LEC # | READINGS | READING QUESTION |
---|---|---|
1 | No readings | No question |
2 | Akritidis, Periklis, Manuel Costa, et al. "Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors." USENIX Security Symposium (2009): pp. 51–66. | Lecture 2 Question (PDF) |
3 | Bittau, Andrea, Adam Belay, et al. "Hacking Blind." Proceedings of the IEEE Symposium on Security & Privacy (2014). | Lecture 3 Question (PDF) |
4 | Krohn, Maxwell. "Building Secure High-Performance Web Services with OKWS (PDF)." USENIX Technical Conference (2004): pp. 185–198. | Lecture 4 Question (PDF) |
5 | No readings | No question |
6 |
Hardy, Norm. "The Confused Deputy." ACM SIGOPS Operating Systems Review 22, no. 4 (1988): pp. 36–38. Watson, Robert N. M., Jonathan Anderson, et al. "Capsicum: practical capabilities for UNIX." (PDF) Proceedings of the 19th USENIX Security Symposium (2010). | Lecture 6 Question (PDF) |
7 | Yee, Bennett, David Sehr, et al. "Native Client: A Sandbox for Portable, Untrusted x86 Native Code." IEEE Symposium on Security and Privacy (2009): pp. 79–93. | Lecture 7 Question (PDF) |
8 |
"OWASP Top 10 - 2013: The Ten Most Critical Web Application Security Risks." Zalewski, Michal. Chapters 9–13 in The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, 2011. ISBN: 9781593273880. | Lecture 8 Question (PDF) |
9 | Lecture 9 Question (PDF) | |
10 | Cadar, Cristian, Daniel Dunbar, et al. "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs." Operating Systems Design and Implementation (2008): pp. 209–224. | Lecture 10 Question (PDF) |
11 | Chlipala, Adam. "Ur / Web: A Simple Model for Programming the Web." ACM SIGPLAN-SIGACT Symposium (2015): pp. 153–165. | Lecture 11 Question (PDF) |
12 | Bellovin, Steven M. "A Look Back at 'Security Problems in the TCP/IP Protocol Suite'." Computer Security Applications Conference (2004): pp. 229–249. | Lecture 12 Question (PDF) |
13 | Steiner, Jennifer G., Clifford Neuman, et al. "Kerberos: An Authentication Service for Open Network Systems." USENIX Conference (1988). | Lecture 13 Question (PDF) |
14 | Jackson, Collin, and Adam Barth. "ForceHTTPS: Protecting High-Security Web Sites from Network Attacks." Proceedings of the 17th international conference on World Wide Web (2008): pp. 525–534. | Lecture 14 Question (PDF) |
15 | Fu, Kevin. "Trustworthy Medical Device Software." (PDF), 2011. | Lecture 15 Question (PDF) |
16 | Brumley, David, and Dan Boneh. "Remote Timing Attacks are Practical." Proceedings of the 12th USENIX Security Symposium 12, (2003): pp. 1. | Lecture 16 Question (PDF) |
17 |
Bonneau, Joseph, Cormac Herley, et al. "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes." IEEE Symposium on Security and Privacy (2012): pp. 553–567. There is an optional extended version published by the University of Cambridge: Computer Laboratory. | Lecture 17 Question (PDF) |
18 | Aggarwal, Gaurav, Elie Burzstein, et al. "An Analysis of Private Browsing Modes in Modern Browsers." USENIX Conference on Security (2010). | Lecture 18 Question (PDF) |
19 |
Dingledine, Roger, Nick Mathewson, et al. "Tor: The Second-Generation Onion Router." Proceedings of the 13th USENIX Security Symposium 13 (2004): pp. 21. Blog posts: | Lecture 19 Question (PDF) |
20 |
"Enck, William, Machigar Ongtang, et al. "Understanding Android Security." IEEE Security and Privacy 7, no. 1 (2009): pp. 50–57. Errata: Bug in the paper: In Figure 1, in the FriendViewer application, the top right blue oval (shown as Activity "FriendTracker") should actually be a rounded-rectangle Activity "FriendMap" (see Figure 2). | Lecture 20 Question (PDF) |
21 | Enck, William, Peter Gilbert, et al. "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones." Communications of the ACM 57, no. 3 (2010): pp. 99–106. | Lecture 21 Questions (PDF) |
22 | No readings | No question |
23 | Levchenko, Kirill, Andreas Pitsillidis, et al. "Click Trajectories: End-to-End Analysis of the Spam Value Chain." IEEE Symposium on Security and Privacy (2011): pp. 431–446. | Lecture 23 Question (PDF) |
24 | No readings | No question |