CS261: Security in Computer Systems
Fall 2017


Lectures: Monday and Wednesday, 10:30am-11:59am, 320 Soda
Staff:
Office hours: Tuesdays 2-3pm in Soda 729 (Raluca); Tuesdays 2-3pm in Soda 733 (David)

Piazza:
Sign up for this course's Piazza. Please don't hesitate to ask questions to the class and have discussions there. Moreover, you can use it to find course project teammates.
Contact: Got a question? Post on Piazza.
Course overview:
Graduate survey of modern topics in computer security, including systems techniques, web security, systems based on cryptography, network security, anonymous communication, crypto currencies, trusted computing, mobile computing, usable security, privacy and others. (3 units)
Prerequisites: CS 162 or equivalent.
Assignments:
Grading:




Date Topic + Readings Scribe notes
Wed, Aug 23

Course overview. Hardware enclaves.
Skim Innovative Instructions and Software Model for Isolated Execution, McKeen et al. and Haven, Baumann et al.
Tip: Haven has a summary of SGX that is a good prep for the first reading, which is less friendly.

No scriber. Refer to readings.

Mon, Aug 28

Read this overview: Techniques for computing on encrypted data in a practical system, Popa.
Presenter reads first 15 pages of A Proof of Security of Yao's Protocol for Two-Party Computation, Lindell and Pinkas.
Assignment

Scribe notes
Wed, Aug 30

Integrity for outsourced data structures. Read Merkle Hash Trees, Mykletun and Certificate Transparency, Laurie.
Presenter reads VerSum: Verifiable Computations over Large Public Logs.
Assignment

Scribe notes

Wed, Sept 6

Network security.
Read A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin.
Presenter reads China's Great Cannon, Marczak et al.
Assignment

Scribe notes

Mon, Sept 11

Encrypted databases.
Read Opaque, Zheng et al.
Presenter reads Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating System.
Assignment

No scriber. Raluca's slides.

Wed, Sept 13

Privilege separation.
Read The Security Architecture of the Chromium Browser, Barth et al.
Presenter reads Privilege separation in HTML5 applications.
Assignment

Scribe notes

Mon, Sept 18

Language-based security.
Read Joe-E: A Security-Oriented Subset of Java, Mettler et al.
Presenter reads JFlow: practical mostly-static information flow control, Myers.
Assignment

Scribe notes

Wed, Sept 20

Mobile security.
Read Android Permissions: User Attention, Comprehension, and Behavior, Felt et al and How To Ask For Permission, Felt et al.
Presenter reads User-driven access control: Rethinking permission granting in modern operating systems, Roesner et al and Overhaul: Input-Driven Access Control for Better Privacy on Traditional Operating Systems, Onarlioglu et al.
Assignment

Scribe notes

Mon, Sept 25

Machine learning security topics: hiding data or models.
Read Privacy-Preserving Ridge Regression on Hundreds of Millions of Records, Nikolaenko et al. You do not need to read IV.E-IV.G (malicious security); focus on understanding IV.A-IV.D.
Presenter reads Machine Learning Classification over Encrypted Data, Bost et al.
[Optional reading: the state-of-the-art in this space is SecureML, Mohassel and Zhang.]
Assignment

Scribe notes

Wed, Sept 27

Differential privacy.
Read Privacy integrated queries, McSherry.
Presenter reads: Differentially Private Password Frequency Lists, Blocki et al.
Optional: Dwork's original paper on DP
Assignment

Scribe notes

Mon, Oct 2

Proposal due date. SUNDR. Authenticated data structures. Read Secure Untrusted Data Repository (SUNDR), Li et al.
Presenter reads Verifying Completeness of Relational Query Results, Pang et al.
Assignment

Scribe notes

Wed, Oct 4

Bitcoin.
Read How the Bitcoin protocol actually works, Nielsen.
Optional: Bitcoin: A Peer-to-Peer Electronic Cash System, Nakamoto.
Presenter reads Secure multiparty computations on Bitcoin, Andrychowicz and A scalable verification solution for blockchains, Teutsch.
Assignment

Scribe notes

Mon, Oct 9

Advanced blockchain-based concepts: Ethereum, Smart contracts
Read Ethereum Whitepaper.
Presenter reads Zerocash: Decentralized Anonymous Payments from Bitcoin, Ben-Sasson et al.
Assignment

Scribe notes

Wed, Oct 11

Security of Internet of things.
Read AoT: Authentication and Access Control for the Entire IoT Device Life-Cycle, Neto et al.
Presenter reads IoT Goes Nuclear: Creating a ZigBee Chain Reaction, Ronen et al.
Assignment

Scribe notes

Mon, Oct 16

Web security 1: same-origin policy, DOM model, cookies policy
Read The Tangled Web (2012), Chapters 9-11.
Presenter reads Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, Rydstedt et al.
Assignment

Lecture Slides
Scribe notes

Wed, Oct 18

Symbolic execution.
Symbolic Execution for Software Testing: Three Decades Later, Cadar et al.
Presenter reads Coverage-based Greybox Fuzzing as Markov Chain, Bohme et al.
Assignment

Scribe notes

Mon, Oct 23

Sandboxing.
Ostia: A Delegating Architecture for Secure System Call Interposition, Garfinkel.
Presenter reads Native Client: A Sandbox for Portable, Untrusted x86 Native Code, Yee et al.
Assignment

Wed, Oct 25

Usable security.
Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Karlof et al.
Presenters read Improving SSL Warnings: Comprehension and Adherence, Felt et al. and The Emperor's New Security Indicators, Schechter et al.
Assignment

Mon, Oct 30

Side-channel attacks.
Remote Timing Attacks are Practical, Brumley et al.
Presenter reads Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al.
Assignment

Wed, Nov 1

Exam.

Mon, Nov 6

Web security 2: XSS and CSRF attacks
Read CSRF, OWASP and XSS, OWASP
Presenter reads Robust Defenses for Cross-Site Request Forgery, Barth et al.
Assignment

Lecture slides
Scribe notes

Wed, Nov 8

Underground economy.
Read The Underground Economy: Priceless, Thomas and Martin.
Presenter reads Click Trajectories: End-to-End Analysis of the Spam Value Chain, Levchenko et al., and Ethics in Security Research: Which Lines Should Not Be Crossed? + their slides.
Assignment

Mon, Nov 13

Anonymous messaging via mixnets.
Read the original paper on mixnets by D. Chaum.
Presenter reads Vuvuzela.
Assignment

Wed, Nov 15

Design day: securing email.
No reading for the class.
Presenter reads Signal's private contact discovery.
No assignment.

Mon, Nov 20

Project presentations.

Mon, Nov 27

Project presentations

-

Wed, Nov 29

Project presentations

-




Related Courses

Security books

Conferences

Building secure systems involves innovating in both systems and security. Therefore, the top conferences in this field are both systems and security conferences.

Systems conferences

Security conferences