CS 261 Schedule

The following schedule is tentative and subject to change.

Topic Readings Scribe
8/29 Overview, intro
8/31 Software vulnerabilities Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Pincus, Baker.
Basic Integer Overflows, blexim (no paper summary).
9/5 No class!
9/7 Runtime defenses Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors, Akritidis, Costa, Castro, Hand.
Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks, Xu, Bhatkar, Sekar.
9/12 Static analysis and bugfinding EXE: Automatically Generating Inputs of Death, Cadar, Ganesh, Pawlowski, Dill, Engler.
MECA: an Extensible, Expressive System and Language for Statically Checking Security Properties, Yang, Kremenek, Xie, Engler.
9/14 Inline reference monitors Evaluating SFI for a CISC Architecture, McCamant, Morrisett.
Adapting Software Fault Isolation to Contemporary CPU Architectures, Sehr, Muth, Biffle, Khimenko, Pasko, Schimpf, Yee, Chen.
9/19 Sandboxing A secure environment for untrusted helper applications: confining the wily hacker, Goldberg, Wagner, Thomas, Brewer. Ian
9/21 Sandboxing (no reading) Javona
9/26 Privilege separation Wedge: Splitting Applications into Reduced-Privilege Compartments, Bittau, Marchenko, Handley, Karp.
The Security Architecture of the Chromium Browser, Barth, Jackson, Reis, Google Chrome Team.
9/28 Privilege management Extensible security architectures for Java, Wallach, Balfanz, Dean, Felten.
10/3 Capabilities Access Control (v0.1), Laurie.
Paradigm Regained: Abstraction Mechanisms for Access Control, Miller, Shapiro.
10/5 Network security A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin. Mobin
10/10 Firewalls A quantitative study of firewall configuration errors, Wool.
10/12 DNS security Using the Domain Name System for System Break-Ins, Bellovin.
Reliable DNS Forgery in 2008: Kaminsky's Discovery, Matasano blog.
Optional: An Illustrated Guide to the Kaminsky DNS Vulnerability, Friedl.
10/17 Cloud computing security
(guest lecture: John Manferdelli)
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart, Tromer, Shacham, Savage.
Protecting Your Critical Assets: Lessons Learned from "Operation Aurora", McAfee.
10/19 Attacks The underground economy: priceless, Thomas, Martin.
10/24 Web security - browsers Robust Defenses for Cross-Site Request Forgery, Barth, Jackson, Mitchell.
Optional background on cross-site request forgeries: Cross-Site Request Forgeries: Exploitation and Prevention, Zeller, Felten.
10/26 Web security - servers Web Security: Are You Part Of The Problem?, Heilman.
Improving Application Security with Data Flow Assertions, Yip, Wang, Zeldovich, Kaashoek.
10/31 Usable security The psychology of security, West.
Why Phishing Works, Dhamija, Tygar, Hearst.
11/2 Usable security You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, Egelman, Cranor, Hong Sunil
11/7 E-voting Security Analysis of the Diebold AccuVote-TS Voting Machine, Feldman, Halderman, Felten Eric
11/9 Cryptography primer No readings James
11/14 Kerberos Designing an Authentication System: a Dialogue in Four Scenes, Bryant. Kristin
11/16 Cryptographic protocols Prudent engineering practice for cryptographic protocols, Abadi, Needham.
11/21 Cryptography - lessons learned Why Cryptosystems Fail, Anderson. David
11/23 Untrusted platforms How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It, Pritchard
On the Security of Digital Tachographs, Anderson
11/28 Privacy Privacy, economics, and price discrimination on the internet, Odlyzko
How Much is Location Privacy Worth?, Danezis et al.
Optional: Privacy Oracle: A System for Finding Application Leaks with Black Box Differential Testing, Jung et al
11/30 Economics Why Information Security is Hard - An Economic Perspective, Anderson Rohit

David Wagner, daw@cs.berkeley.edu, http://www.cs.berkeley.edu/~daw/.