CSE 227: Computer Security

Course Syllabus

Jan 7 Teaser Lecture (Levchenko): “Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event,” IMC 2005, and “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” IEEE S&P 2008.
Jan 9 Class Introduction (Savage): Slides.
Jan 14 Software Vulnerabilities (Savage): “Low-Level Software Security by Example,” Handbook of Information and Communication Security 2010. Slides.
Jan 16 Software Defenses (Levchenko): “Control-Flow Integrity: Principles, Implementations, and Applications,” ACM CCS 2005 and “NOZZLE: A Defense Against Heap-spraying Code Injection Attacks,” USENIX Sec. 2009.
Jan 21 Martin Luther King, Jr. Day (no class)
Jan 23 Software Vulnerabilities II (Levchenko): “AEG: Automatic Exploit Generation,” NDSS 2011 and “Vigilante: End-to-End Containment of Internet Worms,” ACM SOSP 2005.
Jan 28 Software Vulnerabilities III (Savage): “Is finding security holes a good idea?IEEE S&P 2005 and “Milk or Wine: Does Software Security Improve with Age?USENIX Sec. 2006.
Jan 30 Web Security: Cross-Site Request Forgery and the Same-Origin Policy (Levchenko): Background:Session Riding2004 and “Browser Security Handbook2008.
Papers:Robust Defenses for Cross-Site Request ForgeryACM CCS 2008 and “Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and DefenseUSENIX Sec. 2009.
Feb 4 Web Security: Cross-Site Scripting (Levchenko): Warm-up: Pick a cross-site scripting vulnerability from xssed.com to discuss in class. Papers:XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting AttacksDIMVA 2008 and “Regular Expressions Considered Harmful in Client-Side XSS FiltersWWW 2012.
Feb 6 Web Security: SQL Injection (Levchenko): History (optional):NT Web Technology Vulnerabilities1998. Papers:A Classification of SQL Injection Attacks and CountermeasuresISSSE 2006 and “CANDID: Preventing SQL Injection Attacks using Dynamic Candidate EvaluationsCCS 2007.
Feb 11 Web Security: XSS and SQL Injection (Levchenko): “Automatic Creation of SQL Injection and Cross-Site Scripting AttacksICSE 2009 and “Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web ApplicationsFC 2011.
Feb 13 Web Security: Clickjacking (Levchenko): “Clickjacking: Attacks and DefensesUSENIX Sec. 2012 and “Fortifying Web-Based Applications AutomaticallyACM CCS 2011.
Feb 18 Presidents Day (no class)
Feb 20 Phishing (Levchenko): “Large-Scale Automatic Classification of Phishing PagesNDSS 2010 and “You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing WarningsCHI 2008.
Feb 25 Mobile Security (Levchenko): “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on SmartphonesOSDI 2010 and “A Survey of Mobile Malware in the WildSPSM 2011.
Feb 27 Privacy (Levchenko): “I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel AttacksIEEE S&P 2011 and “An Analysis of Private Browsing Modes in Modern BrowsersUSENIX Sec. 2010.
Mar 4 Side Channels (Savage): “Keyboard Acoustic Emanations RevisitedACM CCS 2005 and “Lest we Remember: Cold Boot Attacks on Encryption KeysUSENIX Sec. 2008.
Mar 6 Economics (Levchenko): “Click Trajectories: End-to-End Analysis of the Spam Value ChainIEEE S&P 2011 and “Re: CAPTCHAs -- Understanding CAPTCHA-Solving from an Economic ContextUSENIX Sec. 2010.
Mar 11 Zero Days and APTs (Savage): “Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real WorldACM CCS 2012 and “Tracking GhostNet: Investigating a Cyber Espionage NetworkInformation Warfare Monitor 2009.
Mar 13 Cyberphysical Security (Savage): “Experimental Security Analysis of a Modern Automobile IEEE S&P 2010 and “W32.Stuxnet DossierSymantec 2011.
Mar 22 Project presentations (9 to 11 am) in room 4109.