Below is the calendar for this semester course. This is the preliminary schedule, which will be altered as the semester progresses. It is the responsibility of the students to frequently check this web-page for schedule, readings, and assignment changes. As the professor, I will attempt to announce any change to the class, but this web-page should be viewed as authoritative. If you have any questions, please contact me (contact information is available at the course homepage).
| Date | Topic | Assignments Due | Readings for Discussion (do readings before class) | |
| 01/09/18 | ( | Course syllabus link Fast and Vulnerable: A Story of Telematic Failures. Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage, USENIX Workshop on Offensive Technologies, 2015. link | ||
| 01/11/18 | ( | Defense Design (Due 1/18/18)link | Operating Systems Security - Chs 1 and 4 link Chapter 2: Why Systems Are Not Secure?. Morrie Gasser,
in Building a Secure Computer System, 1988. link The Risks Digest link Common Vulnerabilities and Exposures link Common Weakness Enumeration link Security Focus: BugTraq link | |
| 01/16/18 | ( | Operating Systems Security - Ch 2 link Protection. Butler Lampson, Proc. 5th Princeton Conf. on Information Sciences and Systems, 1971. link Reference Monitor Concept, Trent Jaeger, Encyclopedia of Cryptography and Security, 2010. link Computer Security Archives Project, Matt Bishop. link | ||
| 01/18/18 | ( | Course Project Proposal (Due 1/31/18)link | Operating Systems Security, Chapter 3 link Introduction and Overview of the Multics System F. J. Corbato and V. A. Vyssotsky, in Proceedings of the Fall Joint Computer Conference, 1965. link | |
| 01/23/18 | ( | Operating Systems Security, Chapter 9 link Linux Security Modules: General Security Support for the
Linux Kernel. Chris Wright et al. In Proceedings of the 11th USENIX
Security Symposium, August 2002. link Using CQUAL for static analysis of authorization hook
placement. Xiaolan Zhang, Antony Edwards, Trent Jaeger. In
Proceedings of the 11th USENIX Security Symposium, August 2002. link | ||
| 01/25/18 | ( | Operating Systems Security, Chapter 5 link A Comparison of Commercial and Military Computer
Security Policies. David D. Clark and David R. Wilson. In
Proceedings of the 1987 IEEE Symposium on Security and
Privacy, 1987. link | ||
| 01/30/18 | ( | Linux Security Module (Due 3/1/18)link |
Toward Automated Information-Flow Integrity Verification for
Security-Critical Applications. Umesh Shankar, Trent Jaeger, and
Reiner Sailer. In Proceedings of the 2006 Network and Distributed
Systems Security Symposium, Feb. 2006, pp. 267-280.
link | |
| 02/01/18 | ( | An Analysis of Address Space Layout Randomization in
Windows Vista. O. Whitehouse. Symantec Report, 2007. link The Case for Less Predictable Operating System
Behavior. Ruimin Sun, Donald E. Porter, Daniela Oliveira, Matt Bishop,
Hot Topics on Operating Systems, 2015. link Readactor: Practical Code Randomization Resilient to
Memory Disclosure. Stephen Crane, Christopher Liebchen,
Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza
Sadeghi, Stefan Brunthaler, Michael Franz, IEEE Symposium
on Security and Privacy, 2015. link | ||
| 02/06/18 | ( | Control-flow Integrity. Martin Abadi, Mihai Budiu,
Ulfar Erlingsson, and Jay Ligatti, in Proceedings of the
12th ACM Conference on Computer and Communications Security,
2005. link Fine-Grained Control-Flow Integrity for Kernel
Software. Xinyang Ge, Nirupama Talele, Mathias Payer, Trent
Jaeger. In Proceedings of the IEEE European Symposium on
Security and Privacy, Mar. 2016,
pp. 179-194. link | ||
| 02/08/18 | ( | Operating Systems Security, Chapter 8 link Integrating Flexible Support for Security Policies into
the Linux Operating System, Peter Loscocco and Stephen
Smalley. In Proceedings of the FREENIX Track: 2001 USENIX
Annual Technical Conference, 2001. link | ||
| 02/13/18 | ( | The Confused Deputy (or why capabilities might have
been invented). Norm Hardy. Operating Systems Review,
pp. 36-38, Oct. 1988. link JIGSAW: Protecting Resource Access by Inferring
Programmer Expectations. Hayawardh Vijayakumar, Xinyang Ge,
Mathias Payer, and Trent Jaeger, 23rd USENIX Security
Symposium, 2014. link | ||
| 02/15/18 | ( | Operating Systems Security, Chapter 6 link Fault Isolation for Device Drivers. Jorrit N. Herder, Herbert Bos, Ben Gras, Philip Homburg, and Andrew S. Tanenbaum, in Proceedings of the 39th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'09), pgs. 33-42, July 2009. link | ||
| 02/20/18 | NDSS Break - No class | |||
| 02/22/18 | NDSS Break - No class | |||
| 02/27/18 | ( | Operating Systems Security, Chapter 10 link On the Inability of an Unmodified Capability Machine to
Enforce the *-Property. W. E. Boebert, 7th DOD/NBS Computer Security
Conference, 1984. link A Secure Identity-Based Capability System. Li Gong,
1989 IEEE Symposium Security and Privacy, May 1989. link The CHERI capability model: Revisiting RISC in an age of risk.
Jonathan Woodruff et al.
2014 IEEE Symposium Security and Privacy, May 2014. link | ||
| 03/01/18 | ( | Information flow control for standard OS abstractions. Maxwell Krohn et al, in Proceedings of the ACM Symposium on Operating Systems Principles, 2007. link | ||
| 03/06/18 | Spring Break - No class | |||
| 03/08/18 | Spring Break - No class | |||
| 03/13/18 | ( | Information flow control for standard OS abstractions. Maxwell Krohn et al, in Proceedings of the ACM Symposium on Operating Systems Principles, 2007. link | ||
| 03/15/18 | ( | Midterm (Take Home - Due 3/22/18 11:59pm)link | The Art of Unpacking. Mark Vincent Yason, BlackHat 2007. link Effective and Efficient Malware Detection at the End Host. Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda,
Xiaoyong Zhou, and XiaoFeng Wang, 18th USENIX Security Symposium, 2009. link Using Hardware Features for Increased Debugging
Transparency. Fengwei Zhang, Kevin Leach, Angelos
Stavrou, Haining Wang, and Kun Sun, IEEE Symposium on
Security and Privacy, 2015. link | |
| 03/20/18 | ( | Producing Hook Placements to Enforce Expected Access Control Policies.
Divya Muthukumaran, Nirupama Talele, Trent Jaeger, and Gang Tan.
In Proceedings of the 2015 International Symposium on Engineering Secure Software
and Systems (ESSoS), Mar. 2015.
link DIFC Programs by Automatic Instrumentation. William
R. Harris, Somesh Jha, and Thomas Reps, in Computer and
Communications Security (CCS), 2010. link | ||
| 03/22/18 | ( | A Decentralized Model for Information Flow
Control. Andrew Myers and Barbara Liskov, in Proceedings of
the 16th ACM Symposium on Operating Systems Principles,
1997. link Sharing Mobile Code Securely With Information Flow
Control. Owen Arden, Michael D. George, Jed Liu,
K. Vikram, Aslan Askarov, Andrew Myers. In Proceedings of
the 2012 IEEE Symposium on Security and Privacy,
2012. link | ||
| 03/27/18 | ( | KLEE: Unassisted and Automatic Generation of
High-Coverage Tests for Complex Systems. Cristian Cadar,
Daniel Dunbar, Dawson Engler, in Proceedings of the 8th
USENIX Conference on Operating Systems Design and
Implementation, 2008. link AEG: Automatic Exploit Generation. Thanassis Avgerinos,
Sang Kil Cha, Brent Lim Tze Hao and David Brumley, in
Proceedings of the 2011 Network and Distributed System
Security Symposium, Feb. 2011. link | ||
| 03/29/18 | ( |
American Fuzzy Lop. M. Zalewski.
link Driller: Augmenting Fuzzing Through Selective Symbolic
Execution. Nick Stephens, John Grosen, Christopher Salls,
Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan
Shoshitaishvili, Christopher Kruegel, Giovanni
Vigna. Proceedings of the Network and Distributed System
Security Symposium (NDSS), February 2016.link | ||
| 04/03/18 | ( | Operating Systems Security, Chapter 11 link TrustShadow: Secure Execution of Unmodified Applications with ARM TrustZone.
Le Guan, Peng Liu, Xinyu Xing, Xinyang Ge, Shengzhi Zhang, Meng Yu, and Trent Jaeger.
In Proceedings of the 15th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), June 2017.link Dune: Safe User-level Access to Privileged CPU Features.
Adam Belay, Andrea Bittau, Ali Mashtizadeh, David Terei, David
Mazieres, Christos Kozyrakis. Proceedings of the 10th Symposium on Operating Systems Design and Implementation, October 2012.link | ||
| 04/05/18 | ( | Operating Systems Security, Chapter 11 link Overshadow: A Virtualization-Based Approach to
Retrofitting Protection in Commodity Operating
Systems. Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis,
Pratap Subrahmanyam, Carl A. Waldspurger (VMware), Dan Boneh
(Stanford), Jeffrey Dwoskin (Princeton), and Dan R.K. Ports
(MIT), in Proceedings of the 2008 Conference on
Architectural Support for Programming Languages and
Operating Systems, 2008. link VC3: Trustworthy Data Analytics in the Cloud using SGX.
Felix Schuster, Manuel Costa, Cedric Fournet, Christos Gkantsidis,
Marcus Peinado, Gloria Mainar-Ruiz, Mark Russinovich, IEEE Symposium
on Security and Privacy, 2015. link | ||
| 04/10/18 | ( | Hacking in Darkness: Return-oriented Programming against Secure Enclaves.
Jaehyuk Lee et al.
In Proceedings of the 26th USENIX Security Symposium. August 2017.link Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing.
Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, and Hyesoon Kim.
In Proceedings of the 26th USENIX Security Symposium. August 2017.link | ||
| 04/12/18 | ( | SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture. Xinyang Ge, Hayawardh Vijayakumar, and Trent Jaeger,
Mobile Security Technologies Workshop, 2014. link LMP: Light-Weighted Memory Protection with Hardware Assistance. Wei Huang, Zhen Huang, Dhaval Miyani and David Lie. In Proceedings of the 2016 Annual Computer Security Applications Conference (ACSAC 2016), December 2016.link | ||
| 04/17/18 | ||||
| 04/19/18 | ( | Inevitable Failure: The Flawed Trust Assumption in the
Cloud. Yuqiong Sun, Giuseppe Petracca, Trent Jaeger, in
Cloud Computing Security Workshop, 2014. link Policy-Sealed Data: A New Abstraction for Building
Trusted Cloud Services. Nuno Santos, Rodrigo Rodrigues,
Krishna P. Gummadi, Stefan Saroiu, in Proceedings of the
21st USENIX Security Symposium, 2012. link Unicorn: Two-Factor Attestation for Data
Security. Mohammad Mannan, Beom Heyn Kim, Afshar Ganjali and
David Lie, in Proceedings of the 18th ACM Conference on
Computer and Communications Security (CCS 2011). Pages
17-28. October 2011. link | ||
| 04/24/18 | ( | Security Analysis of Emerging Smart Home
Applications. Earlence Fernandes, Jaeyeon Jung, Atul Prakash.
Proceedings of the IEEE Symposium on Security and Privacy, 2016.link ContexIoT: Towards Providing Contextual Integrity to
Appified IoT Platforms. Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang,
Amir Rahmati, Earlence Fernandes, Z. Morley Mao, Atul Prakash.
Proceedings of the Network and Distributed Systems Symposium, 2017.link | ||
| 04/26/18 | ( | DATS: Data-centric Mandatory Access Control on Web
Applications. Lluis Vilanova, Casen Hunger, Charalampos
Papamanthou, Yoav Etsion, Mohit Tiwari. In Proceedings of
Architectural Support for Programming Languages and
Operating Systems, (ASPLOS), March 2018.link PtrSplit: Supporting General Pointers in Automatic
Program Partitioning. S. Liu, G. Tan, and T. Jaeger. In 24th
ACM Conference on Computer and Communications Security
(CCS), 2017.link | ||
| 05/01/18 | Final Exam - 2:30PM - 4:20PM - 271 Willard Bldg | |||
.