EECS 765, Fall 2017

Introduction to Cryptography and Computer Security

Course Goals

The overall goal of the course is to provide a solid theoretical foundation and hands-on experience in applying the theory to practice for cryptography, computer and communication security. The course materials cover common attack techniques, application of cryptography in security, authentication and authorization, network security, enterprise network defense, web security, and economics of cybersecurity. Besides the mechanisms for enhancing security that will be taught, a significant part of the course is dedicated to discussions on how design flaws in a system can be exploited to compromise security and, in general, the circumstances that lead to things going wrong. Students will have the opportunity to work on course projects that cover both the defense and offense aspects in the cyber space. Interesting research topics may be derived from course projects.

Course Schedule

Aug 22, 2017 Lecture 1 Introduction slides, video
Aug 24, 2017 Lecture 2

Buffer Overflow Exploit
The source code getscore.c The sample score file score.txt
Virtual machine used in the demonstration redhat8.

Supplemental readings:
slides, video
Aug 29, 2017 Lecture 3

Buffer Overflow Exploit (continued)

Supplemental readings:
Aug 31, 2017 Programming Assignment 1 (Lecture 4) Remote Buffer Overflow Attack pa1, video
Sept 5, 2017 Lecture 5 Mitigation of Buffer Overflow Exploits slides, video
Sept 7, 2017 Lecture 6

Mitigation of Buffer Overflow Exploits (continued)

Reading Assignment Evaluation Sheet

Reading Assignment 1 (Group 1): Hacking Blind.

Reading assignment 2 (Group 2): StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks.

Reading assignment 3 (Group 4): Framing Signals - A Return to Portable Shellcode.

Reading assignment 4 (Group 5): The Geometry of Innocent Flesh on the Bone:
Return-into-libc without Function Calls (on the x86).

Reading assignment 5 (Group 6): Modeling and Discovering Vulnerabilities with Code Property Graphs.

Supplemental readings:
ra-eval, video
Sept 12, 2017 Lecture 7

Heap Buffer Overflow Attacks

Supplemental readings:
slides, video
Sept 14, 2017 Lecture 8 Basic Cryptography slides, video
Sept 19, 2017 Lecture 9 Authentication Basics slides, video
Sept 21, 2017 Programming Assignment 2 (Lecture 10)

Windows Remote Buffer Overflow Attack

Reading Assignment 6 (Group 7): ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks.

Reading Assignment 7 (Group 8): Timely Rerandomization for Mitigating Memory Disclosures.

Reading Assignment 8 (Group 9): How to Make ASLR Win the Clone Wars: Runtime Re-Randomization.

pa2, slides, video
Sept 26, 2017 Lecture 11

Practical Authentication Protocols

Supplemental readings:
slides, video
Sept 28, 2017 Lecture 12

Man-in-the-middle Attack

Supplemental readings:
  • (Optional) Textbook: Charles P. Pfleeger, Shari Lawrence Pfleeger, and Jonathan Margulies. 2015. Security in Computing (5th Edition) - Chapter 2
slides, video
Oct 3, 2017 Homework 1
(Lecture 13)

Authentication in a Distributed Environment (Kerberos)

Supplemental readings:
hw1, slides, video
Oct 5, 2017 Lecture 14 Kerberos (continued) video
Oct 10, 2017 Programming Assignment 3 Presentations
(Lecture 15)

Reading Assignment Presentations:

Reading Assignment 1 (Group 1): slides

Reading Assignment 2 (Group 2): slides

pa3, slides, video
Oct 12, 2017 Presentations
(Lecture 16)

Reading Assignment Presentations:

Reading Assignment 3 (Group 4): slides

Reading Assignment 4 (Group 5): slides

Oct 17, 2017 Fall Break
(No Lecture)
Enjoy the break!
Oct 19, 2017 Final Report
(Lecture 17)

Public-Key Infrastructure (PKI)

Final Report - Requirements, Guidelines, and Example Topics
Report Topics Due: Thursday Nov 9, 2017
Final Report Due: Thursday Dec 7, 2017

Supplemental readings:
final-report, slides, video
Oct 24, 2017 Lecture 18

Windows Exception Overwrite Attack

Supplemental readings:
slides, video
Oct 26, 2017 Programming Assignment 4
(Lecture 19)

Windows Exception Overwrite Attack (continued)

pa4, video
Oct 31, 2017 Lecture 20

Introduction to Network Security

Supplemental readings:
slides, video
Nov 2, 2017 Lecture 21

Return Oriented Programming
Virtual machine used in the demonstration Ubuntu-16-04LTS.

Reading Assignment 9 (Group 10): Shuffler: fast and deployable continuous code re-randomization.

Supplemental readings:
slides, video
Nov 7, 2017 Programming Assignment 5
(Lecture 22)
ROP and Heap Spray pa5, slides, video
Nov 9, 2017 Presentations
(Lecture 23)

Reading Assignment Presentations:

Reading Assignment 5 (Group 6): slides

Reading Assignment 6 (Group 7): slides

Nov 14, 2017 Presentations
(Lecture 24)

Reading Assignment Presentations:

Reading Assignment 7 (Group 8): slides

Reading Assignment 8 (Group 9): slides

slides, video
Nov 16, 2017 Lecture 25

DNS Security

Supplemental readings:
slides, video
Nov 21, 2017 Homework 2
(Lecture 26)
Software Vulnerabilities hw2, slides, video
Nov 23, 2017 Thanksgiving
(No Lecture)
Happy Thanksgiving!
Nov 28, 2017 Lecture 27


slides, video
Nov 30, 2017 Presentations
(Lecture 28)

Discussion: PA5 and Final Report

Reading Assignment Presentation:

Reading Assignment 9 (Group 10): slides

slides, video
Dec 5, 2017 Lecture 29

Final Exam Review

slides, video
Dec 7, 2017 Final Report
(Lecture 29)

Advice and Q&A
Final Report Due: Today (Dec 7) at 11:59PM CDT

slides, video
Dec 11, 2017 Final Exam

1:30 - 4:00 pm in LEA1136


Instructor and Course Meeting Times

Lectures Tuesday & Thursday 1:00pm - 2:15pm, LEA1136
Instructor Alex Bardas
Office: 2040 Eaton Hall
Office Hours: Tuesday 3:00pm - 5:00pm, and by email appointment
e-mail: alexbardas ku edu


EECS 678 and (EECS 780 or EECS 563), or the instructor's approval. In other words, a basic understanding of computer systems, including operating systems, networking, compilers, data structures, etc. This is a course that is primarily targeted at graduate students and at junior/senior-level undergraduate students in computer science and computer engineering.

Optional Textbook

Charles P. Pfleeger, Shari Lawrence Pfleeger, and Jonathan Margulies. 2015. Security in Computing (5th Edition). Prentice Hall Press, Upper Saddle River, NJ, USA.


There will be on average one assignment per week, which could be a written homework, a programming project, or a reading assignment. At the end of the semester, you must also turn in a final report that focuses on a specific problem in computer and information security. The topics for the report will be seeked out by the students and approved by the instructor. There will also be a final exam. The break down of the final score of the course is:
Programming assignments & homeworks 45%
Final exam 25%
Final report 20%
Class participation
(includes reading assignments)
Grading scheme. (The instructor also intends to curve raw scores at the end of the semester)
A 90% +
A- 88% - 89%
B+ 86% - 87%
B 80% - 85%
B- 78% - 79%
C+ 76% - 77%
C 70% - 75%
C- 60% - 69%
D/F   0% - 59%

Assignment Submission

Usually assignments are due at 11:59PM CDT via Blackboard (unless otherwise specified) according to the date posted in the assignment. In general, expect a 20% per day penalty for late submissions. One minute or 23 hours still count as a whole late day. Each calendar day counts as a late day.

Student Outcomes

After successful completion of this course, students should be able to:

Academic Integrity

All work submitted for credit must be the student's own and is subject to the provisions of the University of Kansas policies. Students should review the university policy on Academic conduct. "Academic integrity is a central value in higher education. It rests on two principles: first, that academic work is represented truthfully as to its source and its accuracy, and second, that academic results are obtained by fair and authorized means. Academic misconduct occurs when these values are not respected. Academic misconduct at KU is defined in the University Senate Rules and Regulations." -- KU Student Affairs
The default in this class is that ALL work submitted for credit will be accomplished individually. See Lecture 1 slides and video for more details on the collaboration policy. If you are in doubt, please ask.

Accommodations for Students with Disabilities

The Academic Achievement & Access Center (AAAC) coordinates academic accommodations and services for all eligible KU students with disabilities. If you have a disability for which you wish to request accommodations and have not contacted the AAAC, please do so as soon as possible. They are located in 22 Strong Hall and can be reached at 785-864-4064 (V/TTY). Information about their services can be found on the Student Access Services website. Please contact the instructor privately in regard to your needs in this course.

Expectation of Classroom Conduct

The instructor, Alexandru G. Bardas, considers this classroom to be a place where you will be treated with respect as a human being - regardless of gender, race, ethnicity, national origin, religious affiliation, sexual orientation, gender identity, political beliefs, age, or ability. Additionally, diversity of thought is appreciated and encouraged, provided you can agree to disagree. Activities within the University of Kansas community, including this course, are governed by the Code of Student Rights and Responsibilities. It is the instructor's expectation that ALL students experience this classroom as a safe environment.

Concealed Carry. Individuals who choose to carry concealed handguns are solely responsible to do so in a safe and secure manner in strict conformity with state and federal laws and KU weapons policy. Safety measures outlined in the KU weapons policy specify that a concealed handgun:

Notice of Copyright

All lectures and course materials carry a copyright of several authors, including Xinming Ou and Alexandru G. Bardas. Some additional content is adapted from the BlackHat Exploit Laboratory (thanks to Saumil Shah and S.K. Chong for kindly permitting the use of those materials in this course). During this course students are prohibited from selling notes to or being paid for taking notes by any person or commercial entity without the express written permission of the instructor, Alexandru G. Bardas.


The course materials are adapted from a previous version of the course taught by Xinming (Simon) Ou together with Xiaolong (Daniel) Wang. Some additional materials are adapted from the BlackHat Exploit Laboratory (thanks to Saumil Shah and S.K. Chong who kindly permit the use of their materials). Also, thanks to Nicole Beckage for sharing her syllabi.