CSE 227: Computer Security


Mar 30 Introduction
April 1
Software Vulnerabilities I (getting a sense for the basics)

Pincus and Baker, Beyond Stack Smashing: Recent Advances in Buffer Overruns, IEEE Security & Privacy, 2004. (note: requires UCSD IP address to access)
Ahmad, The Rising Threat of Vulnerabilities Due to Integer Errors, IEEE Security & Privacy, 2003. (note: requires UCSD IP address to access)

(optional) SANS Top 20 Internet Security Problems
(optional) Sotirov, Heap Feng Shui in Javascript, Blackhat Europe 2007.
(optional) Daniel, Honoroff, Miller, Engineering Heap Overflow Exploits with Javascript, USENIX WOOT 2008.

April 6th
April 8th
Software Defenses I

Ratanaworabhan, Livshits and Zorn, NOZZLE: A Defense Against Heap-spraying Code Injection Attacks, USENIX Security 2009.
Erlingsson, Abadi, Vrable, Budiu and Necula, XFI: Software Guards for System Address Spaces, OSDI 2006.

April 13th
Software Vulnerabilities II

Please join the class mailing list by registering here.

Rescorla, Is Finding Security Holes a Good Idea?, WEIS 2004.
Ozment and Schechter, Milk or Wine: Does Software Security Improve with Age?, USENIX Security 2008.

April 15th
Vulnerability automation

Brumley, Poosankam, Song and Zheng, Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, IEEE Symposium on Security and Privacy, 2008.
Costa, Crowcroft, Castro, Rowstron, Zhou, Zhang and Barham, Vigilante: End-to-End Containment of Internet Worms, SOSP 2005.

April 20th
Web Security I

Barth, Jackson, Reis and the Google Chrome Team, The Security Architecture of the Chromium Browser, Technical report, 2008.
Barth, Jackson and Mitchell, Robust Defenses for Cross-Site Request Forgery, CCS 2008.

April 22nd
Network Security

Bellovin, A Look Back at the Security Problems in the TCP/IP Protocol Suite, ACSAC, 2004.
Bellovin, Using the Domain Name System for System Break-ins, USENIX Security 1995.
Friedl, An Illustrated Guide to the Kaminsky DNS Vulnerability, Unix Wiz blog, 2008.
(optional) Savage et al. TCP Congestion Control with a Misbehaving Receiver, CCR 1999.

April 27th
Cancelled (Stefan at LEET)
April 29th
Hovav Shacham guest lecture on e-voting.
Calandrino, Halderman and Felten, Machine-Assisted Election Auditing, EVT 2007.
Halderman, Rescorla, Shacham and Wagner, You Go to Elections with the Voting System You Have: Stop-Gap Mitigations for Deployed Voting Systems, EVT 2008.
Rescorla, Understanding the Security Properties of Ballot-Based Verification Techniques, EVT 2009.

(optional) Hall et al, Implementing Risk-Limiting Post-Election Audits in California, EVT 2009.

May 4th
Usability I
(optional) West, The Psychology of Security, CACM, 51(4), April 2008 (short). (note: requires UCSD IP address to access)

Whitten et al, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, USENIX Security 1999.

Dhamija et al, Why Phishing Works, CHI 2006.

May 6th
Usability II (research methods)
Egelman et al, You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, CHI 2010.

Schechter et al, The Emperor's New Security Indicators, IEEE Security and Privacy (Oakland), 2007.

(optional) Finn and Jakobsson, Designing and Conducting Phishing Experiments, IEEE Technology and Society Magazine, 2007.

(optional) Anandpara et al, Phishing IQ Tests Measure Fear, Not Ability, Usability Security 2007.

May 11th
Security measurements
Moore et al, Inferring Internet Denial-of-Service Activity, USENIX Security 2001.

Ramachandran and Feamster, Understanding the Network-Level Behavior of Spammers, SIGCOMM 2006.

May 13th
Security measurements II
Moore and Clayton, Examining the Impact of Website Take-down on Phishing, APWG eCrime Summit, 2007.

Kanich et al. Spamalytics: An Empirical Analysis of Spam Marketing Conversion, CCS 2008.

May 18th
Hovav guest lecture on side-channels
Halderman et al, Lest we Remember: Cold Boot Attacks on Encryption Keys, USENIX Security 2008.

Zhuang et al, Keyboard Acoustic Emanations Revisited, CCS 2005.

May 20th
May 25th
Smart cards
Murdoch et al, Thinking Inside the Box: System-level Failures of Tamper Proofing, IEEE Security and Privacy, 2008.

Murdoch et al, Chip and PIN is Broken, IEEE Security and Privacy 2010.

May 27th
Security in the embedded domain
Halperin et al, Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, IEEE Security and Privacy 2008.

Koscher et al, Experimental Security Analysis of a Modern Automobile, IEEE Security and Privacy 2010.

June 1st
Measuring security (short papers)
Bellovin, On the Brittleness of Software and the Infeasibility of Security Metrics, IEEE Security and Privacy Magazine, 2006.

Lie and Satyanarayanan, Quantifying the Strength of Security Systems, HotSec 2007.

(optional) Bozorgi et al. Beyond Heuristics: Learning to Classify Vulnerabilities and Predict Exploits, KDD 2010.

June 3rd
Wrapping up

Just skim; you are not required to read this deeply, but think about the mindset in this document and come with questions.
CSIS, Securing Cyberspace for the 44th Presidency, 2008.

June 7th
Project presentations