The lectures and readings listed here are subject to change, including in response to current events (i.e., major new security holes).
- Tania Lombrozo. Is it time to ban computers from classrooms? NPR, July 11, 2016. [ http ]
- Smith and Marchesini, Chapter 1
- Thinking Security, Chapters 1-3
- Smith and Marchesini, Chapter 2
- The man page for Linux access control lists
- M. D. McIlroy and J. A. Reeds. Multilevel security in the Unix tradition. Software---Practice and Experience, 22(8):673--694, 1992. [ http ]
- Smith and Marchesini, Chapter 3
- Marking Classified National Security Information (optional)
- Report on the U.S. Intelligence Community's Prewar Intelligence Assessments on Iraq (the document from which the sample marked page was taken; very optional)
- C.A.R. Hoare. The emperor's old clothes. Communications of the ACM, 24(2):75--83, February 1981. [ http ]
- Aleph One. Smashing the stack for fun and profit. Phrack magazine, 7(49):14--16, 1996. [ .pdf ]
- Brian Chess and Gary McGraw. Static analysis for security. IEEE Security & Privacy, 2(6):76--79, 2004. [ http ]
- Ms. Smith. Report: Over 80% mobile apps have crypto flaws, 4 of 5 web apps fail OWASP security. NetworkWorld, December 6, 2015. [ .html ]
- Smith and Marchesini, Chapter 6
- Return-oriented Programming: Exploitation without Code Injection, Black Hat 2008, Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham
- Matt Bishop and Michael Dilger. Checking for race conditions in file accesses. Computing Systems, 9(2), Spring 1996. [ .pdf ]
- P. Hoffman and M. Blanchet. Preparation of Internationalized Strings (“stringprep”). RFC 3454, December 2002. [ .txt ]
- Peter Bright. Windows DLL-loading security flaw puts Microsoft in a bind. Ars Technica, August 24, 2010. [ http ]
- Larry Seltzer. The Windows DLL loading security hole. Dr. Dobb's, September 9, 2010. [ http ]
- Duncan Geere. Hacking Sweden's election with pen and paper. Wired UK, September 24 2010. [ http ]
- Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman. Hacking the D.C. Internet voting system. In Proc. 16th Conference on Financial Cryptography & Data Security, 2012. [ .pdf ]
- Peter Bright. How security flaws work: SQL injection. Ars Technica, October 28, 2016. [ http ] Creative usernames and Spotify account hijacking, Mikael Goldman, 18 June 2013.
- setuid - checklist for security of setuid programs
- Writing Safe SetUID Programs, Matt Bishop
- Using Attack Surface Area And Relative Attack Surface Quotient To Identify Attackability, Ernst & Young LLP.
- James Ellis. The possibility of secure non-secret encryption. CESG research report, GCHQ, December 16, 1969. [ http ]
- Clifford Cocks. A note on `non-secret' encryption', November 20, 1973. [ .pdf ]
- Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644--654, November 1976.
- Ronald L. Rivest, Adi Shamir, and Leonard Adleman. A method of obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120--126, February 1978. [ http ]
- Nick Sullivan. A (relatively easy to understand) primer on elliptic curve cryptography. Ars Technica, October 24, 2013. [ http ]
- Natalie Wolchover. A trick path to quantum-safe encryption. Quanta Magazine, September 8, 2015. [ http ]
- Smith and Marchesini, Chapter 7
- The Story of Alice and Bob
- XKCD on cracking RSA (recommended)
- XKCD threat models (recommended)
- B. Kaliski. PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898, September 2000. [ .txt ]
- D. Eastlake, 3rd, Jeffrey I. Schiller, and S. Crocker. Randomness Requirements for Security. RFC 4086, June 2005. [ .txt ]
- Ross Anderson, Mike Bond, Jolyon Clulow, and Sergei Skorobogatov. Cryptographic processors -- a survey. Technical Report UCAM-CL-TR-641, University of Cambridge, Computer Laboratory, August 2005. [ .pdf ]
- Bruce Schneier. The strange story of Dual_EC_DRBG. Schneier on Security (blog), Nov. 15, 2007. [ .html ]
- Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J Alex Halderman. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium, 2012. [ .pdf ]
- Kim Zetter. How a crypto `backdoor' pitted the tech world against the NSA. Wired: Threat Level, September 24, 2013. [ http ]
- Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, and Hovav Shacham. On the practical exploitability of dual ec in tls implementations. In Usenix Security, 2014. [ http ]
- Dan Simmons. Us lottery security boss charged with fixing draw. BBC News, April 14, 2015. [ http ]
- Thinking Security, Chapter 6
- Real HSM Breaches
- Robert H. Morris and Ken Thompson. Unix password security. Communications of the ACM, 22(11):594, November 1979. [ http ]
- Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 176--186, New York, NY, USA, 2010. ACM. [ DOI | .pdf ]
- Daniel Terdiman. Google security exec: 'passwords are dead'. CNET, September 10, 2013. [ http ]
- Lorrie Cranor. Time to rethink mandatory password changes. Tech@FTC blog, March 2, 2016. [ http ]
- Andy Greenberg. So hey you should stop using texts for two-factor authentication. Wired, June 26, 2016. [ http ]
- Brian Krebs. The limits of SMS for 2-factor authentication. Krebs on Security, September 16, 2016. [ http ]
- Smith and Marchesini, Chapter 9
- Dr. Fun
- Dilbert
- Dilbert
- Dilbert
- Dilbert
- User Friendly
- Thinking Security, Chapter 7.6, 8
- Chapter 5 of Who Goes There? Authentication Through the Lens of Privacy.
- CS Department certificate
- CUIT mail server certificate
- Why the iPhone's fingerprint sensor is better than the ones on older laptops, Y. Narasimhulu (blog).
- German Hackers Say They Cracked iPhone’s New Fingerprint Scanner, Wired Threat Level
- NIST: Performance of Facial Recognition Software Continues to Improve, June 2014.
- Performance of Face Identification Algorithms, Patrick J. Grother and Mei L. Ngan, NIST, May 2014 (optional)
- Security risk: Automated voice imitation can fool humans and machines, Science Daily, September 26, 2015.
- S. Govindavajhala and A. W. Appel. Using memory errors to attack a virtual machine. In Security and Privacy, 2003. Proceedings. 2003 Symposium on, pages 154--165, May 2003. [ DOI ]
- Smith and Marchesini, Chapter 13
- Fare Collection Vulnerability Assessment Report, Zack Anderson, Russell Ryan, Alessandro Chiesa, August 8, 2008.
- Anatomy of a Subway Hack, Zack Anderson, Russell Ryan, Alessandro Chiesa, (censored) DEFCON presentation, August 2008.
- Dutch Public Transit Card Broken, Andy Tanenbaum.
- Microsoft Updating Without Permission: When No Doesn't Mean No!, Lauren Weinstein's Blog, September 13, 2007.
- Reading Between the Lines: Lessons from the SDMI Challenge, Scott A. Craver, Min Wu, Bede Liu, Adam Stubblefield, Ben Swartzlander, Dan W. Wallach, Drew Dean, and Edward W. Felten. Proc. of 10th USENIX Security Symposium, August 2001.
- Viewpoint: the ACM declaration in Felten v. RIAA, Simons, B. 2001. Commun. ACM 44, 10 (Oct. 2001), 23-26.
- Java Card Security: How Smart Cards and Java Mix, From Securing Java: Getting Down to Business with Mobile Code, Gary McGraw and Ed Felten, John Wiley & Sons, 1999.
- MYK-78 CLIPPER CHIP: ENCRYPTION/DECRYPTION ON A CHIP (recommended)
- Overview of Differential Power Analysis, An engineering overview of Differential Power Analysis by Paul Kocher, Joshua Jaffe, and Benjamin Jun. (recommended)
- Information Hiding: A Survey, Fabien A. P. Petitcolas, Ross J. Anderson and Markus G. Kuhn, Proceedings of the IEEE, special issue on protection of multimedia content, 87(7):1062-1078, July 1999. (recommended)
- A (not so) quick primer on iOS encryption, David Scheutz, October 6, 2014. (recommended)
- AES-256 Is Not Enough: Breaking a Bootloader, ChipWhisperer. (recommended)
- Why can't Apple decrypt your iPhone?, Matthew Green, October 4, 2014.
- Thinking Security, Chapter 4
- Recreating the Trojan Horse?
- PandaLabs detected more than 21 million new threats, Panda Security, September 15, 2015.
- Computer Viruses - Theory and Experiments, F. Cohen. DOD/NBS 7th Conference on Computer Security, originally appearing in IFIP-sec 84, also appearing as invited paper in IFIP-TC11, ``Computers and Security'', V6#1 (Jan. 1987), pp 22-35
- Reflections on trusting trust, Ken Thompson, CACM 27:8, August 1984.
- Experience with Viruses on UNIX Systems, Tom Duff, Spring, 1989.
- The worm programs -- early experience with a distributed computation, John Shoch and Jon Hupp, Communications of the ACM 25:3 (March 1982).
- With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
- How a grad student trying to build the first botnet brought the Internet to its knees
- Tool turns unsuspecting surfers into hacking help, CNET, March 20, 2007.
- JavaScript opens doors to browser-based attacks, CNET, July 28, 2006.
- Oldest known depiction of the Trojan Horse, from the "Vase of Mykonos", almost 2700 years old
- W32.Stuxnet.Dossier
- Alma Whitten and J.D. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of Usenix Security Symposium, 1999. [ .html ]
- Anne Adams and Martina Angela Sasse. Users are not the enemy. Commun. ACM, 42(12):40--46, December 1999. [ DOI | http ]
- Lorrie Faith Cranor. A framework for reasoning about the human in the loop. In Usability Psychology and Security Workshop, 2008. [ .pdf ]
- Ian Barker. American Express customers phished using phishing prevention scam. Betanews, September 14, 2016. [ http ]
- Lorenzo Franceschi-Bicchierai. How hackers broke into John Podesta and Colin Powell's Gmail accounts. Motherboard, October 20, 2016. [ http ]
- Paul Stepahin. We got phished. Exploratorium Tangents (blog), October 20, 2016. [ http ]
- Thinking Security, Chapter 14
- Jon Oberheide and Farnam Jahanian. When mobile is harder than fixed (and vice versa): Demystifying security challenges in mobile environments. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications, HotMobile '10, pages 43--48, New York, NY, USA, 2010. ACM. [ DOI | http ]
- M. Becher, F. C. Freiling, J. Hoffmann, T. Holz, S. Uellenbeck, and C. Wolf. Mobile security catching up? revealing the nuts and bolts of the security of mobile devices. In 2011 IEEE Symposium on Security and Privacy, pages 96--111, May 2011. [ DOI ]
- Matthew Green. Why can't Apple decrypt your iPhone? A Few Thoughts on Cryptographic Engineering, October 4, 2014. [ http ]
- Behind the Scenes with iOS Security, Ivan Krstić, Blackhat, August 2016
- Security Tips, Apache 2.4 (recommended)
- suEXEC Support, Apache 2.4 (recommended)
- Ian Goldberg, David A. Wagner, Randi Thomas, and Eric A. Brewer. A secure environment for untrusted helper applications. In Proceedings of the Sixth USENIX Security Symposium, San Jose, CA, USA, 1996. [ http ]
- Lee Badger, Daniel F Sterne, David L Sherman, Kenneth M Walker, and Sheila A Haghighat. A domain and type enforcement unix prototype. Computing Systems, 9(1):47--83, 1996. [ .pdf ]
- Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. Capsicum: Practical capabilities for unix. In USENIX Security Symposium, volume 46, page 2, 2010. [ .pdf ]
- Chenxi Wang. Containers 101: Linux containers and Docker explained. InfoWorld, May 26, 2016. [ .html ]
- The somewhat surprising history of chroot()
- Docker Security
- Steven M. Bellovin, "Virtual Machines, Virtual Security", Communications of the ACM, Vol. 49, No. 10, October 2006, Inside Risks.
- Wang, Helen J., et al. "The Multi-Principal OS Construction of the Gazelle Web Browser." USENIX Security Symposium. 2009.
- Stalking the wily hacker, Communications of the ACM 31:5, May 1988.
- Shadow Hawk Busted Again, Phrack 16, File 11 (Nov 1987) (recommended)
- Chicago Phone Freak Gets Prison Term, Risks Digest 8:29, 22 February 1989 (recommended)
- An Evening with Berferd, Firewalls and Internet Security, first edition, Cheswick and Bellovin, 1994.
- Thinking Security, Section 16.3
- Yossef Oren and Angelos D. Keromytis. From the aether to the Ethernet---attacking the Internet using broadcast digital television. In 23rd USENIX Security Symposium (USENIX Security 14), pages 353--368, San Diego, CA, August 2014. USENIX Association. [ http ]
- Adi Shamir Eyal Ronen, Colin O'Flynn and Achi-Or Weingarten. Iot goes nuclear: Creating a ZigBee chain reaction, 2016. [ http ]
- Brian Krebs. Oct 16 hacked cameras, DVRs powered today's massive internet outage. Krebs on Security, October 16, 2016. [ http ]
- Brian Krebs. IoT device maker vows product recall, legal action against western accusers. Krebs on Security, October 16, 2016. [ http ]
- Thinking Security, Section 17.4
- John Neystadt. Automated penetration testing with white-box fuzzing. MSDN, February 2008. [ http ]
- Andy Greenberg. Hacker lexicon: What is fuzzing? Wired, June 2, 2016. [ http ]
- Cade Metz. Google's training its AI to be Android's security guard. Wired, June 2, 2016. [ http ]
- Thinking Security, Chapter 11, 17
- Silver Needle in the Skype, P. Biondi and F. Desclaux, BlackHat Europe, 2-3 March 2006.
- ITS4: A Static Vulnerability Scanner for C and C++ Code, John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw, Annual Computer Security Applications Conference, 2000.
- Checking for Race Conditions in File Accesses, M. Bishop and M. Dilger, Computing Systems 9:2, pp. 131-152 (Spring 1996)
- CGI/Perl Taint Mode FAQ
- Perl Advisor: Taint so Easy, Is It?, Randal L. Schwartz, Unix Review, August 2000.
- Static analysis and computer security: New techniques for software assurance. David Wagner. Ph.D. dissertation, Dec. 2000, University of California at Berkeley. (recommended)
- Using CQUAL for Static Analysis of Authorization Hook Placement, Xiaolan Zhang & Antony Edwards & Trent Jaeger, Proc. Usenix Security, 2002. (recommended)
- Bug 255161: I am Unable to Print from Open Office
- Kevin Mitnick and William Simon. The Art of Deception. Wiley, 2002. (Recommended).
- Director of Central Intelligence. Physical security standards for sensitive compartemented information facilities. Directive 6/9, CIA, November 18, 2002. [ .pdf ]
- Matt Blaze. Cryptology and physical security: Rights amplification in master-keyed mechanical locks. IEEE Security and Privacy, 1(2):24--32, March/April 2003. [ .pdf ]
- Matt Blaze. Safecracking for the computer scientist. Technical report, U. Penn CIS Department, December 2004. [ .pdf ]
- Maxim Kelly. Chocolate the key to uncovering PC passwords. The Register, April 17, 2007. [ http ]
- Lewis Page. US Navy malware infection risked submarine prang. The Register, April 18, 2007. [ http ]
- Lewis Page. Disgruntled techie attempts Californian power blackout. The Register, April 20, 2007. [ http ]
- Claudia Himmelreich. Piecing together germany's shredded Stasi files. Time, April 21, 2010. [ .html ]
- Sean Gallagher. Power strip or network hacking tool? it's both, actually. Ars Technica, July 23, 2012. [ http ]
- NSA. Media destruction guidance, 2015. [ http ]
- Andy Greenberg. Flaws in Samsung's `smart' home let hackers unlock doors and set off fire alarms. Wired, May 2, 2016. [ http ]
- Aaron Tilley. How a few words to Apple's Siri unlocked a man's front door. Forbes, September 21, 2016. [ http ]
- BBC. Service station thieves 'using car key jammers'. BBC News, December 3, 2016. [ http ]
- Thinking Security, Chapter 16
- The Graphing Calculator Story, Ron Avitzur, 2004.
- Adi Shamir and Nicko van Someren. Playing “hide and seek” with stored keys. In Proceedings of the Third International Conference on Financial Cryptography, 1999. [ http ]
- William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. The taking of Clark. In Firewalls and Internet Security; Repelling the Wily Hacker, chapter 17. Addison-Wesley, Reading, MA, 2 edition, 2003. [ .pdf ]
- Dan Farmer and Wietse Venema. File system analysis. In Forensic Discovery, chapter 4. Addison-Wesley, 2004. [ http ]
- Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Matthew Smith, Greg Witte, and Karen Scarfone. Guide for cybersecurity event recovery. Special Publication 800-184, NIST, December 2016. [ http ]
- Lawrence Abrams. New scheme: Spread Popcorn Time ransomware, get chance of free decryption key. December 8, 2016. [ http ]
- Eric Lipton, David E. Sanger, and Scott Shane. The perfect weapon: How Russian cyberpower invaded the U.S. New York Times, December 13, 2016. [ .html ]
Wednesday, September 07:
Introduction
Monday, September 12:
Access Control
Wednesday, September 14:
Complex Access Control
Wednesday, September 21:
Secure Programming I
Monday, September 26:
Secure Programming II
Wednesday, September 28:
Introduction to Cryptography
Monday, October 03:
Cryptographic Engineering
Wednesday, October 05:
Authentication
Monday, October 10:
Biometrics; Authentication as a Systems Problem
Wednesday, October 12:
Protecting the Client
Monday, October 17:
Viruses and Trojan Horses
Readings mentioned in class:
Readings mentioned in class:
Wednesday, October 19:
Midterm
Monday, October 24:
Security and Usability
Wednesday, October 26:
Mobile Applications
Smartphone Security: A Study (Bill Cheswick)
Security Issues for Mobile Devices
Smartphone Security: A Study (Bill Cheswick)
Security Issues for Mobile Devices
Monday, October 31:
Architecture
Wednesday, November 02:
Confinement
Monday, November 14:
Program Structure II
Wednesday, November 16:
Logging
Monday, November 21:
The Internet of Things
Wednesday, November 23:
To be determined
Monday, November 28:
Security Analysis I
Wednesday, November 30:
Security Analysis II
Monday, December 05:
Physical and Procedural Security
Wednesday, December 07:
After an Attack
Wednesday, December 21:
Final Exam
This date and time (1:10-4:00) are final. registrar.
This date and time (1:10-4:00) are final. registrar.
