CS 261: Systems Security

Lectures: Tuesday and Thursday, 12:30-2pm, 320 Soda

Staff:

Instructor: Raluca Ada Popa
Special guests: Alice, Bob and the adversary

Office hours: Soda Hall #729, Tuesday 2:15-3:15pm (after class)

Contact: If you have any questions, email me at my address on my website, write on Piazza, or come talk to me during office hours.

Course overview:

Graduate survey of modern topics in computer security, including systems techniques, web security, systems based on cryptography, network security, anonymous communication, crypto currencies, trusted computing, mobile computing, privacy and others. (3 units)

Prerequisites: CS 162 or equivalent.

Assignments:

Readings: Each class will have a set of assigned readings. Please summarize each reading into 1-2 paragraphs and submit the summaries at cs261.f15@gmail.com before the start of the corresponding lecture (12,30pm). Send all summaries in one email (in the body, plaintext), whose subject should be the date of the lecture they are about "Reading MM/DD". Your full name should be apparent in the from field or in the email. Exemplary responses: I will select some very good reading assignment response(s) and post that as a sample of a good response, to benefit the other students. If you do not wish to have your assignment posted, please indicate in the first line of the email that you are opting out of this.
Scribe notes: Each student will scribe at least one lecture. Here is the LaTeX template to use.
Class discussions: Students are expected to engage actively in class discussions.
In-class presentations/discussions are described here.
Final project: The final project is an important component of the class. The final project is described further on the final project page.

Piazza:

Sign up for this course's Piazza. Please don't hesitate to ask questions to the class and have discussions there. Moreover, you can use it to find course project teammates.

Grading:

reading assignments 25%
final project (presentation and writeup) 40%
in-class presentation 15%
in-class participation 10%
scribe notes 10%

Category	Date	Topic + Readings	Scribe notes
Intro + memory safety	Thur, Aug 27	Course overview. Intro to systems security. Start on memory safety.	Notes from Grant
Intro + memory safety	Tue, Sept 1	Sample summaries Memory safety. Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Pincus, Baker, and Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors, Akritidis, Costa, Castro, and Hand.	Notes from Katia
Basic techniques	Thur, Sept 3	Assignment Sample responses Privilege separation. The Security Architecture of the Chromium Browser, Barth, Jackson, and Reis.	Notes from Christine
	Tue, Sept 8	Assignment Sample responses Capabilities. Capsicum: practical capabilities for UNIX, Watson, Anderson, Laurie, Kennaway, and Confused deputy, Norm Hardy.	Notes from Riyaz
	Thur, Sept 10	Assignment Sample responses Sandboxing. Native Client: A Sandbox for Portable, Untrusted x86 Native Code, Yee et al.	Notes from Linda
Network security	Tue, Sept 15	Assignment Sample responses Security problems with TCP/IP. A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin.	Notes from Derek
Network security	Thur, Sept 17	Assignment Sample responses Kerberos: An Authentication Service for Open Network Systems, Steiger, Neuman, Schiller.	Notes from Rishabh
Building systems with crypto & computing on encrypted data	Tue, Sept 22	Assignment Sample responses Secure untrusted data repository (SUNDR), Li, Krohn, Mazieres, Shasha.	Notes from Michael
	Thur, Sept 24	Assignment Sample responses CryptDB: Protecting confidentiality with encrypted query processing, Popa, Redfield, Zeldovich, Balakrishnan.	Notes from Peihan
	Tue, Sept 29	Assignment Sample responses Computing on encrypted data. Read Computing arbitrary functions of encrypted data, Gentry and Techniques for computing on encrypted data in a practical system.	Notes from Pratyush
	Thur, Oct 1	Assignment Sample responses Merkle trees, Ralph Merkle, and Plutus: Scalable secure file sharing on untrusted storage, Kallahalla et al.	Notes from Tobias
	Tue, Oct 6	Assignment Sample responses Bitcoin: A Peer-to-Peer Electronic Cash System, Nakamoto, and How the Bitcoin protocol actually works, Nielsen Project proposal and teammates due by email before midnight.	Notes from Jacob
Web security	Thur, Oct 8	Assignment Sample responses Introduction to web security. Read OWASP top 10 and The Tangled Web (2012), Chapters 9-13.	Notes by Rohan
	Tue, Oct 13	Assignment Sample responses Web security measures. Security in Django and CSRF.	Notes from Jingcheng
	Thur, Oct 15	Assignment Sample responses SSL+HTTPS. If you don't remember how SSL and HTTPS work, then read this chapter. Everyone should read ForceHTTPS (pay attention to the related work).	Notes from Chenggang
	Tue, Oct 20	Assignment Sample responses Building web applications on top of encrypted data using Mylar, Popa et al. Presenters read: Hails: Protecting Data Privacy in Untrusted Web Applications, Giffin et al. (Tobias, Rishabh) ShadowCrypt, He et al. (Linda)	Notes from Qi
Anonymous communication	Thur, Oct 22	Assignment Sample responses Tor: The Second-Generation Onion Router, Dingledine, Mathewson, Syverson. Presenters read: Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services, Kwon et al. (Chenggang) Performance and Security Improvements for Tor: A Survey, AlSabah and Goldberg (Rafael)	Notes from Ashkan
Privacy	Tue, Oct 27	Assignment Sample responses Secure messaging. SoK: Secure messaging, Unger et al. Presenters read: Riposte, Corrigan-Gibbs et al. (Pratyush, Derek) Vuvuzela, Van Den Hooff et al. (Peihan)	Notes from Arjun and Rafael
Privacy	Thur, Oct 29	Assignment Sample responses Differential privacy. Differential Privacy, Dwork. Presenters read: Privacy Integrated Queries, McSherry. (Austin) DJoin, Narayan and Haeberlen (Eleanor).	To come from Jordan
Trusted computing	Tue, Nov 3	Assignment SGX. Innovative Instructions and Software Model for Isolated Execution, McKeen et al. Presenters read: VC3: Trustworthy Data Analytics in the Cloud Using SGX, Schuster et al. (Jordan, Jacob, Marten) Observing and Preventing Leakage in MapReduce, Ohrimenko et al. (Yi Wu)	Notes from Marten
Trusted computing	Thur, Nov 5	Assignment Haven, Baumann et al. Presenters read: TrInc, Levin et al. (Ben) Bitlocker, Ferguson (Katia)	Notes from Nathan and Yi
Symbolic execution	Tue, Nov 10	Assignment Symbolic Execution for Software Testing: Three Decades Later, Cadar et al. Presenters read: EXE, Cadar et al. (Rohan, Ashkan)	Notes from Andrew
Mobile security	Thur, Nov 12	Assignment Understanding Android Security, Enck et al. Presenters read: Android Permissions: User Attention, Comprehension, and Behavior, Felt et al. (Nathan) TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, Enck et al. (Arjun) PiOS: Detecting Privacy Leaks in iOS Applications, Egele et al. (Yang)	Notes from Ben and Eleanor
Side channels	Tue, Nov 17	Assignment Everyone reads the remote timing attacks paper below by Brumley and Boneh. Presenters read: Remote timing attacks, Brumley and Boneh (Michael) Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al. (Riyaz) Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow, Chen et al. (Andrew)	Notes from Austin
Security ethics and economics	Thur, Nov 19	Assignment Everyone reads the underground economy paper by Thomas and Martin below. Presenters read: Ethics in Security Research: Which lines should not be crossed?, Schrittwieser (Christie). The Underground Economy: Priceless, Thomas and Martin (Grant) Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Kanich et al. (Jingcheng)	Notes from Yang
Project presentations	Tue, Nov 24	Project presentations	-
	Thur, Nov 26	No class, academic and administrative holiday
	Tue, Dec 1	Project presentations.	-
	Thur, Dec 3	Project presentations.	-
	Thur, Dec 10	Final papers due today by midnight.

Related Courses

CS 261N: Internet/network security
CS 276: Cryptography
CS 294: This is a special topics class that may cover security in some semesters

Security books

Ross Anderson, Security Engineering, John Wiley & Sons, 2001. A book on security in real world systems.
Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography, CRC Press, 2007.
Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno, Cryptography Engineering, Wiley, 2010.
Mark Stamp, Information Security: Principles and Practice, John Wiley & and Sons, 2006.
Alfred Menezes, Paul van Oorschot, Scott Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. This is a very comprehensive book. You can download this book online!
Simson Garfinkel, Gene Spafford, Web Security, Privacy & Commerce, O'Reilly, 2002. It's hard to keep up with all the security software out there. But these authors do a good job documenting it all.
Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security: Private Communication in a Public World, 2nd Edition, Prentice Hall, 2002. The authors discuss network security from a very applied approach. There is a lot of discussion about real systems, all the way down to the IETF RFCs and the on-the-wire bit representations.
Bruce Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996. This is the best book to read for an introduction to applied security and cryptography. There is much less math than the book by Menezes et al. The bibliography is very comprehensive too.
Eric Rescorla, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001. A book about the evolution, politics, and bugs in the development of SSL.
Jakob Nielsen, Usability Engineering, Academic Press, 1993. There are a lot of non-intuitive GUIs out there for security products. Anyone making a security product for use by humans should learn about the principles of smart GUIs.
Phillip Hallam-Baker, The dotCrime Manifesto: How to Stop Internet Crime, Addison-Wesley, 2008.
Jonathan Katz, Yehuda Lindell, Introduction to Modern Cryptography, Chapman & Hall/CRC Press, 2007. This book contains a broad coverage of cryptography.

Conferences

Building secure systems involves innovating in both systems and security. Therefore, the top conferences in this field are both systems and security conferences.

Related Courses

Security books

Conferences

Systems conferences

Security conferences