Readings
Paper Response Guidelines
Write a ~400 word critical response to each required paper.
-
In the first paragraph:
- State the problem that the paper tries to solve; and
- Summarize the main contributions.
-
In one or more additional paragraphs:
- Evaluate the paper's strengths and weaknesses;
- Discuss something you would have done differently if you had written the paper; and
- Suggest one or more interesting open problems on related topics.
Your most important task is to demonstrate that you've read the paper and thought carefully about the topic.
Paper responses are due before the start of class via the online submission system. After you upload your work, the system will ask you to assess two responses written by your peers. We'll combine peer feedback and our own evaluation when determining your grade.
Reading List
Introduction / Logistics
 
Wednesday, January 8 — Introduction / Logistics
- The Security Mindset. Bruce Schneier. 2008.
- How to Read a Paper. S. Keshav.
- How to Give a Great Research Talk. Simon Payton Jones. Microsoft Research, 2016.
- How to Write a Great Research Paper. Simon Payton Jones. Microsoft Research, 2016.
Ethics / DNS
Monday, January 13 — Ethics
- The Menlo Report: Ethical Principles. 2012.
- No Encore for Encore? Ethical questions for web-based censorship measurement. Arvind Narayanan, and Bendert Zevenbergen. 2015.
- Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations. Tadayoshi Kohno, University of Washington; Yasemin Acar, Paderborn University & George Washington University; Wulf Loh, Universität Tübingen. USENIX Security 2023
Wednesday, January 15 — DNS
- DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels. Man, Keyu, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, and Haixin Duan. ACM SIGSAC Conference on Computer and Communications Security, 2020.
- A Longitudinal, End-to-End View of the DNSSEC Ecosystem. Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove and Christo Wilson. USENIX Security 2017
- An Illustrated Guide to the Kaminsky DNS Vulnerability. Steve Friedl, 2008.
TCP/IP
Monday, January 20 — No Class
Wednesday, January 22 — TCP/IP
- Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy and Lisa M. Marvel. Usenix Security, 2016.
- Augur: Internet-wide detection of connectivity disruptions. Paul Pearce, Roya Ensafi, Frank Li, Nick Feamster and Vern Paxson. IEEE Security & Privacy, 2017.
- Your Router is My Prober: Measuring IPv6 Networks via ICMP Rate Limiting Side Channels. Long Pan, Jiahai Yang, Lin He, Zhiliang Wang, Leyao Nie, Guanglei Song and Yaozhong Liu. NDSS, 2023.
- PMTUD is not Panacea: Revisiting IP Fragmentation Attacks against TCP. Xuewei Feng, Qi Li, Kun Sun, Ke Xu, Baojun Liu, Xiaofeng Zheng, Qiushi Yang, Haixin Duan and Zhiyun Qian. NDSS, 2022.
DOS / Anonymous Communication
Monday, January 27 — DOS
- Weaponizing Middleboxes for TCP Reflected Amplification. Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, Dave Levin. USENIX Security, 2021.
- Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Christian Rossow. NDSS, 2014.
- Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks. Johannes Krupp, Michael Backes, and Christian Rossow. CCS, 2016.
Wednesday, January 29 — Anonymous Communication
- Tor: The Second-Generation Onion Router. Paul Syverson, Roger Dingledine, and Nick Mathewson. Usenix Security, 2004.
- On the anonymity of peer-to-peer network anonymity schmes used by cryptocurrencies. Piyush Kumar Sharma, Devashish Gosain and Claudia Diaz. NDSS, 2023.
Web & Email / Botnets and Malware
Monday, February 3 — Web & Email
- Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. Asuman Senol, Gunes Acar, Mathias Humbert and Frederik Zuiderveen Borgesius. USENIX Security, 2022.
- Composition Kills: A Case Study of Email Sender Authentication. Jianjun Chen, Vern Paxson and Jian Jiang. USENIX Security, 2020.
Wednesday, February 5 — Botnets and Malware
- Understanding the Mirai Botnet. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric et al. Usenix Security, 2017.
- Your botnet is my botnet: analysis of a botnet takeover. Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna. CCS, 2009.
Real-world Crypto & PKI / Mobile Security
Monday, February 10 — Real-world Crypto & PKI
- Zero-Knowledge Middleboxes. Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, and Michael Walfish. Usenix Security, 2022.
- Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger et al. CCS, 2015.
- Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web. Josh Aas, Richard Barnes, Benton Case, Zakir Durumeric, Peter Eckersley, Alan Flores-López, J. Alex Halderman et al. CCS, 2019.
Wednesday, February 12 — Mobile Security
- 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System. Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, Serge Egelman USENIX Security, 2019.
- Unmasking the Veiled: A Comprehensive Analysis of Android Evasive Malware. Antonio Ruggia, Dario Nisi, Savino Dambra, Alessio Merlo, Davide Balzarotti and Simone Aonzo. ACM CCS, 2024.
Wireless Security / Private Messaging
Monday, February 17 — Wireless Security
- Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks. Xin’an Zhou, Qing Deng, Juefei Pu, Keyu Man, Zhiyun Qian and Srikanth V. Krishnamurthy. ACM CCS, 2024.
- Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen. IEEE Security & Privacy, 2020.
Wednesday, February 19 — Private Messaging
- SoK: Secure Messaging. Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg and Matthew Smith. IEEE Security & Privacy, 2015.
- CONIKS: Bringing Key Transparency to End Users. Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten and Michael J. Freedman. IEEE Security & Privacy, 2015.
Differential Privacy
Monday, February 24 — Differential Privacy
- Differential Privacy. Cynthia Dwork. ICALP, 2006.
Wednesday, February 26 — No Class
Spring Break
Monday, March 3 — No Class
Wednesday, March 5 — No Class
Project Proposal
Monday, March 10 — Project Proposal
Wednesday, March 12 — Project Proposal
Censorship Measurement and Circumvention
Monday, March 17 — Censorship Measurement
- Global, Passive Detection of Connection Tampering. Ram Sundara Raman, Louis-Henri Merino, Kevin Bock, Marwan Fayed, Dave Levin, Nick Sullivan, and Luke Valenta SIGCOMM, 2023.
- Measuring the Deployment of Network Censorship Filters at Global Scale. Ram Sundara Raman, Adrian Stoll, Jakub Dalek, Reethika Ramesh, Will Scott, and Roya Ensafi NDSS, 2022.
- Network Measurement Methods for Locating and Examining Censorship Devices. Ram Sundara Raman, Mona Wang, Jakub Dalek, Jonathan Mayer, and Roya Ensafi CONEXT, 2022.
- Decentralized Control: A Case Study of Russia. Reethika Ramesh, Ram Sundara Raman, Matthew Bernhard, Victor Ongkowijaya, Leonid Evdokimov, Anne Edmundson, Steven Sprecher, Muhammad Ikram, and Roya Ensafi NDSS, 2020.
Wednesday, March 19 — Censorship Circumvention
- Snowflake, a censorship circumvention system using temporary WebRTC proxies. Xiaokang Wang, David Fifield, Cecylia Bocovich, Serene and Arlo Breault. USENIX Security 2024
- SoK: Towards Grounding Censorship Circumvention in Empiricism. Michael Carl Tschantz, Sadia Afroz, Anonymous and Vern Paxson. IEEE Security & Privacy, 2016.
- Blocking-resistant communication through domain fronting. David Fifield, Chang Lan, Rod Hynes, Percy Wegmann and Vern Paxson. PETS, 2015.
Traffic Analysis and VPN Security
Monday, March 24 — Traffic Analysis
- Online Website Fingerprinting: Evaluating Website Fingerprinting Attacks on Tor in the Real World. Giovanni Cherubin, Rob Jansen, and Carmela Troncoso USENIX Security, 2022.
- GGFAST: Automating Generation of Flexible Network Traffic Classifiers. Julien Piet, Dubem Nwoji, and Vern Paxson SIGCOMM, 2023.
- A Measurement of Genuine Tor Traces for Realistic Website Fingerprinting. Rob Jansen, Ryan Wails, and Aaron Johnson Technical Report, 2024.
- Repositioning Real-World Website Fingerprinting on Tor. Rob Jansen, Ryan Wails, and Aaron Johnson WPES, 2024.
Wednesday, March 26 — VPN Security
- Blind In/On-Path Attacks and Applications to VPNs. William J. Tolley, Beau Kujath, Mohammad Taha Khan, Narseo Vallina-Rodriguez, and Jedidiah R. Crandall USENIX Security 2021
- Attacking Connection Tracking Frameworks as used by Virtual Private Networks. Benjamin Mixon-Baca, Jeffrey Knockel, Diwen Xue, Tarun Ayyagari, Deepak Kapur, Roya Ensafi, and Jedidiah R. Crandall PETS 2024
- VPNalyzer: Systematic Investigation of the VPN Ecosystem. Reethika Ramesh, Leonid Evdokimov, Diwen Xue, and Roya Ensafi NDSS, 2022.
- "All of them claim to be the best": Multi-perspective study of VPN users and VPN providers. Reethika Ramesh, Anjali Vyas, and Roya Ensafi USENIX Security, 2023.
Dis/Misinformation and Machine Learning
Monday, March 31 — Dis/Misinformation
- Specious Sites: Tracking the Spread and Sway of Spurious News Stories at Scale. Hans W. A. Hanley, Deepak Kumar, and Zakir Durumeric IEEE SP, 2024.
- A Golden Age: Conspiracy Theories’ Relationship with Misinformation Outlets, News Media, and the Wider Internet. Hans W. A. Hanley, Deepak Kumar, and Zakir Durumeric CSCW, 2023.
- Happenstance: Utilizing Semantic Search to Track Russian State Media Narratives about the Russo-Ukrainian War On Reddit. Hans W. A. Hanley, Deepak Kumar, and Zakir Durumeric ICWSM, 2023.
Wednesday, April 2 — Machine Learning
- PRP: Propagating Universal Perturbations to Attack Large Language Model Guard-Rails. Neal Mangaokar, Ashish Hooda, Jihye Choi, Shreyas Chandrashekaran, Kassem Fawaz, Somesh Jha, and Atul Prakash ACL 2024
- Stateful Defenses for Machine Learning Models Are Not Yet Secure Against Black-box Attacks. Ryan Feng, Ashish Hooda, Neal Mangaokar, Kassem Fawaz, Somesh Jha, and Atul Prakash CCS 2023
Hardware and IoT Security
Monday, April 7 — Hardware Security
- Spectre Attacks: Exploiting Speculative Execution. Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin,Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp,Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom IEEE SP, 2019.
- SpecHammer: Combining Spectre and Rowhammer for New Speculative Attacks. Tobah, Youssef and Kwong, Andrew and Kang, Ingab and Genkin, Daniel and Shin, Kang G. IEEE SP, 2022.
- Exploiting the DRAM rowhammer bug to gain kernel privileges. Mark Seaborn and Thomas Dullien. 2015.
- Meltdown: Reading Kernel Memory from User Space. Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg USENIX Security, 2018.
Wednesday, April 9 — IoT Security
- IoT Inspector: Crowdsourcing Labeled Network Traffic from Smart Home Devices at Scale. Danny Yuxing Huang, Noah Apthorpe, Frank Li, Gunes Acar, and Nick Feamster. Interactive, Mobile, Wearable and Ubiquitous Technologies, 2020.
- The TV is Smart and Full of Trackers: Measuring Smart TV Advertising and Tracking. Janus Varmarken, Hieu Le, Anastasia Shuba, Athina Markopoulou, and Zubair Shafq PETS, 2020.
- SoK: Security Evaluation of Home-Based IoT Deployment. Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. Oakland, 2019.