CSE 227: Computer Security

Course Syllabus

Sept 28 Class Introduction: Slides.
Oct 3 Low-level control-flow Vulnerabilities:
“Low-Level Software Security by Example” (just this chapter), Handbook of Information and Communication Security, 2010.
Oct 5 Low-level Software Defenses: (Kirill Levchenko guest lecture)
“Control-Flow Integrity: Principles, Implementations, and Applications,” ACM CCS 2005, and “NOZZLE: A Defense Against Heap-spraying Code Injection Attacks,” USENIX Sec. 2009.

Related papers [not assigned]:
Counterfeit Object-oriented Programming, IEEE Security and Privacy '15, and ROP is Still Dangerous: Breaking Modern Defenses, USENIX Sec '14.

Oct 10 Cancelled
Oct 12 Software vulnerabilities in aggregate
Milk or Wine: Does Software Security Improve with Age?, USENIX Sec. 2006, and Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World, ACM CCS 2012.

Related papers [not assigned]:
An Empirical Study of Vulnerability Rewards Programs, USENIX Sec '13; Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits, RAND report; and Is finding security holes a good idea?, IEEE S&P 2005.

Oct 17 Usability and human factors in security
A Framework for Reasoning about the Human in the Loop, UPSec '08, and Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness, USENIX Security '13.

Related papers [not assigned]:
Users are not the Enemy, CACM vol. 42 no. 12; So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, NSPW '09; and The Psychology of Security, CACM vol. 51 no. 4.

Oct 19 Usability II
Network-in-a-Box: How to Set Up A Secure Wireless Network in Under a Minute, USENIX Security '04, and Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, USENIX Sec '99.

Related papers [not assigned]:
The Emperor's New Security Indicators: An Evaluation of Website Authentication and the Effect of Role Playing on Usability Studies, IEEE Security and Privacy '07.

Oct 24 Side Channels I: Keyboard Acoustic Emanations Revisited, CCS 2005, and Lest We Remember: Cold Boot Attacks on Encryption Keys, USENIX Security 2008.
Oct 26 Other Channels II: Exploiting the DRAM rowhammer bug to gain kernel privileges, Google Project Zero blog post, and Neuroscience Meets Cryptography: Designing Crypto Primitives Secure against Rubber Hose Attacks, USENIX Security '12.
Oct 31 Ecosystem I: Click Trajectories: End-to-End Analysis of the Spam Value Chain, IEEE S&P 2011, and Re: CAPTCHAs -- Understanding CAPTCHA-Solving from an Economic Context, USENIX Sec. 2010.
Nov 2 Ecosystem II: Examining the Impact of Website Take-down on Phishing, APWG eCrime Summit 2007, and The Underground Economy of Fake Antivirus Software, WEIS 2011.

Related papers [not assigned]:
Priceless: The Role of Payments in Abuse-advertised Goods, CCS 2012, and Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting, WEIS 2014.

Nov 7 Cancelled due to illness

Nov 9 SSL/TLS I: The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software, CCS 2012, and Analysis of the HTTPS Certificate Ecosystem, IMC 2013.
Nov 14 SSL/TLS II: The Security Impact of HTTPS Interception, NDSS 2017, and DROWN: Breaking TLS using SSLv2, USENIX Security '16.
Nov 16 Cyber-Physical Security: Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, IEEE Security and Privacy '08, and Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security '11.
Nov 21 Web Privacy I: I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks, and XRay: Enhancing the Web's Transparency with Differential Correlation.
Nov 23 Thanksgiving! Class cancelled

Nov 28 Web Privacy II: An Analysis of Private Browsing Modes in Modern Browsers, USENIX Sec '10, and Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016, USENIX Sec '16.
Nov 30 Web Security: XSS-Guard: Precise Dynamic Prevention of Cross-Site Scripting Attacks, DIMVA '08, and Robust Defenses for Cross-Site Request Forgery, CCS '08.

Background (not required) reading on XSS and CSRF.

Dec 5 Bitcoin: SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies, IEEE Security and Privacy 2015.
Dec 7 Science of Security: Science, Security and the Elusive Goal of Security as a Scientific Pursuit, IEEE Security and Privacy '17.
Dec 14 Final presentations

10 minutes max. Send me your slides by 1pm the same day (ppt, odp, or pdf accepted) so we can use a single laptop. Presentations run from 3pm to 6pm.

Presentation order:

  • Memauth: Implicit memory based authentication schemes
  • Classifying Software Changes: Safe or Vulnerable
  • Voice As an Attack: Using Browser Extensions to Access Voice-Controlled Intelligent Personal Assistants
  • Extending a Native Library Sandbox to 64-bit
  • Defense Mechanisms against Adversarial Machine Learning for Malware Classifiers
  • Firefox: Security Vulnerability Analysis
  • Fool the malware: Malware code inspection using VM Cloning
  • Exploring strategies for disincentivizing minimum-wage CAPTCHA solvers
  • An AWS Lambda-based HTTP Flooding Attack