services used in the course:

  • Syllabus: All students are required to read the Syllabus and Collaboration Policy.

  • Textbook: The textbook for the course is Introduction to Computer Security by Michael T. Goodrich and Roberto Tamassia, 1st Edition.

  • Gradescope: We use Gradescope for collecting certain assignments and grade distribution. We add students to our Gradescope page manually based on waitlist signups and course registration—if you’re trying to hand in but aren’t able to access the page, please email the HTA list.

  • Piazza: Join our Piazza board to ask questions about course content (see the Collaboration Policy for question guidelines). The course staff will also post announcements and assignment clarifications to this board.

  • TopHat: We use TopHat to facilitate “clicker questions” during class. These instructions describe how to set up your personal device for TopHat usage.


Extension Requests: If there are extenuating circumstances preventing you from completing an assignment on time (e.g., illness), you may use this form to request an extension (without using late days) before the assignment is due. (Dean’s Notes and SEAS Accommodations should not go through this form—any inquiries of the sort should be sent directly to Roberto.)

Anonymous Feedback: If you have feedback that you’d wish to share anonymously, you can use this form. Emails are tracked on this form, but these email addresses cannot be viewed by the course staff (including the professor) and are only viewable by Thomas Doeppner (Director of Undergraduate Studies).

Department Resources

Undergraduate Missive: The Computer Science department’s Undergraduate Missive contains lots of helpful information regarding asking for help from TAs, Sunlab Consultants, and more. (Some information is useful for graduate students as well.)

Diversity and Inclusion: In addition to the following resources, you can email the Student Advocates for Diversity & Inclusion at diversity.advocates@lists.cs.brown.edu:

Health and Wellness: In addition to the following resources, you can email the Student Advocates for Health & Wellness at wellness.advocates@lists.cs.brown.edu:

Student Groups: The department sponsors several student groups:

  • CS for Social Change: Focuses on the intersection of computer science and social impact.
  • CS DUG (Department Undergraduate Group): Seeks to increase undergraduate participation in the department and continue the Brown legacy of involved undergraduates.
  • Mosaic+: Student-led diversity initiative to create an inclusive space for racially and ethnically underrepresented minority (URM) students.
  • oStem@Brown: Student group that aims to empower LGBTQ people studying or working in STEM fields to succeed personally, academically, and professionally.
  • WiCS (Women in Computer Science): Student group that aims to support and increase the participation of women in the field of Computer Science.

University Resources

CAPS (Counseling and Psychological Services): If you feel yourself falling behind, needing to talk to someone about personal problems, or, in general, want a supportive ear, you may find CAPS helpful—they provide a range of mental health services to the Brown community.

SEAS (Student and Employee Accessibility Services): Brown University is committed to full inclusion of all students. Students who, by nature of a documented disability, require academic accommodations should contact the professor. The staff of the SEAS office can be reached at 401-863-9588 or seas@brown.edu to discuss the process for requesting accommodations.