CS 361: Spring, 2020
Introduction to Computer Security

Instructor: Dr. Bill Young

Unique number: 50578; Class time: MWF 9-10am; Location: PAR 301
Unique number: 50579; Class time: MWF 10-11am; Location: PAR 301
Office: GDC 7.810; Office Hours: Monday 1-3pm and by appointment
Office Phone: 471-9782; Email: byoung at cs.utexas.edu
TA: Vaibhav Sinha; Email: vaibhavsinha at utexas.edu
TA Office Hours: M 11am-12:30pm, GDC 1.302 Desk 4; W 11am-12:30pm, Desk 5
Proctor: Yikang Wang; Email: yikang.wang at utexas.edu;
Proctor Hours: Wed. 12:30-2pm, GDC 1.302 Desk 4 and 2-2:30pm: Desk 1
Proctor: Vivek Ramanathan; Email: vivekramanathan at utexas.edu;
Proctor Hours: Tues. 11am-noon (Desk 2) and noon-12:30PM (Desk 3), Fri. 11am-12:30pm (Desk 5)
This website: www.cs.utexas.edu/users/byoung/cs361/syllabus361.html

Important Class Announcements:

Breaking news important to the class will be posted here. Consult this spot often.

Your final test for the class will be next Wednesday, May 6 at class time. It will be conducted just like the midterm. At 9am or 10am, depending on which class you're registered for, I will send you the exam and a plain text answer sheet. You should fill in the answer sheet and return via email to me within an hour of receiving it. If you don't get it when you're expecting it, please send me an email. If this won't work for you for some reason, send me an email ASAP. Also, please just edit the text answer sheet I send; I don't want PDF, docx, Google Docs, or any other format that I have to open to print.

If you have given me an SSD letter allowing 1.5X time on the test, you can have 1.5 hours to return it to me. Please include a note in the email reminding me that you're allowed extra time.

The Final Exam will be held on Wednesday, May 6. It will be given in the same way as the Midterm, sent via email during your class period. A sample final is here: Sample Final. A vocabulary list is here: Vocabulary. You are allowed one 8 1/2 x 11 handwritten sheet of notes and the vocabulary sheet. That's more than the two cards previously indicated. You are not allowed any additional resources whether human, on paper, or electronic. I am trusting you to be honorable and honest in taking the exam.

You should have received email indicating that the electronic course evaluation is now available for you to complete. This has been a crazy semester, so please don't blame us for stuff outside our control. Upload on Canvas a screen shot of the page showing you've done it, and you'll receive 1% toward the final exam score. That means that your final exam score will be raised by 1%.

All office hours will be held via Zoom meetings. See the Zoom page under Canvas for the hours.

I hope you are all well. We are moving to an entirely new schedule for the remainder of the semester, due to the Covid-19 situation. There will be no more in-class meetings. All of the instruction will be electronic. Please read carefully the information below under the new section: Important New Information on Online Instruction. It will explain how the course will be conducted.

Lab6 is here: Assignment 6. It's due May 7, which is the day after your Final Exam. This one should be kind of fun.

Lab5 is here: Lab5: due 4/24. This asks you to implement the AES encryption algorithm. There's a pretty good animation here: AES Animation, but there's lots of others on YouTube. The hardest step is mixColumns. If you try it and can't get it, ask me and I'll give you some code, but try it first.

Here's a draft of Lab4:Assignment 4. It's due April 10. You can work with another student or alone.

Here's a draft of Lab3: Lab3. Note that it's due the Friday before Spring Break, so you may want to start early so you can finish early. We also have our midterm exam on Wed. of that week.

Dr. Young's office is GDC 7.810 in the south wing. You have to take the south elevator, because the two towers don't connect on the 7th floor.

Feel free to email me (Send me an email message), but please put "CS361" in the header. I'm also teaching CS429 this semester and it gets confusing.

Course Description:

CS 361 is an introduction to foundations of computer security, one of the "hottest" and most relevant areas of computing today. This is a course in the foundational aspects of security; not a course giving you practice in hacking. The student will develop an intuition about what computer security means, both in the abstract and in the context of real systems; be able to recognize potential threats to confidentiality, integrity and availability; be aware of some of the underlying formalisms and technologies that attempt to address these challenges; and become conversant with current security-related issues in the field.

Topics to be covered may include:

  1. Scope of the security problem;
  2. Various views of computer security;
  3. Security policies;
  4. Formalizing security properties;
  5. Elementary information theory;
  6. Elementary cryptography;
  7. Cryptographic protocols;
  8. Authentication;
  9. Risk assessment;
  10. Malicious logic;
  11. System evaluation and certification.

Important New Information on Online Instruction

Several times previously, I taught this course with a blended format; we're moving to that format for the rest of the semester. "Blended" means that a large portion of the course content is delivered on-line. Videotaped mini-lectures will be made available on-line via UT's Quest system: Quest system. You will view these instead of coming to class and answer a series of questions on-line. There will be no in-person class meetings, but I will be available to answer questions via Piazza. I plan also to set up a Zoom meeting for office hours, but haven't done that yet.

We'll also have two exams. Those will be given remotely at class time. More info on that will be forthcoming.

Note: This is not a self-paced course. A chart of the material for each week is here: Log of lectures. Note that we are beginning this schedule in Week 9. You must view the mini-lectures and do the on-line portions as they are assigned. You will have 2-3 more programming assignments over the remainder of the semester.

BTW: Quest doesn't record that you've viewed the videos. Don't worry about that. No one will be checking.

A listing of the lectures for each week is here: Log of lectures. Slides are grouped into lectures, which are grouped into modules. Each week, you will cover one or more modules. Note that you must view the video associated with each lecture. It is not adequate to just read the slides.

I'm including some earlier weeks here just for some context, but we're actually starting Week 9 after the break.

Week 7: Module 9:

Lecture 37: Cryptography PDF-4up  PDF

Lecture 38: Cryptography II PDF-4up  PDF

Lecture 39: Properties of Ciphers PDF-4up  PDF

Week 8: Module 10:

Lecture 40: Substitution Ciphers PDF-4up  PDF

Lecture 41: Using Information PDF-4up  PDF

Lecture 42: A Perfect Cipher PDF-4up  PDF

Lecture 43: Transposition Ciphers PDF-4up  PDF

Lecture 44: Symmetric vs. Asymmetric Encryption PDF-4up  PDF

Lecture 45: Stream and Block Encryption PDF-4up  PDF

Week 9: Module 11:

Lecture 46: Advanced Encryption Standard PDF-4up  PDF

Lecture 47: Modes of Usage PDF-4up  PDF

Lecture 48: Public Key Encryption PDF-4up  PDF

Lecture 49: Public Key Encryption II PDF-4up  PDF

Lecture 50: Cryptographic Hash Functions PDF-4up  PDF

Lecture 51: Key Exchange PDF-4up  PDF

Lecture 52: Diffie-Hellman Key Exchange PDF-4up  PDF

Week 10: Module 12:

Lecture 53: Digital Signatures PDF-4up  PDF

Lecture 54: Certificates PDF-4up  PDF

Lecture 55: Certificates II PDF-4up  PDF

Week 10: Module 13:

Lecture 56: Cryptographic Protocols PDF-4up  PDF

Lecture 57: Cryptographic Protocols II PDF-4up  PDF

Lecture 58: Cryptographic Protocols Abstractly PDF-4up  PDF

Week 11: Module 14:

Lecture 59: Attacks on Cryptographic Protocols PDF-4up  PDF

Lecture 60: The Needham-Schroeder Protocol PDF-4up  PDF

Lecture 61: Attacks on Needham-Schroeder PDF-4up  PDF

Lecture 62: The Otway-Rees Protocol PDF-4up  PDF

Lecture 63: Protocol Verification PDF-4up  PDF

Lecture 64: The BAN Logic PDF-4up  PDF

Lecture 65: The BAN Logic: Needham-Schroeder PDF-4up  PDF

Week 12: Module 15:

Lecture 66: PGP PDF-4up  PDF

Lecture 67: PGP Services PDF-4up  PDF

Lecture 68: PGP Services II PDF-4up  PDF

Lecture 69: PGP Key Management PDF-4up  PDF

Lecture 70: PGP Key Management II PDF-4up  PDF

Week 13: Module 16:

Lecture 71: Availability PDF-4up  PDF

Lecture 72: Availability II PDF-4up  PDF

Lecture 73: Intrusion Detection PDF-4up  PDF

Lecture 74: Anatomy of an Attack: CodeRed PDF-4up  PDF

Lecture 75: CodeRedII PDF-4up  PDF

Week 14: Module 17:

Lecture 76: Certification PDF-4up  PDF

Lecture 77: The Common Criteria PDF-4up  PDF

Lecture 78: Protection Profile Example PDF-4up  PDF

Lecture 79: Security Target Example PDF-4up  PDF

Lecture 80: CC Evaluations PDF-4up  PDF

That's all, folks!

Below are the questions that you'll be answering each week. Questions should be turned in on Friday that same as you've been doing previously. Collectively, these questions are counted as equal to two programming assignments. They are linked below. It is expected that you will do these on your own; do not collaborate on these or access other students' work on GitHub or elsewhere. Doing so is cheating and will be dealt with harshly. The questions are typically due at midnight Friday of the week they are assigned. Weekly questions typically will not be accepted late.

Questions Week 9: Week 9

Questions Week 10: Week 10

Questions Week 11: Week 11

Questions Week 12: Week 12

Questions Week 13: Week 13

Questions Week 14: Week 14

InfoSec Certification:

Notice that CS students at UT have the option of completing a number of security-related courses and receiving a certification in security. Our security offerings are in flux, so the specific requirements may vary somewhat. If you have questions about that, feel free to contact me.

Using Piazza:

We will be using Piazza for class communication. The Piazza system is highly catered to getting you help quickly and efficiently from classmates, the TAs, and myself. Rather than emailing questions to the teaching staff, I encourage you to post your questions on Piazza. If you turn off the announcements from Piazza you might miss an important announcement. Don't do it! If you have any problems or feedback for the developers, email team@piazza.com. You will be automatically enrolled in Piazza; but you can also enroll yourself.

Using Canvas:

You will submit most assignments on Canvas and that's where assignment, quiz and test grades will be posted. It is your responsibility to check grades on Canvas and verify their correctness. If you think there is an issue or omission, call it to our attention immediately. However, I don't use Canvas to compute your course grade. If you consult the running average on Canvas, you'll just be confused, so I advise you not to do it. Information on how to compute your class average is given below.


You are expected to have taken and passed the following courses (or equivalent) with a grade of at least C-: Computer Science 311, 311H, 313H, or 313K; Computer Science 314, 314H, 315, or 315H; Computer Science 310, 310H, 429, or 429H; and Mathematics 408C, 408K, or 408N. If you don't have the prerequisites, be sure to clear it with the CS department or risk being dropped from the class.


There is no textbook. If you would like a book for reference purposes, ask me and I can suggest one. All of the lectures, slides, and supplementary materials are on-line.

Class Notes:

All of the class slides and lecture slides will be available via links below. They will be made them available as we cover new material and you are welcome to print them out or view them on-line. Slides are available in 4-up PDF and full size PDF. These PDF files can be viewed with Acroread. I suggest that if you plan to print them, print the 4ups and save some trees.

Slide set 1: What is Security? PDF-4up  PDF

Slide set 2: Policies and Channels, Part I PDF-4up  PDF

Slide set 2b: Covert Channels and Non-Interference PDF-4up  PDF

Proof of Unwinding Theorem: PS  PDF

Slide set 3: Policies and Channels, Part II PDF-4up  PDF

Slide set 4: Information Theory PDF-4up PDF

Slide set 5: Cryptography I PDF-4up PDF

Slide set 6: Cryptography II PDF-4up PDF

Programming Assignments:

There will be several (probably 6) programming assigments over the course of the semester. These should be done in the Java programming language. Each student may work on programming assignments individually or in collaboration with one other student. Make sure that all submissions clearly identify which students contributed to the project.

The TA will mainly be responsible for grading programs. Concerns about your program grades should be addressed first with the TA, and only with Dr. Young if you can't obtain satisfaction there. Programs will be graded on a 10 point scale with 1 point deducted for each day the program is late. The number of days late is purely a function of the timestamp recorded when you submit the assignment.

Links to the assignments will appear below. Check this page often and be sure to check that any particular assignment or due date has not been changed.

Your first lab is here: Lab1: due Wednesday, 2/12 by 11:59pm.

Lab2: Lab2

Lab3: Lab3

Lab4:Assignment 4.

Lab5: Assignment 5

After an assignment has been graded, it is your responsibility to check Canvas to see that your assignment grades have been posted correctly. It's not OK to complain at the end of the semester that some grades weren't posted or were posted incorrectly.

Until recently, I was unaware that FERPA prohibits instructors from discussing grades with students over email. However, I can do so if you give me explicit permission. So, if you ask me via email for an update on your grades or how you're doing in the class, I will have to decline unless you explicitly say that you're OK with me providing an email response. Otherwise, you can always see me in person.

Weekly Homeworks:

In addition to the programming assignments, there will also be weekly written homeworks. These will be short written questions to ensure that you're following the material in class. These will be submitted on Canvas. The weekly homeworks count collectively the same as one lab.

Here is your first set of weekly questions: Week1 Questions: due 2/5 by midnight.

Week2 Questions: Due 2/10 by midnight.

Week3 Questions: Due 2/14 by midnight.

Week4 Questions: Due 2/21.

Week5 Questions: Due 2/28.


Short in-class quizzes may be given at any time. These will cover material previously covered or material in the lectures. The goal of quizzes is to test your understanding of the material and to give you an idea of the types of questions that will appear on tests. There will be no makeups for quizzes you miss so please don't ask, but any single quiz is only a small proportion of your final grade.


There will be two major tests during the semester: a midterm and final. Tests are closed-book, closed-notes tests, except that you may bring a single handwritten 3 x 5 inch index card of notes (both sides) for the midterm, and two such cards for the final. Your best study strategy is to review the class notes and ensure that you understand thoroughly the topics we have covered. Sample tests and vocabulary lists will be posted.

The midterm is tentatively re-scheduled for Wednesday, April 8. The final test will be the last week of classes. There will be no final during the final exam period.

No laptops:

Students should not have laptops or other electronic devices open during class discussions. Copies of all slides are provided. Please just listen, ask questions, participate and absorb the material.

Grading policies:

Class attendance is mandatory for our three weekly meetings, and will be checked. Excessive unexcused absences will result in a reduced grade. If you don't plan to come to class regularly, please don't register for this class. Signing in for another student not present will be considered cheating by both students.

Grades for the entire course tentatively will be averaged using the weighting below:

Component Percent
Attendance, Quizzes and Participation10%
Labs and Homeworks 40%
Midterm Exam 25%
Final Exam 25%

Your course grade is then assigned according to the following:

Course score Grade
[90... 93)A-
[87... 90)B+
[83... 87)B
[80... 83)B-
[77... 80)C+
[73... 77)C
[70... 73)C-
[65... 70)D+
[60... 65)D
[ 0... 60)F

This is tentative. The grades may be curved and may be a bit more generous than this. They will not be less generous. That is, if you have a 93 you are guaranteed an A; but somone who gets an 92 might also get an A, depending on the final distribution of grades in the class.

A course grade of at least C- is required for this course to count toward a UT CS degree.

Scholastic Dishonesty:

Academic dishonesty will not be tolerated. See http://www.cs.utexas.edu/academics/conduct for an excellent summary of expectations of a student in a CS class.

All work must be the student's own effort, except that students may work in pairs on programs. Work by students in previous semesters or code that you find on-line is not your own effort. Don't even think about turning in such work as your own, or even using it as a basis for your work. We have very sophisticated tools to find such cheating and we use them routinely. It's far better to get a 0 on an assignment than to cheat.

Apparently, many students begin every assignment by immediately going to Google, trying to find something that might keep them from having to solve the problem for themself. That is an incredibly stupid thing to do. If you as much as Google "solution to XXXLab," you're already starting down a slippery slope that's liable to send you over the edge. Suppose you find something up to and including a complete solution that some idiot has posted on GitHub; it will be too tempting not to use it. You may naively believe that changing variable names and reordering code will keep you from being caught. With very high likelihood, that's not true. Every semester, students learn this the hard way. It's just not worth it!

Remember the lesson of Virginia Attorney General Mark Herring. In 1980, as a 19 year old college student, Herring wore blackface to a party. In 2019, 39 years later, that one stupid adolescent decision almost cost him his career. Stupid things you do now can affect you for the rest of your life! Getting caught cheating is one of those things that can haunt you forever. Don't do it!

Also, don't post your work on any publicly available site, such as GitHub or Course Hero. It's understandable that you're proud of your work, but this just invites copying for students this semester and in subsequent semesters. If someone copies your work, even without your knowledge, you will both be liable to punishment, even in subsequent semesters. Here's what Mike Scott said when I mentioned this issue to him:

I have submitted cases to Student Judicial Services for past students who have posted code from CS314 and CS312 to public repos and current students used it to cheat. Not much SJS can do grade wise, but it is recorded and they often have to write an essay about the matter.
I plan to follow Mike's lead here. There are other services such as BitBucket that have private repositories; you can grant selective access to instructors and to potential employers.

Also, don't repost my slides or any other class materials on CourseHero or any other public repository. Consider all course materials to be copyright. You can get into serious legal problems violating copyright laws, and you will certainly have problems with me if you do this.

No deviation from the standards of scholastic honesty or professional integrity will be tolerated. Scholastic dishonesty is a serious violation of UT policy; and will likely result in an automatic F in the course and in further penalties imposed by the department and/or by the university. Don't do it! If you are caught, you will deeply regret it. And even if you're not caught, you're still a cheating low-life.

Students with Disabilities:

Students with disabilities may request appropriate academic accommodations from the Division of Diversity and Community Engagement, Services for Students with Disabilities, 471-6259, http://www.utexas.edu/diversity/ddce/ssd.

Typically, students allowed extra time or a quiet testing environment will take exams in a conference room on GDC 7 South at the same time as the regular exam. The TA or proctor will supervise the exam. If you are allowed such accommodations, be sure to get me your SSD letter well in advance of the test since I will need to arrange someone to proctor your test. Please be flexible with respect to time, etc.

Some Interesting Links:

As I find articles or websites that seem of interest to this class, I'll post them below. The most recent are at the top.

Traits for Cybersecurity Job Candidates
What Makes a Strong Password
Password Complexity
Russia's Cyberwar on Ukraine
Most Critical Skills Gap
Covert Channel Example
New Randomness Method
Typosquatting Package Managers
Skill in Demand: Incident Response Manager
Tips on Resume Writing
Pretty good material on AES
Top Paying Certifications 2016
Public Key Encryption
Top Paying CS Certifications
Which Engineers Make the Most
Navy Teaches Navigation as Backup
Hottest Tech Jobs 2016
Certifications Worth Having
Hottest Career Track: Cybersecurity
Value of a College Degree?
Could Google Rig the Election
Lessons from Larry Page
Demand for Cybersecurity pros booming
Freak Flaw Serious
Live Map of Cyber attacks
Preserving Digital Data
Encrytion Make Reverse Engineering Difficult
Selling Vulnerabilities
Vulnerabilities Persist
Cyberwarriors Needed
Cyberattacks and Jobs
Great time to start a cybersecurity career
CS Enrollments Rocket
Chinese Hack
Untrusted Certificate
Attacks in 2014
Demand for Cybersecurity pros booming
Freak Flaw Serious
Live Map of Cyber attacks
Preserving Digital Data
Encrytion Make Reverse Engineering Difficult
Selling Vulnerabilities
Vulnerabilities Persist
Cyberwarriors Needed
Cyberattacks and Jobs
Short of Cyberwarriors
Hackers Wanted
Health Hack Inevitable
Top IT Job Salaries
CS Enrollments Soaring
Cyberwarriors Needed
Security: A Higher Calling?
Covert Channels in Acoustical Networks
Homomorphic Encryption
Government doesn't follow best practice.
Adobe Encrypts Passwords
Women needed in Cybersecurity
Morris Worm at 25
Women in CS
Rijndael animation
Scholars for Service program
$1M Cyber challenge
Cybersecurity jobs
NSA breaking encryptions
Blocking Malware
Security jobs hot
Attracting security pros
Hacking Airplanes
Human side of cybercrime
IT Jobs Up, Degrees Down
Is RSA Obsolete?
Preventing Cyber Pearl Harbor

Cyberjobs Hot
Covert Channel between VMs
Anti-Virus Failures
Info on AES mixColumns
Peter Neumann
Experts needed
Govt wants hackers
Women, minorities in Security
This site contains a nice animation of AES-128: AES-128
Cute cartoon about Feistel ciphers
Encryption for the masses
Fully Secure OS?
iPad as Secure Device
protecting passwords
DoD Money for Hackerspaces
Cities with Most CS Jobs
Have Hackers Won?
Malware Pre-installed
Smother Cyber Attacks
Sale of Zero-day exploits
Algorithms rule the world
Hotel locks hacked
Cyber attacks
Flaw in AES
Zodiac Message
One Time Pad
Cyber Camp
Hot Skills for 2011
Cyber attack threat