CS 4413/6013 Secure Electronic Commerce Course Syllabus
Spring 2018, TTh 2:00pm-3:15pm, Keplinger M3
Course Website: https://secon.utulsa.edu/ecom/
Additionally, Harvey is used for publishing grades, turning in assignments, and making course announcements.
Instructor Information
Dr. Tyler Moore https://tylermoore.utulsa.edu
Email: tyler-moore@utulsa.edu.
Office: Rayzor Hall Rm. 2140
Office Hours: Mondays 10:30-11:30am, Thursdays 3:20-4:15pm, and by appointment
Email Hours: I strive to respond to course-related emails within 24 hours on weekdays. Inevitably I may overlook some messages; if more than 24 hours has passed, feel free to send me a reminder.
Course Description
Technologies to facilitate secure online communications, such as SSL and digital certificates, are presented. Canonical threats to web security, such as input validation, XSS and CSRF attacks, are demonstrated using hands-on experiments. Engineered defenses against these attacks are then reviewed. Mechanisms for secure payments, such as EMV, tokenization and mobile payments protocols, are discussed along with case studies of attacks on deployed systems. The technical architecture of cryptocurrencies, notably Bitcoin, are presented. Throughout the course, economic considerations, notably the incentives of system designers and attackers, are discussed.
Prerequisites
CS 2123 or permission of instructor
Student Learning Objectives
Upon completing this course, students should be able to:
- understand, implement and defend against canonical attacks on web security
- rapidly read technical descriptions of attacks, determine their severity and applicability, and identify suitable countermeasures
- understand, implement and defend against canonical attacks on payment systems
- understand and explain the architecture of cryptocurrencies
Students will demonstrate proficiency in the skills listed above through homework assignments, projects, and exams. Graduate students enrolled in CS 6013 will also demonstrate proficiency by designing and delivering an oral presentation.
Topics
- Web Security
- Basic web security model
- Web attacks (e.g., SQL injection, XSS, CSRF) and defenses
- Session management and user authentication
- Certificates and PKI
- HTTPS: Design and pitfalls
- Payments
- Legacy payment systems
- EMV protocol
- Attacks on EMV
- Securing CNP transactions and PCI compliance
- Tokenization
- Cryptocurrencies
- Early digital currencies
- Building blocks
- The Bitcoin blockchain
- Bitcoin mechanics
- Bitcoin storage and use
- Bitcoin security threats
- Regulating cryptocurrencies
Textbook
Required: Bryan Sullivan and Vincent Liu. Web Application Security, A Beginner's Guide. McGraw Hill Education, 1st Edition
Optional: Narayanan, Bonneau, Felten, Miller, Goldfeder. Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction. Princeton University Press, 1st Edition. Note: a pre-publication draft of the book is available for download at https://d28rh4a8wq0iu5.cloudfront.net/bitcointech/readings/princeton_bitcoin_book.pdf. Students are free to use either version.
Readings will be posted to the course calendar, listed on the day they are expected to have been read.
Course Calendar
See the online schedule at https://secon.utulsa.edu/ecom/admin/schedule.html for up-to-date details, slides, assignments, due dates, exam dates and reading assignments.
Coursework
Homework
There are 3 homework assignments, each equally weighted, one for each of the main thrusts of the course. Students are strongly encouraged (but not required) to work in pairs on assignments. Students working in pairs should submit a single assignment for both students. Students working in pairs may not split the problems; instead, students are expected to work jointly on each problem in the assignments. Students may not work with the same partner on consecutive assignments.
Project
There is a course project in which you will implement attacks, defenses, password-based authentication and simulated credit-card payments for a rudimentary e-commerce website. Students are required to work in pairs. One completedassignment is turned in per team, and students are expected to work together on each task. The project is divided into 3 components, each due at different points in the semester. Teams are expected to work together for the duration of the project.
Detailed information on each project assignment will be posted on the course schedule.
Attack Case Study Presentations
At the end of the semester, graduate students enrolled in CS 6013 will take turns presenting on an attack related to topics presented in the course. Students will select among a list of available topics, then research the topic and any associated papers or online material. Students will give a 20 minute presentation with slides explaining the attack. A list of topics is available. Other students are expected to actively participate in the discussion of all case study presentations.
Exams
There are two exams. The exam will be closed-book, closed-notes and closed-Internet unless otherwise announced. Exam 1 is tentatively scheduled for March 15. Exam 2 is scheduled during the final exam period for the class, which is Thursday, April 26 from 1-3:25pm.
Grading Policies
Grade Distribution
For undergraduates enrolled in CS 4413:
- Homework (15%)
- Project (45%)
- Exam 1 (20%)
- Exam 2 (20%)
For graduate students enrolled in CS 6013:
- Homework (15%)
- Project (35%)
- Exam 1 (20%)
- Exam 2 (20%)
- Attack Case Study Presentation (10%)
I use standard percentage cut-offs when determining letter grades (e.g., [90-100] is an A, [80-90) is a B, etc.). I do not use a curve in assigning grades, as I believe grading on a curve discourages collaboration among students. Occasionally, though, a particular assignment may be too difficult and so I reserve the right to adjust the score appropriately.
Attendance and Participation Policy
I expect you to attend classes and participate in class discussions. I understand that occasionally circumstances may arise so that you must miss class. This is OK, but I would appreciate if you send me an email in advance letting me know that you won't be able to attend class. Chronically missing class is not acceptable, and I reserve the right to penalize the course grade in the event of persistent absence.
I also expect that you will keep up with the reading. This means that you should have completed the reading listed on the schedule before the corresponding lecture.
Policy on Late Work
The range of topics covered in this class is substantial, and course material often builds on concepts introduced in prior assignments and exams. Consequently, it is essential that you do not fall too far behind. As a result, assignments really are due at the time stated in the course schedule. If you have not finished the assignment before it is due, please turn in what you have completed.
There are three exceptions to this policy. First, if you have an emergency (e.g., serious illness, death in the family), please let me know as soon as possible so we can work out an accommodation.
Second, students are given 3 lateness coupons for assignments, plus 3 additional lateness coupons for the projects, for use throughout the semester, with one coupon equal to a 24-hour extension. To redeem a lateness coupon, you must send an email with subject "E-Commerce Lateness Coupon" BEFORE the assignment is due. In the body of the message please let me know how many coupons you wish to redeem.
The third exception to the strict deadline policy is for unforeseen circumstances that affect everyone: the power goes out on campus two hours before an assignment is due, for example. In this case, I will extend the deadline in a reasonable manner (e.g., extend by 24 hours after power is restored). I will email the class if such a circumstance arises.
Collaboration and Attribution
I encourage collaboration between students on assignments and when studying. Collaboration is an essential skill for engineering, not to mention life in general. Unless I say otherwise, feel free to discuss assignments with your classmates, including ideas for how to solve problems. Please do not, however, share code, equations, or written answers that solve an assignment or project directly with other students. Solutions should be written from scratch and must not be pieced together from other students or from the Internet.
If you work with another student on assignments, you must turn in a single copy with both students' names.
It is also important to give credit to others when appropriate. If you implement an idea that you got from another student (or students), please say so. Furthermore, if you consult a web resource that directly assists you, please say so. As a reminder, it is also not acceptable to copy code or equations directly from a web resource that solves a problem on an assignment.
ENS College Academic Misconduct Policy
In keeping with the intellectual ideals, standards for community, and educational mission of the University, students are expected to adhere to all academic policies. Cheating on examinations, plagiarism, and other forms of academic dishonesty violate both individual honor and the life of the community, and may subject students to penalties including failing grades, dismissal, and other disciplinary actions. For full details please see the College of Engineering and Natural Sciences Academic Misconduct Policy.
Any student found to have committed academic misconduct activities will, in the first instance, receive a grade of 0 on the assignment or exam. In the second instance, the student will receive a failing grade for the course. Note that this includes copying code or writing from the Internet or other resources without attribution. Note that University policy requires me to notify the Associate Dean for Academic Affairs in the event of identifying academic misconduct.
Extra Credit
It is my policy to not offer extra credit assignments on a per-student basis. To ensure fairness, extra credit may only be offered to all students, and would most likely take the form of a modest reward for attending an optional lecture, not an extra assignment.
Special Needs
Disability Accommodations
Students needing academic accommodations for a disability must first be registered with the Center for Student Academic Support to verify the disability and to establish eligibility for accommodations. Students may call 918-631-2315, email csas@utulsa.edu, or visit http://utulsa.edu/campus-life/student-academic-support/contact/ to begin the process. Once registered, students should then schedule an appointment with the professor to make appropriate arrangements.
Religious Observance
Religiously observant students wishing to be absent on holidays that require missing class should notify their professors in writing at the beginning of the semester, and should discuss with them, in advance, acceptable ways of making up any work missed because of the absence.
Disclaimer
Please note that this syllabus is subject to change. Any changes to the syllabus will be announced in class, on the course website, and/or by email.