ECE 458: Computer Security
Kami Vaniea
Sources and References
Equivalent UW courses: CS 458/658 (Computer Security and Privacy, single cross-listed course), CO 487 (Applied Cryptography).
Primary textbook: Pfleeger, C., S. Pfleeger, and L. Coles-Kemp. Security in Computing. 6th ed. Addison-Wesley, 2024.
Supplementary references: Stallings, W. and L. Brown, Computer Security: Principles and Practice, 4th ed. (Pearson, 2017); Smith, S. and J. Marchesini, The Craft of System Security; Shostack, A., Threats: What Every Engineer Should Learn from Star Wars (Wiley, 2023); Schneier on Security blog.
Equivalent UW Courses
The most direct mapping is to CS 458/658, which is a single cross-listed undergrad/grad course in Computer Security and Privacy — same lectures, same instructor, same exams, just two numbers for different program requirements. Both ECE 458 and CS 458/658 cover the same breadth: access control, cryptography basics, software and memory security, network security, web security, and privacy. CO 487, Applied Cryptography, is the closest Math-faculty analogue on the crypto side, but it is a deep single-topic course on the mathematical and protocol foundations of symmetric and public-key cryptography and does not cover systems-level threats. An ECE 458 graduate has seen a broad systems-security survey plus a shallow slice of what CO 487 covers in depth.
What This Course Adds Beyond the Equivalents
ECE 458 in its recent offerings explicitly leans on usable security and privacy and the human factors of how people interact with security tools — a theme Kami Vaniea’s research brings into the course. It also uses STRIDE as the structured threat-modelling vocabulary and has a student-chosen applications module covering topics like IoT, blockchain, RFID, GDPR, differential privacy, or AI security.
Relative to CO 487 it omits most of the mathematical depth: no proofs of security, no number-theoretic construction of RSA / DSA / ECC, no rigorous treatment of block cipher and hash constructions. Relative to a pure crypto course, cryptography is treated as a black-box tool. Relative to CS 458/658 the breadth is similar, but the usability and human-factors framing is heavier in the ECE offering.
Topic Summary
Basics of security
Confidentiality, integrity, and availability as the foundational properties. Definition of privacy as distinct from confidentiality. Trust and threat models, STRIDE as a structured decomposition of “security” into spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. HTTPS is used as a running example of how multiple security properties compose in one protocol. Pfleeger chapter 1.
Authentication and access control
Access-control primitives (DAC, MAC, RBAC, capabilities vs ACLs). Password-based authentication, its failure modes, and how salted hashing mitigates them. Multi-factor and passwordless authentication. Kerberos as a ticket-based single-sign-on protocol and OAuth as the modern delegated-authorization analogue. Introduction to phishing as a social-engineering attack. Pfleeger chapter 2.1-2.2.
Cryptography basics
Pseudorandom number generation, symmetric versus asymmetric cryptography, and public-key primitives for encryption and digital signatures. Presented as black-box tools with correct usage rules rather than mathematical constructions. Pfleeger chapter 2.3. Students wanting the mathematical derivations of RSA / ECDSA / AES go to CO 487.
Programming security
Common programming flaws that lead to vulnerabilities: buffer overflows, format-string bugs, integer issues, injection attacks, and time-of-check-to-time-of-use races. Malicious code and malware taxonomies. Trusted platform modules and hardware roots of trust. Memory-safety defenses including stack canaries, ASLR, DEP / NX. Pfleeger chapter 3.
Network and wireless security
Threat model of a network attacker. Security protocols (TLS / SSL) in operational detail and known attacks on TLS (downgrade, BEAST, POODLE, Heartbleed-class bugs). Firewalls and VPNs as perimeter-defense mechanisms. Wireless-specific attacks. Pfleeger chapter 6.
Web security
HTTPS and how sessions and cookies interact with authentication. Privacy attacks on browsing traffic. Classical client-side and server-side web attacks — cross-site scripting, CSRF, SQL injection, clickjacking. Email security (SPF, DKIM, DMARC) and privacy on the Internet at large. Pfleeger chapter 4.
Applications
Closing module whose topic is chosen based on student interest. Possibilities include Internet of Things security, blockchain security assumptions, RFID and contactless systems, GDPR and regulatory privacy, differential privacy, and machine-learning / AI security.