|
| Topic
| Readings
| Scribe
|
| 8/29
| Overview, intro
|
|
|
| 8/31
| Software vulnerabilities
| Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Pincus, Baker.
Basic Integer Overflows, blexim (no paper summary).
| Thurston
|
| 9/5
|
| No class!
|
|
| 9/7
| Runtime defenses
| Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense
against Out-of-Bounds Errors, Akritidis, Costa, Castro, Hand.
Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks, Xu, Bhatkar, Sekar.
| Nicholas
|
| 9/12
| Static analysis and bugfinding
| EXE: Automatically Generating Inputs of Death, Cadar, Ganesh, Pawlowski, Dill, Engler.
MECA: an Extensible, Expressive System and Language for Statically Checking Security Properties, Yang, Kremenek, Xie, Engler.
| Alex
|
| 9/14
| Inline reference monitors
| Evaluating SFI for a CISC Architecture, McCamant, Morrisett.
Adapting Software Fault Isolation to Contemporary CPU Architectures, Sehr, Muth, Biffle, Khimenko, Pasko, Schimpf, Yee, Chen.
| Tom
|
| 9/19
| Sandboxing
| A secure environment for untrusted helper applications: confining the wily hacker, Goldberg, Wagner, Thomas, Brewer.
| Ian
|
| 9/21
| Sandboxing
| (no reading)
| Javona
|
| 9/26
| Privilege separation
| Wedge: Splitting Applications into Reduced-Privilege Compartments, Bittau, Marchenko, Handley, Karp.
The Security Architecture of the Chromium Browser, Barth, Jackson, Reis, Google Chrome Team.
|
|
| 9/28
| Privilege management
| Extensible security architectures for Java, Wallach, Balfanz, Dean, Felten.
|
|
| 10/3
| Capabilities
| Access Control (v0.1), Laurie.
Paradigm Regained: Abstraction Mechanisms for Access Control, Miller, Shapiro.
| Jon
|
| 10/5
| Network security
| A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin.
| Mobin
|
| 10/10
| Firewalls
| A quantitative study of firewall configuration errors, Wool.
|
|
| 10/12
| DNS security
| Using the Domain Name System for System Break-Ins, Bellovin.
Reliable DNS Forgery in 2008: Kaminsky's Discovery, Matasano blog.
Optional: An Illustrated Guide to the Kaminsky DNS Vulnerability, Friedl.
|
|
| 10/17
| Cloud computing security
(guest lecture: John Manferdelli)
| Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart, Tromer, Shacham, Savage.
Protecting Your Critical Assets: Lessons Learned from "Operation Aurora", McAfee.
| Kyle
|
| 10/19
| Attacks
| The underground economy: priceless, Thomas, Martin.
|
|
| 10/24
| Web security - browsers
| Robust Defenses for Cross-Site Request Forgery, Barth, Jackson, Mitchell.
Optional background on cross-site request forgeries: Cross-Site Request Forgeries: Exploitation and Prevention, Zeller, Felten.
| Warren
|
| 10/26
| Web security - servers
| Web Security: Are You Part Of The Problem?, Heilman.
Improving Application Security with Data Flow Assertions, Yip, Wang, Zeldovich, Kaashoek.
|
|
| 10/31
| Usable security
| The psychology of security, West.
Why Phishing Works, Dhamija, Tygar, Hearst.
| Wontae
|
| 11/2
| Usable security
| You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings, Egelman, Cranor, Hong
| Sunil
|
| 11/7
| E-voting
| Security Analysis of the Diebold AccuVote-TS Voting Machine, Feldman, Halderman, Felten
| Eric
|
| 11/9
| Cryptography primer
| No readings
| James
|
| 11/14
| Kerberos
| Designing an Authentication System: a Dialogue in Four Scenes, Bryant.
| Kristin
|
| 11/16
| Cryptographic protocols
| Prudent engineering practice for cryptographic protocols, Abadi, Needham.
|
|
| 11/21
| Cryptography - lessons learned
| Why Cryptosystems Fail, Anderson.
| David
|
| 11/23
| Untrusted platforms
| How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It, Pritchard
On the Security of Digital Tachographs, Anderson
| Kurt
|
| 11/28
| Privacy
| Privacy, economics, and price discrimination on the internet, Odlyzko
How Much is Location Privacy Worth?, Danezis et al.
Optional: Privacy Oracle: A System for Finding Application Leaks with Black Box Differential Testing, Jung et al
| Saung
|
| 11/30
| Economics
| Why Information Security is Hard - An Economic Perspective, Anderson
| Rohit
|