CSE 227: Computer Security

Syllabus

Date
Topic
Jan 9 Introduction
Jan 11
Case study: cars (special lecturer: Stephen Checkoway)

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, Experimental Security Analysis of a Modern Automobile, IEEE Security and Privacy (Oakland), 2010.

Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno, Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security, 2011.

Jan 16
Cancelled (MLK Day)
Jan 18
Same Origin Policy (Guest lecture: Hovav Shacham)

Jackson and Barth, Beware of Finer-Grained Origins, W2SP 2008.

Barth, Weinberger and Song, Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense, USENIX Security 2009.

Jan 23
Software vulnerabilities background
Jan 25
Software Defenses I

Abadi, Budiu, Erlingsson and Ligatti, Control-Flow Integrity, CCS 2005.
Ratanaworabhan, Livshits and Zorn, NOZZLE: A Defense Against Heap-spraying Code Injection Attacks, USENIX Security 2009.

Jan 30
Advanced software vulnerabilities

Shacham, The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), CCS 2007.
Daniel, Honoroff and Miller, Engineering Heap Overflow Exploits with JavaScript, WOOT 2008.

Feb 1
Software Vulnerabilities: Meta Issues

You can join a class mailing list by registering here.

Rescorla, Is Finding Security Holes a Good Idea?, WEIS 2004.
Ozment and Schechter, Milk or Wine: Does Software Security Improve with Age?, USENIX Security 2006.

Feb 6
Software Vulnerabilities: Automation

Avgerinos, Cha, Hao and Brumley, AEG: Automatic Exploit Generation, NDSS 2011.
Costa, Crowcroft, Castro, Rowstron, Zhou, Zhang and Barham, Vigilante: End-to-End Containment of Internet Worms, SOSP 2005.

Feb 8
Building a safer browser (note: class starts 15 minutes late)

Barth, Jackson, Reis and the Google Chrome Team, The Security Architecture of the Chromium Browser, Technical report, 2008.

Feb 13
Usability I
(optional) West, The Psychology of Security, CACM, 51(4), April 2008 (short). (note: requires a UCSD IP address)

Whitten et al, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, USENIX Security 1999.

Dhamija et al, Why Phishing Works, CHI 2006.

Feb 15
No class (Stefan in DC)
Feb 20
Cancelled (Presidents' Day)
Feb 22
Usability II (research methods)
Egelman et al, You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, CHI 2008.

Schechter et al, The Emperor's New Security Indicators, IEEE Security and Privacy (Oakland), 2007.

(optional) Finn and Jakobsson, Designing and Conducting Phishing Experiments, IEEE Technology and Society Magazine, 2007.

(optional) Anandpara et al, Phishing IQ Tests Measure Fear, Not Ability, Usable Security (USEC) 2007.

Feb 27
Measurement and economics (attackers) [Geoff Voelker special guest]
Motoyama et al, Re: CAPTCHAs -- Understanding CAPTCHA-Solving Services in an Economic Context, USENIX Security 2010.

Levchenko et al, Click Trajectories: End-to-end Analysis of the Spam Value Chain, IEEE Security and Privacy, 2011.

Feb 29
Measurement and economics II (defenders):
Moore and Clayton, Examining the Impact of Website Take-down on Phishing, APWG eCrime Summit, 2007.

Stone-Gross et al. The Underground Economy of Fake Antivirus Software, WEIS 2011.

Mar 5
Side channels:
Zhuang et al, Keyboard Acoustic Emanations Revisited, CCS 2005.

Halderman et al, Lest we Remember: Cold Boot Attacks on Encryption Keys, USENIX Security 2008.

Mar 7
Covert channels:
Shah, Molina and Blaze, Keyboards and Covert Channels, USENIX Security 2006.

Provos and Honeyman, Hide and Seek: An Introduction to Steganography, IEEE Security and Privacy magazine 2003.

Mar 12
Privacy:
Aggarwal, Bursztein, Jackson and Boneh, An Analysis of Private Browsing Modes in Modern Browsers, USENIX Security 2010.

Jang, Jhala, Lerner and Shacham, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, CCS 2010.

Strictly optional:
Mayer, Tracking the Trackers: Where Everybody Knows Your Username, Stanford CIS blog, 2011.

Enck et al, TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, OSDI 2010. (only need to read section 6 for the privacy findings)

Mar 14
Cancelled... work on projects
Mar 19
Final presentations 11:30-2:50 (final papers due Friday)