CSCI 5413: Security and Ethical Hacking

Instructor: Dr. Ahmed M. Hamza

Email: ahmed.hamza@colorado.edu

Web: /cs/ahmed-hamza

Course Description

This is a hands-on course about several areas in computer security. Teaches basic exploit design and development through hands-on experimentation and testing. Uses a controlled environment to give students a "playground" in which to test penetration skills that are normally not allowed on live networks.

Course Texts

All course materials are digitally available and free. There are no texts, per se, but we will benefit from several references that will be posted on the Learning Management System, Canvas.

Grading

  • Two Exams: 40% Total
  • Labs: 50% (of which the research paper for 5413 counts as one assignment, or around 8%)
  • Quizzes: 10%

Prerequisites

Basic familiarity with the following is helpful, and to some degree assumed:

  • Architecture (you know assembly language and computer organization)
  • Networks (you know what ARP, DHCP, DNS, UDP, TCP/IP, ICMP do and how they work; you know the basics of Ethernet and 802.11; you know what NAT is, what a gateway is, what a firewall is, and the difference between a switch and a router)
  • Operating Systems (you know what a kernel is, you understand processes, threads, virtual memory, file systems, dynamic linkers, machine virtualization, etc.)
  • Programming Languages (you know how high-level languages are converted into machine code, how parameters are passed; you've seen and are familiar with a wide variety of languages)
  • Web technology (you know the basic set-ups for common web-technology platforms)

Ideally, you will have some exposure and experience with the following as well:

  • System Administration (you have administered at least your own machine and perhaps a few others; you have experience with Windows and Unix/Linux)
  • Security Issues (you know the basics of password strength, perhaps you know how /etc/passwd works on Unix; you know what a DoS attack is)
  • Application Frameworks (you know how most major network services work like SMTP, FTP, HTTP, SSH; you know web-based technology)
  • Polyglot (you know a few languages like Bourne/bash, C, C++, Java, Perl, Python, Ruby, PHP, HTML, Javascript, SQL)

Course Topics

Tentative Schedule

Module 1 (4-5 weeks) Cryptographic attacks, Network attacks and manipulation, Network discovery and mapping, Lateral Movement in the Network

Module 2 (6 weeks) Unix security model and post-exploitation, privilege escalation and evasion.

Module 3 (3-4 weeks) Intro to memory and memory corruption exploits, buffer overflows, vulnerability discovery & debugging, stack-based exploitation, mitigations and bypasses, disclosure and reporting, attacks on AI and the web (time permitting).

Dzپ

Graded exercises/lab work will be handed in on Canvas, due at 9 PM on the Thursday following each week in which such work is assigned.

Computing Resources through VDI/vSphere will be provided, details posted on Canvas when ready.

Late Work

Work submitted late makes things difficult for all (graders, etc.), and will generally not be accepted unless excused in advance of the due date. There will be a general penalty of 40% of the marks, for work submitted up to one week late. If there are any extenuating circumstances, please contact me ahead of time so we can work around it.

Guidance on LLM Usage

This policy on generative AI/text model use with Large Language Models is meant to aid learning efforts and practical considerations while supporting academic integrity, and the overarching goal of derived value from the course.

Use of any such tools is prohibited in all quizzes and exams, and in the production of creative written works (papers or write-ups) in natural language.

Use is allowed in other areas, where smaller snippets and suggestions are utilized for productivity, upon careful verification, full understanding, and documentation (e.g., a known function code for a numerical approximation, or a translation of that code from one language to another).

In all cases where (even small) pieces of information or code are not understood enough to be documented/explained, or cannot be verified, use is prohibited. This is both to ensure high-quality learning and safe output.

Context/Reasoning:

In the course areas where use is permitted (i.e., outside of creative works and exams), you are allowed to use online tools to help your productivity and augment your learning sources, and these tools should be thought of like any "outside source", such as a forum posting or a blog source. But generative language tools are inherently “anonymous”/nonauthoritative, and have a unique ability to present confidently detailed information that is partially or even entirely false, which presents a challenge for us users, particularly in a learning environment. You cannot blindly depend on the info.

As a result -- the one guiding principle I encourage when deciding on use: can it be verified? And do I understand it enough to know if it is correct (or safe, robust, reliable, etc.)?

Make sure to only use internet sources (including Language Models) in scenarios when the information is both understood and can be verified as sound. This holds regardless of the reported “accuracy level” or benchmarked ability the tool is marketed to have. Otherwise, you will need to invest more time verifying the output than you are saving with the use of the tool, so it may be counter-productive, compared to a manual web search.

Classroom Behavior

Students and faculty are responsible for maintaining an appropriate learning environment in all instructional settings, whether in person, remote, or online. Failure to adhere to such behavioral standards may be subject to discipline. Professional courtesy and sensitivity are especially important with respect to individuals and topics dealing with race, color, national origin, sex, pregnancy, age, disability, creed, religion, sexual orientation, gender identity, gender expression, veteran status, marital status, political affiliation, or political philosophy.

For more information, see the classroom behavior policy, the Student Code of Conduct, and the Office of Institutional Equity and Compliance.

Accommodation for Disabilities, Temporary Medical Conditions, and Medical Isolation

If you qualify for accommodations because of a disability, please submit your accommodation letter from Disability Services to your faculty member in a timely manner so that your needs can be addressed. Disability Services determines accommodations based on documented disabilities in the academic environment. Information on requesting accommodations is located on the Disability Services website. Contact Disability Services at 303-492-8671 or DSinfo@colorado.edu for further assistance. If you have a temporary medical condition, see Temporary Medical Conditions on the Disability Services website.

If you have a temporary illness, injury or required medical isolation for which you require adjustment, please contact your CM and myself as soon as possible.

Preferred Student Names and Pronouns

CU Boulder recognizes that students' legal information doesn't always align with how they identify. Students may update their preferred names and pronouns via the student portal; those preferred names and pronouns are listed on instructors' class rosters. In the absence of such updates, the name that appears on the class roster is the student's legal name.

Honor Code

All students enrolled in a CU Boulder course are responsible for knowing and adhering to the Honor Code. Violations of the Honor Code may include but are not limited to: plagiarism (including use of paper writing services or technology [such as essay bots]), cheating, fabrication, lying, bribery, threat, unauthorized access to academic materials, clicker fraud, submitting the same or similar work in more than one course without permission from all course instructors involved, and aiding academic dishonesty. Understanding the course's syllabus is a vital part in adhering to the Honor Code.

All incidents of academic misconduct will be reported to Student Conduct & Conflict Resolution: StudentConduct@colorado.edu. Students found responsible for violating the Honor Code will be assigned resolution outcomes from the Student Conduct & Conflict Resolution as well as be subject to academic sanctions from the faculty member. Visit Honor Code for more information on the academic integrity policy.

Sexual Misconduct, Discrimination, Harassment and/or Related Retaliation

CU Boulder is committed to fostering an inclusive and welcoming learning, working, and living environment. University policy prohibits protected-class discrimination and harassment, sexual misconduct (harassment, exploitation, and assault), intimate partner abuse (dating or domestic violence), stalking, and related retaliation by or against members of our community on and off campus. The Office of Institutional Equity and Compliance (OIEC) addresses these concerns, and individuals who have been subjected to misconduct can contact OIEC at 303-492-2127 or email CUreport@colorado.edu. Information about university policies, reporting options, and support resources including confidential services can be found on the OIEC website.

Please know that faculty and graduate instructors must inform OIEC when they are made aware of incidents related to these policies regardless of when or where something occurred. This is to ensure that individuals impacted receive outreach from OIEC about resolution options and support resources. To learn more about reporting and support for a variety of concerns, visit the Don’t Ignore It page.

Religious Accommodations

Campus policy requires faculty to provide reasonable accommodations for students who, because of religious obligations, have conflicts with scheduled exams, assignments or required attendance. Please communicate the need for a religious accommodation in a timely manner. In this class, one week's notice is needed if an exam has been scheduled. For other assessments, two days' advance notice is needed; notify me and the TA/Course Manager.

See the campus policy regarding religious observances for full details.

Mental Health and Wellness

The University of Colorado Boulder is committed to the well-being of all students. If you are struggling with personal stressors, mental health or substance use concerns that are impacting academic or daily life, please contact Counseling and Psychiatric Services (CAPS) located in C4C or call (303) 492-2277, 24/7.

Free and unlimited telehealth is also available through . The site also provides information about additional wellness services on campus that are available to students.