To create effective security mechanisms, you must understand the capabilities of real-world attackers. Practical experience suggests that many protection mechanisms (e.g. firewalls, access control, passwords, security patches) are not enough for defending against skilled and persistent hackers. ENEE 757 therefore aims to complement an understanding of the design and implementation of protection mechanisms with knowledge of security analytics, used to measure the effectiveness of security mechanisms or to infer malicious activity from large volumes of data.
ENEE 757 is a graduate security class. This means that knowledge is not delivered mainly through lectures where you sit back and listen; instead, you will learn by reading, explaining and doing. You will read 2-3 recent papers per week; most of the information from these papers is not covered in any textbook. Before each class you will submit critiques for the papers you read, using a defined written template; in class, I will randomly call upon a few students to discuss the papers' contributions and weaknesses. You will also apply some of the ideas discussed in a semester long project, for which you are encouraged to form teams with 2+ members. Your grades will be based on two background homeworks, the paper critiques, class participation, the course project, and a final exam.
No required textbook. Reading materials will be provided on the course website and/or distributed in class. If you lack the basic background in security, the following textbooks may be helpful:
Your final grade for the course will be based on the following weights:
Submit your homeworks and critiques using the GRACE system.
Paper critiques are due at 11 am one week before class, unless otherwise indicated.
Project and homework submissions are due at midnight on the indicated days.
The schedule is also available as an ical file that you can subscribe to.
| # | Date | Topics | Notes | Readings |
|---|---|---|---|---|
| Part 1: Fundamentals | ||||
| 1 | Mon 08/31 | Introduction to security: trust, threat models, attack vectors and security properties [pdf] |
Measuring Pay-per-Install: The Commoditization of Malware Distribution | |
| 2 | Wed 09/02 | Memory corruption and vulnerability exploits [pdf] |
Low-Level Software Security by Example | |
| Mon 09/07 | Labor Day |
|||
| 3 | Wed 09/09 | Cryptography: guarantees provided and common misuse patterns [pdf] |
Homework #1 due First critiques due (for readings on 09/14 and 09/16) |
Cryptographic Misuse in Android Applications |
| 4 | Mon 09/14 | OS protection mechanisms: least privilege, reference monitors, confinement [pdf] |
Template Pilot-project proposals due |
Efficient Software-Based Fault Isolation |
| 5 | Wed 09/16 | Network security fundamentals: threats and attack detection [pdf] |
Template | A Look Back at "Security Problems in the TCP/IP Protocol Suite" |
| 6 | Mon 09/21 | Trustworthy computing and the trusted computed base [pdf] |
Template | Flicker, Nexus |
| Part 2: Authentication and Access Control in Distributed Systems | ||||
| Wed 09/23 | Guest lecture: Ksenia Dmitrieva (Cigital) [pdf] |
In room AVW 2460 (instead of JMP 1202) | ||
| 7 | Mon 09/28 | Measuring password strength [pdf] |
Template First structured discussion Pilot-project reports due |
The Science of Guessing |
| 8 | Wed 09/30 | Biometrics [pdf] |
Template Pilot-projet reviews due |
Crypto Primitives Secure Against Rubber Hose Attacks, Towards reliable storage of 56-bit secrets in human memory |
| 9 | Mon 10/05 | Authorization logic [pdf] |
Template Group-project proposals due |
Authentication in the Taos Operating System |
| 10 | Wed 10/07 | Web authentication [pdf] |
Template | The Dos and Don'ts of Client Authentication on the Web, Cookies Lack Integrity: Real-World Implications |
| Mon 10/12 | Security analytics: hands-on lab (1) [pdf] |
|||
| Wed 10/14 | Security analytics: hands-on lab (2) [pdf] |
|||
| 11 | Mon 10/19 | Usability issues in authentication [pdf] |
Homework #2 due Template |
Conditioned-safe Ceremonies, Penumbra |
| Part 3: Network-Level Attacks and Defenses | ||||
| 12 | Wed 10/21 | Internet protocols and denial of service [pdf] |
Template | Misbehaving TCP receivers can cause Internet-wide congestion collapse |
| Mon 10/26 | Project Checkpoint #1 |
|||
| 13 | Wed 10/28 | Malware distribution networks [pdf] |
Template | All Your iFRAMEs Point to Us, Topologically Dedicated Hosts on Malicious Web Infrastructures |
| 14 | Mon 11/02 | SSL/TLS and the public key infrastructure [pdf] |
Template | The SSL Landscape, Analyzing Forged SSL Certificates in the Wild |
| 15 | Wed 11/04 | Patch deployment and certificate revocation [pdf] |
Template | Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed |
| Part 4: Distributed Infrastructures Supporting Cybercrime | ||||
| 16 | Mon 11/09 | Automatic exploit generation and obfuscation [pdf] |
Template | Automatic Patch-Based Exploit Generation, Infeasibility of Modeling Polymorphic Shellcode |
| 17 | Wed 11/11 | Worms and infection spreading [pdf] |
Template | How to 0wn the Internet in Your Spare Time |
| Mon 11/16 | Project checkpoint #2 |
|||
| 18 | Wed 11/18 | DDoS [pdf] |
Template | The Crossfire Attack, STRIDE: Sanctuary Trail – Refuge from Internet DDoS Entrapment |
| 19 | Mon 11/23 | Botnets [pdf] |
Template | Your botnet is my botnet: analysis of a botnet takeover, EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis |
| 20 | Wed 11/25 | Botnets (cont'd) and spam [pdf] |
Template | Spamalytics |
| 21 | Mon 11/30 | Reputation-based security [pdf] |
Template | Guilt by-Association: Large Scale Malware Detection by Mining File-relation Graphs |
| 22 | Wed 12/02 | Security and the physical world: Internet-of-Things, robots, augmented reality |
Template | SurroundWeb: Mitigating Privacy Concerns in a 3D Web Browser |
| Mon 12/07 | Group-Project Presentations |
Group-project reports due | ||
| Wed 12/09 | Group-Project Presentations |
|||
| Fri 12/11 | Last Day of Classess (no lecture) |
Exam due | ||
Created with coursegen. Last updated: 2016-01-22 09:15:21 -0500 [validate xhtml]