Below is the calendar for this semester course. This is the preliminary schedule, which will be altered as the semester progresses. It is the responsibility of the students to frequently check this web-page for schedule, readings, and assignment changes. As the professor, I will attempt to announce any change to the class, but this web-page should be viewed as authoritative. If you have any questions, please contact me (contact information is available at the course homepage).
| Date | Topic | Assignments Due | Readings for Discussion (do readings before class) | |
| 08/27/13 | ( |
Course syllabus.
link
Efficient Reading of Papers in Science and Technology. M. J. Hanson, University of Washington, 1989.
link
Network Security: Private Communication in a Public World, Chapter 1.
link | ||
| 08/29/13 | ( |
Reflections on Trusting Trust. K. Thompson, Turing Award Lecture, 1983.
link
Network Security: Private Communication in a Public World, Chapters 2, 3.
link | ||
| 09/03/13 | ( | Man-in-the-Middle link |
Why Cryptosystems Fail. R. Anderson, 1st ACM Conference on Computer and Communications Security, 1993.
link
Network Security: Private Communication in a Public World, Chapter 5
link
*Advanced*
: Security Mechanisms in High-Level Network Protocols. V. Voydock and S. Kent,
ACM Computing Surveys, 15(2), June 1983.
link | |
| 09/05/13 | ( |
A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. R. Rivest, A. Shamir, and L. Adleman, Communications of the ACM, 21(2):120-126, 1978.
link
Network Security: Private Communication in a Public World, Chapter 6
link
*Advanced*
: Twenty years of attacks on the RSA
cryptosystem. D. Boneh, Notices of the American
Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213,
1999), June 1983.
link | ||
| 09/10/13 | ( |
Using Encryption
for Authentication in Large Networks of Computers.
R. Needham and M. Schroeder, CACM, December 1978.
link
Network Security: Private Communication in a Public World, Chapter 11.
link
*Advanced*
: Breaking and Fixing the
Needham-Schroeder Public Key Protocol using FDR. G. Lowe,
In Tools and Algorithms for the Construction and Analysis
of Systems, Margaria and Steffen (eds.), volume 1055 of
Lecture Notes in Computer Science, Springer Verlag, pages
147-166, 1996.
link | ||
| 09/12/13 | ( |
Guess again (and again and again): Measuring password
strength by simulating password-cracking algorithms.
P. G. Kelley
et al.
, IEEE Symposium on Security and Privacy,
2012.
link
Network Security: Private Communication in a Public World, Chapter 9.
link | ||
| 09/17/13 | ( |
Kerberos: An Authentication Service for Computer Networks. B. Clifford Neuman and Theodore Ts'o, IEEE Communications, 32(9):33-38. September 1994.
link
Network Security: Private Communication in a Public World, Chapter 13
link
*Advanced*
: Pluggable Authentication Modules (PAM). NetBSD.
link | ||
| 09/19/13 | ( |
Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure, C. Ellison and B. Schneier, Computer Security Journal, v 16, n 1, 2000, pp. 1-7.
link
Network Security: Private Communication in a Public World, Chapter 15.
link
*Advanced*
: Designing and Implementing a PKI:
Part I Design and Planning. Microsoft. 2009.
link | ||
| 09/24/13 | ( |
Buffer Overflow Tutorial
link
Stackguard: Automatic Adaptive Detection and
Prevention of Buffer Overflow Attacks. C. Crispin,
et
al.
, 7th USENIX Security Symposium, 1998.
link
*Advanced*
: AEG: Automatic Exploit
Generation. T. Avgerinos, S.K. Cha, B. Lim Tze Hao,
D. Brumley. NDSS 2011.
link | ||
| 09/26/13 | ( |
Return-Oriented Programming: Systems, Languages, and
Applications. R. Roemer, E. Buchanan, H. Shacham, and
S. Savage, ACM Trans. Info. Sys. Security 15(1):2, March
2012.
link
*Advanced*
: Control-flow Integrity. Martin Abadi, Mihai Budiu,
Ulfar Erlingsson, and Jay Ligatti, in Proceedings of the
12th ACM Conference on Computer and Communications Security,
2005.
link | ||
| 10/01/13 | ( |
An Analysis of Address Space Layout Randomization in
Windows Vista. O. Whitehouse. Symantec Report, 2007.
link
*Advanced*: ILR: Where'd My Gadgets Go? J. Hiser, et
al. IEEE Symposium on Security and Privacy, 2012.
link | ||
| 10/03/13 | ( |
STING: Finding Name Resolution Vulnerabilities in Programs.
H. Vijayakumar, J. Schiffman, T. Jaeger, USENIX Security
Symposium, 2012.
link
*Advanced*
: Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation. S. Chari, S. Halevi, W. Venema. NDSS 2010.
link | ||
| 10/08/13 | ( | Format String Vulnerability link |
Reference Monitor. T. Jaeger. Encyclopedia of Cryptography and Security, 2011.
link
Operating Systems Security, Chapters 1, 2, 3
link
*Advanced*
: Computer Security Technology Planning
Study. J. P. Anderson, ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA
(Oct. 1972) [NTIS AD-758 206]; Volume II (Sections I-IV)
link | |
| 10/10/13 | ( |
Linux Security Modules:
General Security Support for the Linux Kernel. C. Wright
et al.
, Proceedings of the 11th USENIX Security Symposium, August 2002.
link
Operating Systems Security, Chapters 4 and 9
link
*Advanced*
: Introduction to NSA's Security-Enhanced Linux. SANS Institute, 2002.
link | ||
| 10/15/13 | ( |
A lattice model of secure information flow. D. Denning, CACM, May 1976.
link
Operating Systems Security, Chapter 5
link
*Advanced*
: A Comparison of Commercial and Military Computer
Security Policies. D. Clark and D. Wilson. IEEE Symposium on
Research in Security and Privacy, 1987.
link | ||
| 10/17/13 | ( |
The Hydra System. H. Levy. Ch. 6 of Capability-Based Computer Systems (up to and including 6.4), 1984.
link
On the Inability of an Unmodified Capability Machine to
Enforce the *-Property. E. Boebert. NCSC 1984.
link
Operating Systems Security, Chapter 10
link
*Advanced*
: On Access Checking in Capability-Based Systems. R. Kain and C. Landwehr. IEEE TSE, 1987.
link | ||
| 10/22/13 | ( |
Security Problems in the TCP/IP Protocol Suite. S. M. Bellovin, in Computer Communications Review 2:19, pp. 32-48, April 1989.
link
*Advanced*
A New Approach to DNS Security (DNSSEC). G. Ateniese,
S. Mangard, Proc. of the Eighth ACM Conference on Computer
and Communications Security, 2001.
link | ||
| 10/24/13 | ( |
SSH - Secure Login Connections Over the Internet. T. Ylonen. USENIX Security 1996.
link
Network Security: Private Communication in a Public World, Chapters 17 and 19.
link | ||
| 10/29/13 | Mid-term Exam (in class) | |||
| 10/31/13 | ( |
FIREMAN: a toolkit for FIREwall Modeling and ANalysis. L. Yuan et al. IEEE Security and Privacy 2006.
link
Network Security: Private Communication in a Public World, Chapter 23.
link
*Advanced*: Linux iptables HOWTO, Rusty Russell.
link | ||
| 11/05/13 | ( | Threat Models link |
A Sense of Self for UNIX Processes. S. Forrest, S. A. Hofmeyr, A. Somayaji, T. A. Longstaff, In Proceedings of the IEEE Symposium on Security and Privacy, 1996.
link
The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. S. Axelsson, In Proceedings of the ACM Conference on Computer and Communication Security. November, 1999.
link | |
| 11/07/13 | ( |
Browser Security Handbook, Part 2 (Same origin policy,
Life Outside Same-origin rules, Third-party cookie rules).
link
Attack OWASP Top 10 - 2010. The Ten Most Critical Web Application Security Risks. Published by The Open Web Application Security Project, 2010.
link
Network Security: Private Communication in a Public World, Chapter 25.
link | ||
| 11/12/13 | ( |
The Essence of Command Injection
Attacks in Web Applications. Zhendong Su and Gary
Wassermann. In Proceedings of the ACM Symposium on
Principles of Programming Languages (POPL), 2006.
link | ||
| 11/14/13 | ( |
What Virtualization Can Do for Security. T. Garfinkel
and A. Warfield. ;login 32(6) 2007.
link
A Virtual Machine Introspection Based Architecture for Intrusion Detection. T. Garfinkel
and M. Rosenblum. NDSS 2003.
link
Operating Systems Security, Chapter 11
link | ||
| 11/19/13 | ( |
Protecting browser state from web privacy
attacks. C. Jackson, A. Bortz, D. Boneh, J. Mitchell. WWW
2006.
link
*Advanced*
: Third-Party Web Tracking: Policy
and Technology. J. R. Mayer and J. C. Mitchell, Proceedings
of the IEEE Symposium on Security and Privacy, 2012.
link | ||
| 11/21/13 | ( |
Secure Web Browsing with the OP Web Browser C. Grier, S. Tang, S. T. King, Proceedings of the IEEE Symposium on Security and Privacy, 2008.
link
*Advanced*
: Browser security: Lessons from Google Chrome. C. Reis, A. Barth, C. Pizano. CACM 52(8) 2009.
link | ||
| 11/26/13 | Thanksgiving Break - No class | |||
| 11/28/13 | Thanksgiving Break - No class | |||
| 12/03/13 | ( | Web Security link |
AmazonIA: When Elasticity Snaps Back. S. Bugiel,
T. Poppelmann, S. Nurnberger, A-R. Sadeghi, and
T. Schneider, 18th ACM Conference on Computer and
Communications Security, 2011.
link
Resource-freeing Attacks: Improve Your Cloud
Performance (at Your Neighbor's Expense). V. Varadarajan,
T. Kooburat, B. Farley, T. Ristenpart, and M. Swift,
Proceedings of the 19th ACM Computer and Communications
Security, 2012.
link | |
| 12/05/13 | ( |
Understanding Practical Application Development in
Security-Typed Languages. B. Hicks, K. Ahmadizadeh, and P.
McDaniel. 22st Annual Computer Security Applications
Conference 2006.
link
Declarative, Temporal, and Practical Programming with
Capabilities. W. R. Harris, So. Jha, T. Reps, J. Anderson, and
R. N. M. Watson. IEEE Symposium on Security and Privacy
2013.
link | ||
| 12/10/13 | ( |
Proxies for Anonymous Routing. M. Reed, P. Syverson,
D. Goldschlag. Proceedings of the 12th Annual Computer
Security Applications Conference 1996.
link
Tor: The Second-Generation Onion Router. R. Dingledine,
N. Mathewson, P. Syverson. 2011.
link
*Advanced*
: Tor: Anonymity Online.
link | ||
| 12/12/13 | ( | |||
| 12/16/13 | Final Exam, Tuesday, December 17, 2013; 10:10am-12:00pm; 215 Hammond | |||
.