CSE 227: Computer Security

Lectures

Date    Topic and Reading
Jan 5 Class Introduction: “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses,” IEEE S&P 2008.
Jan 7 Software vulnerabilities and defenses I: “Low-Level Software Security by Example,” Handbook of Information and Communication Security 2010.
Jan 12 Software vulnerabilities and defenses II: “Control-Flow Integrity: Principles, Implementations, and Applications,” ACM CCS 2005 and “Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks,” ACM CCS 2015.
Jan 14 Software vulnerabilities and defenses III: “Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications,” IEEE S&P 2008 and “AEG: Automatic Exploit Generation,” NDSS 2011.
Jan 19 Software vulnerabilities and defenses IV: “The Geometry of Innocent Flesh on the Bone: Return-into-Libc Without Function Calls (on the x86),” ACM CCS 2007 and “When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC,” ACM CCS 2008.
Jan 21 NO CLASS
Jan 26 Web Security I: “Robust Defenses for Cross-Site Request Forgery,” ACM CCS 2008 and “Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense,” USENIX Security 2009. Optional background reading: “Session Riding” (CSRF) and “Browser Security Handbook” (same-origin policy).
Jan 28 Web Security II: “XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks,” DIMVA 2008 and “Regular Expressions Considered Harmful in Client-Side XSS Filters,” WWW 2012. Optional background reading: “Cross-site Scripting (XSS)”.
Feb 2 Web Security III: “A Classification of SQL Injection Attacks and Countermeasures,” ISSSE 2006 and “CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations,” ACM CCS 2007.
Feb 4 Web Security IV: “Automatic Creation of SQL Injection and Cross-Site Scripting Attacks,” ICSE 2009 and “Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications,” FC 2011.
Feb 9 Web Security V: “Clickjacking: Attacks and Defenses,” USENIX Security 2012 and “Fortifying Web-Based Applications Automatically,” ACM CCS 2011.
Feb 11 Web Privacy: “I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks,” IEEE S&P 2011 and “An Analysis of Private Browsing Modes in Modern Browsers,” USENIX Security 2010.
Feb 16 Foundations: “The Protection of Information in Computer Systems,” Proc. of the IEEE, 1975. Quiz will cover Section I only.
Feb 18 Mandatory Access Control: “Security Controls in the ADEPT-50 Time-Sharing System,” AFIPS 1969 and “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” ACM TOCS, June 2014.
Feb 23 Privacy and Anonymity: “Tor: The Second-Generation Onion Router,” Tech Report, 2004 and “Off-the-Record Communication, or, Why Not to Use PGP,” WPES 2004.
Feb 25 Network Security: “Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event,” IMC 2005 and “Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World,” ACM CCS 2012.
Mar 1 Bitcoin: “Bitcoin: A Peer-to-Peer Electronic Cash System” and “Traveling the Silk Road: A Measurement Analysis of a Large Anonymous Online Marketplace,” WWW 2013.
Mar 3 Algorithmic DoS: “Backtracking Algorithmic Complexity Attacks Against a NIDS,” ACSAC 2006 and “In the Compression Hornet’s Nest: A Security Study of Data Compression in Network Services,” USENIX Security 2015.
Mar 8 Side Channels: “Keyboard Acoustic Emanations Revisited,” ACM CCS 2005 and “Lest We Remember: Cold Boot Attacks on Encryption Keys,” USENIX Security 2008.
Mar 10 Human Factors: “Re: CAPTCHAs — Understanding CAPTCHA-Solving Services in an Economic Context,” USENIX Security 2010 and “How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation,” USENIX Security 2012.
Mar 17 Project presentations (8 to 11 am), Pepper Canyon Hall 122.