Important: All students are required to read the Syllabus, which outlines the major course policies. Please make sure you understand these policies well! (The section below elaborates more on some additional policies that aren’t covered in either of those documents.)
CS1660 (formerly called CS166) is a course on computer systems security through a balanced mixture of theory and practice.
We’ll start out with building the foundations of security through an exploration of cryptography. From there, we’ll move to more complex, multi-faceted systems such as web applications, operating systems, and networks. Along the way, we’ll explore complementary topics such as authentication, physical security, social engineering, privacy, anonymity, usability, and the security of emergent systems such as blockchains and machine learning.
By learning about security through these multiple domains, you’ll concretely learn how various classes of attacks appear in a vast variety of scenarios and how they work in practice. You’ll also learn how to evaluate systems adversarially, from writing precise security analyses about subtle issues in protocols to discovering and exploiting vulnerabilities in concrete technical systems for yourself.
Through all of these activities, you’ll ultimately work to develop a specific kind of intuition—a “security mindset”—that will give you the knowledge, vocabulary, and confidence to critically analyze and effectively defend the software and systems you approach as a computer scientist even after the course.
We encourage you to take an additional half-credit “lab”, called CS1620 (for undergraduates) or CS2660 (for master’s and graduate students). Senior undergraduates may use the lab portion to count for their capstone requirement.
Students taking the lab have the opportunity to work on advanced challenges that will provide you with a greater appreciation of systems security and the “security mindset” as a whole:
CS1620/CS2660 provides students with a deeper understanding of the material by doing advanced versions of CS1660’s projects and advanced questions on the written assignments. These advanced versions focus on real-world skills: performing attacks that are more difficult and rely on less serious vulnerabilities, performing attacks against systems with more real-world constraints, and creating attacks that achieve a higher standard of quality than a mere proof of concept.
CS1620 vs. CS2660: Due to credit-counting logistics, the lab portion of the course has two different course numbers: CS1620 and CS2660. Undergraduate students wishing to do the half-credit lab should sign up for CS1620 in addition to CS1660. CS2660 combines both CS1660 and CS1620 in one 2000-level course. If you are a graduate student (or an ScB student who has applied for the concurrent CS master's program), and wish to earn 2000-level credit for this course, you should sign up for CS2660 only. What’s the difference? Both CS1620 and CS2660 share the same extra course content, but only CS2660 counts for 2000-level credit. In course materials, we will refer to the lab portion simply as CS1620–this includes both CS1620 and CS2660 students.
How much work is the lab?: In previous years, students taking the lab report spending approximately 8–20 extra hours on each project throughout the semester, though they also note that the additional components are more front-loaded so the second half of the semester is much more flexible. (We anticipate that this will be the same this year.) You do not need any additional experience beyond the base prerequisites of the course to succeed with the lab—anyone who feels comfortable taking CS1660 should also feel comfortable taking CS1620/CS2660, so long as you are comfortable with the extra time requirement. Note that students taking CS2660 are committed to completing the requirements for both the lab and main portion of the course–after the add/drop period ends, it is not possible for a CS2660 student to drop the lab portion and still get credit for CS1660 in the same semester.
How do I sign up?: If you are interested in the lab portion, undergraduates should register for CS1660 and CS1620 on CAB. Senior undergraduates are eligible to capstone with CS1620—email the HTA list if you intend to have the lab count for your capstone credit. If you intend to take CS2660, please fill out this form and request an override code on CAB.
The waitlist closes on Friday, January 27, 2023 at 11:59pm EST.
Interested in taking the course? The course commonly fills up during pre-registration, but to have the best chances of getting a spot in the course, you should do the following:
Register for the waitlist by filling out this form. We actually do read and evaluate the responses that are submitted, so if you have any particular reasons you want to take the course, do let us know!
Add the course to your shopping cart. This will grant you access to EdStem and Gradescope.
Read about the lab component of the course, and consider if you want to take it. If you’re interested in taking the lab, make sure to note that in the waitlist form! (If you already submitted the form, don’t worry, you can visit the link again to edit your response!)
If possible, attend (in person or via Zoom) the first lecture on Thursday, January 26 or watch the recording as soon as is feasible.
Every day during shopping period, we will admit students from the waitlist, prioritizing those who were unable to register previously due to CAB issues, and students with strict program requirements or who are otherwise unable to take the course at another time. If you fall into one of these categories, please briefly state it on the form (please avoid email–it will take longer!). If you already responded and need to edit your response, you can do so by clicking the form link again.
While we cannot guarantee that all students on the waitlist will be able to take the course, all students who were registered for the waitlist in Spring 2018 were given an override code by the last day of shopping period; in Spring 2019, all students on the waitlist were given an override code by the 10th day of shopping period; in Spring 2020, all students on the waitlist were given an override by the 9th day of shopping period.
You should have an intro-sequence’s worth of programming experience (0160, 0180, or 0190) and have a good understanding of systems programming (0300, 0330, 1310, or 1330). This concretely means that:
If you don’t meet the official prerequisites but still want to take the course, please feel free to ask the instructors–we are happy to discuss your individual situation to determine if the course is right for you!
Your willingness to challenge yourself is perhaps the most important prerequisite for the course. Security can be frustrating at times, but the rewards are great. In exchange for engaging with some difficult intellectual challenges, you’ll have the opportunity to gain concrete insights about systems and security and become a better computer scientist along the way!
We will have live lecture on Tuesdays and Thursdays @ 1pm - 2:20pm ET in person at CIT 368 and on Zoom via this link. All lectures will be recorded and will be posted on Panopto following the lecture.
NOTE: We are encountering an issue with the recording for the first lecture. An update will be posted on Ed soon.
Attendance policy: Students are encouraged to attend lecture in-person or synchronously via Zoom, though this is not required. Attendance does not impact your course grade. Lecture may use TopHat questions to poll students during class–these are optional and are only used to gauge your understanding during class. TopHat responses have no impact on your course grade.
Asking Questions: We encourage students to ask questions in class by raising your hand (either in person, or as a reaction or chat message in Zoom). If you are participating remotely, we will ask you to unmute and ask your question.
Recording Policy: All lectures will be recorded. Recordings and any notes/slides from lecture will be made available within 24 hours of the lecture date in Panopto.
During shopping period, students who are not officially registered should have CSCI1660 in their primary cart on CAB in order to have access to Panopto.
The Collaboration Policy details the rules surrounding collaboration on all aspects of the course.
The most important points are as follows:
Projects: Whenever you’re actively interacting with project systems, you must do so entirely independently. “Actively interacting” includes having the project systems (binary, website, etc.) within sight or interacting with them, exploring system source code, writing your deliverables (solutions, writeup, exploit code, video, etc.), and so on. You also may not share your deliverables with others, and you may not read others’ deliverables.
That said, we allow discussion of projects with other students as long as no student in the discussion is actively interacting with the project systems. You should treat project-based discussions like going to TA hours—that is, focus on high-level hints, prodding questions, and occasional debugging help on narrowly scoped technical issues, but don’t give away full answers. Finally, when you talk to other students about projects, you must cite those students in your handin. See the Policy for more details.
Homeworks: You’re permitted to (and encouraged to) discuss any aspect of the homework problems with other students currently in CS1660. In this course, the homework problems generally will require you to approach problems from different angles and are designed to encourage discussion amongst students.
However, you must write your homework solutions entirely independently. You may not share your solutions with anyone (or read solutions written by others). You should not write your solutions while working with other students, and when you’re writing your solutions, you should ensure that you independently understand and can reproduce your answers without referring to notes from collaboration sessions and consulting with other students. (Homework Clinics are not exempt from this policy.) Finally, when you talk to other students about homeworks, you must cite those students in your handin. See the Policy for more details.
Even if you’ve read the above summary, please read the remainder of the Collaboration Policy, since it covers more policies on referencing external sources, how to cite other students in your submissions, etc. If you have any questions about the Policy, please ask on Edstem.
Homeworks | Out | In |
---|---|---|
Homework 0 | Jan 26 | Jan 31 |
Homework 1 | Feb 14 | Feb 23 |
Homework 2 | Mar 3 | Mar 14 |
Homework 3 | Apr 4 | Apr 12 |
Homework 4 | Apr 12 | Apr 21 |

Projects | Out | In |
---|---|---|
Cryptography | Feb 2 | Feb 13 |
Flag | Feb 22 | Mar 6 |
Handin | Mar 10 | Mar 24 |
Dropbox | Apr 3 | May 3 |

Date | Lecture | Readings / notes | Lecturer |
---|---|---|---|
Jan 26 | Course Intro: Logistics, Security Principles | Textbook chapters: 1.1, 1.3.1, 1.3.3, 1.3.4, 1.4 | w/ Bernardo |
Jan 31 | Cryptography I: Symmetric Crypto, OTP, Hash Functions | Textbook chapters: 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.3 | w/ Bernardo |
Feb 2 | Cryptography II: Block / Stream Ciphers, Public Key Crypto, Signatures | Textbook chapters: 1.3.2, 1.3.5, 8.2.1, 8.2.2, 8.4 (except 8.4.2), 7.1.2 | w/ Bernardo |
Feb 7 | Cryptography III: Digital Signatures, MACs, IND-CPA, AAA | Textbook chapters: 1.4.2 | w/ Bernardo |
Feb 9 | Cryptography IV: Authentication, Authorization, and Accounting | Textbook chapters: 7.1, 7.2.3 | w/ Bernardo |
Feb 14 | Passwords and MFA | | w/ Bernardo |
Feb 16 | Web Security I: Web Security Models, Browser Security, Web Technologies and Protocols | Textbook chapters: 7.1, 7.2.3 | w/ Bernardo |
Feb 23 | Web Security II: Session Management, SOP JavaScript and iframes, CSRF (Cross-Site Request Forgery) | Textbook chapters: 7.2.5, 7.2.7 | w/ Bernardo |
Feb 28 | Web Security III: Cross-Site Request Forgery SQL Injection and XSS | | w/ Bernardo |
Mar 2 | Web Security IV: Injection Mitigations, XSS, Web Frameworks | Textbook chapter: 3.3.2 | w/ Bernardo |
Mar 7 | Web Security IV: XSS mitigations, Web Frameworks & OS Intro | | w/ Bernardo |
Mar 9 | Operating Systems Security | Textbook chapter: 3 | w/ Bernardo |
Mar 14 | Operating Systems Security II | | w/ Bernardo |
Mar 16 | Networks I | Textbook chapters: 5.1, 5.2.1, 5.2.2, 5.3.1, 5.3.2 | w/ Bernardo |
Mar 21 | Networks II: ARP, IP, TCP, UDP | Textbook chapters: 5.2.3, 5.3.3, 5.3.4, 5.4.1, 5.4.2, 5.5.3 | w/ Bernardo |
Mar 23 | Networks III: DoS, DNS, TLS | Textbook chapter: 6.1 | w/ Bernardo |
Apr 4 | Networks IV: SSL/TLS, Malware | Textbook chapters: 7.1.2, 8.2.4 | w/ Bernardo |
Apr 6 | Cloud Security (Guest Lecture) | Textbook chapters: 7.1.2, 8.2.4 | w/ Bernardo & Lilika & Kaki |
Apr 11 | Networks V: TOR; Storage Encryption | Textbook chapter: 9.7 | w/ Bernardo |
Apr 13 | Networks VI: Pen Testing, Heartbleed | In-class demo: Pentesting, Heartbleed | w/ Bernardo |
Apr 18 | Networks VII: Firewall, BGP, Forensics | | w/ Bernardo |
Apr 20 | TBA | | w/ TBA |
Apr 25 | TBA | | w/ TBA |
Apr 27 | TBA | | w/ TBA |

We are happy to work with you in office hours to help with understanding any course concept or homework/project work. We are happy to help with planning how to approach problems, working with tools, figuring out how to debug your work, or reviewing concepts from lectures/homework assignments.
In order to make office hours accessible to as many students as possible, we are holding hours in two formats:
Collaborative hours (hybrid or fully-remote): Most hours will be collaborative hours. In this format, simply come to the designated room and members of the course staff will circulate and take questions. Students participating remotely can join a Zoom link (available on the Hours platform)–a dedicated staff member will talk with everyone on Zoom in parallel with in-person discussion.
In collaborative hours, you are welcome to stay and work and ask questions as they come up–this is meant to create a space where you can meet and collaborate with your peers, while course staff is available to help you get “unstuck”, or explain a concept to a group if you encounter a problem. We can provide all forms of help during this time, including debugging or help with concepts. Some projects (notably Flag and Handin) may have certain restrictions on what can be discussed during collaborative hours–more information will be provided when these assignments are released.
Individual, queue-managed (remote): This is the standard format at Brown. When the hour begins, a queue will appear on the Hours platform designated for our course. Whether you are in-person or remote, simply join the queue! When your turn comes up, you will receive a Zoom link to talk with a member of the course staff. Course staff may limit the amount of time one person may spend with a TA (i.e. ~15 minutes), especially during peak times.
Depending on which assignments are out at a given time, we will hold specific hours sections to help with homeworks or projects. These sections will use slightly different formats:
As the semester progresses, we may make adjustments to the balance of remote/in-person/hybrid hours or the mechanics of the different formats based on student and TA feedback. If you have thoughts on your experience in hours, please fill out our Anonymous Feedback Form!
@cs.brown.edu suffix, though please do not write to individual course staff unless they have asked you to do so. For sensitive matters, please contact the instructors at cs1660-profs@lists.brown.edu. Note that HTAs or UTAs cannot grant extensions.
All students are responsible for the contents of the following documents and registering for the following external services used in the course:
Syllabus and Collaboration Policy: All students are required to read the Syllabus and Collaboration Policy. By working on any assignment in this course, you agree to the contents of both documents.
Textbook: The textbook for the course is Introduction to Computer Security by Michael T. Goodrich and Roberto Tamassia, 1st Edition. The lecture schedule includes supplementary readings from the textbook, which is available in the Brown University Library. Students are not required to purchase this textbook to participate in the course.
Gradescope: We use Gradescope for collecting certain assignments and grade distribution. We add students to our Gradescope page manually based on course registration—if you’re trying to hand in but aren’t able to access the page, please email the HTA list.
Edstem: Join our Edstem board to ask questions about course content (see the Collaboration Policy for question guidelines). The course staff will also post announcements and assignment clarifications to this board. All Edstem questions must be posted privately by default, though the course staff will make posts public when necessary.
Extension Requests: If there are extenuating circumstances preventing you from completing an assignment on time (e.g., illness), you may use this form to request an extension (without using late days) before the assignment is due. (Dean’s Notes and SEAS Accommodations should not go through this form—any inquiries of the sort should be sent directly to Bernardo.)
Anonymous Feedback: If you have feedback that you’d wish to share anonymously, you can use this form. Emails are tracked on this form, but these email addresses cannot be viewed by the course staff (including the professor) and are only viewable by Thomas Doeppner (Director of Undergraduate Studies).
Undergraduate Missive: The Computer Science department’s Undergraduate Missive contains lots of helpful information regarding asking for help from TAs, Sunlab Consultants, and more. (Some information is useful for graduate students as well.)
Diversity and Inclusion: In addition to the following resources, you can email the Student Advocates for Diversity & Inclusion at diversity.advocates@lists.cs.brown.edu:
Health and Wellness: In addition to the following resources, you can email the Student Advocates for Health & Wellness at wellness.advocates@lists.cs.brown.edu:
Student Groups: The department sponsors or is affiliated with several student groups:
Writing Center: The Writing Center offers free consultations for students who would like to improve the quality of their writing; this is relevant in CS1660 since the written components of the course involve communicating complex technical ideas clearly, concisely, and precisely. Appointments can be scheduled on the Writing Center website or by emailing writing_center@brown.edu.
CAPS (Counseling and Psychological Services): If you feel yourself falling behind, needing to talk to someone about personal problems, or, in general, want a supportive ear, you may find CAPS helpful—they provide a range of mental health services to the Brown community. The office can be reached at 401-863-3476 or counseling@health.brown.edu.
SAS (Student Accessibility Services): Brown University is committed to full inclusion of all students. Students who, by nature of a documented disability, require academic accommodations should contact the professor. The staff of the SAS office can be reached at 401-863-9588 or seas@brown.edu to discuss the process for requesting accommodations.
Ombudsperson Office: The Ombuds Office provides a safe, informal, and confidential service independent from the University administration for students involved in a University-related problem (academic or administrative), acting as a neutral complaint resolver and not as an advocate for any of the parties involved in a dispute. The Ombudsperson can provide information on policies and procedures affecting students, facilitate students’ contact with services able to assist in resolving the problem, and assist students in navigating conflicts concerning improper application of University policies or procedures. All matters referred to this office are held in strict confidence (with the exception of cases where there appears to be imminent threat of serious harm).
Student Support Services: Student Support Services assists students with a wide range of issues and concerns that might arise during their time at Brown. The Student Support Services Deans provide 24-hour crisis services for undergraduate, graduate, and medical students with personal or family emergencies, and are available by appointment to consult with individual students about their personal questions/concerns, thus allowing students to succeed and thrive in their academic pursuits.
Administrator on Call: The Student Support Services office manages Brown’s Administrator On Call (AOC) system which provides a mechanism for Brown students to seek assistance in emergency situations after business hours. An AOC is able to respond to students, connect them with resources and referrals, consult with colleagues as needed, and gather information for additional follow-up during business hours. To reach the AOC, call 401-863-3322 and ask to speak to the Administrator-On-Call.
Each of these courses covers relatively disjoint material, and you’ll learn completely different things in all of them. (If you haven’t taken any of them—great! CS1660 is a great introduction to the field, and you’ll learn a lot through this course. If you have taken a subset of these courses—also great! A lot of CS1660’s material will still be new to you, and all of these courses are useful in terms of honing your security mindset for the long-term.)
If you’re a 7th semester (or greater) undergraduate, then you can use CS1660 as a capstone by completing the lab. To do this, you must register for CS1620 or CS2660, and you need to email the HTA list to indicate that you want to use this course for your capstone requirement.
If you’re a graduate student, or an ScB student who has applied for the concurrent master’s program in CS, you can obtain 2000-level credit by completing the lab. To do this, you must register for CS2660: CS1620 does not count for 2000-level credit.
One caveat: note that if you are taking CS2660, you must complete both the lab and main portion of the course in order to receive a grade–after the add/drop period ends, it is not possible for a CS2660 student to drop the lab portion and still get credit for CS1660.
Please read the Lecture Policy. If you are looking to request Simultaneous Enrollment Permission on ASK to register for another class in the same timeslot as CS1660, please email the instructor—we will approve such requests, but please note that lecture attendance and class participation in CS1660 can help your final grade in borderline cases.