EECS 588 - Reading List

Readings

Paper Response Guidelines

Write a ~400 word critical response to each required paper.

In the first paragraph:
1. State the problem that the paper tries to solve; and
2. Summarize the main contributions.
In one or more additional paragraphs:
1. Evaluate the paper's strengths and weaknesses;
2. Discuss something you would have done differently if you had written the paper; and
3. Suggest one or more interesting open problems on related topics.

Your most important task is to demonstrate that you've read the paper and thought carefully about the topic.

Paper responses are due before the start of class via the online submission system. Before you upload your work, the system will ask you to assess earlier responses written by your peers. We'll combine peer feedback and our own evaluation when determining your grade.

Reading List

This list is subject to change. Updates will be posted by the end of the day on the Friday before each lecture.

Unfortunately, some articles require paid subscriptions to journals and digital libraries. You can access these for free when connecting on campus. For off-campus access, try the U-M VPN or the MLibrary Proxy Server Bookmarklet.

Welcome / How Crypto Fails

Tuesday, January 12

Introduction. (Slides from lecture.)
Essential Cryptography. (Slides from lecture.)
The Security Mindset. Bruce Schneier. 2008.
Security Engineering. Ross Anderson. Wiley, 2001.
Handbook of Applied Cryptography. Menezes, van Oorschot, and Vanstone. CRC Press, 1996.

Thursday, January 14

MD5 To Be Considered Harmful Someday. Dan Kaminsky. 2004.
MD5 Considered Harmful Today. Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik, and Weger. CCC 2008.

TLS and SSL. D. Koren, et al. Secure Networking Protocols Portal, 2009.
TLS v1.2. Dierks and Rescorla. RFC 5246, 2008.
Let's Encrypt. (the CA Alex is building).
How to Break MD5 and Other Hash Functions. Wang and Yu. Eurocrypt 2005.
Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. Stevens, Sotirov, Appelbaum, Lenstra, Molnar, Osvik, and Weger. Crypto 2009.
Chosen-prefix collisions for MD5 and applications. Stevens, Lenstra, and de Weger. Int. J. Applied Cryptography, 2(4), 2012.
Freestart collisions for SHA-1. October 2015.
Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH. Bhargavan and Leurent. MDSS 2016.

Real World Crypto

Tuesday, January 19

Lessons Learned in Implementing and Deploying Crypto Software. Peter Gutmann. Usenix Security 2002.
Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. Heninger, Durumeric, Wustrow, and Halderman. Usenix Security 2012.

Why Cryptosystems Fail. Ross Anderson. Commun. ACM, 37(11), Nov. 1994.
Why Information Security is Hard: An Economic Perspective. Ross Anderson. ACSAC 2001.
ZMap: Fast Internet-Wide Scanning and its Security Applications. Durumeric, Wustrow, and Halderman. Usenix Security 2013.
Censys: A Search Engine Backed by Internet-Wide Scanning. Durumeric, Adrian, Mirian, Bailey, and Halderman. CCS 2015.
Analysis of the HTTPS Ecosystem. Durumeric, Kasten, Bailey, and Halderman. IMC 2013.
Cryptanalysis of the Windows Random Number Generator. Dorrendorf, Gutterman, and Pinkas. CCS 2007.
SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. Clark and van Oorschot. Oakland 2013.

Thursday, January 21

The First Few Milliseconds of an HTTPS Connection. Jeff Moser. 2009.
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. Adrian, Bhargavan, Durumeric, Gaudry, Green, Halderman, Heninger, Springall, Thomé, Valenta, VanderSloot, Wustrow, Zanella-Béguelin, and Zimmermann. CCS 2015.

A Messy State of the Union: Taming the Composite State Machines of TLS. Beurdouche, Bhargavan, Delignat-Lavaud, Fournet, Kohlweiss, Pironti, Strub, Zinzindohoue. Oakland 2015.
ForceHTTPS Cookies: A Defense Against Eavesdropping and Pharming. Jackson and Barth. WWW 2008.
Null Prefix Attacks Against SSL/TLS Certificates. Moxie Marlinspike. 2009.
Lucky 13: Breaking the TLS and DTLS Record Protocols. AlFardan and Paterson. Oakland 2013.
On the Security of RC4 in TLS. AlFardan, Bernstein, Paterson, Schuldt, and Holloway. Usenix Security 2013.
The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. Georgiev, Iyengar, Jana, Anubhai, Boneh, and Shamatikov. CCS 2012.
CAge: Taming Certificate Authorities by Inferring Restricted Scopes. Kasten, Wustrow, and Halderman. FC 2013.

Binary Exploitation

Tuesday, January 26 — Basic Exploitation

Smashing the Stack for Fun and Profit. Aleph One. Phrack 49(14), Nov. 1996.
StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Cowan, Pu, Maier, Hinton, Walpole, Bakke, Beattie, Grier, Wagle, and Zhang. Usenix Security 1998.

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns. Pincus and Baker. IEEE Security and Privacy, July–Aug. 2004.
On the Effectiveness of ASLR. Shacham, Page, Pfaff, Goh, Modadugu, and Boneh. CCS 2004.
English Shellcode. Mason, Small, Monrose, and MacManus. CCS 2009.
AEG: Automatic Exploit Generation. Avgerinos, Cha, Hao, and Brumley. NDSS 2011.

Thursday, January 28 — Modern Attacks

Eternal War in Memory. Szekeres, Payer, Wei, and Song. Oakland 2013.
The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). Hovav Shacham. CCS 2007.

VUPEN Vulnerability Research Blog. (Details of advanced modern exploitation.)
An Empirical Study of Vulnerability Rewards Programs. Finifter, Akhawe, and Wagner. Usenix Security 2013.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks. Ratanaworabhan, Livshits, and Zorn. Usenix Security 2009.

Malicious Software

Tuesday, February 2 — Malware

Reflections on Trusting Trust. Ken Thompson. Communications of the ACM, 27(8), Aug. 1984.
Nazca: Detecting Malware Distribution in Large-Scale Networks. Invernizzi, Miskovic, Torres, Saha, Lee, Mellia, Kruegel, and Vigna. NDSS 2014.

Towards Automatic Generation of Vulnerability-Based Signatures. Brumley, Newsome, Song, Wang, and Jha. Oakland 2006.
Control Flow Integrity for COTS Binaries. Zhang and Sekar. Usenix Security 2013.
Inside the Slammer Worm. Moore, Paxson, Savage, Shannon, Staniford, and Weaver. IEEE Security and Privacy, July/August 2003.
The Morris Worm: A Fifteen-Year Perspective. Orman. IEEE Security and Privacy, Sept./Oct. 2003.
Prudent Practices for Designing Malware Experiments: Status Quo and Outlook. Rossow, Dietrich, Grier, Kreibich, Paxson, Pohlmann, Bos, and van Steen. Oakland 2012.

Thursday, February 4 — Isolation

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Ristenpart Tromer, Shacham, and Savage. CCS 2009.
The Security Architecture of the Chromium Browser. Barth, Jackson, Reis, and The Google Chrome Team. 2008.

Native Client: A Sandbox for Portable, Untrusted x86 Native Code. Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, and Fullagar. Oakland 2009.
Cross-VM Side Channels and Their Use to Extract Private Keys. Zhang, Juels, Reiter, and Ristenpart. CCS 2012.
Capsicum: Practical Capabilities for UNIX. Watson, Anderson, Laurie, and Kennaway. Usenix Security 2010.
Leveraging Legacy Code to Deploy Desktop Applications on the Web. Douceur, Elson, Howell, and Lorch. OSDI 2008.
Safe Kernel Extensions Without Run-Time Checking. Necula and Lee. OSDI 1996.
The Ten-Page Introduction to Trusted Computing. Martin. 2008.

Web Security

Tuesday, February 9 — Web Attacks

Robust Defenses for Cross-Site Request Forgery. Barth, Jackson, and Mitchell. CSS 2008.
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. Louw and Venkatakrishnan. Oakland 2009.

Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner. Doupe, Cavedon, Kruegel, and Vigna. Usenix Security 2012.
OWASP Cheat Sheet Series. Open Web Application Security Project.
The Unexpected Dangers of Dynamic JavaScript. Lekies, Stock, Wentzel, and Johns. Usenix Security 2015.
Toward Black-Box Detection of Logic Flaws in Web Applications. Pellegrino and Balzarotti. NDSS 2014.

Thursday, February 11 — Web Isolation

Securing Browser Frame Communication. Barth, Jackson, and Mitchell. Usenix Security 2008.
Reining in the Web with Content Security Policy. Stamm, Sterne, and Markham. WWW 2010.

Protection and Communication Abstractions for Web Browsers in MashupOS. Wang, Fan, Howell, and Jackson. SOSP 2007.
Beware of Finer-Grained Origins. Jackson and Barth. Web 2.0 Security and Privacy 2008.
Protecting Browsers from DNS Rebinding Attacks. Jackson, Barth, Bortz, Shao, And Boneh. CCS 2007.
Eradicating DNS Rebinding with the Extended Same-Origin Policy. Johns, Lekies, and Stock. Usenix Security 2013.
Content Security Policy 1.0. Sterne and Barth. W3C Candidate Recommendation, 2012.

Mobile Security

Tuesday, February 16 — Mobile Security

Dissecting Android Malware: Characterization and Evolution. Zhou and Jiang. Oakland 2012.
Securing Embedded User Interfaces: Android and Beyond. Roesner and Kohno. Usenix Security 2013.

Smart-Phone Attacks and Defenses. Guo, Wang, and Zhu. HotNets 2004.
User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems. Roesner, Kohno, Moshchuk, Parno, Wang, and Cowan. Oakland 2012.
Android Permissions Demystified. Felt, Chin, Hanna, Song, and Wagner. CCS 2011.
Android Permissions: User Attention, Comprehension, and Behavior. Felt, Ha, Egelman, Haney, Chin, and Wagner. SOUPS 2012.
You Can Run, but You Can’t Hide: Exposing Network Location for Targeted DoS Attacks in Cellular Networks. Qian, Wang, Xu, Mao, Zhang, and Wang. NDSS 2012.

Thursday, February 18 — Pre-proposal presentations No written response required for today.

Human Factors

Tuesday, February 23 — Authentication

The End is Nigh: Generic Solving of Text-based CAPTCHAs. Bursztein, Aigrain, Moscicki, and Mitchell. WOOT 2014.
The Tangled Web of Password Reuse. Das, Bonneau, Caesar, Borisov, and Wang. NDSS 2014.

reCAPTCHA: Human-Based Character Recognition via Web Security Measures. von Ahn, Maurer, McMillen, Abraham, and Blum. Science, September 2008.
How Good are Humans at Solving CAPTCHAs? Bursztein, Bethard, Fabry, Mitchell, and Jurafsky. Oakland 2010.
Sketcha: A Captcha Based on Line Drawings of 3D Models. Ross, Halderman, and Finkelstein. WWW 2010.
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. Joseph Bonneau. Oakland 2012.
A Usability Study and Critique of Two Password Managers. Chiasson, van Oorschot, and Biddle. Usenix Security 2006.
Designing Crypto Primitives Secure Against Rubber Hose Attacks. Bojinov, Sanchez, Reber, Boneh, and Lincoln. Usenix Security 2012.
Honeywords: Making Password-Cracking Detectable. Juels and Rivest. CCS 2013.

Thursday, February 25 — Usable Security

Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. Whitten and Tygar. Usenix Security 1999.
Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. Akhawe and Felt. Usenix Security 2013.

Why (Special Agent) Johnny (Still) Can't Encrypt. Clark, Goodspeed, Metzger, Wasserman, Xu, and Blaze. Usenix Security 2011.
Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted Email. Gaw, Felten, and Fernandez-Kelly. CHI 2006.
So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. Cormac Herley. NSPW 2009.
In Search of Usable Security: Five Lessons from the Field. Balfanz, Durfee, Grinter, and Smetters. IEEE Security and Privacy, September/October 2004.
Folk Models of Home Computer Security. Rick Wash. SOUPS 2010.
Your Attention Please: Designing Security-Decision UIs. Bravo-Lillo, Cranor, Downs, Komanduri, Reeder, Schechter, and Sleeper. SOUPS 2013.

Network Security

Tuesday, March 8 — Network Attacks

DROWN: Breaking TLS using SSLv2. Aviram, Schinzel, Somorovsky, Heninger, Dankel, Steube, Valenta, Adrian, Halderman, Dukhovni, Käsper, Cohney, Engels, Paar, and Shavitt. (Last week’s news.)

A Look Back at “Security Problems in the TCP/IP Protocol Suite.” Steve Bellovin. ACSAC 2004.
Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Christian Rossow. NDSS 2014.
Exit from Hell? Reducing the Impact of Amplification DDoS Attacks. Kührer, Hupperich, Rossow, and Holz. Usenix Security 2014.
Blind TCP/IP Hijacking is Still Alive. lkm. Phrack 64, 2007.
A Survey of BGP Security Issues and Solutions. Butler, Farley, McDaniel, and Rexford. 2008.
Black Ops 2008: It’s the End of the Cache as We Know It. Dan Kaminsky. Toorcon 2008.
Increased DNS Forgery Resistance Through 0x20-Bit Encoding. Dagon, Antonakakis, Vixie, Jinmei, and Lee. CCS 2008.
Bro: A System for Detecting Network Intruders in Real-Time. Vern Paxson. Computer Networks 31(23-24), 1999.
The Security Flag in the IPv4 Header. Steve Bellovin. RFC 3514.

Thursday, March 10 — Online Crime

Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Kanich, Kreibich, Levchenko, Enright, Voelker, Paxson, and Savage. CCS 2008.
Your Botnet is My Botnet: Analysis of a Botnet Takeover. Stone-Gross, Cova, Cavallaro, Gilbert, Szydlowski, Kemmerer, Kruegel, and Vigna. CCS 2009.

Modeling and Evaluating the Resilience of Peer-to-Peer Botnets. Rossow, Andriesse, Werner, Stone-Gross, Plohmann, Dietrich, and Bos. Oakland 2013.
A Multifaceted Approach to Understanding the Botnet Phenomenon. Rajab, Zarfoss, Monrose, and Terzis. ISC 2006.
What’s Clicking What? Techniques and Innovations of Today’s Clickbots. Miller, Pearce, Grier, Kreibich, and Paxson. DIMVA 2011.
Clickjacking: Attacks and Defenses. Huang, Moshchuk, Wang, Schechter, and Jackson. Usenix Security 2012.
On the Mismanagement and Maliciousness of Networks. Zhang, Durumeric, Bailey, Liu, and Karir. NDSS 2014.

Security and Government Power

Tuesday, March 15 — The Post-Snowden Era

Global Surveillance Disclosures. Wikipedia.
Decoding the Summer of Snowden. Julian Sanchez. Cato Policy Report, 2013.
NSA's ANT Division Catalog of Exploits. Published by Der Spiegel, Dec. 2013.

Liberty and Security in a Changing World. President's review group on intelligence and communications technologies. Dec. 2013.
NSA Collecting Phone Records of Millions of Verizon Customers Daily. Glenn Greenwald. The Guardian, Jun. 2013.
NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say. Gellman and Soltani. Washington Post, Oct. 2013.
NSA Collects Millions of Text Messages Daily in ‘Untargeted’ Global Sweep. James Ball. The Guardian, Jan. 2014.
Designing and Implementing Malicious Hardware. King, Tucek, Cozzie, Grier, Jiang, and Zhou. LEET 2008.
Stealthy Dopant-Level Hardware Trojans. Becker, Regazzoni, Paar, and Burleson. CHES 2013.
On the Practical Exploitability of Dual EC in TLS Implementations. Checkoway, Fredrikson, Niederhagen, Everspaugh, Green, Lange, Ristenpart, Bernstein, Maskiewicz, and Shacham. Usenix Security 2015.

Thursday, March 17 — Cyberwar/Crypto War

W32.Stuxnet Dossier. Falliere, Murchu, and Chien. Symantec technical report, 2011.
Keys Under Doormats. Abelson, Anderson, Bellovin, Benaloh, Blaze, Diffie, Gilmore, Green, Landau, Neumann, Rivest, Schiller, Schneier, Specter, and Weitzner. July 2015.

APT1 Report. Mandiant technical report, 2013.
Cyberwar and Peace. Thomas Rid. Foreign Affairs, Nov./Dec. 2013.
To Kill a Centrifuge. Ralph Langner. Nov. 2013.
Order Compelling Apple, Inc. to Assist Agents in Search. Feb. 2016.
Apple Inc.'s Motion to Vacate Order Compelling Apple Inc. to Assist Agents in Search, and Opposition to Government's Motion to Compel Assistance. Feb. 2016.
Statement Before the Senate Select Committee on Intelligence. James Comey. July 2015.
Going Bright: Wiretapping without Weakening Communications Infrastructure. Bellovin, Blaze, Clark, and Landau. IEEE Security & Privacy 11:1, Jan/Feb 2013.
The Export of Cryptography in the 20th Century and the 21st. Diffie and Landau. In the Handbook of the History of Information Security, Elsevier, 2005.
Bernstein v. United States. 1995–2002.
Lavabit Legal Proceedings. 2013.

Critical Systems / Critical Thinking

Tuesday, March 22 — Automotive Security

Experimental Security Analysis of a Modern Automobile. Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, and Savage. Oakland 2010.
Comprehensive Experimental Analyses of Automotive Attack Surfaces. Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, and Kohno. Usenix Security 2011.

Adventures in Automotive Networks and Control Units. Miller and Valasek. Countermeasure 2013.
Remote Exploitation of an Unaltered Passenger Vehicle. Miller and Valasek. DEF CON 23, Aug. 2015.
Security and Privacy for Implantable Medical Devices. Halperin, Heydt-Benjamin, Fu, Kohno, and Maisel. IEEE Pervasive Computing 7(1), 2008.
Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. Halperin, Heydt-Benjamin, Ransford, Clark, Defend, Morgan, Fu, Kohno, and Maisel. Oakland 2008.
Illuminating the Security Issues Surrounding Lights-Out Server Management. Bonkoski, Bielawski, and Halderman. WOOT 2013.

Thursday, March 24 — Security and Ethics

The Moral Character of Cryptographic Work. Phillip Rogaway. Dec. 2015.

Markets for Zero-Day Exploits: Ethics and Implications. Egelman, Herley, and van Oorschot. NSPW 2013.
The Menlo Report. Bailey, Dittrich, Kenneally, and Maughan. IEEE Security and Privacy 10(2):71-75, 2012.

Privacy and Confidentiality

Tuesday, March 29 — Deletion and Leakage

Lest We Remember: Cold Boot Attacks on Encryption Keys. Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum, and Felten. Usenix Security 2008.
Secure Data Deletion. Reardon, Basin, and Capkun. Oakland 2013.

History Independence for File Systems. Bajat and Sion. CCS 2013.
BootJacker: Compromising Computers Using Forced Restarts. Chan, Carlyle, David, Farivar, and Campbell. CCS 2008.
Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation. Chow, Pfaff, Garfinkel, and Rosenblum. Usenix Security 2005.
Increasing Data Privacy with Self-Destructing Data. Geambasu, Kohno, Levy, and Levy. Usenix Security 2009.
Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. Wolchok, Hofmann, Heninger, Felten, Halderman, Rossbach, Waters, and Witchel. NDSS 2010.
Reconstructing RSA Private Keys from Random Key Bits. Heninger and Shacham. Crypto 2009.
Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems. Zhang and Wang. Usenix Security 2009.
Electromagnetic Eavesdropping Risks of Flat-Panel Displays. Markus Kuhn. PETS 2004.

Thursday, March 31 — Privacy in the Cloud

Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider. Feldman, Blankstein, Freedman, and Felten. Usenix Security 2012.
CONIKS: Bringing Key Transparency to End Users. Melara, Blankstein, Bonneau, Felten, and Freedman. Usenix Security 2015.

“You Might Also Like:” Privacy Risks of Collaborative Filtering. Calandrino, Kilzer, Narayanan, Felten, and Shmatikov. Oakland 2011.
Selling Off Privacy at Auction. Olejnik, Tran, and Castelluccia. NDSS 2014.
Third-Party Web Tracking: Policy and Technology. Mayer and Mitchell. Oakland 2012.
Remote Physical Device Fingerprinting. Kohno, Broido, and Claffy. Oakland 2005.
Adnostic: Privacy Preserving Targeted Advertising. Toubiana, Narayanan, Boneh, Nissenbaum, and Barocas. NDSS 2010.
Securing Web Applications by Blindfolding the Server. Popa, Stark, Valdez, Helfer, Zeldovich, Kasshoek, and Balakrishnan. NSDI 2014.
An Analysis of Private Browsing Modes in Modern Browsers. Aggarwal, Bursztein, Jackson, and Boneh. Usenix Security 2010.
Privacy Policy. Google, Inc.

Online Freedom

Tuesday, April 5 — Anonymity

Tor: The Second-Generation Onion Router. Dingledine, Mattewson, and Syverson. Usenix Security 2004.
SoK: Secure Messaging. Unger, Dechand, Bonneau, Fahl, Perl, Goldberg, and Smith. Oakland 2015.

Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. Johnson, Wacek, Jansen, Sherr, and Syverson. CCS 2013.
Off-the-Record Communication, or, Why Not to Use PGP. Borisov, Goldberg, and Brewer. WPES 2004.
How Secure is TextSecure? Frosch, Mainka, Bader, Bergsma, Schwenk, and Holz. EuroS&P 2016.
Shining Light in Dark Places: Understanding the Tor Network. McCoy, Bauer, Grunwald, Kohno, and Sicker. PETS 2008.
Trawling for Tor Hidden Services. Biryukov, Pustogarov, and Weinmann. Oakland 2013.
Criminal Complaint, U.S. v. Ulbricht. Oct. 2013.
How the NSA Attacks Tor Users with QUANTUM and FOXACID. Bruce Schneier. Oct. 2013.
Judge Confirms What Many Suspected: Feds Hired CMU to Break Tor. Cyrus Farivar. Ars Technica, Feb. 2016.

Thursday, April 7 — Censorship Resistance

Examining How the Great Firewall Discovers Hidden Circumvention Servers. Ensafi, Fifield, Winter, Feamster, Weaver, and Paxson. IMC 2015.
Telex: Anticensorship in the Network Infrastructure. Wustrow, Wolchok, Goldberg, and Halderman. Usenix Security 2011.

Blocking-resistant Communication Through Domain Fronting. Fifield, Lan, Hynes, Wegmann, and Paxson. PETS 2015.
Scramblesuit: A Polymorphic Network Protocol to Circumvent Censorship. Winter, Pulls, and Fuss. WPES 2013.
Protocol Misidentification Made Easy with Format-Transforming Encryption. Dyer, Coull, Ristenpart, and Shrimpton. CSS 2013.
Internet Censorship in China: Where Does the Filtering Occur? Xu, Mao, and Halderman. PAM 2011.
Internet Censorship in Iran: A First Look. Aryan, Aryan, and Halderman. FOCI 2013.
Analysis of the Green Dam Censorware System. Wolchok, Yao, and Halderman. Tech Report, 2009.
No Direction Home: The True Cost of Routing Around Decoys. Houmansadr, Wong, and Shmatikov. NDSS 2014.

Computer & Network Security

EECS 588 – Winter 2016