The lectures and readings listed here are subject to change, including
in response to current events (e.g., major new security holes).
- Sep 13
  - Access Control
    - Text, Chapter 2
    - The man page for Linux access control lists; run 'man 5 acl' on the CLIC machines
- Sep 22
  - Introduction to Cryptography
    - Text, Chapter 7
    - The Story of Alice and Bob
    - New Directions in Cryptography, Whitfield Diffie and Martin E. Hellman, IEEE Transactions on Information Theory, vol. IT-22, no. 6, pp. 644-654, November 1976.
    - British invention of non-secret encryption (recommended)
    - A method for obtaining digital signatures and public-key cryptosystems, R. L. Rivest, A. Shamir, L. Adleman, Communications of the ACM, Volume 21, Issue 2, February 1978. (recommended)
- Oct 06
  - Secure Programming I
    - Text, Chapter 6
    - The emperor's old clothes, Charles Antony Richard Hoare, Communications of the ACM, Volume 24, Issue 2, February 1981.
    - Smashing The Stack For Fun And Profit, Aleph One, Phrack 49, Volume Seven, Issue Forty-Nine, File 14 of 16.
    - Static Analysis for Security, Gary McGraw, IEEE Security & Privacy (Nov/Dec 2004).
- Oct 11
  - Secure Programming II
    - Hacking the D.C. Internet Voting Pilot, J. Alex Halderman, October 5, 2010.
    - Windows DLL-loading security flaw puts Microsoft in a bind, Peter Bright, Ars Technica, August 24, 2010.
    - The Windows DLL Loading Security Hole, Larry Seltzer, Dr. Dobb's, September 9, 2010.
    - Preparation of Internationalized Strings ("stringprep"), Paul Hoffman, RFC 3454, December 2002.
    - Checking for Race Conditions in File Accesses, Matt Bishop and Michael Dilger, Computing Systems 9(2), pp. 131-152 (Spring 1996).
    - setuid: checklist for security of setuid programs
    - Writing Safe SetUID Programs, Matt Bishop
    - Using Attack Surface Area And Relative Attack Surface Quotient To Identify Attackability, Ernst & Young LLP.
- Oct 13
  - Protecting the Client
    - Text, Chapter 13
    - Fare Collection Vulnerability Assessment Report, Zack Anderson, Russell Ryan, Alessandro Chiesa, August 8, 2008.
    - Anatomy of a Subway Hack, Zack Anderson, Russell Ryan, Alessandro Chiesa, (censored) DEFCON presentation, August 2008.
    - Dutch Public Transit Card Broken, Andy Tanenbaum.
    - Microsoft Updating Without Permission: When No Doesn't Mean No!, Lauren Weinstein's Blog, September 13, 2007.
    - Reading Between the Lines: Lessons from the SDMI Challenge, Scott A. Craver, Min Wu, Bede Liu, Adam Stubblefield, Ben Swartzlander, Dan W. Wallach, Drew Dean, and Edward W. Felten, Proc. of the 10th USENIX Security Symposium, August 2001.
    - Viewpoint: the ACM declaration in Felten v. RIAA, B. Simons, Commun. ACM 44(10), pp. 23-26 (Oct. 2001).
    - Java Card Security: How Smart Cards and Java Mix, from Securing Java: Getting Down to Business with Mobile Code, Gary McGraw and Ed Felten, John Wiley & Sons, 1999.
    - MYK-78 CLIPPER CHIP: ENCRYPTION/DECRYPTION ON A CHIP (recommended)
    - Using Memory Errors to Attack a Virtual Machine, A. Appel and S. Govindavajhala, IEEE Symposium on Security and Privacy, 2003 ("Oakland Security Conference"). (recommended)
    - Overview of Differential Power Analysis: an engineering overview of Differential Power Analysis by Paul Kocher, Joshua Jaffe, and Benjamin Jun. (recommended)
    - Information Hiding: A Survey, Fabien A. P. Petitcolas, Ross J. Anderson and Markus G. Kuhn, Proceedings of the IEEE, special issue on protection of multimedia content, 87(7):1062-1078, July 1999. (recommended)
    - The Risk of ePassports and RFID, THC Blog, Sep 29, 2008. (recommended)
- Nov 08
  - Confinement
    - A domain and type enforcement UNIX prototype, Lee Badger, Daniel F. Sterne, David L. Sherman, and Kenneth M. Walker, Proc. of the 5th USENIX UNIX Security Symposium, 1995. (recommended)
    - A Secure Environment for Untrusted Helper Applications, Ian Goldberg, David Wagner, Randi Thomas and Eric A. Brewer, Proc. USENIX Security Symposium, 1996. (recommended)
    - Capsicum: Practical Capabilities for UNIX, Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway, Proc. 19th USENIX Security Symposium, 2010. (recommended)
- Nov 10
  - Viruses and Trojan Horses
    - Recreating the Trojan Horse?
    - Computer Viruses - Theory and Experiments, F. Cohen, DOD/NBS 7th Conference on Computer Security; originally appearing in IFIP-sec 84, also appearing as an invited paper in IFIP-TC11, "Computers and Security", V6#1 (Jan. 1987), pp. 22-35.
    - Reflections on trusting trust, Ken Thompson, CACM 27:8, August 1984.
    - Viral Attacks On UNIX System Security, Tom Duff, August 1987.
    - The worm programs -- early experience with a distributed computation, John Shoch and Jon Hupp, Communications of the ACM 25:3 (March 1982).
    - With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
    - Come Sunday, it will be 20 years ago that day a worm came out to play
    - Tool turns unsuspecting surfers into hacking help, CNET, March 20, 2007.
    - JavaScript opens doors to browser-based attacks, CNET, July 28, 2006.
    - Oldest known depiction of the Trojan Horse, from the "Vase of Mykonos", almost 2700 years old
    Readings mentioned in class:
- Nov 24
  - Security Analysis II
    - ITS4: A Static Vulnerability Scanner for C and C++ Code, John Viega, J. T. Bloch, Tadayoshi Kohno, and Gary McGraw, Annual Computer Security Applications Conference, 2000.
    - Checking for Race Conditions in File Accesses, M. Bishop and M. Dilger, Computing Systems 9:2, pp. 131-152 (Spring 1996).
    - CGI/Perl Taint Mode FAQ
    - Perl Advisor: Taint so Easy, Is It?, Randal L. Schwartz, Unix Review, August 2000.
    - Static analysis and computer security: New techniques for software assurance, David Wagner, Ph.D. dissertation, University of California at Berkeley, Dec. 2000. (recommended)
    - Using CQUAL for Static Analysis of Authorization Hook Placement, Xiaolan Zhang, Antony Edwards, and Trent Jaeger, Proc. USENIX Security, 2002. (recommended)
- Dec 06
  - After an Attack
    - "The Taking of Clark", Chapter 17, Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second Edition, Addison-Wesley, 2003.
    - "File System Analysis", Chapter 4, Forensic Discovery, Dan Farmer and Wietse Venema, Addison-Wesley, 2004. Read Chapter 4.
    - Playing "Hide and Seek" with Stored Keys, Adi Shamir and Nicko van Someren, Proceedings of the Third International Conference on Financial Cryptography, 1999. (recommended)
- Dec 13
  - Final Exam
    If having the exam on the last day of class is a problem for you, please contact me directly.