| Date | Topic | Readings | Discussion Lead | Scribe |
|---|---|---|---|---|
| 1/20 | Intro | Optional: How to read a paper | | Nidhi |
| 1/25 | Mobile security | TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones and PiOS: Detecting Privacy Leaks in iOS Applications. Questions | Karen reads AppsPlayground: Automatic Security Analysis of Smartphone Applications | Emma |
| 1/27 | Mobile security | Android Permissions: User Attention, Comprehension, and Behavior and How to ask for permission. Questions | Lead (any volunteers?) reads Securing Embedded User Interfaces: Android and Beyond and Overhaul: Input-Driven Access Control for Better Privacy on Traditional Operating Systems | Eric |
| 2/1 | Network security | A look back at Security Problems in the TCP/IP Protocol Suite. Questions | Eric reads SANE: A Protection Architecture for Enterprise Networks | Karen |
| 2/3 | Memory safety (spatial) | Hacking Blind and Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors. Questions | Alex reads: Eternal war in memory and Return-Oriented Programming: Systems, Languages, and Applications. | Rachel |
| 2/8 | Memory safety | Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM and Cling: A memory allocator to mitigate dangling pointers. Questions | Mariel reads Control-Flow Bending: On the Effectiveness of Control-Flow Integrity | Alex |
| 2/10 | Fuzzing | AFL and Symbolic Execution for Software Testing: Three Decades Later. Questions | Federico reads QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing | Michael |
| 2/15 | Holiday | | | |
| 2/17 | Sandboxing | Ostia: A Delegating Architecture for Secure System Call Interposition and Evaluating SFI for a CISC Architecture. Questions | Rachel reads Principles and Implementation Techniques of Software-Based Fault Isolation (skip Chapter 4) | Itai |
| 2/22 | Privilege separation | The Security Architecture of the Chromium Browser. No questions. | Saharsh reads An Evaluation of the Google Chrome Extension Security Architecture and Some thoughts on security after ten years of qmail 1.0 | Stephan |
| 2/24 | Language-based security | Joe-E: A Security-Oriented Subset of Java. Questions | Arun reads Section 4 of The Problem with Threads | Federico |
| 3/1 | Web security | Privilege separation in HTML5 applications and Securing the Tangled Web (optional: see talk or slides here). Questions | Emma reads LangSec Revisited: Input Security Flaws of the Second Kind and Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers | Saharsh |
| 3/3 | Integrity | Providing Authentication and Integrity in Outsourced Databases using Merkle Hash Trees and Certificate Transparency. Questions | Mayank reads CONIKS: Bringing Key Transparency to End Users | Rikhav |
| 3/8 | Integrity | Secure Untrusted Data Repository (SUNDR). Questions | Michael reads Secure history preservation through timeline entanglement | Pranav |
| 3/10 | Bitcoin | Bitcoin: A Peer-to-Peer Electronic Cash System and How the Bitcoin protocol actually works. Questions | Neil reads Ethereum/TheDAO hack simplified and A survey of attacks on Ethereum smart contracts | Hanming |
| 3/15 | Anonymity | Tor: The Second-Generation Onion Router and Telex: Anticensorship in the Network Infrastructure. Questions | Yuqing reads Come as You Are: Helping Unmodified Clients Bypass Censorship with Server-side Evasion | Kelvin |
| 3/17 | Differential privacy | This series: 1, 2, 3, 4, 5, and Privacy Integrated Queries: An Extensible Platform for Privacy-Preserving Data Analysis. Questions | Sidhanth reads RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response | Abhishek |
| 3/22 | Holiday | | | |
| 3/24 | Holiday | | | |
| 3/29 | Cybercrime | Click Trajectories: End-to-End Analysis of the Spam Value Chain and Framing Dependencies Introduced by Underground Commoditization. Questions | Itai reads Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software | Orr |
| 3/31 | Adversarial ML | Towards Evaluating the Robustness of Neural Networks (skip Sections VI.B, VI.C, Section VIII) | Fred reads Synthesizing Robust Adversarial Examples | Arun |
| 4/5 | Side channels | BREACH: Reviving the CRIME attack (skip Section 2.4). Questions | Pranav reads Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow | Neil |
| 4/7 | Usable security | Improving SSL Warnings: Comprehension and Adherence and Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication. Questions | Orr reads SafeSlinger: Easy-to-Use and Secure Public-Key Exchange | James |
| 4/12 | Economics | So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users and Measuring Security Practices and How They Impact Security. Questions | Abhishek reads Why Information Security is Hard - An Economic Perspective | Sidhanth |
| 4/14 | Crypto protocols | Prudent Engineering Practice for Cryptographic Protocols. Questions | Stephan is lead | Mayank |
| 4/19 | Potpourri | No readings. | Rikhav (measurement), Zhihong (surveillance), Kelvin (Bitcoin) | Yuqing |
| 4/21 | No readings. | No readings. | Hanming (side channels), James (interactive proofs) | Zhihong, Fred |
| 4/26 | Presentations | No readings. | Mayank, Neil, Yuqing+Rachel+Kelvin, Arun+Sidhanth+Abhishek+Fred, James+Orr | |
| 4/28 | Presentations | No readings. | Rikhav, Pranav+Federico, Zhihong, Eric+Hanming+Alex, Saharsh+Karen, Emma+Michael+Stephan+Itai | |