Date |
Topic |
| Jan 8 |
Introduction |
Jan 10 |
Project Info and sample project ideas
Risk analysis
Neumann, Security Criteria for Electronic Voting, National Computer Security Conference, 1993.
Halperin, Heydt-Benjamin, Fu, Kohno, and Maisel, Security and Privacy for Implantable Medical Devices, IEEE Pervasive Computing, 2008.
Optional:
Kohno, Stubblefield, Rubin, and Wallach. Analysis of An Electronic Voting System. IEEE Symposium on Security and Privacy, 2004.
Karlof, Sastry, and Wagner. Cryptographic Voting Protocols: A Systems Perspective. USENIX Security, 2005.
Kelsey. Strategies for Software Attacks on Voting Machines. NIST Threats to Voting Systems, 2005.
|
Jan 15 |
Threats
Franklin, Paxson, Perrig and Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS 2007.
Jackson, Boneh, and Mitchell, Transaction Generators: Root Kits for the Web, USENIX HotSec, 2007.
|
Jan 17 |
Groups formed (send me e-mail)
Usability I
Adams and Sasse, Users are not the enemy, CACM, v42 n12, 1999.
Whitten and Tygar, Why Johnny Can't Encrypt. A Usability Evaluation of PGP 5.0, USENIX Security 1999.
|
Jan 22 |
Usability II
Balfanz, Durfee, Smetters and Grinter, In Search of Useable Security: Five Lessons from the Field, IEEE Security and Privacy, Sept/Oct 2004.
Schechter, Dhamija, Ozment and Fischer, The Emperor's New Security Indicators: An evaluation of website authentication and the effects of role playing in usability studies, IEEE Security and Privacy, 2007.
|
Jan 24 |
Project proposals due
25 Years of Security Design Principles
Saltzer and Schroeder, The Protection of Information in Computer Systems, Proceedings of the IEEE, 1975 (earlier version in 4th SOSP).
Viega and McGraw, Software Security Principles, Part 1, Part 2, Part 3, Part 4, Part 5, IBM DeveloperWorks, 2000.
|
Jan 29 |
Code Security I
Cowan, Wagle, Pu, Beattie and Walpole, Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, DARPA DISCEX 2000.
Pincus and Baker, Beyond Stack Smashing: Recent Advances in Buffer Overruns, IEEE Security & Privacy, 2004.
(optional) Nagy, Generic Anti-Exploitation Technology for Windows, eEye white paper
|
Jan 31 |
Guest lecture: Hovav Shacham
Code Security II
Shacham, Page, Pfaff, Goh, Modadugu and Boneh, On the Effectiveness of Address-Space Randomization, CCS 2004.
Shacham, The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), CCS 2007.
|
Feb 5 |
Code Security III
Wagner, Foster, Brewer and Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, NDSS 2000.
Ozment and Schechter, Milk or Wine: Does Software Security Improve with Age?, USENIX Security 2006.
|
Feb 7 |
Malware I
Carey Nachenberg, Computer virus-antivirus coevolution, CACM 1997.
Stuart Staniford, Vern Paxson and Nicholas Weaver, How to 0wn the Internet in Your Spare Time, USENIX Security 2002.
|
Feb 12 |
Class cancelled.
Instead, go see Collin Jackson (Stanford) talk on "Securing Frame Communication in Browsers", 2pm-3pm in EBU3B room 4140.
Also, the project discussion sign-up sheet is on my door (EBU3B 3106). Sign up for a time slot.
|
Feb 14 |
Malware II: evasion
Peter Szor and Peter Ferrie, Hunting for Metamorphic, Virus Bulletin Conference, 2001.
James Newsome, Brad Karp and Dawn Song, Polygraph: Automatically Generating Signatures for Polymorphic Worms, IEEE Security & Privacy, 2005. |
Feb 19 |
Intrusion Detection I
Vern Paxson, Bro: A System for Detecting Network Intruders in Real-Time, Computer Networks, 31(23-24), 1999.
Thomas Ptacek and Timothy Newsham, Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection, Secure Networks white paper, 1998.
It has been pointed out to me that this paper is 63 pages long. This is true, although it has enormous margins, so the reality is that it's not as big as it looks. However, you should feel free to not care about sections 7 and 8 if it's getting overwhelming.
|
Feb 21 |
Protocol attacks
Stefan Savage, Neal Cardwell, David Wetherall and Tom Anderson, TCP Congestion Control with A Misbehaving Receiver, CCR 29(5), 1999.
Michael Piatek, Tomas Isdal, Tom Anderson, Arvind Krishnamurthy and Arun Venkataramani, Do Incentives Build Robustness in BitTorrent?, NSDI 2007.
|
Feb 26 |
Privacy I: Anonymity
R. Dingledine, N. Mathewson and P. Syverson, Tor: The Second Generation Onion Router, USENIX Security, 2004.
K. Bauer, D. McCoy, D. Grunwald, T. Kohno, D. Sicker, Low-Resource Routing Attacks Against Tor, Workshop on Privacy in the Electronic Society, 2007.
|
Feb 28 |
Privacy II: Side Channels
L. Zhuang, F. Zhou and D. Tygar, Keyboard Acoustic Emanations Revisited, ACM CCS 2005.
T. Kohno, A. Broido, K. Claffy, Remote physical device fingerprinting, IEEE TDSC, 2005.
|
Mar 4 |
Information hiding/covert channels
Shah, Molina and Blaze, Keyboards and Covert Channels, USENIX Security 2006.
Craver, Wu, Liu, Stubblefield, Swartzlander, Wallach, Dean and Felten, Reading Between the Lines: Lessons from the SDMI Challenge, USENIX Security 2001.
|
Mar 6 |
Denial-of-service
Moore, Voelker and Savage, Inferring Internet Denial-of-Service Activity, USENIX Security 2001.
Andersen, Mayday: Distributed Filtering for Internet Services, USITS 2003.
|
Mar 11 |
TBA |
Mar 13 |
Class Presentations |
Mar 20 |
Instructions for downloading and completing the final are now available here. It can be completed during any three hour period until midnight on Saturday the 22nd. The exam will be open papers/notes, etc., but please no general use of search engines (where particular information may be useful I have provided links which you can visit).
Here is a pointer to a sample final from last year. Bear in mind that the construction of the class was different so the final will be different as well (last year I did a lot more generic "presentations", ala 127, covering details of various methods/techniques, while this year I've tried to use the papers as more of a guide).
|