CSE 227: Computer Security

Syllabus

nn
Date
Topic
Jan 8 Introduction
Jan 10
Project Info and sample project ideas

Risk analysis

  • Neumann, Security Criteria for Electronic Voting, National Computer Security Conference, 1993.
  • Halperin, Heydt-Benjamin, Fu, Kohno, and Maisel, Security and Privacy for Implantable Medical Devices, IEEE Pervasive Computing, 2008.

    Optional:
  • Kohno, Stubblefield, Rubin, and Wallach. Analysis of An Electronic Voting System. IEEE Symposium on Security and Privacy, 2004.
  • Karlof, Sastry, and Wagner. Cryptographic Voting Protocols: A Systems Perspective. USENIX Security, 2005.
  • Kelsey. Strategies for Software Attacks on Voting Machines. NIST Threats to Voting Systems, 2005.
  • Jan 15
    Threats
  • Franklin, Paxson, Perrig and Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS 2007.
  • Jackson, Boneh, and Mitchell, Transaction Generators: Root Kits for the Web, USENIX HotSec, 2007.
  • Jan 17
    Groups formed (send me e-mail)

    Usability I

  • Adams and Sasse, Users are not the enemy, CACM, v42 n12, 1999.
  • Whitten and Tygar, Why Johnny Can't Encrypt. A Usability Evaluation of PGP 5.0, USENIX Security 1999.
  • Jan 22
    Usability II
  • Balfanz, Durfee, Smetters and Grinter, In Search of Useable Security: Five Lessons from the Field, IEEE Security and Privacy, Sept/Oct 2004.
  • Schecgter, Dhamija, Ozment and Fischer, The Emperor's New Security Indicators: An evaluation of website authentication and the effects of roll playing in usability studies, IEEE Security and Privacy, 2007.
  • Jan 24
    Project proposals due

    25 Years of Security Design Principles

  • Saltzer and Schoeder, The Protection of Information in Computer Systems, Proceedings of the IEEE, 1975 (earlier version in 4th SOSP).
  • Viega and McGraw, Software Security Principles, Part1, Part2, Part3, Part4, Part5
  • , IBM DeveloperWorks, 2000.
    Jan 29
    Code Security I
  • Cowan, Wagel, Pi, Beattie and Walpole, Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, DARPA DISCEX 2000.
  • Pincus and Baker, Beyond Stack Smashing: Recent Advances in Buffer Overruns, IEEE Security & Privacy, 2004.
  • (optional) Nagy, Generic Anti-Exploitation Technology for Windows, eEye white paper
  • Jan 31
    Guest lecture: Hovav Shacham

    Code Security II

  • Schacham, Page, Pfaff, Goh, Modadugu and Boneh, On the Effectiveness of Address-Space Randomization, CCS 2004.
  • Schacham, The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), CCS 2007.
  • Feb 5
    Code Security III
  • Wagner, Foster, Brewer and Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, NDSS 2000.
  • Ozment and Schecter, Milk or Wine: Does Software Security Improve with Age?, USEINX Security 2006.
  • Feb 7
    Malware I
  • Carey Nachenberg, Computer virus-antivirus coevolution, CACM 1997.
  • Stuart Staniford, Vern Paxson and Nicholas Weaver, How to 0wn the Internet in Your Spare Time, USENIX Security 2002.
  • Feb 12
    Class cancelled.
    Instead, go see Collin Jackson (Stanford) talk on "Securing Frame Communication in Browsers", 2pm-3pm in EBU3B room 4140.

    Also, project discussion sign up sheet is on my door (EBU3B 3106). sign up for a time slot.

    Feb 14
    Malware II: evasion
  • Peter Szor and Peter Ferrie, Hunting for Metamorphic, Virus Bulletin Conference, 2001.
  • James Newsome, Brad Karp and Dawn Song, Polygraph: Automatically Generating Signatures for Polymorphic Worms, IEEE Security & Proviacy, 2005.
  • Feb 19
    Intrusion Detection I
  • Vern Paxson, Bro: A System for Detecting Network Intruders in Real-Time, Computer Nteworks, 31(23-24), 1999.
  • Thomas Ptackek and Timothy Newsham, Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection, Secure Networks white paper, 1998.
    It has been pointed out to me that this paper is 63 pages long. This is true, althogh it has enormous margins so the reality is that its not as big as it looks. However, you should feel free to not care about sections 7 and 8 if its getting overwhelming.
  • Feb 21
    Protocol attacks
  • Stefan Savage, Neal Cardwell, David Wetherall and Tom Anderson, TCP Congestion Control with A Misbehaving Receiver, CCR 29(5), 1999.
  • Michael Piatek, Tomas Isdal, Tom Anderson, Arvind Krishnamurthy and Arun Venkataramani, Do inventives build Robustness in BitTorrent?, NSDI 2007.
  • Feb 26
    Privacy I: Anonymity
  • R. Dingledine, N. Mathewson and P. Syverson, Tor: The Second Generation Onion Router, USENIX Security, 2004.
  • K. Bauer, D. McCoy, D. Grunwald, T. Kohno, D. Sicker, Low-Resource Routing Attacks Against Tor, Workshop on Privacy in the Electronic Society, 2007.
  • Feb 28
    Privacy II: Side Channels
  • L. Zhuang, F. Zhou and D. Tygar, Keyboard Acoustic Emanations Revisited, ACM CCS 2005.
  • T. Kohno, A. Brodio, K. Claffy, Remote physical device fingerprinting, IEEE TDSC, 2005.
  • Mar 4
    Information hiding/covert channels
  • Shah, Molina and Blaze, Keyboards and Covert Channels, USENIX Security 2006.
  • Craver, Wu, Liu, Stubblefield, Swartzlander, Wallach, Dean and Felten, Reading Between the Lines: Lessons from the SDMI Challaenge, USENIX Security 2001.
  • Mar 6
    Denial-of-service
  • Moore, Voelker and Savage, Inferring Internet Denial-of-Service Activity, USENIX Security 2001.
  • Andersen, Mayday: Distributed Filtering for Internet Services, USITS 2003.
  • Mar 11
    TBA
    Mar 13
    Class Presentations
    Mar 20
    Instructions for downloading and completing the final are now available here. It can be completed during any three hour period until midnight on Saturday the 22nd. The exam will be open papers/notes, etc but please no general use of search engines (where particular information may be useful I have provided links which you can visit).

    Here is a pointer to a sample final from last year. Bear in mind that the construction of the class was different so the final will be different as well (last year I did alot more generic "presentations", ala 127, covering details of various methods/techniques, wihle this year I've tried to use the papers as more of a guide.