| Intro + memory safety |
Thur, Aug 27 |
Course overview. Intro to systems security. Start on memory safety.
|
Notes from Grant
|
| Tue, Sept 1 |
Memory safety. Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Pincus, Baker, and Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors, Akritidis, Costa, Castro, and Hand.
|
Notes from Katia
|
| Basic techniques |
Thur, Sept 3 |
Privilege separation. The Security Architecture of the Chromium Browser, Barth, Jackson, and Reis.
|
Notes from Christine
|
| Tue, Sept 8 |
Capabilities. Capsicum: practical capabilities for UNIX, Watson, Anderson, Laurie, Kennaway, and
Confused deputy, Norm Hardy.
|
Notes from Riyaz
|
| Thur, Sept 10 |
Sandboxing. Native Client: A Sandbox for Portable, Untrusted x86 Native Code, Yee et al.
|
Notes from Linda
|
| Network security |
Tue, Sept 15 |
Security problems with TCP/IP. A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin.
|
Notes from Derek
|
| Thur, Sept 17 |
Kerberos:
An Authentication Service for Open Network Systems, Steiger, Neuman, Schiller.
|
Notes from Rishabh
|
Building systems with crypto
&
computing on encrypted data |
Tue, Sept 22 |
Secure untrusted data repository (SUNDR), Li, Krohn, Mazieres, Shasha.
|
Notes from Michael
|
| Thur, Sept 24 |
CryptDB: Protecting confidentiality with encrypted query processing, Popa, Redfield, Zeldovich, Balakrishnan.
|
Notes from Peihan
|
| Tue, Sept 29 |
Computing on encrypted data. Read Computing arbitrary functions of encrypted data, Gentry and Techniques for computing on encrypted data in a practical system.
|
Notes from Pratyush
|
| Thur, Oct 1 |
Merkle trees, Ralph Merkle, and
Plutus: Scalable secure file sharing on untrusted storage, Kallahalla et al.
|
Notes from Tobias
|
| Tue, Oct 6 |
Bitcoin: A Peer-to-Peer Electronic Cash System, Nakamoto, and How the Bitcoin protocol actually works, Nielsen
Project proposal and teammates due by email before midnight.
|
Notes from Jacob
|
| Web security |
Thur, Oct 8 |
Introduction to web security.
Read OWASP top 10 and
The Tangled Web (2012), Chapters 9-13.
|
Notes by Rohan
|
| Tue, Oct 13 |
Web security measures. Security in Django and CSRF.
|
Notes from Jingcheng
|
| Thur, Oct 15 |
SSL+HTTPS. If you don't remember how SSL and HTTPS work, then read this chapter. Everyone should read ForceHTTPS (pay attention to the related work).
|
Notes from Chenggang
|
| Tue, Oct 20 |
Building web applications on top of encrypted data using Mylar, Popa et al.
Presenters read:
Hails: Protecting Data Privacy in Untrusted Web Applications, Giffin et al. (Tobias, Rishabh)
ShadowCrypt, He et al. (Linda)
|
Notes from Qi
|
| Anonymous communication |
Thur, Oct 22 |
Tor: The Second-Generation Onion Router, Dingledine, Mathewson, Syverson.
Presenters read:
Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services, Kwon et al. (Chenggang)
Performance and Security Improvements for Tor: A Survey, AlSabah and Goldberg (Rafael)
|
Notes from Ashkan
|
| Privacy |
Tue, Oct 27 |
Secure messaging. SoK: Secure messaging, Unger et al.
Presenters read:
Riposte, Corrigan-Gibbs et al. (Pratyush, Derek)
Vuvuzela, Van Den Hooff et al. (Peihan)
|
Notes from Arjun and Rafael
|
| Thur, Oct 29 |
Differential privacy. Differential Privacy, Dwork.
Presenters read:
Privacy Integrated Queries, McSherry. (Austin)
DJoin, Narayan and Haeberlen (Eleanor).
|
To come from Jordan
|
| Trusted computing |
Tue, Nov 3 |
SGX. Innovative Instructions and Software Model for Isolated Execution, McKeen et al.
Presenters read:
VC3: Trustworthy Data Analytics in the Cloud Using SGX, Schuster et al. (Jordan, Jacob, Marten)
Observing and Preventing Leakage in MapReduce, Ohrimenko et al. (Yi Wu)
|
Notes from Marten
|
| Thur, Nov 5 |
Haven, Baumann et al.
Presenters read:
TrInc, Levin et al. (Ben)
Bitlocker, Ferguson (Katia)
|
Notes from Nathan and Yi
|
| Symbolic execution |
Tue, Nov 10 |
Symbolic Execution for Software Testing: Three Decades Later, Cadar et al.
Presenters read:
EXE, Cadar et al. (Rohan, Ashkan)
|
Notes from Andrew
|
| Mobile security |
Thur, Nov 12 |
Understanding Android Security, Enck et al.
Presenters read:
Android Permissions: User Attention, Comprehension, and Behavior, Felt et al. (Nathan)
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, Enck et al. (Arjun)
PiOS: Detecting Privacy Leaks in iOS Applications, Egele et al. (Yang)
|
Notes from Ben and Eleanor
|
| Side channels |
Tue, Nov 17 |
Everyone reads the remote timing attacks paper below by Brumley and Boneh.
Presenters read:
Remote timing attacks, Brumley and Boneh (Michael)
Hey, You, Get Off of My Cloud:
Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al. (Riyaz)
Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow, Chen et al. (Andrew)
|
Notes from Austin
|
| Security ethics and economics |
Thur, Nov 19 |
Everyone reads the underground economy paper by Thomas and Martin below.
Presenters read:
Ethics in Security Research: Which lines should not be crossed?, Schrittwieser (Christie).
The Underground Economy: Priceless, Thomas and Martin (Grant)
Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Kanich et al. (Jingcheng)
|
Notes from Yang
|
| Project presentations |
Tue, Nov 24 |
Project presentations
|
-
|
| Thur, Nov 26 |
No class, academic and administrative holiday |
| Tue, Dec 1 |
Project presentations.
|
-
|
| Thur, Dec 3 |
Project presentations.
|
-
|
|
Thur, Dec 10
|
Final papers due today by midnight.
|
