CS 5/7403 Secure Electronic Commerce Course Syllabus

Spring 2016, MW 9:30am-10:45am, Rayzor Hall 2235, CS Conference Room

Course Website: http://secon.utulsa.edu/ecom/

Piazza Course Discussion: http://piazza.com/utulsa/spring2016/cs7403/home

Instructor Information

Dr. Tyler Moore http://tylermoore.ens.utulsa.edu

Email: tyler-moore@utulsa.edu. Please send course-related inquiries as private messages to me via Piazza. This helps me keep track of course communications.

Office: Rayzor Hall Rm. 2140

Office Hours: Mondays 11am-12pm, Tuesdays 9:30-10:30am, and by appointment

Email Hours: I strive to respond to course-related emails within 24 hours on weekdays. Inevitably I may overlook some messages; if more than 24 hours has passed, feel free to send me a reminder.

Course Description

Technologies to facilitate secure online communications, such as SSL and digital certificates, are presented. Canonical threats to web security, such as input validation flaws, XSS and CSRF attacks, are demonstrated using hands-on experiments. Engineered defenses against these attacks are then reviewed. Mechanisms for secure payments, such as EMV, tokenization and mobile payments protocols, are discussed along with case studies of attacks on deployed systems. The technical architecture of cryptocurrencies, notably Bitcoin, is presented. Throughout the course, economic considerations, notably the incentives of system designers and attackers, are discussed.

Prerequisites

CS 2123 or permission of instructor

Learning Outcomes

Upon completing this course, students should be able to:

Topics

  1. Web Security
    • Basic web security model
    • Web attacks (e.g., SQL injection, XSS, CSRF) and defenses
    • Modern web improvements
    • Session management and user authentication
    • Certificates and PKI
    • HTTPS: Design and pitfalls
  2. Payments
    • Legacy payment systems
    • EMV protocol
    • Attacks on EMV
    • API attacks
    • Securing CNP transactions and PCI compliance
    • Tokenization
    • Mobile payments
  3. Cryptocurrencies
    • Early digital currencies
    • Building blocks
    • The Bitcoin blockchain
    • Bitcoin mechanics
    • Bitcoin storage and use
    • Bitcoin security threats
    • Regulating cryptocurrencies

Textbook

No textbook. Readings will be posted to the course calendar, listed on the day they are expected to have been read.

Course Calendar

See the online schedule for up-to-date details and reading assignments.

Coursework

Homework

There are approximately 3 homework assignments, each equally weighted, one for each of the main thrusts of the course. Students are strongly encouraged (but not required) to work in pairs on assignments. Students working in pairs should submit a single assignment for both students. Students working in pairs may not split the problems; instead, students are expected to work jointly on each problem in the assignments, including any coding. Students may not work with the same partner on consecutive assignments.

Project

There is a course project in which you will implement attacks, defenses, and security features for a rudimentary e-commerce website. Students are required to work in pairs, to be assigned by the instructor. One completed assignment is turned in per team, and students are expected to work together on each task. The project will be divided into approximately 4 components, each due at different points in the semester. Teams are expected to work together for the duration of the project.

See the course project page for more information.

Attack Case Study Presentations

Throughout the semester, students will take turns presenting on an attack related to topics presented in the course. Students will select among a list of available topics, then research the topic and any associated papers or online material. Students will give a 20-25 minute presentation with slides explaining the attack. A list of topics is available. Other students are expected to actively participate in the discussion of all case study presentations.

Final Exam

There is one comprehensive final exam. The exam will be closed-book, closed-notes and closed-Internet unless otherwise announced.

Piazza

http://piazza.com/utulsa/spring2016/cs7403/home

Piazza is an online Q&A system designed by computer scientists to encourage better course feedback and support. To facilitate collaboration and quick responses to your questions, you are encouraged to post questions to Piazza, as well as answer your classmates' questions on Piazza.

All course-related correspondence should take place on Piazza. When you have a question, consider whether it should be addressed only to the instructor, or if it can be shared with your classmates. As a guide, most questions about homework assignments could be shared with your classmates, as many could have the same question. Private correspondence, such as information about when you are sick, personal circumstances, etc., should be sent via private message on Piazza. I may not respond to your emails, but I will respond to private messages sent via Piazza.

Grading Policies

Grade Distribution

I use standard percentage cut-offs when determining letter grades (e.g., [90-100] is an A, [80-90) is a B, etc.). I do not use a curve in assigning grades, as I believe grading on a curve discourages collaboration among students. Occasionally, though, a particular assignment may be too difficult and so I reserve the right to adjust the score appropriately.

Attendance and Participation Policy

I expect you to attend classes and participate in class discussions. I understand that occasionally circumstances may arise so that you must miss class. This is OK, but I would appreciate if you send me a private message on Piazza in advance letting me know that you won't be able to attend class. Chronically missing class is not acceptable, and I reserve the right to penalize the course grade in the event of persistent absence.

I also expect that you will keep up with the reading. This means that you should have completed the reading listed on the schedule before the corresponding lecture.

Policy on Late Work

The range of topics covered in this class is substantial, and course material often builds on concepts introduced in prior assignments and exams. Consequently, it is essential that you do not fall too far behind. As a result, assignments really are due at the time stated in the course schedule. If you have not finished the assignment before it is due, please turn in what you have completed.

There are three exceptions to this policy. First, if you have an emergency (e.g., serious illness, death in the family), please let me know as soon as possible so we can work out an accommodation.

Second, students are given 4 lateness coupons for assignments (but not exams) for use throughout the semester, with one coupon equal to a 24-hour extension. To redeem a lateness coupon, you must send a Piazza private message with subject "CS 7403 Lateness Coupon" BEFORE the assignment is due. In the body of the post please let me know how many coupons you wish to redeem.

The third exception to the strict deadline policy is for unforeseen circumstances that affect everyone: the power goes out on campus two hours before an assignment is due, for example. In this case, I will extend the deadline in a reasonable manner (e.g., extend by 24 hours after power is restored). I will post an announcement to Piazza if such a circumstance arises.

Collaboration and Attribution

I encourage collaboration between students on assignments and when studying. Collaboration is an essential skill for engineering, not to mention life in general. Unless I say otherwise, feel free to discuss assignments with your classmates, including ideas for how to solve problems. Please do not, however, share code, equations, or written answers that solve an assignment directly with other students. Solutions to homeworks should be written from scratch and must not be pieced together from other students' work.

If you work with another student on assignments, you must turn in a single copy with both students' names.

It is also important to give credit to others when appropriate. If you implement an idea that you got from another student (or students), please say so. Furthermore, if you consult a web resource that directly assists you, please say so. As a reminder, it is also not acceptable to copy code or equations directly from a web resource that solves a problem on an assignment.

ENS College Academic Misconduct Policy

In keeping with the intellectual ideals, standards for community, and educational mission of the University, students are expected to adhere to all academic policies. Cheating on examinations, plagiarism, and other forms of academic dishonesty violate both individual honor and the life of the community, and may subject students to penalties including failing grades, dismissal, and other disciplinary actions. For full details please see the College of Engineering and Natural Sciences Academic Misconduct Policy.

Any student found to have committed academic misconduct will, in the first instance, receive a grade of 0 on the assignment or exam. In the second instance, the student will receive a failing grade for the course. Note that this includes copying code or writing from the Internet or other resources without attribution. Note also that University policy requires me to notify the Associate Dean for Academic Affairs in the event of identifying academic misconduct.

Extra Credit

It is my policy to not offer extra credit assignments on a per-student basis. To ensure fairness, extra credit may only be offered to all students, and would most likely take the form of a modest reward for attending an optional lecture, not an extra assignment.

Special Needs

Disability Accommodations

Students needing academic accommodations for a disability must first be registered with the Center for Student Academic Support to verify the disability and to establish eligibility for accommodations. Students may call 918-631-2315, email csas@utulsa.edu, or visit http://utulsa.edu/campus-life/student-academic-support/contact/ to begin the process. Once registered, students should then schedule an appointment with the professor to make appropriate arrangements.

Religious Observance

Religiously observant students wishing to be absent on holidays that require missing class should notify their professors in writing at the beginning of the semester, and should discuss with them, in advance, acceptable ways of making up any work missed because of the absence.

Disclaimer

Please note that this syllabus is subject to change. Any changes to the syllabus will be announced in class, on the course website, and/or on Piazza.