CS261: Security in Computer Systems
Fall 2015

Lectures: Tuesday and Thursday, 12:30-2pm, 320 Soda
Office hours: Soda Hall #729, Tuesday 2:15-3:15pm (after class)

Contact: If you have any questions, email me at my address on my website, write on Piazza, or come talk to me during office hours.
Course overview:
Graduate survey of modern topics in computer security, including systems techniques, web security, systems based on cryptography, network security, anonymous communication, crypto currencies, trusted computing, mobile computing, privacy and others. (3 units)
Prerequisites: CS 162 or equivalent.
Sign up for this course's Piazza. Please don't hesitate to ask questions to the class and have discussions there. Moreover, you can use it to find course project teammates.

Category Date Topic + Readings Scribe notes
Intro + memory safety Thur, Aug 27

Course overview. Intro to systems security. Start on memory safety.

Notes from Grant

Tue, Sept 1

Memory safety. Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Pincus, Baker, and Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors, Akritidis, Costa, Castro, and Hand.

Notes from Katia

Basic techniques Thur, Sept 3

Privilege separation. The Security Architecture of the Chromium Browser, Barth, Jackson, and Reis.

Notes from Christine

Tue, Sept 8

Capabilities. Capsicum: practical capabilities for UNIX, Watson, Anderson, Laurie, Kennaway, and Confused deputy, Norm Hardy.

Notes from Riyaz

Thur, Sept 10

Sandboxing. Native Client: A Sandbox for Portable, Untrusted x86 Native Code, Yee et al.

Notes from Linda

Network security Tue, Sept 15

Security problems with TCP/IP. A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin.

Notes from Derek

Thur, Sept 17

Kerberos: An Authentication Service for Open Network Systems, Steiger, Neuman, Schiller.

Notes from Rishabh

Building systems with crypto
computing on encrypted data
Tue, Sept 22

Secure untrusted data repository (SUNDR), Li, Krohn, Mazieres, Shasha.

Notes from Michael

Thur, Sept 24

CryptDB: Protecting confidentiality with encrypted query processing, Popa, Redfield, Zeldovich, Balakrishnan.

Notes from Peihan

Tue, Sept 29

Computing on encrypted data. Read Computing arbitrary functions of encrypted data, Gentry and Techniques for computing on encrypted data in a practical system.

Notes from Pratyush

Thur, Oct 1

Merkle trees, Ralph Merkle, and Plutus: Scalable secure file sharing on untrusted storage, Kallahalla et al.

Notes from Tobias

Tue, Oct 6

Bitcoin: A Peer-to-Peer Electronic Cash System, Nakamoto, and How the Bitcoin protocol actually works, Nielsen
Project proposal and teammates due by email before midnight.

Notes from Jacob

Web security Thur, Oct 8

Introduction to web security. Read OWASP top 10 and The Tangled Web (2012), Chapters 9-13.

Notes by Rohan

Tue, Oct 13

Web security measures. Security in Django and CSRF.

Notes from Jingcheng

Thur, Oct 15

SSL+HTTPS. If you don't remember how SSL and HTTPS work, then read this chapter. Everyone should read ForceHTTPS (pay attention to the related work).

Notes from Chenggang

Tue, Oct 20

Building web applications on top of encrypted data using Mylar, Popa et al.
Presenters read:
Hails: Protecting Data Privacy in Untrusted Web Applications, Giffin et al. (Tobias, Rishabh)
ShadowCrypt, He et al. (Linda)

Notes from Qi

Anonymous communication Thur, Oct 22

Tor: The Second-Generation Onion Router, Dingledine, Mathewson, Syverson.
Presenters read:
Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services, Kwon et al. (Chenggang)
Performance and Security Improvements for Tor: A Survey, AlSabah and Goldberg (Rafael)

Notes from Ashkan

Privacy Tue, Oct 27

Secure messaging. SoK: Secure messaging, Unger et al.
Presenters read:
Riposte, Corrigan-Gibbs et al. (Pratyush, Derek)
Vuvuzela, Van Den Hooff et al. (Peihan)

Notes from Arjun and Rafael

Thur, Oct 29

Differential privacy. Differential Privacy, Dwork.
Presenters read:
Privacy Integrated Queries, McSherry. (Austin)
DJoin, Narayan and Haeberlen (Eleanor).

To come from Jordan

Trusted computing Tue, Nov 3

SGX. Innovative Instructions and Software Model for Isolated Execution, McKeen et al.
Presenters read:
VC3: Trustworthy Data Analytics in the Cloud Using SGX, Schuster et al. (Jordan, Jacob, Marten)
Observing and Preventing Leakage in MapReduce, Ohrimenko et al. (Yi Wu)

Notes from Marten

Thur, Nov 5

Haven, Baumann et al.
Presenters read:
TrInc, Levin et al. (Ben)
Bitlocker, Ferguson (Katia)

Notes from Nathan and Yi

Symbolic execution Tue, Nov 10

Symbolic Execution for Software Testing: Three Decades Later, Cadar et al.
Presenters read:
EXE, Cadar et al. (Rohan, Ashkan)

Notes from Andrew

Mobile security Thur, Nov 12

Understanding Android Security, Enck et al.
Presenters read:
Android Permissions: User Attention, Comprehension, and Behavior, Felt et al. (Nathan)
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, Enck et al. (Arjun)
PiOS: Detecting Privacy Leaks in iOS Applications, Egele et al. (Yang)

Notes from Ben and Eleanor

Side channels Tue, Nov 17

Everyone reads the remote timing attacks paper below by Brumley and Boneh.
Presenters read:
Remote timing attacks, Brumley and Boneh (Michael)
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al. (Riyaz)
Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow, Chen et al. (Andrew)

Notes from Austin

Security ethics and economics Thur, Nov 19

Everyone reads the underground economy paper by Thomas and Martin below.
Presenters read:
Ethics in Security Research: Which lines should not be crossed?, Schrittwieser (Christie).
The Underground Economy: Priceless, Thomas and Martin (Grant)
Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Kanich et al. (Jingcheng)

Notes from Yang

Project presentations Tue, Nov 24

Project presentations


Thur, Nov 26 No class, academic and administrative holiday
Tue, Dec 1

Project presentations.


Thur, Dec 3

Project presentations.


Thur, Dec 10

Final papers due today by midnight.

Related Courses

Security books


Building secure systems involves innovating in both systems and security. Therefore, the top conferences in this field are both systems and security conferences.

Systems conferences

Security conferences