331 - Network and Web Security - 2017

Table of Contents


  • This is the web page for the course offered in Spring term 2017.
    • Please fill in the SOLE questionnaire for this module!
  • The next opportunity to take this course is in Spring term 2018.



  • Office hours: Thursday 5pm, Hux 441.
  • Please post your questions on our Piazza page!
    • Other students may benefit from your questions, or may know the answer.
    • We will do our best to answer any remaining questions quickly.
  • BYOD
    • We will have some in-class demos. You are welcome to bring your laptop if you want to be hands-on.
    • We may use mentimeter, so bring an internet-enabled device if you want to participate.
  • Slides for each lecture will be available on CATE.
  • Suggested reading will be pointed out during the lectures and then posted on this page.
  • Reminder: this course is not being recorded on Panopto.
  • Timetable:
    • Tue 11am-12pm Hux 311 (lecture)
    • Tue 12pm-1pm Hux 219 (lab)
    • Thu 2pm-4pm Hux 311 (lecture)


  • Assessed coursework
    • The exercise was made available on the 23/2 at 6pm.
    • The (electronic) submission deadline was on the 5/3 at 23:59pm.
    • Marks and personalised feedback were provided on the 7/3.
    • Exam
      • Thursday the 23rd of March at 10am in Hux 219.
      • Answer 3 questions out of 4 in 3 hours.
      • The exam is computer-based
        • Each exam question will be roughly half written, half practical.
        • You will submit the written answers electronically via a web app.
        • You will perform practical tasks such as code review, pentesting, etc on VMs that you will find already installed on the lab desktop.




./sergio.jpg Sergio Maffeis (Course Leader). Sergio is a Lecturer in Computer Security in the Department of Computing, Imperial College London. He received his Ph.D. from Imperial and his MSc from University of Pisa, Italy. Maffeis' research interests include security, formal methods, and programming languages. His recent work focuses on the application of formal methods for web security. You can find out more from his home page.

./chris.jpg Chris Novakovic (Course Support Leader). Chris is a Research Associate in the Department of Computing at Imperial College London. His research interests include quantitative information flow control, web security, and programming language security. Chris obtained his PhD from the University of Birmingham in 2014. You can find out more from his home page.

./abdulrahman.jpg Abdulrahman Alsaleh (Tutorial Helper). Abdulrahman is a PhD student at Imperial working on web security.

./thomas.jpg Thomas Wood (Tutorial Helper). Thomas is a PhD student at Imperial working on JavaScript and Testing.

Guest Lecturers

./marco.jpg Marco Cova (Guest lecturer). Marco is a senior security researcher and a member of the founding team of Lastline, a company providing anti-malware solutions. Before defecting to industry, he was a Lecturer in Computer Security with the School of Computer Science, University of Birmingham. He has received his PhD from the University of California, Santa Barbara.

./charlie.jpg Charlie Hothersall-Thomas (Guest Lecturer). Charlie graduated in 2014 with a BEng in Computing from Imperial College London, and currently works for Netcraft in Bath. His technical expertise includes web security, TLS and PKI, Linux system administration, Bitcoin, and Tor. He started BrowserAudit as his final year project at Imperial.

./antoine.jpg Antoine Delignat-Lavaud (Guest lecturer). Antoine is a researcher in the Constructive Security Group at Microsoft Research Cambridge. He completed his PhD on the formal verification of Web protocols and their implementations at Inria in Paris. He has authored several papers on the security of TLS, its implementations, and applications, focusing on HTTPS and Web security against active adversaries, and discovered many significant attacks in the process. This line of research has matured into the Everest project at Microsoft Research, which aims to implement a formally verified (both for runtime safety and cryptographic security) HTTPS stack built on the new 1.3 revision of TLS and that can be deployed on production systems such as browsers and webservers with low performance overhead.