Course schedule overview
The scheduling and selection of lecture topics is subject to
minor adjustment as the semester progresses, but the assignment
and exam dates are not expected to change.
The "Lecture topic" links just link to the detailed information
further down the page, so they may not seem to go anywhere if the
detailed information is already visible in your window.
Detailed reading and lecture schedule
- Wednesday, September 4th
(8-up slides):
High level overview,
course assignments and grading logistics. No readings.
- Monday, September 9th
(8-up slides, updated with announcements):
Overview of course first half,
examples of software and OS-level vulnerabilities and attacks.
Readings:
Anderson 3rd Ed Chapter 1, "What Is Security Engineering?",
second edition equivalent Chapter 1, "What Is Security Engineering?";
Anderson 3rd Ed Chapter 27, "Secure Systems Development",
second edition equivalent Chapter 25, "Managing the Development of Secure
Systems".
- Wednesday, September 11th
(8-up slides):
Low-level
vulnerabilities. Reading: Crispin Cowan, Perry Wagle, Calton Pu,
Steve Beattie, and Jonathan Walpole. Buffer
Overflows: Attacks and Defenses for the Vulnerability of the
Decade (IEEE version, some formatting issues) (local mirror of author's version), DISCEX 2000.
- Monday, September 16th
(8-up slides):
Low-level attack techniques. Reading: Tilo Müller, ASLR Smack & Laugh Reference (posted with permission of the author)
- Wednesday, September 18th
(8-up slides)
Low-level defenses and counter-attacks, part 1. Reading:
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and
Jay Ligatti. “Control-flow
integrity”, ACM CCS 2005. (Campus download link)
- Monday, September 23rd
(8-up slides):
Low-level defenses and counter-attacks, part 2. Reading: Hovav
Shacham. “The geometry of
innocent flesh on the bone: return-into-libc without function
calls (on the x86)”, ACM CCS 2007, and
Nicolas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R. Gross, “Control-Flow Bending: On the Effectiveness of Control-Flow Integrity”, USENIX Security 2015.
- Wednesday, September 25th
(8-up slides):
Defensive programming and design
1. Readings: Jerome H. Saltzer and Michael D. Schroeder, The
Protection of Information in Computer Systems. Part I: Basic
Principles Of Information Protection. David Wheeler, Secure
Programming for Linux and Unix HOWTO, chapter 6: Avoid Buffer
Overflow and chapter 7: Structure Program Internals and Approach.
- Monday, September 30th
(8-up slides):
Defensive programming and design
2. Reading: Daniel J. Bernstein, Some thoughts
on security after ten years of qmail 1.0, CSAW 2007.
- Wednesday, October 2nd
(8-up slides):
OS security: authentication and
basic access control. Readings:
Anderson 3rd edition Chapter 3, "Psychology and Usability",
section 3.4: "Passwords", second edition equivalent
Chapter 2 Usability
and Psychology sections 2.4-2.5: "Passwords" and "System
Issues".
Anderson 3rd edition Chapter 17, "Biometrics", second edition equivalent
Chapter 15 Biometrics.
- Monday, October 7th
(8-up slides):
OS security: access control.
Readings: Anderson 3rd edition Chapter 6, "Access Control",
second edition equivalent Chapter 4 Access
Control.
Anderson 3rd edition Chapter 9, "Multilevel Security",
second edition equivalent Chapter 8 Multilevel
Security. Mark S. Miller, Ka-Ping Yee, and Jonathan
Shapiro, "Capability
Myths Demolished" Technical Report SRL2003-02, Systems
Research Laboratory, Johns Hopkins University.
- Wednesday, October 9th
(main 8-up slides,
extra 8-up slides on transient execution):
Side and covert channels.
Readings: Dawn Song, David Wagner, and Xuqing Tian.
“Timing
Analysis of Keystrokes and Timing Attacks on SSH”,
USENIX Security 2001; and Claudio Canella, Jo Van Bulck,
Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp
Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel
Gruss. “A
Systematic Evaluation of Transient Execution Attacks and
Defenses”, USENIX Security 2019.
- Monday, October 14th
(8-up slides):
OS security: high assurance?
Readings: Anderson 3rd edition Chapter 10, "Boundaries".
second edition equivalent Chapter 9 Multilateral
Security.
Anderson 3rd edition Chapter 28, "Assurance and Sustainability",
second edition equivalent Chapter 26, System
Evaluation and Assurance.
- Wednesday, October 16th (8-up slides):
Introduction to network security: protocols and attacks.
Readings: Firewalls and
Internet Security: Repelling the Wily Hacker. William
R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second
Edition. Chapter 2, A Security Review of
Protocols: Lower Layers and Chapter 3, Security Review: The
Upper Layers.
- Monday, October 21st:
Electronic voting.
Readings: Anderson third edition section 25.5, Elections; second edition equivalent section 23.5, Elections (part of chapter 23,
The
Bleeding Edge); Joseph A. Calandrino, Ariel J. Feldman,
J. Alex Halderman, David Wagner, Harlan Yu, and William
P. Zeller. "Source
Code Review of the Diebold Voting System", Executive Summary
through Section 3: Major Attacks (pp. i-17); David Chaum,
Richard Carback, Jeremy Clark, Aleksander Essex, Stefan
Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and
Alan T. Sherman. "Scantegrity
II: End-to-End Verifiability for Optical Scan Election Systems
using Invisible Ink Confirmation Codes", EVT 2008.
- Wednesday, October 23rd: no lecture or readings, in-class midterm.
The 2013,
2014,
2015,
2017,
spring 2019,
fall 2019, and
2021
midterms are available for comparison.