Administrative Information

What's this course about?

CS1660 (formerly called CS166) is a course on computer systems security through a balanced mixture of theory and practice.

We’ll start out with building the foundations of security through an exploration of cryptography. From there, we’ll move to more complex, multi-faceted systems such as web applications, operating systems, and networks. Along the way, we’ll explore complementary topics such as authentication, physical security, social engineering, privacy, anonymity, usability, and the security of emergent systems such as blockchains and machine learning.

By learning about security through these multiple domains, you’ll concretely learn how various classes of attacks appear in a vast variety of scenarios and how they work in practice. You’ll also learn how to evaluate systems adversarially, from writing precise security analyses about subtle issues in protocols to discovering and exploiting vulnerabilities in concrete technical systems for yourself.

Through all of these activities, you’ll ultimately work to develop a specific kind of intuition—a “security mindset”—that will give you the knowledge, vocabulary, and confidence to critically analyze and effectively defend the software and systems you approach as a computer scientist even after the course.

CS1620/CS2660: The Lab

We encourage you to take the additional half-credit “lab”, called CS1620 (for undergraduates) or CS2660 (for master’s graduate students, or concurrent master’s students). Senior undergraduates may use the lab portion to count for their capstone requirement.
Students taking the lab have the opportunity to work on advanced challenges that will provide them with a greater appreciation of systems security and the “security mindset” as a whole:

CS1620/CS2660 provides students with a deeper understanding of the material by doing advanced versions of CS1660’s projects and advanced questions on the written assignments. These advanced versions focus on real-world skills: performing attacks that are more difficult and rely on less serious vulnerabilities, performing attacks against systems with more real-world constraints, and creating attacks that achieve a higher standard of quality than a mere proof of concept.

CS1620 vs. CS2660: Due to credit-counting logistics, the lab portion of the course has two different course numbers: CS1620 and CS2660. Undergraduate students wishing to do the half-credit lab should sign up for CS1620 in addition to CS1660. CS2660 combines both CS1660 and CS1620 in one, 2000-level course. If you are a graduate student (or an ScB student who has applied for the concurrent CS master's program), and wish to earn 2000-level credit for this course, you should sign up for CS2660 only. What’s the difference? Both CS1620 and CS2660 share the same extra course content, but only CS2660 counts for 2000-level credit. In course materials, we will refer to the lab portion simply as CS1620–this includes both CS1620 and CS2660 students.

How much work is the lab?: In previous years, students taking the lab report spending approximately 8–20 extra hours on each project throughout the semester, though they also note that the additional components are more front-loaded so the second half of the semester is much more flexible. (We anticipate that this will be the same this year.) You do not need any additional experience beyond the base prerequisites of the course to succeed with the lab—anyone who feels comfortable taking CS1660 should also feel comfortable taking CS1620/CS2660, so long as you are comfortable with the extra time requirement. Note that students taking CS2660 are committed to completing the requirements for both the lab and main portion of the course–after the add/drop period ends, it is not possible for a CS2660 student to drop the lab portion and still get credit for CS1660 in the same semester.

How do I sign up?: If you are interested in the lab portion, undergraduates should register for CS1660 and CS1620 on CAB. Senior undergraduates are eligible to capstone with CS1620—email the HTA list if you intend to have the lab count for your capstone credit. If you intend to take CS2660, please fill out this form and request an override code on CAB.

Registration and Waitlist

Interested in taking the course? That’s great! Since our course has multiple sections, all students require an override so that we can make sure everyone is in the correct section. See the following steps for instructions on how to request an override and (if the course is full) join the waitlist. If you are interested in registering, please do the following:

  • Request to register by filling out this form. If the course is full, this will also add you to the waitlist. If you have any particular reasons you want to take the course, please let us know on the form. Please avoid sending us email about this (it will take longer!)–the form is designed to help us process your requests efficiently. You MUST fill out the form to be considered–we will not consider requests on CAB without an accompanying form response.

  • Add the course to your shopping cart. This will grant you access to EdStem and Gradescope, when they become available at the start of the semester.

  • If possible, attend (in person or via Zoom) the first lecture on Thursday, January 25 or watch the recording as soon as is feasible.

How does the waitlist work? Once the course fills up, we will give priority to students who are unable to take the course at another time–otherwise, we admit students on a first-come, first-serve basis. If you have any strict program requirements or other constraints that limit when you can take the course, please indicate this in your form response. If you already responded and need to edit your response, you can do so by clicking on the form link again.

What are my chances? We hope to admit around 90-100 students across all sections of CS1660 and CS2660. While we cannot officially guarantee that all students on the waitlist will be able to take the course, we have typically been able to accommodate all students by the end of shopping period.

Prerequisites

You should have an intro-sequence’s worth of programming experience (0160, 0180, or 0190) and have a good understanding of systems programming (0300, 0330, 1310, or 1330). This concretely means that:

  • You should be comfortable writing programs and scripts in a language of your choice (such as Python, Ruby, Bash, Go, C++, etc.), be somewhat comfortable in a Unix command-line environment (running binaries, filesystem navigation, etc.) and have a basic understanding of systems programming concepts such as memory management and networking.
  • You also should have heard of the terms “race condition”, “packet”, “TCP”, “UDP”, “buffer overflows”, and “DNS”. (If you forget what these are, don’t worry—we’ll describe them again when they come up in the latter half of the course.)
  • You should also be willing to learn how to read code in languages that you’ve never used before. We will gain practice with this throughout the course as we learn about securing systems in many areas.

If you don’t meet the official prerequisites but still want to take the course, please consult the instructors during shopping period. We are happy to discuss your individual situation to determine if the course is right for you!

Your willingness to challenge yourself is perhaps the most important prerequisite for the course. Security can be frustrating at times, but the rewards are great. In exchange for engaging with some difficult intellectual challenges, you’ll have the opportunity to gain concrete insights about systems and security and become a better computer scientist along the way!

Lecture Policy

We will have live lecture on Tuesdays and Thursdays @ 2:30pm - 3:50pm ET in person at CIT 368 and on Zoom via this link. All lectures will be recorded and will be posted on Panopto within 24 hours of the lecture.

Attendance: Students are encouraged to attend lecture in-person or synchronously via Zoom, though this is not required. Attendance does not impact your course grade. Lecture may use TopHat questions to poll students during class–these are optional and are only used to gauge your understanding during class. TopHat responses have no impact on your course grade.

Asking Questions: We encourage students to ask questions in class by raising your hand (either in person, or as a reaction or chat message in Zoom). If you are participating remotely, we will ask you to unmute and ask your question.

Recordings: All lectures will be recorded. Recordings and any notes/slides from lecture will be made available within 24 hours of the lecture date in Panopto.
During shopping period, students who are interested in CS1660 must have the course in their primary cart in order to have access to Panopto.

Office Hours

We are happy to work with you in office hours to help with understanding any course concept or homework/project work. We are happy to help with planning how to approach problems, working with tools, figuring out how to debug your work, or reviewing concepts from lectures/homework assignments.

In order to make office hours accessible to as many students as possible, we are holding hours in two formats:

  • Collaborative hours (in-person or hybrid): Most hours will be collaborative hours. In this format, simply come to the designated room and members of the course staff will circulate and take questions. Some collaborative sections can support remote students in a hybrid format, as indicated on the calendar. Remote students may join via Zoom using the link (available on the Hours platform)–a dedicated staff member will talk with everyone on Zoom in parallel with in-person discussion.
    In collaborative hours, you are welcome to stay and work and ask questions as they come up–this is meant to create a space where you can meet and collaborate with your peers, while course staff is available to help you get “unstuck”, or explain a concept to a group if you encounter a problem. We can provide all forms of help during this time, including debugging or help with concepts. Some projects (notably Flag and Handin) may have certain restrictions on what can be discussed during collaborative hours–more information will be provided when these assignments are released.

  • Individual, queue-managed (remote): This is the standard format at Brown. When the hour begins, a queue will appear on the Hours platform designated for our course. Whether you are in-person or remote, simply join the queue! When your turn comes up, you will receive a Zoom link to talk with a member of the course staff. Course staff may limit the amount of time one person may spend with a TA (i.e. ~10-15 minutes), especially during peak times.

As the semester progresses, we may make adjustments to the balance of remote/in-person/hybrid hours or the mechanics of the different formats based on student and TA feedback. If you have thoughts on your experience in hours, please fill out our Anonymous Feedback Form!

Collaboration

The Collaboration Policy is available as a separate document. Please read this policy, as it may differ significantly from other courses you have taken.

By submitting any assignment, you agree to abide by the collaboration policy. If you have any questions, please ask on Edstem.

Late Policy

Students have five (5) late passes to use on homeworks and projects, though no more than two (2) late passes may be applied to any deadline. Each late pass extends the deadline by one day.

Weekends and University holidays (long weekend, spring break, etc.) do not count towards lateness or use of late passes–in other words, a late submission for an assignment due on Friday at 11:59pm and submitted before Monday at 11:59pm is considered one day late. Accordingly, the last day the assignment could be submitted would be Tuesday at 11:59pm (which would be 2 days late).

If you have no more late passes, each day a project or homework is submitted late will subtract 20% from that assignment’s grade.

Project 4 is a partner project that contains multiple deadlines. Late passes may not be applied to the intermediate deadlines of Project 4. On the final deadline, your group will be allowed to use the minimum of your and your partner’s remaining late days (up to a maximum of two, as for all assignments).

Late passes and penalties are automatically applied at the end of the semester in an optimal fashion; that is, we will apply late passes in such a way that gives you the highest grade.

CS1620 and CS2660 students receive two additional late passes (seven total). However, students who drop CS1620 lose the additional passes and receive late penalties under the default CS1660 policy.

Extenuating circumstances: If there are extenuating circumstances preventing you from completing an assignment on time (e.g., illness), you may use this form to request an extension (without using late days), most preferably before the assignment is due. In these situations, please contact the instructors as soon as it is feasible for you to do so using this form. This form is not meant to be impersonal–we simply want to make sure we can keep track of any requests!

Please note that only the instructors are authorized to grant extensions for the course. The Head TAs and UTAs cannot approve, or comment on the likelihood of, extension requests.

All assignments have a due time of 11:59 PM ET.
See this section for information on the course late policy.
Logistics: Lectures take place on Tuesdays and Thursdays at 2:30pm ET in person at CIT 368 and on Zoom. Lecture recordings are available on Panopto within a few hours of the lecture time. Please note that this schedule is subject to change.
Jan 25 Lec 1. Course Intro: Logistics, Security Principles w/ Nick
    Lecture notes
    Textbook chapters: 1.1, 1.3.1, 1.3.3, 1.3.4, 1.4
Jan 30 Lec 2. Cryptography I: Confidentiality (Intro) w/ Bernardo
Feb 1 Lec 3. Crypto II: Confidentiality (in practice) w/ Bernardo
Feb 6 Lec 4. Crypto III: Integrity, Authentication I w/ Bernardo
Feb 8 Lec 5. Crypto IV: Human authentication, Passwords w/ Bernardo
    Lecture notes
    Textbook chapters: 7.1, 7.2.3
Feb 13 Lec 6. Crypto V: Password mechanics and password cracking w/ Bernardo
Feb 15 Lec 7. Web Security I: Intro to the web: Resources and Origins w/ Bernardo
    Lecture notes
    Textbook chapters: 7.1, 7.2.3-7
    In-class demo: Client-Side Checks on WebGoat (w/ Bernardo)
    Reading: Same-origin policy
Feb 22 Lec 8. Web II: Securing requests: Cross-Site Request Forgery, CORS, CSP w/ Nick
Feb 20 No class, Long weekend
Feb 27 Lec 9. Web III: Code as data: SQLI, XSS w/ Nick
Feb 29 Lec 10. Web IV: More code injection and defenses w/ Nick
Mar 5 Lec 11. Web V: Modern Web Frameworks, Disclosure w/ Nick
Mar 7 Lec 12. Operating Systems: Intro, Privileges w/ Nick
Mar 12 Lec 13. OS II: Scripting and Privilege Escalation w/ Nick
Mar 14 Lec 14. OS III: Isolation and Sandboxing w/ Nick
Mar 19 Lec 15. OS IV: Supply chain and boot security w/ Nick
Mar 21 Lec 16. No lecture (replaced with office hours) w/ Nick
    Textbook chapter: 6.1
Mar 26 No class (Spring break)
Mar 28 No class (Spring break)
Apr 2 Lec 17. Storage Encryption, Cloud platform security w/ Bernardo & Nick
    Lecture notes
    Cloud platform security notes
    Textbook chapters: 7.1.2, 8.2.4
Apr 4 Lec 18. Networks I: Intro w/ Bernardo
Apr 9 Lec 19. Networks II: Low-level attacks w/ Bernardo
Apr 11 Lec 20. Networks III: Routing, DNS, Transport layer w/ Bernardo
Apr 16 Lec 21. Networks IV: TLS and Certificates w/ Bernardo & Nick
Apr 18 Lec 22. Networks V: Tor and Anonymization networks w/ Bernardo
    Lecture notes
    Preview: notes on Tor
    In-class demo: Scanning, Tor
Apr 23 Lec 23. Forensics w/ TBA
Apr 25 Lec 24. Physical Security and Lockpicking w/ Bernardo
    Lecture notes
    In-class demo: Lockpicking, USB Rubber Ducky
For information about office hours formats and policies, see here.

All emails below have a @cs.brown.edu suffix, though please do not write to individual course staff unless they have asked you to do so. For sensitive matters, please contact the instructors at cs1660-profs@lists.brown.edu.
Requests for extensions should be directed to the instructors; HTAs or UTAs cannot grant extensions.
Bernardo Palazzi
bernardo@cs - Instructor - he/him
If you look hard enough around the spaceship, you might just find a clue...
Nick DeMarinis
ndemarin@cs - Instructor - he/him
Hello! I’m a lecturer in CS, and not so long ago I was a TA and PhD student at Brown. When I’m not teaching, I like to think about how to make systems and networks more secure. Outside of work, I enjoy climbing, baking, and board games.
Rhea
rgoyal6@cs - HTA - she/her
Hi! I'm a senior studying CS, and I like baking, basketball, and video games.
Siming Feng
sfeng22@cs - HTA - he/him
I'm into gaming, photography, and cooking :P
Chen Wei
cwei24@cs - UTA - she/her
Hey! I'm a second-year master's student from Nanjing, China, studying CS. Outside of class, I love rock climbing, debating, trying different foods, and taking random city walks~ There's a chance we might meet on the street or in the rock climbing gym :).
Min Kang
mkang30@cs - UTA - he/him
Hi, I am a senior studying CS. Outside of class, I love spending time watching NBA or EPL. I am a huge Chelsea fan, so let me know if you are one of the Blues.
Oren
okohavi@cs - UTA - he/him
Hi, I'm Oren! I'm a senior from California focusing on systems & security. I'm usually playing board games, watching shows, or stealing cookies 😈
Rosalie Li
cli248@cs - UTA - she/her
Hi, I study CS in the systems track. I am a lover of movies, ice cream, and snowboarding. Excited to meet you all!
Sedong Hwang
shwang31@cs - UTA - he/him
Hello! Let's accomplish some cool things in this life.
Yuntian Yang
yyang324@cs - UTA - he/him
Hello! I'm a second-year master's student in Computer Science, diving into systems. Outside of coding, I like video games and outdoor adventures. Lately, I've been capturing these moments with my camera and drone.

Resources

Course Documents

All students are responsible for the contents of the following documents and registering for the following external services used in the course:

  • Syllabus and Collaboration Policy: All students are required to read the Syllabus and Collaboration Policy. By working on any assignment in this course, you agree to the contents of both documents.

  • Textbook: The textbook for the course is Introduction to Computer Security by Michael T. Goodrich and Roberto Tamassia, 1st Edition. The lecture schedule includes supplementary readings from the textbook, which is available in the Brown University Library. Students are not required to purchase this textbook to participate in the course.

  • Gradescope: We use Gradescope for collecting certain assignments and grade distribution. We add students to our Gradescope page manually based on course registration—if you’re trying to hand in but aren’t able to access the page, please email the HTA list.

  • Edstem: Join our Edstem board to ask questions about course content (see the Collaboration Policy for question guidelines). The course staff will also post announcements and assignment clarifications to this board. All Edstem questions must be posted privately by default, though the course staff will make posts public when necessary.

Forms

Extension Requests: If there are extenuating circumstances preventing you from completing an assignment on time (e.g., illness), you may use this form to request an extension (without using late days), most preferably before the assignment is due.

Anonymous Feedback: If you have feedback that you’d wish to share anonymously, you can use this form. Emails are tracked on this form, but these email addresses cannot be viewed by the course staff (including the professor) and are only viewable by Thomas Doeppner (Director of Undergraduate Studies).

Technical resources

Resources for Go

Some of the projects have stencils provided in Go, which is a systems programming language that students report is relatively easy to pick up in a class setting. Learning Go is not required for this class, but, if you’re interested, this may be a good opportunity to pick it up! Here are our favorite resources about Go:

  • A Tour of Go is an interactive, concise introduction to the Go programming language. We highly recommend it for new (and inexperienced) learners of Go; it provides an overview of all of its major language features, including the unique concurrency model.

  • Go By Example is a hands-on introduction to Go with annotated example programs, with nice snippets of idiomatic Go code implementing various different programming constructs, from file I/O to channel synchronization.

  • The Go blog provides more in-depth articles on specific features within Go. We recommend it if you want to learn certain aspects of Go more in-depth; for example, we found the blogs on slices, errors, and project organization quite helpful.

  • This repository provides some examples of a “standard” package layout (note that many people, including the Go tech lead, object to this structure; we provide it here simply for inspiration). Another package layout resource is this blog post.

Department Resources

Diversity and Inclusion: In addition to the following resources, you can email the Student Advocates for Diversity & Inclusion at diversity.advocates@lists.cs.brown.edu:

Health and Wellness: In addition to the following resources, you can email the Student Advocates for Health & Wellness at wellness.advocates@lists.cs.brown.edu:

Student Groups: The department sponsors or is affiliated with several student groups:

  • CS for Social Change: Focuses on the intersection of computer science and social impact.
  • CS DUG (Department Undergraduate Group): Seeks to increase undergraduate participation in the department and continue the Brown legacy of involved undergraduates.
  • Mosaic+: Student-led diversity initiative to create an inclusive space for racially and ethnically underrepresented minority (URM) students.
  • oStem@Brown: Student group that aims to empower LGBTQ people studying or working in STEM fields to succeed personally, academically, and professionally.
  • WiCS (Women in Computer Science): Student group that aims to support and increase the participation of women in the field of Computer Science.
  • Full Stack @ Brown: A Brown University club committed to promoting the education of full stack software engineering by working on applications for the Brown community and beyond.

University Resources

Writing Center: The Writing Center offers free consultations for students who would like to improve the quality of their writing; this is relevant in CS1660 since the written components of the course involve communicating complex technical ideas clearly, concisely, and precisely. Appointments can be scheduled on the Writing Center website or by emailing writing_center@brown.edu.

CAPS (Counseling and Psychological Services): If you feel yourself falling behind, needing to talk to someone about personal problems, or, in general, want a supportive ear, you may find CAPS helpful—they provide a range of mental health services to the Brown community. The office can be reached at 401-863-3476 or counseling@health.brown.edu.

SAS (Student Accessibility Services): Brown University is committed to full inclusion of all students. Students who, by nature of a documented disability, require academic accommodations should contact the professor. The staff of the SAS office can be reached at 401-863-9588 or seas@brown.edu to discuss the process for requesting accommodations.

Ombudsperson Office: The Ombuds Office provides a safe, informal, and confidential service independent from the University administration for students involved in a University-related problem (academic or administrative), acting as a neutral complaint resolver and not as an advocate for any of the parties involved in a dispute. The Ombudsperson can provide information on policies and procedures affecting students, facilitate students’ contact with services able to assist in resolving the problem, and help students navigate conflicts concerning improper application of University policies or procedures. All matters referred to this office are held in strict confidence (with the exception of cases where there appears to be imminent threat of serious harm).

Student Support Services: Student Support Services assists students with a wide range of issues and concerns that might arise during their time at Brown. The Student Support Services Deans provide 24-hour crisis services for undergraduate, graduate, and medical students with personal or family emergencies, and are available by appointment to consult with individual students about their personal questions/concerns, thus allowing students to succeed and thrive in their academic pursuits.

Administrator on Call: The Student Support Services office manages Brown’s Administrator On Call (AOC) system which provides a mechanism for Brown students to seek assistance in emergency situations after business hours. An AOC is able to respond to students, connect them with resources and referrals, consult with colleagues as needed, and gather information for additional follow-up during business hours. To reach the AOC, call 401-863-3322 and ask to speak to the Administrator-On-Call.

FAQs

What’s the difference between 1660 and {1510, 1650, 1800, 2390}?

Each of these courses covers relatively disjoint material, and you’ll learn completely different things in all of them. (If you haven’t taken any of them—great! CS1660 is a great introduction to the field, and you’ll learn a lot through this course. If you have taken a subset of these courses—also great! A lot of CS1660’s material will still be new to you, and all of these courses are useful in terms of honing your security mindset for the long-term.)

  • 1510 focuses on cryptography from a theoretical and more formal perspective by building on the concepts learned in 1010 and involves proving that cryptosystems are secure under defined, precise notions of security.
    • In comparison, 1660 looks at a small slice of applied cryptography, and we generally assume the cryptographic tools that we’re using are “secure”. We instead focus on the practical applications of conventional cryptography as it applies to computer systems.
  • 1650 is a deep-dive into software security, which focuses on low-level memory vulnerabilities (i.e. on the stack), and coursework primarily focuses on developing attacks.
    • In comparison, 1660 looks at higher-level abstractions (cryptography, browser and web applications, networks, etc.) and principles of systems security. Our coursework also focuses on a mix of discovering attacks and designing defenses. (We don’t really look at software security / stack-based code execution vulnerabilities at all.)
  • 1800 looks at cybersecurity from a more historical and policy-driven perspective.
    • In comparison, 1660 motivates much of its content with historical examples (but is primarily about technical details).
  • 2390 is about privacy engineering—making sure that the data is either not collected in the first place or, if collected, not misused.
    • In comparison, 1660 focuses on the whole of the “CIA” mnemonic of “confidentiality”, “integrity”, and “availability”; some of the techniques used in privacy engineering overlap with 1660 content, but our usage and analysis of those techniques differs.

Can I use this course as a ugrad capstone?

If you’re a 7th semester (or greater) undergraduate, then you can use CS1660 as a capstone by completing the lab. To do this, you must register for CS1620 or CS2660, and you need to email the HTA list to indicate that you want to use this course for your capstone requirement.

Can I use this course for 2000-level credit?

If you’re a graduate student, or an ScB student who has applied for the concurrent master’s program in CS, you can obtain 2000-level credit by completing the lab. To do this, you must register for CS2660: CS1620 does not count for 2000-level credit.

One caveat: note that if you are taking CS2660, you must complete both the lab and main portion of the course in order to receive a grade–after the add/drop period ends, it is not possible for a CS2660 student to drop the lab portion and still get credit for CS1660.

Do I have to attend lectures synchronously?

See Lectures. If you have a time conflict with the lectures, you may enroll by registering for the remote section (S02). If you need to do this, please indicate it on your registration form.

Can I audit the course?

Students wishing to officially audit the course (i.e., to receive a grade of “Audit” on their transcript) must achieve an overall passing grade, which usually requires completing a minimum version of all projects.

Due to the time required to complete the projects (see the syllabus for a breakdown), students rarely choose to audit the course officially. If you simply want to follow along with the material, any student at Brown may do so without officially registering: all lecture materials, notes, and recordings are always available to any student with a Brown University account, even after the course ends.

If you are considering auditing, or if you have trouble accessing any course resources, please contact the instructors.