CSE 127: Computer Security: Syllabus

Date	Topic and reading
Tue, Jan. 8	Introduction Reading: S. Inguva et al.: Source Code Review of the Hart InterCivic Voting System (Chapter 3 only) K. Thompson: Reflections on Trusting Trust
Thu, Jan. 10	Buffer Overflows and Memory Safety Reading: U. Erlingsson: Low-level Software Security: Attacks and Defenses Aleph One: Smashing The Stack For Fun And Profit Scut and Team Teso: Exploiting Format String Vulnerabilities
Tue, Jan. 15	(Class canceled)
Thu, Jan. 17	Sandboxing and Legacy Software Reading: B. Lampson: A Note on the Confinement Problem T. Garfinkel: Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools S. McCamant and G. Morrisett: Evaluating SFI for a CISC Architecture
Tue, Jan. 22	Writing Secure Code Reading: J. Saltzer and M. Schroeder: The Protection of Information in Computer Systems D.J. Bernstein: Some thoughts on security after ten years of qmail 1.0 H. Chen, D. Wagner, and D. Dean: Setuid Demystified D. Wheeler: Secure Programming for Linux and Unix HOWTO (optional) R. Seacord and CERT: CERT Secure Coding Standards (optional)
Thu, Jan. 24	The TCP/IP Protocol Suite Reading: S. Bellovin: A Look Back at “Security Problems in the TCP/IP Protocol Suite” S. Bellovin: Using the Domain Name System for System Break-Ins R. Morris: A Weakness in the 4.2BSD Unix TCP/IP Software S. Savage et al.: TCP Congestion Control with a Misbehaving Receiver
Tue, Jan. 29	Firewalls and NATs Reading: E. Zwicky, S. Cooper, and B. Chapman: Building Internet Firewalls (optional)
Thu, Jan. 31	Intrusion Detection and Denial of Service Reading: Vern Paxson: Bro: A System for Detecting Network Intruders in Real-Time T. Ptacek and T. Newsham: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection D. Moore, G. Voelker, and S. Savage: Inferring Internet Denial of Service Activity
Tue, Feb. 5	SSH, SSL, and IPsec Guest lecturer: Eric Rescorla Slides: PDF Reading: none
Thu, Feb. 7	Web Server Language Security S. Clowes: A Study In Scarlet Exploiting Common Vulnerabilities in PHP Applications C. Anley: Advanced SQL Injection In SQL Server Applications
Tue, Feb. 12	Browser Security Guest lecturer: Collin Jackson Slides: PDF Reading: none
Thu, Feb. 14	Web Server Security Reading: K. Fu et al.: Dos and Don'ts of Client Authentication on the Web
Tue, Feb. 19	Spam and Phishing Reading: A. Ramachandran and N. Feamster: Understanding the Network-level Behavior of Spammers R. Dhamija, J. D. Tygar and M. Hearst: Why Phishing Works
Thu, Feb. 21	Worms and Botnets Reading: D. Moore et al.: Inside the Slammer Worm S. Staniford et al.: The Top Speed of Flash Worms The Honeynet Project: Know your Enemy: Tracking Botnets
Tue, Feb. 26	Application security, concluded Reading: none.
Thu, Feb. 28	Authentication Reading: D. Davis et al.: On User Choice in Graphical Password Schemes B. Ross et al.: Stronger Password Authentication using Browser Extensions
Tue, Mar. 4	Access Control, Covert Channels, the Common Criteria, and Secure Operating Systems Reading (skim): M. Schroeder and J. Saltzer: A Hardware Architecture for Implementing Protection Rings (1971) P. Karger and R. Schell: Multics Security Evaluation: Vulnerability Analysis (1974); or reformatted here P. Karger and R. Schell: Thirty Years Later: Lessons from the Multics Security Evaluation (2002) J. Saltzer and M. Schroeder: The Protection of Information in Computer Systems (1974) P. Karger: Non-discretionary Access Control for Decentralized Computing Systems (1977) R.M. Tague: Multics Security Model—Bell and LaPadula (1985) N. Zeldovich: Securing Untrustworthy Software using Information Flow Control (2007)
Thu, Mar. 6	New and Advanced Topics, I: x86 Security Reading: N. Sovarel, D. Evans, and N. Paul: Where's the FEEB? The Effectiveness of Instruction Set Randomization H. Shacham: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
Tue, Mar. 11	New and Advanced Topics, II: Voting Reading: T. Kohno et al.: Analysis of an Electronic Voting System A. Feldman, A. Halderman, and E. Felten: Security Analysis of the Diebold AccuVote-TS Voting Machine S. Inguva et al.: Source Code Review of the Hart InterCivic Voting System
Thu, Mar. 13	Wrapping Up A. Halderman et al.: Lest We Remember: Cold Boot Attacks on Encryption Keys
Tue, Mar. 18 3:00–6:00 PM	(Final Exam)

CSE 127: Computer Security: Syllabus

Navigation: CSE // CSE 127 // Syllabus