We will read, evaluate, and discuss background materials, classic papers, and new papers from the computer security literature. The course requirements include reading the assigned materials, writing short evaluations of these materials (unless otherwise noted), and participating in class discussions. There will also be a final project and a few assignments / labs.
The following describes the course requirements in more detail:
The goal of this course is to help you prepare for research in computer security, as well as for research in other domains for which there will be a security component. We will therefore read a number of important and/or representative papers in the field. Reading the papers will help you prepare for the classroom discussions, which in turn will help you contribute to everyone's overall learning experience, including your own. You may skip any appendices.
To complement the academic papers, when appropriate, we will also read relevant background material.
To help motivate the classroom discussions, everyone enrolled in the course must submit a short evaluation of each assigned reading. There will generally be at most two assigned readings per class. Your evaluations should have the following form:
The evaluations must be submitted by 8am on the day of the class. You may submit evaluations as a text or PDF file. You should upload the evaluations to the online Catalyst system (link on the class home page). If you choose to submit a PDF file, then your evaluation for each reading must be less than one page long, be single-spaced, use 12pt font, and have at least 1 inch margins; I expect most paper evaluations to be approximately 1/2 to 3/4 of a page long. If you submit a text file, then please be sure that the length of your evaluation corresponds roughly to the above criteria for PDF submissions.
The written evaluations will be graded on a binary scale. Your primary goal should be to read, understand, and think deeply about the assigned papers. If you do that, it should be trivial to answer the above questions for each paper. Late evaluations will not be accepted.
I realize that some times are busier than others, e.g., right before a conference submission deadline or a midterm in another class. Therefore, you are allowed four free reviews, meaning that you do not have to submit a review for four papers of your choice. However, you are still expected to know the material in these four papers and to be able to discuss them in class.
One of the best ways to deeply understand a topic is to discuss the topic with others. Therefore, everyone is expected to actively participate in the classroom discussions. You may use your paper evaluations as the basis for discussion, but please do not feel a need to limit your comments to what you wrote in your evaluations. I encourage everyone to ask questions about or offer clarifications for confusing parts of the papers, and to think about the limitations of or possible extensions to the works being discussed.
There will be an advocate and a skeptic for each paper, each to speak for 2-3 minutes about the paper. The advocate gives the elevator pitch for the paper: what is the topic of the paper, what are its main results, why the system or idea is an improvement upon the previous works (if any), why does the result matter, and so on. (The answers to these questions may be different from the ones the authors gave in the paper.) The skeptic should discuss why we should be cautious in interpreting the results of the paper. The skeptic should also suggest additional research directions that could build upon, improve, or otherwise augment the paper under discussion.
Each person should sign up to be the advocate on one paper and the skeptic on a different paper. (The sign-up sheet is on my door, and I will also bring the sign-up sheet to class.) When you are not the advocate or skeptic on a paper, I will still expect you to participate actively in the class discussions.
If you expect to be absent from a class, please let me know well in advance. And please remind me again before the class that you will miss. In some cases I may ask you to answer a few additional questions about the papers over email.
There will be a course research project. The goal of the project is to help give you a deeper understanding of how to think about and solve a real problem from a computer security perspective. A related goal is to help you mature as a researcher, independent of what research area you eventually settle in. We'll talk more about these goals in class.
You may choose a research project related to any area of computer security, including areas not directly covered in this course. A conference-style report for your project is due at the beginning of the final exam period. You will also give a short presentation during the course final exam period. We will have several milestones along the way, just to make sure everything is going smoothly. I also encourage you to just stop by my office and talk with me about your project.
You may work in groups of 2--3 people. You may choose your own groups, or I can form groups for you if you haven't already done so by the end of the second week of class. In rare cases it may be possible to work in a group of size 1; please contact me if you wish to explore this option.
I strongly encourage you to be ambitious and have fun with your projects. While certainly not required, I suspect that some of the projects will evolve into conference or workshop publications; if you're interested in exploring such a possibility, please feel free to ask for options and recommendations. Also, if you have a project that might require special resources, please contact me as soon as possible.
The following is a more detailed description of the project timeline and requirements:
In your progress reports, you should reflect on what you have accomplished and draw preliminary conclusions from your results. If appropriate, you should also explicitly state any additional experiments or evaluations you may need to perform in order to strengthen your preliminary conclusions or answer open questions left by your preliminary conclusions.
It's OK if you haven't completed your research by now. See the next bullet for why you're turning in a draft two weeks before the final report is due. Your draft should clearly specify what you plan to do over the next two weeks.
You will be expected to read the draft reports that I give you (at most three) and write detailed reviews of those papers. You are to upload those reviews to the Catalyst system by the above-specified deadline. The reviews you write should be anonymous (i.e., not include your name or other identifying information).
I will then collect those reviews and send them to the authors of the relevant reports. There are several reasons we're doing this, but the main goals are to (1) help you (as reviewers) gain more experience in evaluating in-progress (as opposed to completed) research and (2) help everyone improve the quality of their final written report.
Your report should be structured like a conference paper, meaning that your report should contain an abstract, a well-motivated introduction, a discussion of related work (with citations), a description of your methodology, a discussion of your results, and so on.
Everyone should also submit a short summary of their contributions to the project (not required for groups of size 1). This should be at most a page long, and can reference the final report.
There are numerous resources on the Internet about how to write a good research paper. If you haven't already read them, you might find the following resources helpful:
The peer reviews, final report, and slide deck must be submitted on time in order to be graded; i.e., late peer reviews, final reports, and slide decks will receive a zero grade. If you submit other project materials late (proposal, checkpoint, draft), you will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.
But please be aware of the following: If you do submit your draft written report late, then we will very likely not be able to distribute your draft to peer reviewers and you will not benefit from their reviews when preparing your final written report. (This is in order to be fair to the peer reviewers, who should have as much time as possible to read their assigned papers.) In short, I highly encourage all of you to submit all your materials on time.
There will be a lab for this course. You will have an opportunity to carry out attacks against real code. See the course schedule for the specific timeline for this lab.
As with parts of your course project, you may submit your attack lab late. However, you will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.
A key goal of this course is to get you to start thinking about the world in a different way -- to develop what we call the "security mindset." Toward this goal, we will have several small assignments (called "security reviews") targeted at getting you to think about security on a regular basis, and in contexts where you might not normally think about security. For more background, we've written a little about the security mindset here: http://cubist.cs.washington.edu/Security/2007/11/22/why-a-computer-security-course-blog/.
Your goal with the security reviews is to evaluate the potential security and privacy issues with new technologies, evaluate the severity of those issues, and discuss how those technologies could potentially address those security and privacy issues.
You are required to submit three security reviews over the course of the quarter. The course schedule has specific due dates, but you are encouraged to submit your security reviews early. The ideal mode of operation is as follows: You might be reading Slashdot or some other news source and see the announcement for a new product or service. You immediately start thinking about the security implications and issues associated with the new technology. You then formalize your thoughts (in the framework described below) and submit your writeup to the Catalyst system.
Each security review should contain:
These security reviews should be short (2--3 pages). They should be submitted as PDF files, with 12pt fonts, in single-column format with 1-inch margins.
As with parts of your course project and the attack lab, you may submit your security reviews late. However, you will be marked down 25% for each day that the material is late. When computing the number of days late, we will round up; so material turned in 1.25 days late will be downgraded 50%.
To check your grades on your MyUW page: