Readings
Paper Response Guidelines
Write a ~400 word critical response and comments to each required paper. Focus on the following:
- State the problem that they try to solve and the main contributions.
- Describe the key insight or novelty of their proposed work or approach.
- What are the limitations of the paper? Write the criticisms.
- Any improvements or related ideas that you can suggest?
Your most important task is to demonstrate that you've read the paper and thought carefully about the topic. No copy and paste of the original paper text!
Paper responses are due at the beginning of the class (bring paper copies to class). A response for each paper will be graded and returned with a check-, check, or check+.
Bring a copy of the paper to each lecture with your notes about what you find interesting and want to know more about (they can be questions, critiques, etc.).
Discussion Lead and Extra Points
Please take a look at the papers in each session. If you are interested in leading the discussion of any session, you should sign up on the web sheet published through ilearn and get extra points for doing so. As a discussion lead, two tasks are expected: 1) You will summarize the papers in class (with or without slides) for 10 minutes each. 2) You should prepare yourself by reading the technical details carefully and coming up with a list of discussion points. The discussion points should be designed to engage students in critical and creative thinking. Think about the points ahead of time and be prepared to answer questions other students may throw at you. Email your discussion points ahead of time to cs255@cs.ucr.edu and get feedback from me. Please allow 2 days to receive the feedback. This will be a good opportunity for you to learn to discuss ideas around a research topic and it generally helps your presentation and communication skills.
Reading List
Most papers should be publicly accessible. If any links are broken, please search for them. If any of them require paid subscription, you can access them for free when connecting on campus. For off-campus access, try UCR VPN.
Week 1
Monday, January 9
- Introduction.
- The Security Mindset, Bruce Schneier. 2008.
Wednesday, January 11 – Software Security
- Guest lecture.
- Smashing the Stack for Fun and Profit. Aleph One. Phrack 49(14), Nov. 1996.
Week 2
Monday, January 16 – Holiday
- No readings!
Wednesday, January 18 – Software Security
- StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Cowan, Pu, Maier, Hinton, Walpole, Bakke, Beattie, Grier, Wagle, and Zhang. Usenix Security 1998.
Friday, January 20 – Software Security
- The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). Hovav Shacham. CCS 2007.
- N-Variant Systems: A Secretless Framework for Security through Diversity, Cox, Evans, Filipi, Rowanhill, Hu, Davidson, Knight, Nguyen-Tuong, Hiser. USENIX Security 2006
- Control Flow Integrity for COTS Binaries. Zhang and Sekar. Usenix Security 2013.
Week 3
Monday, January 23 – Software/System Security
- Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. Gruss, Maurice, Fogh, Lipp, Mangard. CCS 2016.
- On the Effectiveness of ASLR. Shacham, Page, Pfaff, Goh, Modadugu, and Boneh. CCS 2004.
- Practical Timing Side Channel Attacks Against Kernel Space ASLR, Hund, Willems, and Holz. Oakland 2013
Wednesday, January 25 – Operating System Security
- ret2dir: Rethinking Kernel Isolation. Kemerlis, Polychronakis, Keromytis. USENIX Security 2014.
- From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel. Xu, Li, Shu, Yang. CCS 2015.
Friday, January 27 – Operating System Security
- SubVirt: implementing malware with virtual machines. King, Chen, Wang, Verbowski, Wang, and Lorch. Oakland 2006.
- The Security Architecture of the Chromium Browser. Barth, Jackson, Reis, and The Google Chrome Team. 2008.
- Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction. Jiang, Wang, and Xu. CCS 2008.
Week 4
Monday, January 30 – Operating System Security
- Backtracking Intrusions. King and Chen. SOSP 2003.
- ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting. Ma, Zhang, Xu. NDSS 2016.
Wednesday, February 1 – Pre-Proposal Presentation
- No readings!
Friday, February 3 – Pre-Proposal Presentation
- No readings!
Week 5
Monday, February 6 – Network Security
- A Look Back at "Security Problems in the TCP/IP Protocol Suite". Steven M. Bellovin. ACSAC 2009.
- Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Christian Rossow. NDSS 2014
- Understanding the Efficacy of Deployed Internet Source Address Validation Filtering. Beverly, Berger, Hyun, and claffy. IMC 2009.
- Black Ops 2008: It's the End of the Cache as We Know It. Dan Kaminsky. Blackhat 2008.
Wednesday, February 8 – Network Security
- Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. Cao, Qian, Wang, Dao, Krishnamurthy, Marvel. USENIX Security 2016.
- Off-Path TCP Injection Attacks. Gilad and Herzberg. ACM Transactions on Information and System Security 2014.
Friday, February 10 – Attack and Tool Presentation
- No readings!
Week 6
Monday, February 13 – Internet Censorship
- ConceptDoppler: A Weather Tracker for Internet Censorship. Crandall, Zinn, Byrd, Barr, and East. CCS 2007.
- Telex: Anticensorship in the Network Infrastructure. Wustrow, Wolchok, Goldberg, and Halderman. Usenix Security 2011.
- Large-scale Spatiotemporal Characterization of Inconsistencies in the World's Largest Firewall. Ensafi, Winter, Mueen, and Crandall. 2014.
- Tor: The Second-Generation Onion Router. Dingledine, Mathewson, and Syverson. USENIX Security 2004.
Wednesday, February 15 – Security of Mobile Networks
- Real Threats to Your Data Bills - Security Loopholes and Defenses in Mobile Data Charging. Peng, Li, Wang, Tu, and Lu. CCS 2014.
- On Attack Causality in Internet-Connected Cellular Networks. Traynor, McDaniel, La Porta. USENIX Security 2007.
- On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core. Traynor, Lin, Ongtang, Rao, Jaeger, McDaniel, La Porta, and Fernandez-Kelly. CCS 2009.
Friday, February 17 – Attack and Tool Presentation
- No readings!
Week 7
Monday, February 20 – Holiday
- No readings!
Wednesday, February 22 – Special Topic: IoT Security
- Security Analysis of Emerging Smart Home Applications. Fernandes, Jung, and Prakash. Oakland 2016.
Friday, February 24 – Attack and Tool Presentation
- No readings!
Week 8
Monday, February 27 – Special Topic: Reverse Engineering
- OpenConflict: Preventing Real Time Map Hacks in Online Games. Bursztein, Hamburg, Lagarenne, and Boneh. Oakland 2011.
- Your Botnet is My Botnet: Analysis of a Botnet Takeover. Stone-Gross, Cova, Cavallaro, Gilbert, Szydlowski, Kemmerer, Kruegel, and Vigna. CCS 2009.
- Reverse-Engineering a Cryptographic RFID Tag. Nohl, Evans, and Plotz. Usenix Security 2008.
Wednesday, March 1 – Special Topic: Program Analysis
- Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. Newsome and Song. NDSS 2005.
- All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask). Schwartz, Avgerinos, and Brumley. Oakland 2010.
- Finding Security Vulnerabilities in Java Applications with Static Analysis. Livshits and Lam. USENIX Security 2005.
Friday, March 3 – Special Topic: Formal Methods
- Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking. Ensafi, Park, Kapur, and Crandall. USENIX Security 2010.
- Viola: Trustworthy Sensor Notifications for Enhanced Privacy on Mobile Systems. Mirzamohammadi and Sani. Mobisys 2016.
Week 9
Monday, March 6 – Special Topic: Trusted/Private Computing
- Flicker: An Execution Infrastructure for TCB Minimization. McCune, Parno, Perrig, Reiter, and Isozaki. Eurosys 2008.
- PRIVEXEC: Private Execution as an Operating System Service. Onarlioglu, Mulliner, Robertson, and Kirda. Oakland 2013.
- The ten-page introduction to Trusted Computing. Andrew Martin. 2008.
Wednesday, March 8 – Special Topic: Automobile Security
- Experimental Security Analysis of a Modern Automobile. Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, and Savage. Oakland 2010.
- Comprehensive Experimental Analyses of Automotive Attack Surfaces. Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, and Kohno. Usenix Security 2011.
- Remote Exploitation of an Unaltered Passenger Vehicle. Miller and Valasek. DEF CON 23, Aug. 2015.
Friday, March 10 – Special Topic: Human Factor
- reCAPTCHA: Human-Based Character Recognition via Web Security Measures. von Ahn, Maurer, McMillen, Abraham, and Blum. Science, 2008
- Honeywords: Making Password-Cracking Detectable. Juels and Rivest. CCS 2013.
- Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. Fahl, Harbach, Muders, Smith, Baumgartner, and Freisleben. CCS 2012.
Week 10
Monday, March 13 – Project Presentation
- No readings!
Wednesday, March 15 – Project Presentation
- No readings!
Friday, March 17 – Project Presentation
- No readings!