|Student hours: Tu 3:30–4:30 or by appointment (Zoom)|
|Credits:||4. This course counts towards meeting software quals requirements.|
|Prerequisites:||EECS 482 Operating Systems, EECS 489 Computer Networks, EECS 388 Introduction to Security, or grad standing.
Success in this course requires a mature understanding of software systems.
|Lectures:||TuTh 1:30–3:30 PM ET - Zoom (Passcode in Email and Canvas)|
|GSI:||Ram Sundara Raman (Student hours: Mo 12:00–1:00 PM ET or by appointment (Zoom))|
|Reethika Ramesh (Remote meetings by appointment)|
|Forum:||We will use Canvas for submitting and peer-reviewing Paper Responses and Piazza for online discussion and announcements.
Please use firstname.lastname@example.org for all correspondence and reporting administrative issues.
Security Research at Michigan
Security Reading Group
This intensive research seminar covers foundational work and current topics in computer systems security. We will read research papers and discuss attacks and defenses against operating systems, client-side software, web applications, and IP networks. Students will be prepared for research in computer security and for security-related research in other subareas, and they will gain hands-on experience designing and evaluating secure systems.
Preliminary Topic List
There will be many opportunities to tailor the course to your
backgrounds and interests. The tentative list of topics below should
give you an idea of what to expect. See reading list for additional details. Please
get in touch if you have questions or suggestions.
Network SecurityThe security mindset, thinking like an attacker, reasoning about risk, research ethics
Network protocols security: TCP and DNS – attacks and defenses
Denial of service attacks, botnets and defenses
Privacy and Human FactorsAnonymity, secure messaging, censorship resistance, circumvention
Authentication, usability in security and privacy
Privacy attacks and privacy enhancing technologies
Systems SecurityKey exchange, public-key cryptography, real-world cryptography attacks
The TLS protocol, certificate ecosystem
Malware: viruses, spyware, rootkits – operation and detection
Hardware attacks, side-channels and OS-level defenses
Critical systems, physical attacks
Special TopicsMachine learning
Election security and surveillance
GradingThere will be no exams. Instead, your grade will be based on the following:
Class Participation (10%) — You will read one or two research papers for each class. After paper presentation by a group, we will discuss the strengths, weaknesses, scope, and future research areas related to the paper. Note that the discussion part of a lecture will not be recorded, but the paper presentation will be recorded and available on Canvas. Please try to attend the class discussions and be prepared to make substantive intellectual contributions. Participation on Canvas and Piazza discussions will also be considered towards this grade.
Paper Responses (15%) — You are required to write a short critical response for each paper we read (excluding recommended papers). Responses are due at the beginning of class. You will also review and rate your peers' reviews after the class. Look for evidence that the reviewever thought carefully about the topic.
Paper Presentation (25%) — Working with a partner, choose one of the topics from the reading list, read both the required and recommended papers, and prepare a 50 minute presentation. 30 minutes of your presentation should discuss details of the required paper and and the other 20 minutes should present an overview of the recommended papers and general research in the area. This part of the class will be recorded and made available on Canvas. You will receive a Google Form after the first class that will let you choose a topic of preferance.
Research Project (50%) — You will conduct an extended research project during the semester, with the goal of writing a publishable workshop paper. This work should be done in a group of size appropriate to the scope of your investigation. Typical project topics involve analyzing the security of a system or developing a new security mechanism.
Ethics, Law, and University Policies
To defend a system, you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university’s rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy in EECS 588 is that you must respect the privacy and property rights of others at all times, or else you will fail the course.
Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern “hacking.” Understand what the law prohibits — you don’t want to end up like this guy. The EFF provides helpful advice on vulnerability reporting and other legal matters. If in doubt, we can refer you to an attorney.
Please review ITS’s policies on responsible use of technology resources and CAEN’s policy documents for guidelines concerning proper use of information technology at U-M, as well as the Engineering Honor Code. As members of the university, you are required to abide by these policies.
Students with Disabilities
If you believe you need an accommodation for a disability, please let thee instructor know at the earliest opportunity. Some aspects of courses may be modified to facilitate your participation and progress. As soon as you make an instructor aware of your needs, they can work with the Services for Students with Disabilities (SSD) office to help determine appropriate academic accommodations. Information you provide will be treated as private and confidential.
Course lectures will be audio/video recorded and made available to all students in this course. As part of your participation in this course, you may be recorded. If you do not wish to be recorded, please contact the instructor the first week of class to discuss alternative arrangements. To prevent revealing your identity on recordings, please mute your video during lecture. Also, questions can be submitted via Zoom chat if you do not wish to reveal your voice.
Students may not record or distribute any class activity without written permission from the instructor, except as necessary as part of approved accommodations for students with disabilities. Any approved recordings may only be used for the student’s own private use.