Paper Response Guidelines
Write a ~400-word critical response to each required paper.
- In the first paragraph:
  - State the problem that the paper tries to solve; and
  - Summarize the main contributions.
- In one or more additional paragraphs:
  - Evaluate the paper's strengths and weaknesses;
  - Discuss something you would have done differently if you had written the paper; and
  - Suggest one or more interesting open problems on related topics.
Your most important task is to demonstrate that you've read the paper and thought carefully about the topic.
Paper responses are due before the start of class via the online submission system. After you upload your work, the system will ask you to assess two responses written by your peers. We'll combine peer feedback and our own evaluation when determining your grade.
Please expect updates until mid-August.
Welcome / Ethics
Tuesday, September 1 — Welcome
Thursday, September 3 — Ethics
- The Menlo Report: Ethical Principles. 2012.
- No Encore for Encore? Ethical questions for web-based censorship measurement. Arvind Narayanan and Bendert Zevenbergen. 2015.
- Encore: Lightweight measurement of web censorship with cross-origin requests. Sam Burnett and Nick Feamster. SIGCOMM, 2015.
- The Moral Character of Cryptographic Work.
Tuesday, September 8 — TCP/IP
- Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy, and Lisa M. Marvel. Usenix Security, 2016.
- Augur: Internet-wide detection of connectivity disruptions. Paul Pearce, Roya Ensafi, Frank Li, Nick Feamster, and Vern Paxson. Oakland, 2017.
Thursday, September 10 — DNS
- A Longitudinal, End-to-End View of the DNSSEC Ecosystem. Usenix Security, 2017.
- Satellite: Joint analysis of CDNs and network-level interference. Will Scott, Thomas Anderson, Tadayoshi Kohno, and Arvind Krishnamurthy. Usenix ATC, 2016.
- Global Measurement of DNS Manipulation. Paul Pearce, Ben Jones, Frank Li, Roya Ensafi, Nick Feamster, Nick Weaver, and Vern Paxson. Usenix Security, 2017.
- DNS observatory: The big picture of the DNS. Pawel Foremski, Oliver Gasser, and Giovane CM Moura. IMC, 2019.
Botnets and Denial of Service Attacks
Tuesday, September 15 — Botnets
- Understanding the Mirai Botnet. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric et al. Usenix Security, 2017.
- Your botnet is my botnet: analysis of a botnet takeover. Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna. CCS, 2009.
Thursday, September 17 — DoS
- Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Christian Rossow. NDSS, 2014.
- Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks. Johannes Krupp, Michael Backes, and Christian Rossow. CCS, 2016.
- Bro: A System for Detecting Network Intruders in Real-Time. Vern Paxson. Usenix Security, 1998.
Tuesday, September 22 — Anonymity
- Tor: The Second-Generation Onion Router. Paul Syverson, Roger Dingledine, and Nick Mathewson. Usenix Security, 2004.
- SoK: Secure Messaging. Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg, and Matthew Smith. Oakland, 2015.
- Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson. CCS, 2013.
- Judge Confirms What Many Suspected: Feds Hired CMU to Break Tor. Cyrus Farivar. Ars Technica, 2016.
Thursday, September 24 — Censorship Resistance
- Blocking-resistant Communication Through Domain Fronting. David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. PETS, 2015.
- Conjure: Summoning Proxies from Unused Address Space. Sergey Frolov, Jack Wampler, Sze Chuen Tan, J. Alex Halderman, Nikita Borisov, and Eric Wustrow. CCS, 2019.
- MassBrowser: Unblocking the Web for the Masses, By the Masses. Milad Nasr, Hadi Zolfaghari, and Amir Houmansadr. NDSS, 2020.
- Geneva: Evolving censorship evasion strategies. Kevin Bock, George Hughey, Xiao Qiang, and Dave Levin. CCS, 2019.
- WireGuard: Next Generation Kernel Network Tunnel. Jason A. Donenfeld. NDSS, 2017.
Tuesday, September 29 — Authentication
- Detecting Credential Spearphishing Attacks in Enterprise Settings. Grant Ho, Aashish Sharma, Mobin Javed, Vern Paxson, and David Wagner. Usenix Security, 2017.
- The Tangled Web of Password Reuse. Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and XiaoFeng Wang. NDSS, 2014.
Thursday, October 1 — Usable Security
- A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web. Elissa M. Redmiles, Noel Warford, Amritha Jayanti, Aravind Koneru, Sean Kross, Miraida Morales, Rock Stevens, and Michelle L. Mazurek. Usenix Security, 2020.
- How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior. Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek. CCS, 2016.
- Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. Devdatta Akhawe and Adrienne Porter Felt. Usenix Security, 2013.
Tuesday, October 6 — Privacy
- Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices. Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal, and Arvind Narayanan. CCS, 2019.
- The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. CCS, 2014.
Thursday, October 8 — Pre-proposal presentations. No written response required.
Real World Crypto
Tuesday, October 13 — Crypto
- Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Usenix Security, 2012.
- Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger et al. CCS, 2015.
- DROWN: Breaking TLS using SSLv2. Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta et al. Usenix Security, 2016.
Thursday, October 15 — Certificates
- Tracking Certificate Misissuance in the Wild. Deepak Kumar, Zhengping Wang, Matthew Hyder, Joseph Dickinson, Gabrielle Beck, David Adrian, Joshua Mason, Zakir Durumeric, J. Alex Halderman, and Michael Bailey. Oakland, 2018.
- Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web. Josh Aas, Richard Barnes, Benton Case, Zakir Durumeric, Peter Eckersley, Alan Flores-López, J. Alex Halderman et al. CCS, 2019.
- Analysis of the HTTPS Certificate Ecosystem. Zakir Durumeric, James Kasten, Michael Bailey, and J. Alex Halderman. IMC, 2013.
Tuesday, October 20 — IoT Security
- IoT Inspector: Crowdsourcing Labeled Network Traffic from Smart Home Devices at Scale. Danny Yuxing Huang, Noah Apthorpe, Frank Li, Gunes Acar, and Nick Feamster. Interactive, Mobile, Wearable and Ubiquitous Technologies, 2020.
- All Things Considered: An Analysis of IoT Devices on Home Networks. Deepak Kumar, Kelly Shen, Benton Case, Deepali Garg, Galina Alperovich, Dmitry Kuznetsov, Rajarshi Gupta, and Zakir Durumeric. Usenix Security, 2019.
- SoK: Security Evaluation of Home-Based IoT Deployment. Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. Oakland, 2019.
Thursday, October 22 — Automotive Security
- Experimental Security Analysis of a Modern Automobile. Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy et al. Oakland, 2010.
- A Comprehensive Study of Autonomous Vehicle Bugs. Joshua Garcia, Yang Feng, Junjie Shen, Sumaya Almanee, Yuan Xia, and Qi Alfred Chen. ICSE, 2020.
Nation State Attacks and Data Provenance
Tuesday, October 27 — Nation State Attacks
- Measuring the Security Harm of TLS Crypto Shortcuts. Drew Springall, Zakir Durumeric, and J. Alex Halderman. IMC, 2016.
- NSA TAO Chief on Disrupting Nation State Hackers (Talk). Rob Joyce. USENIX Enigma Conference, 2016.
- Decoding the Summer of Snowden. Julian Sanchez. Cato Policy Report, 2013.
Thursday, October 29 — Data Provenance
- Tactical Provenance Analysis for Endpoint Detection and Response Systems. Wajih Ul Hassan, Adam Bates, and Daniel Marino. Oakland, 2020.
- NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage. Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. NDSS, 2019.
Embedded Devices Security
Tuesday, November 3 — No class due to elections! Work on your projects. No written response required.
Thursday, November 5 — Embedded Security and Medical Devices
- SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks. Michael Rushanan, Aviel D. Rubin, Denis Foo Kune, and Colleen M. Swanson. Oakland, 2014.
- Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems. Takeshi Sugawara, Benjamin Cyr, Sara Rampazzi, Daniel Genkin, and Kevin Fu. Usenix Security, 2020.
Tuesday, November 10 — No class due to ACM Conference on Computer and Communications Security (CCS)! Work on your projects. No written response required.
Thursday, November 12 — Malware
- Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software. Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp et al. Usenix Security, 2016.
- Nazca: Detecting Malware Distribution in Large-Scale Networks. Luca Invernizzi, Stanislav Miskovic, Ruben Torres, Christopher Kruegel, Sabyasachi Saha, Giovanni Vigna, Sung-Ju Lee, and Marco Mellia. NDSS, 2014.
Hardware Security and Machine Learning
Tuesday, November 17 — Hardware Attacks
- Exploiting the DRAM rowhammer bug to gain kernel privileges. Mark Seaborn and Thomas Dullien. 2015.
- Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. Victor Van Der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clémentine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida. CCS, 2016.
- Another Flip in the Wall of Rowhammer Defenses. Daniel Gruss, Moritz Lipp, Michael Schwarz, Daniel Genkin, Jonas Juffinger, Sioli O'Connell, Wolfgang Schoechl, and Yuval Yarom. Oakland, 2018.
Thursday, November 19 — Machine Learning
- Outside the Closed World: On Using Machine Learning For Network Intrusion Detection. Robin Sommer and Vern Paxson. Oakland, 2010.
- Towards Evaluating the Robustness of Neural Networks. Nicholas Carlini and David Wagner. Oakland, 2017.
- TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time. Feargus Pendlebury, Fabio Pierazzi, Roberto Jordaney, Johannes Kinder, and Lorenzo Cavallaro. Usenix Security, 2019.
Tuesday, November 24 — No Classes
Thursday, November 26 — No Classes
Election and Mobile Security
Tuesday, December 1 — Election Security
- Can Voters Detect Malicious Manipulation of Ballot Marking Devices? Matthew Bernhard, Allison McDonald, Henry Meng, Jensen Hwa, Nakul Bajaj, Kevin Chang, and J. Alex Halderman. Oakland, 2020.
- Security Analysis of the Democracy Live Online Voting System. Michael A. Specter and J. Alex Halderman. Usenix Security, 2021.
Thursday, December 3 — Mobile Security
- An Analysis of Pre-installed Android Software. Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, and Narseo Vallina-Rodriguez. Oakland, 2020.
- Who's Calling? Characterizing Robocalls through Audio and Metadata Analysis. Sathvik Prasad, Elijah Bouma-Sims, Athishay Kiran Mylappan, and Bradley Reaves. Usenix Security, 2020.
- 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System. Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, and Serge Egelman. Usenix Security, 2019.