Readings
Paper Response Guidelines
Write a ~400-word critical response to each required paper.
- In the first paragraph:
  - State the problem that the paper tries to solve; and
  - Summarize the main contributions.
- In one or more additional paragraphs:
  - Evaluate the paper's strengths and weaknesses;
  - Discuss something you would have done differently if you had written the paper; and
  - Suggest one or more interesting open problems on related topics.
Your most important task is to demonstrate that you've read the paper and thought carefully about the topic.
Paper responses are due before the start of class via the online submission system. After you upload your work, the system will ask you to assess two responses written by your peers. We'll combine peer feedback and our own evaluation when determining your grade.
Reading List
Please expect updates until mid-August
Welcome / Ethics
Thursday, January 5 — Welcome / Ethics
- The Security Mindset. Bruce Schneier. 2008.
- How to Read a Paper. S. Keshav.
- How to Give a Great Research Talk. Simon Peyton Jones. Microsoft Research, 2016.
- How to Write a Great Research Paper. Simon Peyton Jones. Microsoft Research, 2016.
- The Menlo Report: Ethical Principles. 2012.
- No Encore for Encore? Ethical Questions for Web-Based Censorship Measurement. Arvind Narayanan and Bendert Zevenbergen. 2015.
Network Security
Tuesday, January 10 — TCP/IP
- Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy, and Lisa M. Marvel. Usenix Security, 2016.
- Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope. Raphael Hiesgen, Marcin Nawrocki, Alistair King, Alberto Dainotti, Thomas C. Schmidt, and Matthias Wählisch. USENIX Security, 2022.
Thursday, January 12 — DNS
- DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels. Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, and Haixin Duan. CCS, 2020.
- Satellite: Joint analysis of CDNs and network-level interference. Will Scott, Thomas Anderson, Tadayoshi Kohno, and Arvind Krishnamurthy. Usenix ATC, 2016.
- Global Measurement of DNS Manipulation. Paul Pearce, Ben Jones, Frank Li, Roya Ensafi, Nick Feamster, Nick Weaver, and Vern Paxson. Usenix Security, 2017.
Botnets and Denial of Service Attacks
Tuesday, January 17 — Botnets
- Understanding the Mirai Botnet. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric et al. Usenix Security, 2017.
- Your botnet is my botnet: analysis of a botnet takeover. Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna. CCS, 2009.
Thursday, January 19 — DoS
- Weaponizing Middleboxes for TCP Reflected Amplification. Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, Dave Levin. USENIX Security, 2021.
- Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks. Johannes Krupp, Michael Backes, and Christian Rossow. CCS, 2016.
Online Freedom
Tuesday, January 24 — Anonymity
- Tor: The Second-Generation Onion Router. Paul Syverson, Roger Dingledine, and Nick Mathewson. Usenix Security, 2004.
- Judge Confirms What Many Suspected: Feds Hired CMU to Break Tor. Cyrus Farivar. Ars Technica, 2016.
- The Effect of DNS on Tor's Anonymity. Benjamin Greschbach, Tobias Pulls, Laura M. Roberts, Philipp Winter, and Nick Feamster. NDSS, 2017.
Thursday, January 26 — Censorship Resistance
- Blocking-resistant Communication Through Domain Fronting. David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. PETS, 2015.
- Conjure: Summoning Proxies from Unused Address Space. Sergey Frolov, Jack Wampler, Sze Chuen Tan, J. Alex Halderman, Nikita Borisov, and Eric Wustrow. CCS, 2019.
- MassBrowser: Unblocking the Web for the Masses, By the Masses. Milad Nasr, Hadi Zolfaghari, and Amir Houmansadr. NDSS, 2020.
- Geneva: Evolving censorship evasion strategies. Kevin Bock, George Hughey, Xiao Qiang, and Dave Levin. CCS, 2019.
Human Factors
Tuesday, January 31 — Authentication
- Detecting Credential Spearphishing Attacks in Enterprise Settings. Grant Ho, Aashish Sharma, Mobin Javed, Vern Paxson, and David Wagner. Usenix Security, 2017.
- The Tangled Web of Password Reuse. Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and XiaoFeng Wang. NDSS, 2014.
Thursday, February 2 — Usable In Security
- A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web. Elissa M. Redmiles, Noel Warford, Amritha Jayanti, Aravind Koneru, Sean Kross, Miraida Morales, Rock Stevens, and Michelle L. Mazurek. Usenix Security, 2020.
- Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. Devdatta Akhawe and Adrienne Porter Felt. Usenix Security, 2013.
Privacy
Tuesday, February 7 — Privacy
- Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices. Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal, and Arvind Narayanan. CCS, 2019.
- The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, Claudia Diaz. CCS, 2014.
Thursday, February 9 — Pre-proposal presentations
Real World Crypto
Tuesday, February 14 — Crypto
- Zero-Knowledge Middleboxes. Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, and Michael Walfish. Usenix Security, 2022.
- Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger et al. CCS, 2015.
- DROWN: Breaking TLS using SSLv2. Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta et al. Usenix Security, 2016.
Thursday, February 16 — Certificates
- Tracking Certificate Misissuance in the Wild. Deepak Kumar, Zhengping Wang, Matthew Hyder, Joseph Dickinson, Gabrielle Beck, David Adrian, Joshua Mason, Zakir Durumeric, J. Alex Halderman, and Michael Bailey. Oakland, 2018.
- Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web. Josh Aas, Richard Barnes, Benton Case, Zakir Durumeric, Peter Eckersley, Alan Flores-López, J. Alex Halderman et al. CCS, 2019.
- Analysis of the HTTPS Certificate Ecosystem. Zakir Durumeric, James Kasten, Michael Bailey, and J. Alex Halderman. IMC, 2013.
Critical Systems
Tuesday, February 21 — IoT Security
- IoT Inspector: Crowdsourcing Labeled Network Traffic from Smart Home Devices at Scale. Danny Yuxing Huang, Noah Apthorpe, Frank Li, Gunes Acar, and Nick Feamster. Interactive, Mobile, Wearable and Ubiquitous Technologies, 2020.
- All Things Considered: An Analysis of IoT Devices on Home Networks. Deepak Kumar, Kelly Shen, Benton Case, Deepali Garg, Galina Alperovich, Dmitry Kuznetsov, Rajarshi Gupta, and Zakir Durumeric. Usenix Security, 2019.
- SoK: Security Evaluation of Home-Based IoT Deployment. Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. Oakland, 2019.
Thursday, February 23 — Automotive Security
- Experimental Security Analysis of a Modern Automobile. Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy et al. Oakland, 2010.
- A Comprehensive Study of Autonomous Vehicle Bugs. Joshua Garcia, Yang Feng, Junjie Shen, Sumaya Almanee, Yuan Xia, and Qi Alfred Chen. ICSE, 2020.
Spring Break
Tuesday, February 28 — No class
Thursday, March 2 — No class
Nation State Attacks and Data Provenance
Tuesday, March 7 — Nation State Attacks
- Measuring the Security Harm of TLS Crypto Shortcuts. Drew Springall, Zakir Durumeric, and J. Alex Halderman. IMC, 2016.
- NSA TAO Chief on Disrupting Nation State Hackers (Talk). Rob Joyce. USENIX Enigma Conference, 2016.
- Decoding the Summer of Snowden. Julian Sanchez. Cato Policy Report, 2013.
Thursday, March 9 — Data Provenance
- Tactical Provenance Analysis for Endpoint Detection and Response Systems. Wajih Ul Hassan, Adam Bates, Daniel Marino. Oakland, 2020.
- NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage. Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. NDSS, 2019.
Embedded Devices Security
Tuesday, March 14 — No class
Thursday, March 16 — Embedded Security and Medical Devices
- SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks. Michael Rushanan, Aviel D. Rubin, Denis Foo Kune, and Colleen M. Swanson. Oakland, 2014.
- Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems. Takeshi Sugawara, Benjamin Cyr, Sara Rampazzi, Daniel Genkin, and Kevin Fu. Usenix Security, 2020.
Software Security
Tuesday, March 21 — No class
Thursday, March 23 — Malware
- Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software. Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp et al. Usenix Security, 2016.
- Nazca: Detecting Malware Distribution in Large-Scale Networks. Luca Invernizzi, Stanislav Miskovic, Ruben Torres, Christopher Kruegel, Sabyasachi Saha, Giovanni Vigna, Sung-Ju Lee, and Marco Mellia. NDSS, 2014.
Hardware Security and Machine Learning
Tuesday, March 28 — Hardware Attacks
- Exploiting the DRAM rowhammer bug to gain kernel privileges. Mark Seaborn and Thomas Dullien. 2015.
- SpecHammer: Combining Spectre and Rowhammer for New Speculative Attacks. Youssef Tobah, Andrew Kwong, Ingab Kang, Daniel Genkin, and Kang G. Shin. IEEE SP, 2022.
Thursday, March 30 — Machine Learning
- Towards Evaluating the Robustness of Neural Networks. Nicholas Carlini and David Wagner. IEEE SP, 2017.
- Robust Physical-World Attacks on Deep Learning Visual Classification. Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. CVPR, 2018.
Election Security
Tuesday, April 4 — Election Security
- Can Voters Detect Malicious Manipulation of Ballot Marking Devices? Matthew Bernhard, Allison McDonald, Henry Meng, Jensen Hwa, Nakul Bajaj, Kevin Chang, and J. Alex Halderman. Oakland, 2020.
- Security Analysis of the Democracy Live Online Voting System. Michael A. Specter and J. Alex Halderman. Usenix Security, 2021.