Information Security

COS 432, Princeton University Fall 2016

Security issues in computing, communications, and electronic commerce. Goals and vulnerabilities; legal and ethical issues; basic cryptology; private and authenticated communication; electronic commerce; software security; viruses and other malicious code; operating system protection; trusted systems design; network security; firewalls; policy, administration and procedures; auditing; physical security; disaster recovery; reliability; content protection; privacy.

Course Staff

Instructor: Prof. Nick Feamster
310 Sherrerd Hall
<my last name>

Teaching Assistants:
Sotiris Apostolakis
Qipeng Liu
Ming-Yee Tsang
William Yang

Class Location and Time:
Lectures: Mondays and Wednesdays, 11:00 am-12:20 pm, Architecture Building N101

Office Hours (subject to change; will increase around deadlines):
Nick: Mondays 1:30-2:30p (Sherrerd 310) [Wednesdays near deadlines]
Sotiris: Tuesdays 2:00-4:00p (CS 003)
Qipeng: Thursdays 1:00-3:00p (Outside CS 241)
Ming-Yee: Fridays 2:00-4:00p (Frist Galleria)
William: Wednesdays 3:00-5:00p (CS 003)

Course Format

The course will meet twice a week for 80-minute lectures.

Recommended Background

Prerequisite: COS 217 and COS 226.

Grading

Grading is based on:

  • two in-class exams (40%)
  • five homework assignments (including Dean's Date assignment) (60%)

Late Policy

We understand that sometimes life events occur and that it's not always possible to meet every deadline. As such, we are willing to accept late assignments according to the following policy:

  • You start the term with a grace period "balance" of 96 hours.
  • Each assignment will be due at 6:00 p.m. (Princeton Local Time) on the due date.
  • For each assignment, every hour late (or fraction thereof) that you turn in the assignment will subtract one hour from your grace-period balance. For example, if you turn in your assignment at 7:02 p.m. on the due date, we will count this as two hours against your grace period.
  • As long as your grace period balance is positive, you can turn in any assignment late without penalty.
  • Once your grace period balance reaches zero, you will receive half credit for any assignment that you turn in, as long as you turn it in within one week of the due date. If your grace period balance is zero and you turn in an assignment more than one week late, you will receive no credit for the assignment. Important: You must still turn in all assignments to pass the course, even if you receive zero points on an assignment. Turning in all assignments is a necessary condition for passing. (Participating in Build It, Break It, Fix It exempts you from turning in one assignment.)

Excuses with medical documentation are a legitimate exception and will not count against your grace period. Any other reasons for lateness (including but not limited to interviews and conferences) are not legitimate excuses, and any resulting lateness will count against your grace period.

Honor Code

Students are expected to abide by the Princeton University Honor Code. Honest and ethical behavior is expected at all times. All incidents of suspected dishonesty will be reported to and handled by the office of student affairs. You are to do all assignments yourself, unless explicitly told otherwise. You may discuss the assignments with your classmates, but you may not copy any solution (or part of a solution) from a classmate.

Textbook

There is no required or suggested textbook in this course, because there is no one book that covers the right material in an up-to-date fashion. The resources part of this page includes a list of good books on security.

Schedule

This schedule and syllabus is preliminary and subject to change.

Slides: A draft of the lecture slides will be posted on the course Blackboard website before lecture. Slides may be updated during lecture (e.g., with drawings, notes, and real-time revisions); slides may again be updated after lecture to reflect topic coverage, in-class notes, etc.

Preparation: If any preparation (reading, videos, etc.) is required, we will post a link to the material in the "preparation" column before lecture.

Date          Topic                                                               Readings                                              Notes
September 14  Course Overview / Security in Computing                             Why Cryptosystems Fail
September 19  Ethics and the Law                                                  Salganik (Ethics), Menlo Report

Module 1: Cryptography

September 21  Message Integrity, Pseudorandom Functions                           Anderson 5.3.1-5.3.3                                  Assignment 1: Cryptography (Due October 12)
September 26  Stream Ciphers, Block Ciphers                                       Anderson 5.1-5.2, 5.4.2, 5.4.3, 5.5
September 28  Key Exchange and Key Management                                     Anderson, Schneier 12.1-12.3
October 3     Public Key Cryptography                                             Anderson 5.7.1, Schneier 19.3; Stallings 9.1, 9.2

Module 2: Systems Security

October 5     Public Key Infrastructure                                           Bellovin 8
October 10    Access Control and Control Flow                                     Tanenbaum 4.4.1, 4.5.1-4.5.4
October 12    Buffer Overflows, Shellcode, and Malware                            Smashing the Stack                                    Assignment 2: Application Security (Due October 28)
October 17    Enforcing Access Control: Isolation and Sandboxing                  Bellovin 10
October 19    Passwords and Biometrics
October 24    In-Class Exam
October 26    Web Security: TLS, CSS, XSRF                                        Kaufman 19.1-19.12, RFC 5246 7.4
November 7    Web Privacy: Tracking                                               Zalewski (first 2 pages of Chapter 9 on SOP for DOM)  Assignment 3: Web Security (Due November 27)

Module 3: Network Security

November 9    Worms and Botnets                                                   Cooke: Zombie Roundup
November 14   DDoS: Spoofing, Reflection, Amplification                           Marczak: Great Cannon; Hilton: Dyn Attack
November 16   Routing, Spam, Phishing, Scams                                      Global Phishing Survey
November 21   DNS Security; Defenses: IDS and Firewalls                           Bellovin 5
November 28   VPNs and Anonymous Communication (+ Philipp Winter on Tor)          Bellovin 6.5                                          Assignment 4: Network Security (Due December 16; Checkpoint Dec. 7)
November 30   Internet Censorship (+ Roya Ensafi on Measurement)
December 5    In-Class Exam

Module 4: Security in Context

December 7    Security of IoT/Cyberphysical Systems
December 12   Access ISP Security (Video Interview; No Lecture)
December 14   Human Factors and Usable Security (Guest Lecture: Marshini Chetty)

Assignment 5: Dean’s Date Assignment

Course Resources

Optional Reading

There are many good books about cryptography, but relatively few good ones about other computer security topics.