CSE 509 – Computer System Security


Instructor: Long Lu
Location: JAVITS LECTR 109
Meeting Times: Mon Wed 4:00 p.m. – 5:20 p.m. (Fall 2014)
Prerequisites: Solid background in OS and low-level programming; Basic knowledge about security.
Office Hours: Mon Wed 5:20 p.m. – 6:00 p.m.
TA and Office Hours:


  • Course Description

    This is a newly designed course that aims to equip graduate students with in-depth knowledge on systems security, hands-on experience with offense and defense techniques, and insights into the latest advances in security research.

    Students should expect an average reading load of 2-3 papers (or equivalent) per week, bi-weekly assignments, three projects requiring a LARGE amount of system-level programming, and a final exam.

    Reading Materials and Text Books

    Pre-class readings consist of academic papers, book chapters, and articles, whose digital copies will be provided before class. After each lecture, a handout will be posted for reviewing content covered in class. These materials, as they become available, will be linked from the course schedule (SBU NetID login needed for access). Materials provided in this course should be used for educational purposes only and not be distributed without permissions. 

    The following text books are recommended, but NOT required:

    • [OSS] Operating System Security, ISBN: 9781598292121
    • [SH] The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, ISBN: 9780470080238

    Learning and Teaching

    For effective in-class learning, students must finish the required readings before coming to classes. This course is taught primarily using whiteboard with occasional uses of slides for demonstrations. Note-taking is strongly encouraged, so is active participation in discussions. In addition to the standard lecturing, this course contains several hands-on sessions, where students are given opportunities to present real-world case studies, demonstrate coding assignments, and conduct live experiments.

    For assigned readings, students are asked to write and submit short paper summaries before class. Please use this form to format and submit paper summaries.

    Lecture notes taken by students are available on this page.


    • Paper summaries, assignments, and presentations – 20%
    • Final exam – 20%
    • Projects – 60%

    Honor Code

    Students are required to follow the university honor code and guidelines on academic conduct at all times. Failing to do so will result in instant reports to the university.

  • Schedule (tentative)

    Students must check this schedule regularly as new materials are frequently added without separate announcements. 

    Date Topic Content
    (readings & handouts)
    8/25 Course Intro & Quiz
    8/27 Access Control Access control fundamentals; Role-based access control Project 1 is posted, due in 12 days.
    9/1 NO CLASS Happy Labor Day!
    9/3 Secure system Principles The Protection of Information in Computer SystemsComputer Security in the Real World
    Memory Corruption and Exploitation
    9/8 Stack & heap overflow Smashing The Stack For Fun And ProfitHeap Overflows; Heap spray Project 1 due; Last day to withdraw w/o “w”
    9/10 Remote code injection attacks in the wild Presentations and demos by students, signup here.
    9/15 Return Oriented Programming ROP Late registration ends
    9/17 Exploiting data corruption and leaks Non-control data attacks; Use-after-free;
    Language, Compiler, and Runtime Enforcement
    9/22 Memory protection overview Eternal War in Memory Guest lecture by Laszlo Szekeres
    9/24 Java security Beyond sandbox; Overview (Ch2, 3, and 8)
    9/29 Type-safe C Cyclone; CCured (optional) Project 2 release
    10/1 Information flow Language-based information flow security
    10/6 Project 1 demo/presentation Presentations and demos by students, signup here.
    10/8 Sandbox native code Native Client
    10/13 Inline reference monitor IRM for Java Stack
    10/15 Proving untrusted code Proof-Carrying Code
    10/20 Control flow Control-Flow Integrity
    OS- and Virtualization-based Security 
    10/22 OS-level mitigations  DEP, ASLR, etc.
    10/27 A historial view
    10/29 Rootkits for good and bad  Inside Windows Rootkits
    11/3 Virtual machine introspection  Introspections on the Semantic Gap: magazine article, SoK paper (choose one to read) Guest lecture by Bhushan Jain
    11/5 OS Security Guest lecture by Prof. Mike Ferdman
    Wild Web and Mobile
    11/26 NO CALSS  Happy Thanksgiving!
    12/9 Final Exam 8:30-11:00 PM, same room, covering all materials.