CSCI 780 – IoT Security


The course will cover topics related to IoT security and safety, with a focus on smart buildings (homes, offices, and campus deployments). In the process, students will also get acquainted with the relevant aspects of network security, authentication, security protocol design and analysis, security modeling, key management, program safety, intrusion detection, DDoS detection and mitigation, and operating systems security. A detailed list of lecture by lecture contents, assignments, and due dates (subject to change as semester evolves) is available on the course schedule.

Please contact Prof. Nadkarni for any questions regarding the content of the course. We will be using Piazza for class discussions. Please sign up.

Course Prerequisites

There are no formal prerequisites for this class.

Informal: You need to have a basic understanding of (1) IP networks, (2) modern operating systems (e.g., Windows, Linux), (3) discrete mathematics, (4) basics of systems theory and implementation (e.g., file systems, distributed systems, networking, operating systems, etc.). If you have questions regarding these prerequisites, please contact the instructor.

Student Learning Outcomes

By the end of this course, students will be able to:

  • Understand and evaluate security research
  • Execute research ideas in security, at least at the preliminary level
  • Explain the fundamental challenges in IoT security, reason about state-of-the-art proposals to address them, and their tradeoffs
  • Develop a fundamental understanding of core concepts in cryptography and security as they apply to commodity computing, e.g., in the domains of mobile security and IoT.

Course Structure and Grading

The course will involve paper presentations, class discussions, and a semester-long course project. The outcome of the project will be a conference-style research paper, i.e., students will select, define, plan, conduct, and communicate their original security research project, and in the process develop or refine their research skills.

  • 45% Course Research Project
  • 10% “Bug Bounty” on readings
  • 20% Paper Presentation
  • 10% Paper Reviews
  • 15% Class Participation and Discussion

There will be no final exam.

The final letter grade will be based on the final percentage as follows:

A >= 95% > A- >= 90% > B+ >= 85% > B >= 80% > B- >= 75% > C+ >= 70% > C >= 65% > C- >= 60% > D+ >= 55% > D >= 50% > D- >= 45% > F

The grades may be interpreted according to W&M’s grading policies.

Course Project (45 points): The course project requires that students execute research in systems or software security, with a focus on IoT. The result of the project will be a conference-style paper. Project topics will be discussed in class after the introductory material is completed. Be realistic about what can be accomplished in a single semester. However, the work should reflect real thought and effort - projects executed in the closing days of the semester are unlikely to be well received. The grade will be based on the following factors: novelty, depth, correctness, clarity of presentation, and effort. See the Project for more details.

Reading Bug Bounty (10 points): The assigned readings are futile unless done in depth. As reading 20+ papers in depth in the span of a semester is burdensome, this class pursues an alternative: read fewer papers, provided you read them in depth and think critically about them.

To this end, each student owes the instructor 2 non-trivial bugs/mistakes/impractical assumptions made in the peer-reviewed security papers assigned as readings, each worth 5 points on the class grade, by the last day of class. There are three conditions for a bug to be valid: (1) you must be the first in class to report it (hence, report privately to the instructor, ideally via email), (2) it must be non-trivial, e.g., an unsatisfiable assumption or logical error that impacts the claims made in the paper (i.e., minor spelling/grammar errors, or minor calculation errors that do not affect the claims made in the paper, do not count), and (3) you must be able to reason about it, i.e., explain why it is a bug. The instructor reserves the right to adjudicate the validity of a reported bug.

Paper Presentations (20 points): Students will present a select set of recent conference papers on IoT security and safety. Each presentation must be at most 30 mins, and must end with 3 insightful questions to kick-start the class discussion. These presentations will be graded for content, clarity, and the 3 questions.

Paper Reviews (10 points): Students will write conference-style paper reviews for each paper presented in class. Reviews will be submitted at the beginning of the class, and will ensure that students (1) can evaluate research in IoT security, and that they (2) know enough to participate in class discussions.

Rules for reviews:

  1. The student presenting the paper does not have to write a review
  2. The review must contain the following (the instructor will provide a review template): i) a list of strengths, ii) a list of weaknesses, and iii) a detailed justification for each strength and weakness, i.e., why the reviewer considers a particular aspect of the paper to be a weakness in the context of the claims the paper is making.
  3. If two reviews are assigned in a week, you only have to do one of the two.

Class Participation and Discussion (15 points): This is a discussion-based class, as opposed to one relying on lectures. Each class will begin with a 20-30 minute presentation, whether by the instructor or students, followed by 50-60 minutes of discussion. To do well in this course, students must take active and regular roles in discussion and demonstrate comprehension of the reading and lecture themes. This will be closely monitored by the instructor, thereby making a student’s ability to demonstrate their comprehension of papers essential to receiving a passing grade. A really insightful, lively discussion is likely to motivate the instructor to take the class out for coffee right after.

Textbooks and Reading Material

This is a research-based class, and has no formal textbook. The course readings will come from online book chapters, seminal papers, and other informative sources.

Here are some useful online books that provide additional information:

  1. Ross Anderson. Security Engineering, 2nd Edition. Wiley. April 2008.
  2. Jaeger, T., Operating System Security. Morgan & Claypool, 2008.
  3. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press. October 1996.

Assignment Lateness Policy

Project deadlines will be hard. Late assignments will be accepted within 24 hours with a 25% reduction in grade. Milestones submitted after 24 hours will have a 100% penalty. Students with legitimate reasons who contact the professor before the deadline may apply for an extension.

Attendance Policy

The instructor will not take any formal attendance for class meetings. However, as stated above, a portion of the grade is based on class participation. Additionally, exam material includes anything in the readings, slides, and topics discussed in class. Students missing class should consult classmates on missed material.

The university policy on excused absences will be observed (see this). The students are responsible for discussing makeup exams if they miss exams due to excused absence. The instructor will choose a mutually agreed date and time for the makeup exam. Late submission of homework assignments due to excused absences is not subject to the policies on late assignments.

This semester, the world will enter its third year with COVID. As an academic community based on faculty and students convening, Spring 2022 courses will largely consist of in-person instruction. All of us will follow W&M requirements: vaccinations and boosters, indoor masking, as well as quarantine and isolation when ill. That last is really important: for those who have tested positive, W&M’s requirements must be fulfilled before class can be attended in person, and, out of an abundance of caution, anyone with symptoms consistent with COVID (even if they don’t have a positive test) should not come to class.

The instructor will treat COVID-related absences as excused absences, and follow the attendance policy outlined previously. The instructor will also release slides, and hold additional office hours if required, to assist students facing COVID-related absences.

Please note that testing positive for COVID or any other temporary illness is not considered a disability as defined by ADA guidelines and is not under the purview of W&M’s Student Accessibility Services (SAS). Thus, any questions should be addressed via email to the instructor.

Academic Integrity Policy

The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the W&M Student Code from the following URL:

The instructor expects honesty in the completion of tests and assignments. The instructor has a zero-tolerance policy for violations of academic integrity. The instructor carefully monitors for instances of offenses such as plagiarism and illegal collaboration, so it is very important that students use their best possible judgement in meeting this policy. The instructor will not entertain any discussion on the discovery of an offense, and will assign the ‘F’ grade and refer the student to the appropriate University bodies for possible further action. It is the understanding and expectation of the instructor that the student’s signature on any test or assignment means that the student neither gave nor received unauthorized aid.

Note that students are explicitly forbidden to copy anything off the Internet (e.g., source code, text) for the purposes of completing an assignment or the final project. Also, students are forbidden from discussing or collaborating on any assignment except where explicitly allowed in writing by the instructor.

Ethics Statement

This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measures for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class.

When in doubt, please contact the course professor for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from the instructor.

Statement on transportation

Students have to provide their own transportation for any and all class related trips.

Statement on safety and risk assumption

This course does not require activities that pose physical risk to students.
