| Date | Topic | Reading |
|---|---|---|
| Sep 28 | Introduction | No reading |
| Oct 3 | Security Concepts | Ch. 1 and Ch. 4 Sections 4.1 through 4.2.6 in Ross Anderson’s Security Engineering |
| Oct 5 | Multilevel Security | Ch. 8 Sections 8.1, 8.2, 8.3, and 8.6 in Ross Anderson’s Security Engineering; “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones” by Enck et al. |
| Oct 10 | Control Flow Hijacking | “Smashing The Stack For Fun And Profit” by Aleph One |
| Oct 12 | Control Flow Hijacking | “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade” by Cowan et al.; ASLR and NOEXEC for Linux from the PaX project; printf manual (reference for Assignment 4) |
| Oct 17 | Control Flow Hijacking | “On the Effectiveness of Address-Space Randomization” by Shacham et al.; “The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)” by Shacham; Return-oriented programming worksheet by S. Checkoway (for use in class) |
| Oct 19 | Advanced Software Attacks | “Finding and Preventing Bugs in JavaScript Bindings” by Brown et al. (guest lecture by Deian Stefan) |
| Oct 24 | Cryptography | Ch. 5 Sections 5.1 through 5.8 in Ross Anderson’s Security Engineering; “Cryptography 101 - The Basics” by D. Brumley (optional) |
| Oct 26 | Public Key Infrastructure | “A Short Tutorial on Distributed PKI” from Isode Ltd.; “PGP Web of Trust: Core Concepts Behind Trusted Communication” by K. Ryabitsev; “Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure” by C. Ellison and B. Schneier (optional); “Information Security: Before and After Public Key Cryptography” by Whitfield Diffie (optional) |
| Oct 31 | No lecture | |
| Nov 2 | Midterm Exam | In class |
| Nov 7 | Password Authentication | “Serious Security: How to store your users’ passwords safely” by P. Ducklin |
| Nov 9 | Web Security | XSS Game; CSRF from OWASP; Same Origin Policy from Google (read through “Same-origin policy for cookies”) |
| Nov 14 | SQL Injection | PHP Manual: SQL Injection |
| Nov 16 | Advanced Web Attacks | “From the Aether to the Ethernet - Attacking the Internet using Broadcast Digital Television” by Y. Oren and A. D. Keromytis; “Clickjacking” by R. Hansen and J. Grossman |
| Nov 21 | Principles | Saltzer and Schroeder, “The Protection of Information in Computer Systems,” Section I only |
| Nov 23 | No lecture | Thanksgiving holiday |
| Nov 28 | Network Security | “A Look Back at Security Problems in the TCP/IP Protocol Suite” by S. Bellovin |
| Nov 30 | Network Security | “An Illustrated Guide to the Kaminsky DNS Vulnerability” by S. Friedl |
| Dec 5 | Network Security | “How DNSSEC Works” from Cloudflare; RFC 4034 (optional, for reference) |
| Dec 7 | Bitcoin | “Bitcoin: A Peer-to-Peer Electronic Cash System” by S. Nakamoto; Ch. 2 of Mastering Bitcoin (optional) |
| Dec 12 | Final Exam | 8:00am to 11:59am, Location TBA |