CS 453/698 - Software and Systems Security
Overview: This page has (tentative) basic info about the course itself and is subject to change with sufficient notice. The official course outline can also be viewed by enrolled students. Check the course LEARN site for more.
Time & Place: Class will occur from 8:30-9:50 am every Monday and Wednesday. We will have in-person lectures. See the LEARN site for the in-person location (see Course Information page under the Content tab).
Grading
| Component | Number | Total Weight |
| Assignments | 3 | 30% |
| Quizzes | 4 | 40% |
| Research Project | 1 | 30% |
| Project Proposal | 1 | 5% |
| Midterm Progress | 1 | 10% |
| Final Project | 1 | 15% |
Assignments
There are three graded assignments; each is take-home, self-contained, and individually-graded. Their goals are to: (1) warm you up for and deepen your understanding of the course material; (2) show how the concepts apply to real-world software; and (3) give you practical, working examples of technologies that you may use in your project, if applicable. Each assignment has 10% weight on the final grade. The assignment topics are below:
Assignment 1: Automated software bug discovery
Assignment 2: Attacks and defenses on compartmentalization
Assignment 3: TEE-based security services
Quizzes
Students are also evaluated based on quizzes of lecture content. Four quizzes will be given, each marking the end the of content for a particular course sub-topic. The best 3 quiz grades count towards the final grade. Therefore, makeup quizzes are only offered for students who have missed two or more quizzes. Each quiz occurs during the first 15-20 minutes of the scheduled class date. Below are the details about the topics evaluated in each quiz:
Quiz 1: Program/system abstractions, memory errors, race conditions
Quiz 2: Fuzzing, symbolic execution, memory safety, software diversification, run-time integrity
Quiz 3: OS Security & malware, compartmentalization, access control
Quiz 4: Attestation vs. Authentication, Supply-chain security, TPMs, Intel SGX, TrustZone, Side channel attacks
Research Projects
Students will form teams of 4-5 students (TBD based on final enrollment) to complete a research project related to the course topics. Acceptable topics can be discussed with the instructor and TA(s) in class and during office hours. The research project should follow (and will be evaluated according to) the following guidelines:
Project Proposal: A 1-page project proposal must be submitted to LEARN and briefly presented in class by the group. This will be an opportunity to receive feedback from the instructor and classmates on the proposed project. The project proposal should include at least an introduction, a statement about the problem being addressed, an initial review of the related literature.
Midterm progress: A 4-page midterm project report should be submitted to LEARN. The midterm report should extend the project proposal to have a comprehensive literature review and a plan of action along with the plan's rationale. Successful midterm reports must demonstrate substantial progress since the project proposal submission - specifically as it relates to actual design, implementation, and evaluation.
Final: Teams will be asked to present their final results and are welcome to demo any prototype/implementation (if applicable). A written final report (6-8 pages) describing the project idea, design, implementation, challenges, and results should be delivered by the end of the term. The report should be structured as a typical research paper and contain at least: (1) introduction & motivation; (2) appropriately cited references and a discussion on relevant prior work on the field; (3) clearly discuss the idea rationale; (4) describe any implementation and/or security analysis (including figures); (5) report on any experimental results (including figures); (6) outline lessons learned, limitations, and potential future directions.
Ideally, these project components all build on each other. For example, (1-3) from the final report ideally are completed after completing the project proposal. The midterm report contains a refined (1-3) based on instructor feedback and a partially completed (4-5). By the time the final presentation and report arrive, it ideally only involve extending the midterm report to complete (4-5) and add (6).
I am not strict about templates/formats. However, you should not use a format for the report that totally abuses white space or font sizes. I recommend USENIX conference template, but an ACM or IEEE template will do as well.
Tentative Schedule
Key: Important date Class Meeting Assignment due Quiz/Presentation Holiday
| Week | Mon. | Tues. | Wed. | Thurs. | Fri. |
| 1 |
Jan. 5 Classes start Topic: Course Intro. |
Jan. 6 . . |
Jan. 7 . Topic: Crypto Background |
Jan. 8 . . |
Jan. 9 . . |
| 2 |
Jan. 12 . Topic: Program Abstractions |
Jan. 13 . . |
Jan. 14 . Topic: Memory Errors |
Jan. 15 . . |
Jan. 16 Add period ends . |
| 3 |
Jan. 19 . Topic: Race Conditions |
Jan. 20 . . |
Jan. 21 Quiz 1 Topic: Fuzzing |
Jan. 22 . . |
Jan. 23 Drop period ends . |
| 4 |
Jan. 26 . No Class (Weather) |
Jan. 27 . . |
Jan. 28 . Topic: Symbolic Execution |
Jan. 29 . List of project members due |
Jan. 30 . Assignment 1 Due |
| 5 |
Feb. 2 . Topic: Memory safe architectures |
Feb. 3 . . |
Feb. 4 . Topic: Software Diversification |
Feb. 5 . . |
Feb. 6 . . |
| 6 |
Feb. 9 . Topic: Run-time Integrity |
Feb. 10 . . |
Feb. 11 . Topic: Proposal Presentations |
Feb. 12 . . |
Feb. 13 . Proposal Report Due |
| 7 |
Feb. 16 Reading Week Topic: No Class |
Feb. 17 Reading Week . |
Feb. 18 Reading Week Topic: No Class |
Feb. 19 Reading Week . |
Feb. 20 Reading Week . |
| 8 |
Feb. 23 Quiz 2 Topic: OS Security & Malware |
Feb. 24 . . |
Feb. 25 . Topic: Compartmentatlization |
Feb. 26 . . |
Feb. 27 . . |
| 9 |
Mar. 2 . Topic: Access Control |
Mar. 3 . . |
Mar. 4 Quiz 3 Topic: Authentication & Attestation |
Mar. 5 . . |
Mar. 6 . Assignment 2 Due |
| 10 |
Mar. 9 . Topic: Supply-chain security |
Mar. 10 . . |
Mar. 11 .Topic: TPMs |
Mar. 12 . . |
Mar. 13 . . |
| 11 |
Mar. 16 . Topic: TEEs and Intel SGX |
Mar. 17 . . |
Mar. 18 . Topic: TrustZone & Android |
Mar. 19 . . |
Mar. 20 Midterm report Due . |
| 12 |
Mar. 23 . Topic: Side channel attacks |
Mar. 24 . . |
Mar. 25 Quiz 4 Topic: Ethics & Law |
Mar. 26 . . |
Mar. 27 Assignment 3 Due . |
| 13 |
Mar. 30 . Topic: Project Presentations |
Mar. 31 . . |
Apr. 1 Last lecture Topic: Project Presentations |
Apr. 2 . . |
Apr. 3 Good Friday . |
| 14 |
Apr. 6 Make up day Follows friday Schedule |
Apr. 7 . . |
Apr. 8 . . |
Apr. 9 Final exams begin . |
Apr. 10 . . |
| 15 |
Apr. 13 . . |
Apr. 14 . . |
Apr. 15 . . |
Apr. 16
. . |
Apr. 10 . . |
| 16 |
Apr. 20 . . |
Apr. 21 . . |
Apr. 22 . . |
Apr. 23
Final exams end Final Project Report Due |
Apr. 24 . . |
Instructor Contact & Office Hours
Students are welcome to contact me any time via email. Office hours are once a week (see the LEARN site for time and location). If you cannot meet at the allotted time and would like to meet, it is no problem- just shoot me an email to set it up.
Late or Missed Content
For quizzes, the best 3 out of 4 are considered for grading. If a student misses two quizzes, they can make up the second quiz up to 1 week after the administered time if students have presented a valid Verification of Illness Form to their corresponding faculty/department (e.g., for students in the Math faculty, please follow instructions here).
Assignment Screening
No automated assignment screening will be utilized within this course.
Generative AI Policy
Generative artificial intelligence (GenAI) trained using large language models (LLM) or other methods to produce text, images, music, or code, like Chat GPT, DALL-E, or GitHub CoPilot, may be used under specific conditions in this course with proper documentation, citation, and acknowledgement. Permitted uses of and expectations for using GenAI will discussed in class and outlined on assignment instructions.Administrative Policy
Mental Health: At the University of Waterloo, we are dedicated to supporting your mental and emotional well-being. Our Counselling Services offer confidential support, including individual counselling, workshops, and crisis intervention. If you're struggling, please reach out for help at 519-888-4096 or visit their website for more information.
Academic integrity: In order to maintain a culture of academic integrity, members of the University of Waterloo community are expected to promote honesty, trust, fairness, respect and responsibility. Check the Office of Academic Integrity webpage for more information.
Grievance: A student who believes that a decision affecting some aspect of their university life has been unfair or unreasonable may have grounds for initiating a grievance. Read Policy 70, Student Petitions and Grievances, Section 4. When in doubt, please be certain to contact the department’s administrative assistant who will provide further assistance.
Discipline: A student is expected to know what constitutes academic integrity to avoid committing an academic offence, and to take responsibility for their actions. Check the Office of Academic Integrity for more information. A student who is unsure whether an action constitutes an offence, or who needs help in learning how to avoid offences (e.g., plagiarism, cheating) or about “rules” for group work/collaboration should seek guidance from the course instructor, academic advisor, or the undergraduate associate dean. For information on categories of offences and types of penalties, students should refer to Policy 71, Student Discipline. For typical penalties, check Guidelines for the Assessment of Penalties.
Appeals: A decision made or penalty imposed under Policy 70, Student Petitions and Grievances (other than a petition) or Policy 71, Student Discipline may be appealed if there is a ground. A student who believes they have a ground for an appeal should refer to Policy 72, Student Appeals.
Note for students with disabilities and disabling conditions: The University of Waterloo recognizes its obligations under the Ontario Human Rights Code to accommodate students with known or suspected disabilities and disabling conditions (e.g. medical conditions, injuries, impacts of trauma such as from violence or discrimination) to the point of undue hardship. To support this obligation, AccessAbility Services (AAS) collaborates with all academic departments and schools to facilitate academic accommodations for students with disabilities and disabling conditions without compromising the academic integrity of the curriculum. If you believe you may require academic accommodations (e.g., testing accommodations, classroom accommodations), register with AAS as early in the term as possible by completing the online application. Students already registered with AAS must activate their accommodations for each of their courses at the beginning of each term using AAS' online system. If you require assistance, contact AAS by phone (519-888-4567 ext. 35082), email (access@uwaterloo.ca) or in-person (Needles Hall North, 1st Floor, Room 1401).