CSE P 564:  Computer Security (Winter 2015)

Time and Location

• Time:  6:30-9:20pm, Tuesdays
• Location:  MGH 231

Staff

• Instructor:  Tadayoshi Kohno (Goes by Yoshi) (Office Hours:  Directly after class)
• TA:  Adrian Sham (Office Hours:  5:30-6:20pm, CSE 218)
• Email address for staff:  cse-pmp-564-staff@cs.washington.edu

Catalyst Resources

• Forum, for discussions:  here
• Dropbox, for assignment submissions:  here
• Gradebook:  here

Course Mailing List

• URL for course mailing list:  https://mailman1.u.washington.edu/mailman/listinfo/multi_csep564a_wi15 .  If you are enrolled in this course, then your email address should have automatically been added to this list.  We plan to use this mailing list for course announcements.  Please use the forum for discussion.

Assignments:

• Reading reviews, due 6pm on the day of each class (except the first and last class)
• Assignment 1, due Jan 20 (6pm)
• Assignment 2, due Feb 9 (9pm)
• Assignment 3, due March 9 (9pm)

Given the nature of the assignments and the plans for the class sessions, all the assignments must be submitted on time.

Grading

• Assignments:  56%

• Assignment 1 (Security Review):  16%
• Assignment 2 (How To for outside of industry):  20%
• Assignment 3 (How To for within industry):  20%

• Readings + Discussions: 44%

• Pre-class written reviews:  30%        // # of papers
• Group discussions:  14%                // # of sessions * 2, except last session, and allowing 2 missed classes

Course Schedule

The following is the course schedule.  Details for dates two weeks in the future are subject to change.  If you have travel or other obligations and need to review papers more than two weeks in advance, please let the course staff know.

Jan 6:  Course overview, including threat modeling

• (Optional) Denning et al, Computer Security and the Modern Home, CACM 2013.
• (Optional) Roesner et al, Security and Privacy for Augmented Reality Systems, CACM 2014.
• (Optional) Checkoway et al, Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security 2011.  
• Slides:  Lecture slides

Jan 13: Authentication (updated)

• Silver et al, Password Managers:  Attacks and Defenses, USENIX Security 2014.
• Bonneau et al, The Quest to Replace Passwords:  A Framework for Comparative Evaluation of Web Authentication Schemes, Oakland 2012.
• Not required:  Li et al, The Emperor’s New Password Manager:  Security Analysis of Web-based Password Managers, USENIX Security 2014.
• Not required:  Zhou and Evans, SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities, USENIX Security 2014.

Jan 20:  Users and Security Reviews (updated)

• Akhawe and Felt, Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness, USENIX Security 2013.
• Egelman et al, Are you Ready to Lock?  Understanding User Motivations for Smartphone Locking Behaviors, CCS 2014.
• Not required:  Egelman and Peer.  Scaling the Security Wall, CHI 2015.  (This is a pre-print and not the author’s final copy. You will need your UWNetID to access the paper.  Please do not redistribute.)
• Not required:  Hoyle et al, Privacy Behaviors of Lifeloggers using Wearable Cameras, Ubicomp 2014.
• We will also discuss Assignment 1.

Jan 27:  Criminal Ecosystems (updated)

• Durumeric et al, The Matter of Heartbleed, IMC 2014.
• Motoyama et al, Re: CAPTCHAs – Understanding CAPTCHA-Solving Services in an Economic Context, USENIX Security 2010
• Not required:  Grier et al, Manufacturing Compromise:  The Emergence of Exploit-as-a-Service, CCS 2012.
• Not required:  Thomas et al, Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse, USENIX Security 2013

Feb 3:  Targeted Attacks (updated)

• Gaw et al, Secrecy, Flagging, and Paranoia:  Adoption Criteria in Encrypted Email, CHI 2006.
• Marczak et al, When Governments Hack Opponents:  A Look at Actors and Technology, USENIX Security 2014.
• Not required:  Hardy et al, Targeted Threat Index:  Characterizing and Quantifying Politically-Motivated Targeted Malware, USENIX Security 2014.
• Not required:  Le Blond et al, A Look at Targeted Attacks Through the Lense of an NGO, USENIX Security 2014.

Feb 10:  Crypto (updated)

• Heninger et al, Mining your Ps and Qs:  Detection of Widespread Weak Keys in Network Devices, USENIX Security 2012.
• Egele et al, An Emperical Study of Cryptographic Misuse in Android Applications, CCS 2013.
• We will also discuss Assignment 2.
• Not required:  Brubaker et al, Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations, Oakland 2014.

Feb 17:  Phones and Systems (updated)

• Felt et al, Android Permissions Demystified, CCS 2011.
• Parno et al, Bootstrapping Trust in Commodity Computers, Oakland 2010.
• Not required:  Brumley et al, Automatic Patch-Based Exploit Generation is Possible:  Techniques and Implications, Oakland 2008.

• Not required:  Enck et al, TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, OSDI 2010.
• Slides: Assignment 3

Feb 24: Privacy Attacks and Privacy-Enhancing Technologies (updated)

• Dingledine et al, Tor: The Second-Generation Onion Router, USENIX Security 2004.
• Narayanan et al, Robust De-anonymization of Large Sparse Datasets (How To Break Anonymity of the Netflix Prize Dataset), Oakland 2008.
• Not required: Lee et al, PiBox:  A Platform for Privacy-Preserving Apps, NSDI 2013.
• Not required: He et al, ShadowCrypt: Encrypted Web Applications for Everyone, CCS 2014.

March 3:  Web Tracking and Emerging Technologies (updated)

• Guha et al, Privad: Practical Privacy in Online Advertising, NSDI 2011.
• Lecuyer et al, XRay: Enhancing the Web’s Transparency with Differential Correlation, USENIX Security 2014.

• Not required:  Roesner et al, World-Driven Access Control for Continuous Sensing, CCS 2014.
• Not required:  Martinovic et al, On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces, USENIX Security 2012.

March 10:  Topic TBD, but no papers