CSEP564 Computer Security (Autumn 2012)

Readings

The following is a list of readings for CSEP564. The main course page is here: here.

September 27, 2012

Read the following by October 18. You are not required to read these by the first lecture. There will not be additional assigned readings for October 18; however, we encourage you to start reading these as early as possible. UPDATE 9/28: You are not required to enter a review for these readings into HotCRP; the October 18 deadline is on the "honor system."

Chapter 1, "Security Goals," in Foundations of Security.
Chapter 2, "Secure Systems Design," in Foundations of Security.
Chapter 3, "Secure Design Principles," in Foundations of Security.

Optional readings:

Chapter 1, "The Context of Cryptography," in Cryptography Engineering.
"Analysis of an Electronic Voting System" (IEEE Security and Privacy 2004)

October 4, 2012

Theme: Understanding the adversaries

Required readings:

"An Inquiry into the Nature and Causes of Wealth in Internet Miscreants" (CCS 2007)
"Re: CAPTCHAs -- Understanding CAPTCHA-Solving Services in an Economic Context" (Usenix Security 2010)
"PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs" (Usenix Security 2012)

Optional readings:

"How to 0wn the Internet in Your Spare Time" (Usenix Security 2002)
"Show Me the Money: Characterizing Spam-advertised Revenue" (Usenix Security 2011)

October 11, 2012

Theme: Understanding the adversaries and security for emerging technologies (that may not have adversaries yet)

Required readings:

"Manufacturing Compromise: The Emergence of Exploit-as-a-Service" (CCS 2012)
"Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses" (IEEE Security and Privacy 2008)
"Comprehensive Experimental Analyses of Automotive Attack Surfaces" (Usenix Security 2011)

Optional readings:

"Experimental Security Analyses of a Modern Automobile" (IEEE Security and Privacy 2010)
"A Spotlight on Security and Privacy Risks with Future Household Robots: Attacks and Lessons" (UbiComp 2009)
"Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices" (CHI 2010)

October 18, 2012

Complete the assigned textbook readings from September 27, 2012.

October 25, 2012 and November 1, 2012

NOTE: There may be an additional reading for Nov 1. We will update this note as soon as possible.
UPDATE: No additional reading for Nov 1.

Highly recommended but optional readings:

Chapter 12, "Symmetric Key Cryptography," in Foundations of Security.
Chapter 13, "Asymmetric Key Cryptography," in Foundations of Security.
Chapter 14, "Key Management and Exchange," in Foundations of Security.
Chapter 15, "MACs and Signatures," in Foundations of Security.

For the final, I will draw from the lectures and not the text in the book. However, I do encourage you to familiarize yourself with the text since it will complement the lecture. (As an FYI, there will be a homework assignment related to cryptography; the homework questions will be similar to the exercises in the book Cryptography Engineering, but you do not need to actually read that book.)

Slides for the crypto (10/25 and 11/1 -- we'll use the whiteboard to augment; I'll try to send out photos of the whiteboard after class):

here

November 8, 2012

Topics: Threat Modeling at Microsoft (Mike Grimm guest lecture) and physical security. Slides to be posted soon.

Slides on threat modeling

here

Slides on physical security

here

November 15, 2012

Topics: Web security and classic papers.

Required readings:

"The quest to replace passwords: A framework for comparative evaluation of web authentication schemes" (Oakland 2012)
"On user choice in Graphical Password Schemes" (Usenix Secuity 2004)

Optional readings:

(Most recommended) Chapter 10, "Cross-Domain Security in Web Applications," in Foundations of Security.
Chapter 8, "SQL Injection," in Foundations of Security.
Chapter 9, "Password Security," in Foundations of Security.

Slides on Web security

here

November 29, 2012

Topics: Web tracking, Botnets, HCI+security

Required readings:

Optional readings:

"So You Want to Take Over a Botnet..." (LEET 2012)

Guest lecturers

Franzi Roesner, on web tracking
David Dittrich, on botnet take overs
Tamara Denning, on HCI+security in the context of medical devices

December 6, 2012

Topics: Web and Mobile

Required readings:

"App Isolation: Get the Security of Multiple Browsers with Just One" (CCS 2011)
"Analyzing Inter-Application Communications in Android" (MobiSys 2011)
"Android Permissions Demystified" (CCS 2011)

Optional readings related to web:

Option classic readings (not related to web and mobile):