Wed, Aug 23 |
Course overview. Hardware enclaves.
Skim Innovative Instructions and Software Model for Isolated Execution, McKeen et al. and Haven, Baumann et al.
Tip: Haven has a summary of SGX that is a good prep for the first reading, which is less friendly.
|
No scriber. Refer to readings.
|
Mon, Aug 28 |
Read this overview:
Techniques for computing on encrypted data in a practical system, Popa.
Presenter reads first 15 pages of
A Proof of Security of Yao's Protocol for Two-Party Computation, Lindell and Pinkas.
Assignment
|
Scribe notes
|
Wed, Aug 30 |
Integrity for outsourced data structures.
Read Merkle Hash Trees, Mykletun and
Certificate Transparency, Laurie.
Presenter reads
VerSum: Verifiable Computations over Large Public Logs.
Assignment
|
Scribe notes
|
Wed, Sept 6 |
Network security.
Read A look back at Security Problems in the TCP/IP Protocol Suite, Bellovin.
Presenter reads
China's Great Cannon, Marczak et al.
Assignment
|
Scribe notes
|
Mon, Sept 11 |
Encrypted databases.
Read Opaque, Zheng et al.
Presenter reads Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating System.
Assignment
|
No scriber. Raluca's slides.
|
Wed, Sept 13 |
Privilege separation.
Read The Security Architecture of the Chromium Browser, Barth et al.
Presenter reads
Privilege separation in HTML5 applications.
Assignment
|
Scribe notes
|
Mon, Sept 18 |
Language-based security.
Read Joe-E: A Security-Oriented Subset of Java, Mettler et al.
Presenter reads
JFlow: practical mostly-static information flow control, Myers.
Assignment
|
Scribe notes
|
Wed, Sept 20 |
Mobile security.
Read Android Permissions: User Attention, Comprehension, and Behavior, Felt et al and How To Ask For Permission, Felt et al.
Presenter reads
User-driven access control: Rethinking permission granting in modern operating systems, Roesner et al and Overhaul: Input-Driven Access Control for Better Privacy on Traditional Operating Systems, Onarlioglu et al.
Assignment
|
Scribe notes
|
Mon, Sept 25 |
Machine learning security topics: hiding data or models.
Read
Privacy-Preserving Ridge Regression on Hundreds of Millions of Records, Nikolaenko et al. You do not need to read IV.E-IV.G (malicious security); focus on understanding IV.A-IV.D.
Presenter reads Machine Learning Classification over Encrypted Data, Bost et al.
[Optional reading: the state-of-the-art in this space is
SecureML, Mohassel and Zhang.]
Assignment
|
Scribe notes
|
Wed, Sept 27 |
Differential privacy.
Read Privacy integrated queries, McSherry.
Presenter reads: Differentially Private Password Frequency Lists, Blocki et al.
Optional: Dwork's original paper on DP
Assignment
|
Scribe notes
|
Mon, Oct 2 |
Proposal due date. SUNDR. Authenticated data structures.
Read Secure Untrusted Data Repository (SUNDR), Li et al.
Presenter reads
Verifying Completeness of Relational Query Results,
Pang et al.
Assignment
|
Scribe notes
|
Wed, Oct 4 |
Bitcoin.
Read How the Bitcoin protocol actually works, Nielsen.
Optional: Bitcoin: A Peer-to-Peer Electronic Cash System, Nakamoto.
Presenter reads
Secure multiparty computations on Bitcoin, Andrychowicz and
A scalable verification solution for blockchains, Teutsch.
Assignment
|
Scribe notes
|
Mon, Oct 9 |
Advanced blockchain-based concepts: Ethereum, Smart contracts
Read Ethereum Whitepaper.
Presenter reads Zerocash: Decentralized Anonymous Payments from Bitcoin, Ben-Sasson et al.
Assignment
|
Scribe notes
|
Wed, Oct 11 |
Security of Internet of things.
Read AoT: Authentication and Access Control for the Entire IoT Device Life-Cycle, Neto et al.
Presenter reads IoT Goes Nuclear: Creating a ZigBee Chain Reaction, Ronen et al.
Assignment
|
Scribe notes
|
Mon, Oct 16 |
Web security 1: same-origin policy, DOM model, cookies policy
Read The Tangled Web (2012), Chapters 9-11.
Presenter reads Busting Frame Busting:
a Study of Clickjacking Vulnerabilities on Popular Sites, Rydstedt et al.
Assignment
|
Lecture Slides Scribe notes
|
Wed, Oct 18 |
Symbolic execution.
Symbolic Execution for Software Testing: Three Decades Later, Cadar et al.
Presenter reads Coverage-based Greybox Fuzzing as Markov Chain, Bohme et al.
Assignment
|
Scribe notes
|
Mon, Oct 23 |
Sandboxing.
Ostia: A Delegating Architecture for Secure System Call Interposition, Garfinkel.
Presenter reads Native Client: A Sandbox for Portable, Untrusted x86 Native Code, Yee et al.
Assignment
|
Scribe notes
|
Wed, Oct 25 |
Usable security.
Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication, Karlof et al.
Presenters read Improving SSL Warnings: Comprehension and Adherence, Felt et al. and The Emperor's New Security Indicators, Schechter et al.
Assignment
|
Scribe notes
|
Mon, Oct 30 |
Side-channel attacks.
Remote Timing Attacks are Practical, Brumley et al.
Presenter reads Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, Ristenpart et al.
Assignment
|
Scribe notes
|
Wed, Nov 1 |
Exam.
|
|
Mon, Nov 6 |
Web security 2: XSS and CSRF attacks
Read CSRF, OWASP and XSS, OWASP
Presenter reads Robust Defenses for Cross-Site Request Forgery, Barth et al.
Assignment
|
Lecture slides
Scribe notes
|
Wed, Nov 8 |
Underground economy.
Read The Underground Economy: Priceless, Thomas and Martin.
Presenter reads Click Trajectories: End-to-End Analysis of the Spam Value Chain, Levchenko et al., and Ethics in Security Research: Which Lines Should Not Be Crossed? + their slides.
Assignment
|
Scribe notes
|
Mon, Nov 13 |
Anonymous messaging via mixnets.
Read the original paper on mixnets by D. Chaum.
Presenter reads Vuvuzela.
Assignment
|
|
Wed, Nov 15 |
Design day: securing email.
No reading for the class.
Presenter reads Signal's private contact discovery.
No assignment.
|
|
Mon, Nov 20 |
Project presentations.
|
|
Mon, Nov 27 |
Project presentations
|
-
|
Wed, Nov 29 |
Project presentations
|
-
|