Below is the calendar for this semester course. This is the preliminary schedule, which will be altered as the semester progresses. It is the responsibility of the students to frequently check this web-page for schedule, readings, and assignment changes. As the professor, I will attempt to announce any change to the class, but this web-page should be viewed as authoritative. If you have any questions, please contact me (contact information is available at the course homepage).
| Date | Topic | Assignments Due | Readings for Discussion (do readings before class) | |
| 08/25/15 | ( | Course syllabus link Fast and Vulnerable: A Story of Telematic Failures. Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage, USENIX Workshop on Offensive Technologies, 2015. link | ||
| 08/27/15 | ( | Operating Systems Security - Chs 1 and 4 link Chapter 2: Why Systems Are Not Secure?. Morrie Gasser,
in Building a Secure Computer System, 1988. link The Risks Digest link Common Vulnerabilities and Exposures link Common Weakness Enumeration link Security Focus: BugTraq link | ||
| 09/01/15 | ( | LSM LOMAC link | Operating Systems Security - Ch 2 link Protection. Butler Lampson, Proc. 5th Princeton Conf. on Information Sciences and Systems, 1971. link Reference Monitor Concept, Trent Jaeger, Encyclopedia of Cryptography and Security, 2010. link Computer Security Archives Project, Matt Bishop. link | |
| 09/03/15 | ( | Operating Systems Security, Chapter 3 link Introduction and Overview of the Multics System F. J. Corbato and V. A. Vyssotsky, in Proceedings of the Fall Joint Computer Conference, 1965. link | ||
| 09/08/15 | ( | Operating Systems Security, Chapter 9 link Linux Security Modules: General Security Support for the
Linux Kernel. Chris Wright et al. In Proceedings of the 11th USENIX
Security Symposium, August 2002. link Using CQUAL for static analysis of authorization hook
placement. Xiaolan Zhang, Antony Edwards, Trent Jaeger. In
Proceedings of the 11th USENIX Security Symposium, August 2002. link | ||
| 09/10/15 | ( | Course Project Proposal - Due 9/25/15 | Operating Systems Security, Chapter 5 link LOMAC: Low Water-Mark Integrity Protection for COTS Environments.
Timothy Fraser. In
Proceedings of the 2000 IEEE Symposium on Security and
Privacy, 2000. link A Comparison of Commercial and Military Computer
Security Policies. David D. Clark and David R. Wilson. In
Proceedings of the 1987 IEEE Symposium on Security and
Privacy, 1987. link | |
| 09/15/15 | ( | Operating Systems Security, Chapter 8 link Integrating Flexible Support for Security Policies into
the Linux Operating System, Peter Loscocco and Stephen
Smalley. In Proceedings of the FREENIX Track: 2001 USENIX
Annual Technical Conference, 2001. link | ||
| 09/17/15 | ( | Control-flow Integrity. Martin Abadi, Mihai Budiu,
Ulfar Erlingsson, and Jay Ligatti, in Proceedings of the
12th ACM Conference on Computer and Communications Security,
2005. link Control-flow Bending: On the Effectiveness of
Control-Flow Integrity. Nicolas Carlini, Antonio Barresi,
Mathias Payer, David Wagner, Thomas R. Gross, in Proceedings
of the 24th USENIX Security Symposium, 2015. link | ||
| 09/22/15 | ( | An Analysis of Address Space Layout Randomization in
Windows Vista. O. Whitehouse. Symantec Report, 2007. link Readactor: Practical Code Randomization Resilient to
Memory Disclosure. Stephen Crane, Christopher Liebchen,
Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza
Sadeghi, Stefan Brunthaler, Michael Franz, IEEE Symposium
on Security and Privacy, 2015. link The Case for Less Predictable Operating System
Behavior. Ruimin Sun, Donald E. Porter, Daniela Oliveira, Matt Bishop,
Hot Topics on Operating Systems, 2015. link | ||
| 09/24/15 | ( | |||
| 09/29/15 | ( | The Confused Deputy (or why capabilities might have
been invented). Norm Hardy. Operating Systems Review,
pp. 36-38, Oct. 1988. link JIGSAW: Protecting Resource Access by Inferring
Programmer Expectations. Hayawardh Vijayakumar, Xinyang Ge,
Mathias Payer, and Trent Jaeger, 23rd USENIX Security
Symposium, 2014. link | ||
| 10/01/15 | ( | Leveraging 'Choice' in Authorization Hook Placement.
Divya Muthukumaran, Trent Jaeger, and Vinod Ganapathy. In 19th ACM
Conference on Computer and Commumications Security, 2012. link DIFC Programs by Automatic Instrumentation. William
R. Harris, Somesh Jha, and Thomas Reps, in Computer and
Communications Security (CCS), 2010. link | ||
| 10/06/15 | Fall Break - No class | |||
| 10/08/15 | Fall Break - No class | |||
| 10/13/15 | Fall Break - No class | |||
| 10/15/15 | Fall Break - No class | |||
| 10/20/15 | ( | Operating Systems Security, Chapter 10 link On the Inability of an Unmodified Capability Machine to
Enforce the *-Property. W. E. Boebert, 7th DOD/NBS Computer Security
Conference, 1984. link A Secure Identity-Based Capability System. Li Gong,
1989 IEEE Symposium Security and Privacy, May 1989. link | ||
| 10/22/15 | ( | The Art of Unpacking. Mark Vincent Yason, BlackHat 2007. link Effective and Efficient Malware Detection at the End Host. Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda,
Xiaoyong Zhou, and XiaoFeng Wang, 18th USENIX Security Symposium, 2009. link Using Hardware Features for Increased Debugging
Transparency. Fengwei Zhang, Kevin Leach, Angelos
Stavrou, Haining Wang, and Kun Sun, IEEE Symposium on
Security and Privacy, 2015. link | ||
| 10/27/15 | ( | Operating Systems Security, Chapter 6 link Fault Isolation for Device Drivers. Jorrit N. Herder, Herbert Bos, Ben Gras, Philip Homburg, and Andrew S. Tanenbaum, in Proceedings of the 39th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'09), pgs. 33-42, July 2009. link | ||
| 10/29/15 | ( | Operating Systems Security, Chapter 11 link Splitting Interfaces: Making Trust Between Applications
and Operating Systems Configurable. Richard Ta-Min, Lionel
Litty and David Lie, in Proceedings of the 7th USENIX
Symposium on Operating Systems Design and Implementation
(OSDI 2006). Pages 279-292. November 2006. link | ||
| 11/03/15 | ( | Operating Systems Security, Chapter 11 link Overshadow: A Virtualization-Based Approach to
Retrofitting Protection in Commodity Operating
Systems. Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis,
Pratap Subrahmanyam, Carl A. Waldspurger (VMware), Dan Boneh
(Stanford), Jeffrey Dwoskin (Princeton), and Dan R.K. Ports
(MIT), in Proceedings of the 2008 Conference on
Architectural Support for Programming Languages and
Operating Systems, 2008. link | ||
| 11/05/15 | ( | Midterm (Take Home - Due 11/15/15 11:59pm)link | Inevitable Failure: The Flawed Trust Assumption in the
Cloud. Yuqiong Sun, Giuseppe Petracca, Trent Jaeger, in
Cloud Computing Security Workshop, 2014. link Policy-Sealed Data: A New Abstraction for Building
Trusted Cloud Services. Nuno Santos, Rodrigo Rodrigues,
Krishna P. Gummadi, Stefan Saroiu, in Proceedings of the
21st USENIX Security Symposium, 2012. link Unicorn: Two-Factor Attestation for Data
Security. Mohammad Mannan, Beom Heyn Kim, Afshar Ganjali and
David Lie, in Proceedings of the 18th ACM Conference on
Computer and Communications Security (CCS 2011). Pages
17-28. October 2011. link | |
| 11/10/15 | ( | A Decentralized Model for Information Flow
Control. Andrew Myers and Barbara Liskov, in Proceedings of
the 16th ACM Symposium on Operating Systems Principles,
1997. link | ||
| 11/12/15 | ( | Information flow control for standard OS abstractions. Maxwell Krohn et al, in Proceedings of the ACM Symposium on Operating Systems Principles, 2007. link | ||
| 11/17/15 | ( | Information flow control for standard OS abstractions. Maxwell Krohn et al, in Proceedings of the ACM Symposium on Operating Systems Principles, 2007. link | ||
| 11/19/15 | ( | KLEE: Unassisted and Automatic Generation of
High-Coverage Tests for Complex Systems. Cristian Cadar,
Daniel Dunbar, Dawson Engler, in Proceedings of the 8th
USENIX Conference on Operating Systems Design and
Implementation, 2008. link AEG: Automatic Exploit Generation. Thanassis Avgerinos,
Sang Kil Cha, Brent Lim Tze Hao and David Brumley, in
Proceedings of the 2011 Network and Distributed System
Security Symposium, Feb. 2011. link | ||
| 11/24/15 | Thanksgiving Break - No class | |||
| 11/26/15 | Thanksgiving Break - No class | |||
| 12/01/15 | ( | SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture. Xinyang Ge, Hayawardh Vijayakumar, and Trent Jaeger,
Mobile Security Technologies Workshop, 2014. link VC3: Trustworthy Data Analytics in the Cloud using SGX.
Felix Schuster, Manuel Costa, Cedric Fournet, Christos Gkantsidis,
Marcus Peinado, Gloria Mainar-Ruiz, Mark Russinovich, IEEE Symposium
on Security and Privacy, 2015. link | ||
| 12/03/15 | ||||
| 12/08/15 | ( | Type Casting Verification: Stopping an Emerging Attack Vector.
Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee,
USENIX Security Symposium, 2015. link Problems with the Static Root of Trust for Measurement.
John Butterworth, Corey Kallenberg, Xeno Kovah, Amy Herzog, BlackHat, 2013. link Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor.
Matt Graeber,
BlackHat, 2015. link | ||
| 12/10/15 | ( | |||
| 12/15/15 | Final Exam (10:10am-12pm 109 Walker) | |||
.