Computer & Network Security

Tuesday, January 15 No written response required for today.

• A Brief Introduction to Practical Cryptography

Thursday, January 17 No written response required for today.

Tuesday, January 22

• MD5 To Be Considered Harmful Someday. Dan Kaminsky. 2004.
• MD5 Considered Harmful Today. Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, and Weger. CCC 2008.

• Public Key Distribution and Certificates and TLS and SSL. D. Koren, et al. Secure Networking Protocols Portal, 2009.
• RFC 2246: TLS Protocol v1.0, 1999 and RFC 5246: TLS Protocol v1.2, 2008.

Thursday, January 24

• Lessons Learned in Implementing and Deploying Crypto Software. Peter Gutmann. USENIX Security 2002.
• Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. Heninger, Durumeric, Wustrow, and Halderman. USENIX Security 2012.

• Why Cryptosystems Fail. Ross Anderson. Commun. ACM, 37(11), Nov. 1994.
• Cryptanalytic Attacks on Pseudorandom Number Generators. Kelsey, Schneier, Wagner, and Hall. FSE 1998.
• Cryptanalysis of the Windows Random Number Generator. Dorrendorf, Gutterman, and Pinkas. CCS 2007.

Tuesday, January 29

• Smashing the Stack for Fun and Profit. Aleph One. Phrack 49(14), Nov. 1996.
• Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns. Pincus and Baker. IEEE Security and Privacy, July–Aug. 2004.

• English Shellcode. Mason, Small, Monrose, and MacManus. CCS 2009.
• Nozzle: A Defense Against Heap-spraying Code Injection Attacks. Ratanaworabhan, Livshits, and Zorn. 2008.

Thursday, January 31

• On the Effectiveness of Address-Space Randomization. Shacham, Page, Pfaff, Goh, Modadugu, and Boneh. CCS 2004.
• The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). Hovav Shacham. CCS 2007.

• VUPEN Vulnerability Research Blog. (Details of advanced modern exploitation.)
• When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC. Buchanan, Roemer, Shacham, and Savage. CCS 2008.

Tuesday, February 5

• Reflections on Trusting Trust. Ken Thompson. Communications of the ACM, 27(8), Aug. 1984.
• Towards Automatic Generation of Vulnerability-Based Signatures. Brumley, Newsome, Song, Wang, and Jha. IEEE Symposium on Security and Privacy, 2006.

Thursday, February 7

• Native Client: A Sandbox for Portable, Untrusted x86 Native Code. Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, and Fullagar. IEEE Symposium on Security and Privacy, 2009.
• CloudAV: N-Version Antivirus in the Network Cloud. Oberheide, Cooke, and Jahanian. USENIX Security 2008.

• Leveraging Legacy Code to Deploy Desktop Applications on the Web. Douceur, Elson, Howell, and Lorch. OSDI 2008.
• Safe Kernel Extensions Without Run-Time Checking. Necula and Lee. OSDI 1996.

Tuesday, February 12

• Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. Louw and Venkatakrishnan. IEEE Symposium on Security and Privacy, 2009.
• Robust Defenses for Cross-Site Request Forgery. Barth, Jackson, and Mitchell. CSS 2008.

• Protection and Communication Abstractions for Web Browsers in MashupOS. Wang, Fan, Howell, and Jackson. SOSP 2007.
• Securing Browser Frame Communication. Barth, Jackson, and Mitchell. USENIX Security 2008.
• Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner. Doupe, Cavedon, Kruegel, and Vigna. USENIX Security 2012.

Thursday, February 14

• Clickjacking: Attacks and Defenses. Huang, Moshchuk, Wang, Schechter, and Jackson. USENIX Security 2012.
• Beware of Finer-Grained Origins. Jackson and Barth. Web 2.0 Security and Privacy 2008.

• Protecting Browsers from DNS Rebinding Attacks. Jackson, Barth, Bortz, Shao, And Boneh. CCS 2007.
• Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense. Barth, Weinberger, and Song. USENIX Security 2009.

Tuesday, February 19

• reCAPTCHA: Human-Based Character Recognition via Web Security Measures. von Ahn, Maurer, McMillen, Abraham, and Blum. Science, September 2008.
• An Analysis of Private Browsing Modes in Modern Browsers. Aggarwal, Bursztein, Jackson, and Boneh. USENIX Security 2010.

• Games with a Purpose. Luis von Ahn. CACM, August 2008.
• Sketcha: A Captcha Based on Line Drawings of 3D Models. S. Ross, J. A. Halderman, and A. Finkelstein. WWW 2010.
• Adnostic: Privacy Preserving Targeted Advertising. Toubiana, Narayanan, Boneh, Nissenbaum, and Barocas. NDSS 2010.

Thursday, February 21

• The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. Joseph Bonneau. IEEE Symposium on Security and Privacy, 2012.
• So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. Cormac Herley. NSPW 2009.

• Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. Whitten and Tygar. USENIX Security 1999.
• The Security Architecture of the Chromium Browser. Barth, Jackson, Reis, and The Google Chrome Team. 2008.
• Why Information Security is Hard – An Economic Perspective. Ross Anderson. ACSAC 2001.

Tuesday, February 26

• Android Permissions Demystified. Felt, Chin, Hanna, Song, and Wagner. CCS 2011.
• You Can Run, but You Can’t Hide: Exposing Network Location for Targeted DoS Attacks in Cellular Networks. Z. Qian, Z. Wang, Q. Xu, Z. Mao, M. Zhang, and Y.-M. Wang. NDSS 2012.

• How to Ask for Permission. Felt, Egelman, Finifter, Akhawe, and Wagner. HotSec 2012.
• Android Permissions: User Attention, Comprehension, and Behavior. Felt, Ha, Egelman, Haney, Chin, and Wagner. SOUPS 2012.
• Smart-Phone Attacks and Defenses. Guo, Wang, and Zhu. HotNets 2004.

Thursday, February 28

• The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. Georgiev, Iyengar, Jana, Anubhai, Boneh, and Shamatikov. CCS 2012.
• Crying Wolf: An Empirical Study of SSL Warning Effectiveness. Sunshine, Egelman, Almuhimedi, Atri, and Cranor. USENIX Security 2009.

• ForceHTTPS Cookies: A Defense Against Eavesdropping and Pharming. Jackson and Barth. WWW 2008.
• RFID Security and Privacy: A Research Survey. Juels. Journal of Selected Areas in Communication 2006.

Tuesday, March 12

• A Look Back at “Security Problems in the TCP/IP Protocol Suite.” Steve Bellovin. ACSAC 2004.

• Blind TCP/IP Hijacking is Still Alive. lkm. Phrack 64, 2007.
• A Survey of BGP Security Issues and Solutions. Butler, Farley, McDaniel, and Rexford. 2008.
• Black Ops 2008: It's the End of the Cache as We Know It. Kaminsky. Toorcon 2008 (slides).
• Increased DNS Forgery Resistance Through 0x20-Bit Encoding. Dagon, Antonakakis, Vixie, Jinmei, and Lee. CCS 2008.

Thursday, March 14

• Inside the Slammer Worm. Moore, Paxson, Savage, Shannon, Staniford, and Weaver. IEEE Security and Privacy, July/August 2003.
• Remote Physical Device Fingerprinting. Kohno, Broido, and Claffy. Oakland 2005.

• Bro: A System for Detecting Network Intruders in Real-Time. Paxson. Computer Networks 31(23-24), 1999.
• Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems. Zhang and Wang. Usenix Security 2009.

Tuesday, March 19

• APT1 Report. Mandiant tech report. 2013.

• W32.Stuxnet Dossier. Falliere, Murchu, and Chien. Symantec Tech Report, 2011.

Thursday, March 21

• Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Kanich, Kreibich, Levchenko, Enright, Voelker, Paxson, and Savage. CCS 2008.
• Your Botnet is My Botnet: Analysis of a Botnet Takeover. Stone-Gross, Cova, Cavallaro, Gilbert, Szydlowski, Kemmerer, Kruegel, and Vigna. CCS 2009.

• A Multifaceted Approach to Understanding the Botnet Phenomenon. Rajab, Zarfoss, Monrose, and Terzis. ISC 2006.
• What’s Clicking What? Techniques and Innovations of Today’s Clickbots. Miller, Pearce, Grier, Kreibich, and Paxson. DIMVA 2011.

Tuesday, March 26 — Information Leakage

• Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation. Chow, Pfaff, Garfinkel, and Rosenblum. USENIX Security 2005.
• Lest We Remember: Cold Boot Attacks on Encryption Keys. Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum, and Felten. USENIX Security 2008.

• BootJacker: Compromising Computers Using Forced Restarts. Chan, Carlyle, David, Farivar, and Campbell. CCS 2008.
• Reconstructing RSA Private Keys from Random Key Bits. Heninger and Shacham. Crypto 2009.
• Keyboards and Covert Channels. Shah, Molina, and Blaze. USENIX Security 2006.
• Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations. Wright, Ballard, Coull, Monrose, and Masson. Oakland 2008.

Thursday, March 28 — Public Policy

• The Generative Internet. Zittrain. Harvard Law Review, 2006.

• Internet Clean-Slate Design: What and Why? Feldmann. 2007.

Tuesday, April 2 — Embedded Sec

• Designing and Implementing Malicious Hardware. King, Tucek, Cozzie, Grier, Jiang, and Zhou. LEET 2008.
• Comprehensive Experimental Analyses of Automotive Attack Surfaces. Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, Kohno. USENIX Security 2011.

• Experimental Security Analysis of a Modern Automobile. Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, Savage. Oakland 2010.
• The ten-page Introduction to Trusted Computing. Martin. 2008.
• Building the IBM 4758 Secure Coprocessor. Dyer, Lnidermann, Perez, Sailer, van Doorn, Smith, and Weingart. IEEE Computer, Oct. 2001.
• Reverse-Engineering a Cryptographic RFID Tag. Nohl, Evans, Starbug, and Plotz. USENIX Security 2008.
• Cloaker: Hardware Supported Rootkit Concealment. David, Chan, Carlyle, and Campbell. Oakland 2008.

Thursday, April 4 — Securing Democracy

• Security Analysis of India's Electronic Voting Machines. Wolchok, Wustrow, Halderman, Prasad, Kankipati, Sakhamuri, Yagati, and Gonggrijp. CCS 2010.
• Attacking the Washington, D.C. Internet Voting System. Wustrow, Wolchok, Isabel, and Halderman. FC 2012.

• Security Analysis of the Diebold AccuVote-TS Voting Machine. Feldman, Halderman, and Felten. EVT 2007.
• Machine-Assisted Election Auditing. Calandrino, Halderman, and Felten. EVT 2007.
• Analysis of an Electronic Voting System. Kohno, Stubblefield, Rubin, and Wallach. IEEE Security and Privacy 2004.
• Helios: Web-based Open-Audit Voting. Ben Adida. USENIX Security 2008.

Tuesday, April 9 — Private and Anonymous Communications

• Tor: The Second-Generation Onion Router. Dingledine, Mattewson, and Syverson. Usenix Security, 2004.
• Off-the-Record Communication, or, Why Not to Use PGP. Borisov, Goldberg, and Brewer. WPES 2004.

• Keyboards and Covert Channels. Shah, Molina, and Blaze. USENIX Security 2006.
• Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations. Wright, Ballard, Coull, Monrose, and Masson. Oakland 2008.
• Shining Light in Dark Places: Understanding the Tor Network. McCoy, Bauer, Grunwald, Kohno, and Sicker. Privacy Enhancing Technology Symposium, 2008.
• Increasing Data Privacy with Self-Destructing Data. Geambasu, Kohno, Levy, and Levy. Usenix Security 2009.
• Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. Wolchok, Hofmann, Heninger, Felten, Halderman, Rossbach, Waters, and Witchel. NDSS 2010.

Thursday, April 11 — Censorship Resistance

• Chipping Away at Censorship with User-Generated Content. Burnett, Feamster, and Vempala. Usenix Security 2010.
• Telex: Anticensorship in the Network Infrastructure. Wustrow, Wolchok, Goldberg, and Halderman. USENIX Security 2011.

• ConceptDoppler: A Weather Tracker for Internet Censorship. Crandall, Zinn, Byrd, Barr, and East. CCS 2007.
• Analysis of the Green Dam Censorware System. Wolchok, Yao, and Halderman. Tech Report, 2009.
• Internet Censorship in China: Where Does the Filtering Occur? Xu, Mao, and Halderman.

Tuesday, April 23 No written response required for today.

• Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks. Blaze. IEEE Security and Privacy, March/April 2003.
• Keep it Secret, Stupid! Blaze. 2003.

• Reconsidering Physical Key Secrecy: Teleduplication via Optical Decoding. Laxton, Wang, and Savage. CCS 2008.
• Notes on Picking Pin Tumbler Locks. Blaze. 2003.
• Safecracking for the Computer Scientist. Blaze. 2004.