Computer & Network Security

EECS 588 – Winter 2018


Readings

The readings will change often, so watch for updates on Piazza.

Essays and Reviews: Paper Response Guidelines

Students will write a series of critical responses to papers we assign for reading. See the slides from Lecture 1 for the process and expectations for essays and reviews.

Plagiarism will result in a zero on the assignment and a likely failing grade in the course. We follow the Writing with Sources, 3rd Edition guidebook when assessing an essay for plagiarism. Make sure you're aware of how we determine plagiarism based on this guidebook. Do not accidentally violate this policy. We welcome questions during office hours if you seek additional practical tips on how to avoid plagiarism.

Paper Reviews: Basic Tips

We recommend following the advice of Hill and McKinley on how to write constructive and positive reviews. Write a ~400 word critical response to papers assigned for review. What should your review contain?

Your most important task is to demonstrate that you've read the paper and thought carefully about the topic. It's easy to find flaws; it's more challenging to tease out the diamonds in the rough of what the authors meant but did not say. Do not share reviews with your peers; plagiarism will result in a zero and likely failure of the course. It's not worth it! Wait until after lecture to share your thoughts and writing with peers.

Paper responses are due on paper before the start of lecture, for peer review during class.

Critical Essays: Common mistakes and pitfalls to avoid

Essay 1: End-to-End Argument and Spectre/Meltdown
(Due Thursday, 1/11 before lecture on printed paper for in-class peer review)

Use the end-to-end argument to explain how computer systems could better remain trustworthy despite security design flaws later found in lower-level components or layers (e.g., Spectre, Meltdown, TPMs). Hardware and software may contain undiscovered design flaws such that mechanisms fail to adequately enforce guarantees of memory isolation. Consider what the end-to-end argument can teach us about making trustworthy software systems out of untrustworthy hardware components, what philosophical exceptions to the E2E argument may arise in the case of Spectre/Meltdown, and what the limits of the E2E argument are for securing computer systems.

Follow the instructions in Lecture 1 for your essay. Make sure to have a meaningful short title and begin your text with a technical thesis statement. Your name and the date should appear in the header. Every paragraph should have a clear topic sentence, and every sentence should support the topic sentence and thesis statement to warrant inclusion. For a one-page essay, a good rule of thumb is that your essay would use 2-3 pieces of evidence to support a technical argument.

Essay 2: Return from which mountain?
(Due Tuesday, 1/23 for in-class peer review)

Many solutions have been proposed to defend against Return Oriented Programming (ROP), a class of vulnerabilities pioneered by Hovav Shacham and others. Imagine that someone devises a technique that claims to completely eliminate code reuse attacks. How would you evaluate the effectiveness of a proposed conceptual defense that makes such a claim? And how would you tease out the threat model if none is stated with the proposed approach?

To respond with an essay, craft a thesis statement that includes a meaningful (non-binary) claim or hypothesis as your first topic sentence. Your supporting paragraphs should include 2-3 orthogonal pieces of evidence (the rule of three) to prove or argue your claim or hypothesis. The Science of Security SOK paper by Herley and van Oorschot offers several aphorisms on what makes a meaningful hypothesis:

A hypothesis is scientific only if it is consistent with some but not other possible states of affairs not yet observed, so that it is subject to the possibility of falsification by reference to experience. [Ayala]
In our view, the issue boils down to clarifying one question: what potential observational or experimental evidence is there that would persuade you that the theory is wrong and lead you to abandoning it? If there is none, it is not a scientific theory. [Ellis and Silk]

Essay 3: Machine Learning and Malware: It's a Trick, Get an Axe
(Due Thursday, 3/8 for in-class peer review)

Signature-based anti-virus is no longer effective because of polymorphic viruses and the sheer quantity of new malware variants. Signatures simply lag too far behind the variants of malware. Thus, much of the field has moved toward behavior-based detection of malware. In this vein, many researchers have proposed using machine learning on various observable phenomena (e.g., power) to identify and classify malware. Often, research papers will cite high "accuracy" as evidence of their success. You can find many such papers at security conferences. However, high accuracy is relatively trivial to achieve. The harder metrics to satisfy are precision and recall. In your essay, explain why accuracy is a red herring when judging the ultimate success of an ML-based malware detector, and why precision and recall are the more important metrics. To justify your claim, you may cite examples from any papers. Think about the simplest counterexamples where a detection approach with high accuracy may have poor precision or recall. You may also highlight red herring phrases from papers that report high accuracy in their abstracts, etc.

Essay 4: Improving Trustworthiness of Sensor Output
(Due Thursday, 3/15 for in-class peer review)

The hardware spec sheet serves as a contract between the chip supplier and the embedded systems engineer. An engineer can choose to ignore the requirements (e.g., minimum voltages, temperature), but then risks potential undefined behavior. A manufacturer may choose to hide certain requirements or characteristics such as resonant frequencies of MEMS sensors, the frequency response of a microphone, the cutoff frequencies of a filter, the sampling rate of the ADC, etc. What can be done to improve this contract language between the chip suppliers and chip users to better ensure the security of embedded systems against transduction attacks and make sensor outputs more verifiable despite adversarial control?

Essay 5: Reproducibility and Confidence
(Due Tuesday, 3/27 for in-class peer review)

In recent years, the field of psychology has faced what is called the reproducibility crisis. In psychology, the current standard for reproducibility is a p-value of 0.05, which has resulted in the bulk of the papers being accepted into the top journals simply being the 5% of papers that have extraordinary results due to random chance. This is also potentially a problem in the field of computer science, and security in particular, where researchers are even looser with confidence intervals. Many papers simply provide a flimsy proof of concept, because providing more rigorous evidence may be prohibitively time-consuming or impossible without assistance from manufacturers. Does the field of computer security need more stringent measures of reproducibility? Argue for or against, and describe what measures should be taken, if any. Tuesday’s (March 27) assigned reading may provide direction.

Essay 6: Crypto Wars III and Assurance
(Due Thursday, 4/12 for in-class peer review)

In the 1990s, cryptographers and the U.S. government debated key escrow in the context of secure phone calls and the Clipper Chip during the Clinton Administration. In Crypto Wars II during the Obama Administration, the debate shifted to the idea of a Golden Key. Susan Landau writes about the politics of wiretapping and encryption. Steve Bellovin of Columbia University argues that the latest debate in Crypto Wars III boils down to the system property of assurance. Take a position on the encryption debate (for or against technological approaches for government access to cryptographic key material). Then argue why (or why not) non-technical measures would lead to better societal or law enforcement outcomes. The best arguments will be scoped in a manner where you can debate specifics rather than vague generalities. Your argument may be weaker or stronger depending on the class of applications you consider. (telephony? storage? hardware? software? social networks? cloud? cars? cloud cars? OK, not the last one.) Avoid unsubstantiated opinions; any claim must be backed by facts or data from reputable sources rather than FUD.

Reading List

This list is subject to change.

Unfortunately, some articles require paid subscriptions to journals and digital libraries. You can access these for free when connecting on campus. For off-campus access, try the U-M VPN or the MLibrary Proxy Server Bookmarklet.

Welcome

Tuesday, January 2

No Class.

Thursday, January 4

Building Blocks

Tuesday, January 9 — Threat Modeling and Security Engineering Principles

Thursday, January 11 — Science and Engineering of Security

Lab Basics and Control Flow

Tuesday, January 16 — In-Class Pre-Lab

No review or essay due; bring your pre-lab 1 response.

Thursday, January 18 — Buffer Overflows

Control Flow and Side Channels

Tuesday, January 23 — Sick

Thursday, January 25 — Return Oriented Programming (ROP)

Moar Side Channels

Tuesday, January 30 — Side Channels

Thursday, February 1 — DRAM side channel

  • Rowhammer by Seaborn and Dullien, Google, 2015. Paper Review #4 Due

Network Security and Web Security

Tuesday, February 6 — Network Security

Thursday, February 8 — Web Security

Cryptography / Crap-tography

Tuesday, February 13 — How Crypto Fails in Practice

Thursday, February 15 — How Crypto Protocols Fail in Practice, and Pre-Proposal Presentations

Internet of Things

Tuesday, February 20 — No class, work on lab

No review or essay due; spend time on Lab 2 power analysis, which is due tomorrow (Wednesday, February 21).

Thursday, February 22 — Automobile Security

Moar Internet of Things and Side Channels

Tuesday, March 6 — Medical Device Security

Thursday, March 8 — Power Side Channels

Transduction Attacks

Tuesday, March 13 — Sensor Integrity: Ultrasonic Attacks

Thursday, March 15 — Sensor Integrity: MEMS Acoustic Attacks

Risks of Feedback Control

Tuesday, March 20 — Fault Injection: Electromechanical Devices

  • Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems by Bolton et al. To appear in IEEE Symposium on Security and Privacy (Oakland), May 2018. Paper Review #11 Due

Thursday, March 22 — Crypto Side Channels

Usable Security (USENIX SOUPS!)

Tuesday, March 27 — Usable Encryption

Thursday, March 29 — Usable Security: Permissions

Topic

Tuesday, April 3 — Project Feedback

Bring a first draft of your group project writeup. No reviews due today.

Thursday, April 5 — Censorship

Topic

Tuesday, April 10 — Surveillance: Fingerprinting and Forensics

Thursday, April 12 — Cybercrime and Cyberwar

  • Keys Under Doormats. Abelson, Anderson, Bellovin, Benaloh, Blaze, Diffie, Gilmore, Green, Landau, Neumann, Rivest, Schiller, Schneier, Specter, and Weitzner. July 2015. Essay #6 Due

Project Presentations

Tuesday, April 17 — In-Class Presentations

  • Term papers are due before sunset