CS361: Spring 2017
Introduction to Computer Security

Instructor: Dr. Bill Young; Unique number: 52163
Class time: TT 3:30pm-5pm; Location: GDC 2.216
Office: GDC 7.810; Office Hours: Tuesdays 1:30-3:30pm and by appt.
Office Phone: 471-9782; Email: byoung at cs.utexas.edu
TA: Zhao Song; Email: zhaos at utexas.edu
TA Office Hours: Monday, 8-11am, GDC 4.440
TA: Tianyi Zhang; Email: tyz at utexas.edu
TA Office Hours: Wednesdays 9am-noon, GDC 1.302 desk 4
Proctor: Nick Aguirre; Email: nicholasaguirre at utexas.edu;
Proctor Hours: Fridays 11am-1pm, GDC 1.302 desk 4
This website: www.cs.utexas.edu/users/byoung/cs361/syllabus361.html

Important Class Announcements:

Breaking news important to the class will be posted here. Consult this spot often.

Disregard this; this was a mistake because the speaker has already come and gone. A faculty candidate is giving a security-related talk. The announcement is here: Speaker.

You can get 2 extra credit points toward the final exam grade for filling out the electronic course survey. You should have gotten a message with a link. You must submit via Canvas a .png screenshot of the page that shows you've completed the survey. I think it closes end of the day on May 5.

Our final exam is Thursday, May 4 at our regular class time and place. Here's the sample final: Sample Final and tentative vocabulary list: Vocabulary. This sample test is not very representative of the test you'll be given; your test has more short answer questions and very few "essay" type questions. The final will be cumulative. You can bring two handwritten 3x5 index cards of material to the exam. The vocabulary sheet will be made available with the exam.

If your name is on this list, you haven't picked up one or more of your quizzes. Please pick them up: Quizzes to Collect

Here are the four quizzes we had this semester (the year is wrong on several of them): Quiz1, Quiz2, Quiz3, Quiz4

Here's programming assignment 6: Assignment 6 Due Friday, 4/28. This is your last programming assignment. There may be some minor tweaks, but it's basically complete.

Weekly questions are posted in the Assignments section below.

Feel free to email me (Send me an email message), but please put "CS361" in the header, since I'm also teaching CS429 this semester.

Course Description:

CS 361 is an introduction to foundations of computer security, one of the "hottest" and most relevant areas of computing today. The student will develop an intuition about what computer security means, both in the abstract and in the context of real systems; be able to recognize potential threats to confidentiality, integrity and availability; be aware of some of the underlying formalisms and technologies that attempt to address these challenges; and be conversant with current security-related issues in the field.

Topics to be covered will include:

  1. Scope of the security problem;
  2. Various views of computer security;
  3. Security policies;
  4. Formalizing security properties;
  5. Elementary information theory;
  6. Elementary cryptography;
  7. Cryptographic protocols;
  8. Authentication;
  9. Risk assessment;
  10. Malicious logic;
  11. System evaluation and certification.

Very important: This course has a blended format (as of Fall, 2011). "Blended" means that a large portion of the course content is delivered on-line. Videotaped mini-lectures will be made available on-line via UT's Quest system: Quest system. You will view these prior to coming to class and answer a series of questions on-line. The class will meet twice a week, but most meetings won't last for the entire 1.5 hours. We'll meet to discuss the material and assignments, and possibly have a short quiz to ensure that you've viewed the lectures and done the required preparation. A paper that describes the blended course is available here: Blended class. We'll also have two exams on 3/9 and 5/4. The complete schedule of meeting dates for the semester is here: Class Dates.

Note: This is not a self-paced course. A chart of the material for each week is here: Log of lectures. You must view the mini-lectures and do the on-line portions as they are assigned, and you must attend class. You will have 5-6 programming assignments over the course of the semester. If you don't have the self-discipline to keep up, you shouldn't take this course.

Here are some general hints for succeeding in this and other classes: Hints for Success.

Using Piazza: We will be using Piazza for class communication. The Piazza system is geared toward getting you help quickly and efficiently from classmates, the TAs, and me. Rather than emailing questions to the teaching staff, I encourage you to post your questions on Piazza. If you turn off the announcements from Piazza you might miss an important announcement. Don't do it! If you have any problems or feedback for the developers, email team@piazza.com. You will be automatically enrolled in Piazza, but you can also enroll yourself.

Using Canvas: Assignments are accepted and grades posted on Canvas. It is your responsibility to check grades on Canvas and verify their correctness. If you think there is an issue or omission, call it to our attention immediately. However, I don't use Canvas to compute your grade. If you consult the running average on Canvas, you'll just be confused, so I advise you not to do it.

InfoSec Certification: CS students at UT have the option of completing a number of security-related courses and receiving a government-sanctioned certification in security. See the following link for information: Security certification. Our security offerings are in flux, so the specific requirements may vary somewhat. If you have questions about that, feel free to contact me.


You are expected to have taken and passed the following courses (or equivalent) with a grade of at least C-: Computer Science 429 (or 310) or 429H (or 310H). If you don't have the prerequisites, be sure to clear it with the CS department or risk being dropped from the class.


There is no textbook. If you would like a book for reference purposes, ask me and I can suggest one. All of the lectures, slides, and supplementary materials are on-line. Note that there is a required fee for the use of the Quest system. This is very cheap compared to the cost of a textbook.

Fee for Quest System:

This course makes use of the web-based Quest content delivery system maintained by the UT College of Natural Sciences. Go to Quest system to log in to the Quest system for this class. This service requires a charge per student for its use, which goes toward the maintenance and operation of the resource. At some point during the semester, when you log into Quest you will be required to pay via credit card on a secure payment site. You may have the option to wait some time to pay while still continuing to use Quest for your assignments. But, at some point, you will be kicked off the system and not able to continue in our course; so be sure to pay up. If you are taking more than one course using Quest, there is a maximum Quest fee per semester you will have to pay. For payment questions, email quest.fees@cns.utexas.edu.

BTW: Quest doesn't record that you've viewed the videos. Don't worry about that. No one will be checking.

Class Notes:

All of the class slides will be available via links below. They will be made available as we cover new material and you are welcome to print them out or view them on-line. Slides are in PDF format (full size and in 4-ups). The PDF files can be viewed with Acroread.

A listing of the lectures for each week is here: Log of lectures. Slides are grouped into lectures, which are grouped into modules. Each week, you will cover one or more modules. Note that you must view the video associated with each lecture. It is not adequate to just read the slides.

Overview Talk:

Stakes of Cyber Insecurity: PDF-4up  PDF

Week 1: Module 1:

Lecture 1: Introduction PDF-4up  PDF

Lecture 2: Why Security is Hard PDF-4up  PDF

Lecture 3: Security as Risk Management PDF-4up  PDF

Lecture 4: Aspects of Security PDF-4up  PDF

Week 2: Module 2:

Lecture 5: Policies and Metapolicies PDF-4up  PDF

Lecture 6: A Policy Example: MLS PDF-4up  PDF

Lecture 7: MLS Example: Part II PDF-4up  PDF

Lecture 8: MLS Example: Part III PDF-4up  PDF

Lecture 9: MLS Example: Part IV PDF-4up  PDF

Lecture 10: Tranquility and BLP PDF-4up  PDF

Week 3: Module 3:

Lecture 11: Access Control Policies PDF-4up  PDF

Lecture 12: Lattice Based Security PDF-4up  PDF

Lecture 13: Covert Channels I PDF-4up  PDF

Lecture 14: Covert Channels II PDF-4up  PDF

Lecture 15: Covert Channels III PDF-4up  PDF

Lecture 16: Detecting Covert Channels PDF-4up  PDF

Week 4: Module 4:

Lecture 17: Non-Interference PDF-4up  PDF

Lecture 18: Non-Interference II PDF-4up  PDF

Week 4: Module 5:

Lecture 19: What is Integrity? PDF-4up  PDF

Lecture 20: Modeling Integrity PDF-4up  PDF

Lecture 21: Modeling Integrity: Biba PDF-4up  PDF

Lecture 22: Biba's Other Models PDF-4up  PDF

Week 5: Module 6:

Lecture 23: Lipner's Model PDF-4up  PDF

Lecture 24: The Clark-Wilson Model PDF-4up  PDF

Lecture 25: The Chinese Wall Policy PDF-4up  PDF

Lecture 26: Role-Based Access Control PDF-4up  PDF

Lecture 27: Storing the ACM PDF-4up  PDF

Week 6: Module 7:

Lecture 28: Information Theory PDF-4up  PDF

Lecture 29: Information Content PDF-4up  PDF

Lecture 30: Exploring Encodings PDF-4up  PDF

Lecture 31: Languages and Encodings PDF-4up  PDF

Lecture 32: Entropy PDF-4up  PDF

Lecture 33: Entropy II PDF-4up  PDF

Week 7: Module 8:

Lecture 34: Fundamental Theorems PDF-4up  PDF

Lecture 35: Entropy of English PDF-4up  PDF

Lecture 36: Entropy Odds and Ends PDF-4up  PDF

The midterm will only cover through here.

Week 7: Module 9:

Lecture 37: Cryptography PDF-4up  PDF

Lecture 38: Cryptography II PDF-4up  PDF

Lecture 39: Properties of Ciphers PDF-4up  PDF

Week 8: Module 10:

Lecture 40: Substitution Ciphers PDF-4up  PDF

Lecture 41: Using Information PDF-4up  PDF

Lecture 42: A Perfect Cipher PDF-4up  PDF

Lecture 43: Transposition Ciphers PDF-4up  PDF

Lecture 44: Symmetric vs. Asymmetric Encryption PDF-4up  PDF

Lecture 45: Stream and Block Encryption PDF-4up  PDF

Week 9: Module 11:

Lecture 46: Advanced Encryption Standard PDF-4up  PDF

Lecture 47: Modes of Usage PDF-4up  PDF

Lecture 48: Public Key Encryption PDF-4up  PDF

Lecture 49: Public Key Encryption II PDF-4up  PDF

Lecture 50: Cryptographic Hash Functions PDF-4up  PDF

Lecture 51: Key Exchange PDF-4up  PDF

Lecture 52: Diffie-Hellman Key Exchange PDF-4up  PDF

Week 10: Module 12:

Lecture 53: Digital Signatures PDF-4up  PDF

Lecture 54: Certificates PDF-4up  PDF

Lecture 55: Certificates II PDF-4up  PDF

Week 10: Module 13:

Lecture 56: Cryptographic Protocols PDF-4up  PDF

Lecture 57: Cryptographic Protocols II PDF-4up  PDF

Lecture 58: Cryptographic Protocols Abstractly PDF-4up  PDF

Week 11: Module 14:

Lecture 59: Attacks on Cryptographic Protocols PDF-4up  PDF

Lecture 60: The Needham-Schroeder Protocol PDF-4up  PDF

Lecture 61: Attacks on Needham-Schroeder PDF-4up  PDF

Lecture 62: The Otway-Rees Protocol PDF-4up  PDF

Lecture 63: Protocol Verification PDF-4up  PDF

Lecture 64: The BAN Logic PDF-4up  PDF

Lecture 65: The BAN Logic: Needham-Schroeder PDF-4up  PDF

Week 12: Module 15:

Lecture 66: PGP PDF-4up  PDF

Lecture 67: PGP Services PDF-4up  PDF

Lecture 68: PGP Services II PDF-4up  PDF

Lecture 69: PGP Key Management PDF-4up  PDF

Lecture 70: PGP Key Management II PDF-4up  PDF

Week 13: Module 16:

Lecture 71: Availability PDF-4up  PDF

Lecture 72: Availability II PDF-4up  PDF

Lecture 73: Intrusion Detection PDF-4up  PDF

Lecture 74: Anatomy of an Attack: CodeRed PDF-4up  PDF

Lecture 75: CodeRedII PDF-4up  PDF

Week 14: Module 17:

Lecture 76: Certification PDF-4up  PDF

Lecture 77: The Common Criteria PDF-4up  PDF

Lecture 78: Protection Profile Example PDF-4up  PDF

Lecture 79: Security Target Example PDF-4up  PDF

Lecture 80: CC Evaluations PDF-4up  PDF

That's all, folks!


There will very likely be 6 programming assignments over the course of the semester. They should be done in the Java programming language. If you don't know Java, discuss it with me and I may allow an alternative arrangement. Each student may work on programming assignments in collaboration with one other student. You don't have to choose a partner, but I suggest that you do, mainly to reduce the grading burden on the TAs. Make sure that all submissions clearly identify which students contributed to the project. You can switch partners between assignments.

You have another standing assignment: For each video you view, there are several short essay questions to be answered. Collectively, these questions are counted as equal to two programming assignments. They are linked below. It is expected that you will do these on your own; do not collaborate on these or access other students' work on GitHub or elsewhere. Doing so is cheating and will be dealt with harshly. The questions are typically due at 4pm on the Friday of the week they are assigned. You are strongly encouraged to attempt them before you come to class on Thursday so you can ask any questions you may have, and be prepared for a possible quiz. Weekly questions typically will not be accepted late.

Programs will be graded on a 10 point scale, and will be accepted up to two days late with a deduction of one point per day late (but only up to 2 days late). The number of days late is purely a function of the timestamp recorded when you submit the assignment. That means that you have until midnight on the due date to turn it in. If you turn it in one minute after midnight, it's a day late. So leave yourself plenty of time. BTW: "midnight" here means the end of the day, not the beginning of the day.

The TAs may turn off the turnin program after the due date, and accept late assignments by email. Please coordinate with the TAs regarding late submissions, or if you desire to re-submit an assignment following the due date.

Here are some general instructions for programming assignments: General Instructions. You should follow these for all programming assignments along with the instructions associated with each individual program.

After an assignment has been graded, it is your responsibility to check Canvas to see that your assignment grades have been posted correctly. It's not OK to complain at the end of the semester that some grades weren't posted or were posted incorrectly.

Instructions for turnin: Programs and question assignments will be submitted on Canvas.

Links to all assignments will appear below. Check this page often and be sure to check that any particular assignment or due date has not been changed. Each week expect one set of questions on the lectures. Programming assignments will come about every other week.

Questions Week 1: Week 1: Due 1/30

Questions Week 2: Week 2: Due 2/3. Please use this template for your answers: Week2 Template, and submit as a text file on Canvas.

Assignment 1: Due Friday, 2/10 by midnight

Questions Week 3: Week 3: Due 2/11. The template for your answers is here: Week 3 Template

Assignment 2: Due Friday, 2/24 by midnight

Questions Week 4: Week 4: Due 2/18. The template for your answers is here: Week 4 Template

Questions Week 5: Week 5: Due 2/25. The template for your answers is here: Week 5 Template

Questions Week 6: Week 6: Due 3/3. The template for your answers is here: Week 6 Template

Assignment 3: Due Friday, 3/10 by midnight

Questions Week 7: Week 7: Due 3/10

Questions Week 8: Week 8: Due 3/24

Questions Week 9: Week 9: Due 3/31

Assignment 4: Due Friday, 3/31

Questions Week 10: Week 10: Due 4/7

Assignment 5: Due Friday, 4/15

Questions Week 11: Week 11: Due 4/14

Questions Week 12: Week 12: Due 4/21

Questions Week 13: Week 13: Due 4/28

Questions Week 14: Week 14: Due 5/5

Assignment 6: Due Friday, 4/28


Short in-class quizzes may be given at any time. These will cover material previously covered or material in the mini-lectures you were expected to view. Material for a week is fair game for a Thursday quiz. The goal of quizzes is to test your understanding of the material and to give you an idea of the types of questions that will appear on tests. There will be no makeups for quizzes you miss, but any single quiz is only a small proportion of your final grade.


There will be two major tests during the semester: one just before Spring Break and another the final week of classes. Tests are closed-book, closed-notes tests, except that you may bring a single handwritten 3 x 5 inch index card of notes (both sides) for the midterm, and two such cards for the final. Your best study strategy is to review the class notes and ensure that you understand thoroughly the topics we have covered. Sample tests and vocabulary lists will be posted. The vocabulary list will also be passed out with the test.

The two exams will take place at our regular class time and location on March 9 and May 4. There will be no final exam during the finals period.

No laptops:

Students should not have laptops or other electronic devices open during class discussions. Copies of all slides are provided. Please just listen, ask questions, participate and absorb the material.

Grading policies:

Class attendance is mandatory for our two weekly meetings, and will be checked. Excessive unexcused absences will result in a reduced grade. If you don't plan to come to class regularly, please don't register for this class. Signing in for another student not present will be considered cheating by both students.

Grades are averaged using the weighting below:

Component               Percent
Attendance, Quizzes     10%
Assignments             40%
Midterm Exam            25%
Final Exam              25%

Course grades are assigned on the scale: A = 90-100; B = 80-90; etc. (I don't grade on the +/- grading system.) However, I reserve the right to be more generous than these ranges indicate. That is, I may enlarge any of these ranges; I will not shrink any range.

Scholastic Dishonesty:

Academic dishonesty will not be tolerated. See http://www.cs.utexas.edu/academics/conduct for an excellent summary of expectations of a student in a CS class.

All work must be the student's own effort (with the exception of paired effort on programs). Work by students in previous semesters is not your own effort. Don't even think about turning in such work as your own, or even using it as a basis for your work. We have very sophisticated tools to find such cheating and we use them routinely. Numerous students didn't heed this warning in past semesters and paid a heavy price. It's far better to get a 0 on an assignment than to cheat.

No deviation from the standards of scholastic honesty or professional integrity will be tolerated. Scholastic dishonesty is a serious violation of UT policy, and will likely result in an automatic F in the course and may result in further penalties imposed by the department or by the university. Don't do it. If you are caught, you will regret it. And if you're not caught, you're still a cheater.

Students with Disabilities:

Students with disabilities may request appropriate academic accommodations from the Division of Diversity and Community Engagement, Services for Students with Disabilities, 471-6259, http://www.utexas.edu/diversity/ddce/ssd. Be sure to provide me your accommodation letter as early as possible; setting up testing takes a bit of time.

Some Interesting Links:

As I find articles or websites that seem of interest to this class, I'll post them below. The most recent are at the top.

Live Map of Cyber Attacks
Top Certifications for 2017
Pretty good material on AES
Top Paying Certifications 2016
Top Paying CS Certifications
Which Engineers Make the Most
Navy Teaches Navigation as Backup
Hottest Tech Jobs 2016
Certifications Worth Having
Hottest Career Track: Cybersecurity
Value of a College Degree?
Could Google Rig the Election
Lessons from Larry Page
Demand for Cybersecurity pros booming
Freak Flaw Serious
Preserving Digital Data
Encryption Makes Reverse Engineering Difficult
Selling Vulnerabilities
Vulnerabilities Persist
Cyberwarriors Needed
Cyberattacks and Jobs
Great time to start a cybersecurity career
CS Enrollments Rocket
Chinese Hack
Untrusted Certificate
Attacks in 2014
Short of Cyberwarriors
Hackers Wanted
Health Hack Inevitable
Top IT Job Salaries
CS Enrollments Soaring
Cyberwarriors Needed
Security: A Higher Calling?
Covert Channels in Acoustical Networks
Homomorphic Encryption
Government doesn't follow best practice.
Adobe Encrypts Passwords
Women needed in Cybersecurity
Morris Worm at 25
Women in CS
Rijndael animation
Scholars for Service program
$1M Cyber challenge
Cybersecurity jobs
NSA breaking encryptions
Blocking Malware
Security jobs hot
Attracting security pros
Hacking Airplanes
Human side of cybercrime
IT Jobs Up, Degrees Down
Is RSA Obsolete?
Preventing Cyber Pearl Harbor

Cyberjobs Hot
Covert Channel between VMs
Anti-Virus Failures
Info on AES mixColumns
Peter Neumann
Experts needed
Govt wants hackers
Women, minorities in Security
This site contains a nice animation of AES-128: AES-128
Cute cartoon about Feistel ciphers
Encryption for the masses
Fully Secure OS?
iPad as Secure Device
protecting passwords
DoD Money for Hackerspaces
Cities with Most CS Jobs
Have Hackers Won?
Malware Pre-installed
Smother Cyber Attacks
Sale of Zero-day exploits
Algorithms rule the world
Hotel locks hacked
Cyber attacks
Flaw in AES
Zodiac Message
One Time Pad
Cyber Camp
Hot Skills for 2011
Cyber attack threat