Course Schedule Spring 2015

This schedule is subject to change. Please check back frequently.

Date	Topic	Readings
Mar. 31	Security and Crypto Basics I
Apr. 2	Security and Crypto Basics II
Apr. 9	Crypto Failures	Assigned: Mining Your Ps and Qs Detection of Widespread Weak Keys in Embedded Devices. Heninger, Durumeric, Wustrow. Usenix Security. 2012. Lessons Learned in Implementing and Deploying Crypto Software. Gutmann. Usenix Security. 2002. Recommended: The Matter of Heartbleed. Durumeric, Kasten, Adrian, Halderman, Bailey, Li, Weaver, Amann, Beekman, Payer, Paxson. IMC. 2014. Why Information Security is Hard - An Economic Perspective. Anderson. ACSAC. 2001. Cryptanalysis of the Windows Random Number Generator. Dorrendorf, Gutterman, Pinkas. CCS. 2007. The Most Dangerous Code in the World. Georgiev, Iyengar, Jana, Anubhai, Boneh, Shmatikov. CCS. 2012.
Apr. 10	TLS and HTTPS	Assigned: SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. Clark, Van Oorschot. Oakland. 2013. Lucky thirteen: Breaking the TLS and DTLS record protocols. AlFardan, Paterson. Oakland. 2013. Recommended: The First Few Milliseconds of an HTTPS Connection. Moser. 2009. The Transport Layer Security (TLS) Protocol, Version 1.2. Dierks, Rescorla. 2008. Analysis of the HTTPS Certificate Ecosystem. Durumeric, Kasten, Bailey, Halderman. IMC. 2013. Certified lies: Detecting and defeating government interception attacks against SSL (short paper). Soghoian, Stamm. FC. 2011.
Apr. 14	Passwords	Assigned: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. Bonneau, Herley, Van Oorschot, Stajano. Oakland. 2012. The Tangled Web of Password Reuse. Das, Bonneau, Caesar, Borisov, Wang. NDSS. 2014. Recommended: PBKDF (Section 5.2 from PKCS \#5: Password-Based Cryptography Specification, Version 2.0). Kaliski. 2000. CloudCracker. Marlinspike. 2012. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. Bonneau. Oakland. 2012. Password Managers: Attacks and Defenses. Silver, Jana, Boneh, Chen, Jackson. Usenix Security. 2014.
Apr. 16	Usable Security	Assigned: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. Whitten, Whitten, Tygar, Tygar. Usenix Security. 1999. So long, and no thanks for the externalities: the rational rejection of security advice by users. Herley. NSPW. 2009. Recommended: The psychology of security for the home computer user. Howe, Ray, Roberts, Urbanska, Byrne. Oakland. 2012. Alice in warningland: a large-scale field study of browser security warning effectiveness. Akhawe, Felt. Usenix Security. 2013. Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System. Clark, Goodspeed, Metzger, Wasserman, Xu, Blaze. Usenix Security. 2011.
Apr. 21	Web Security	Assigned: Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. Louw, Venkatakrishnan. Oakland. 2009. Robust defenses for cross-site request forgery. Barth, Jackson, Mitchell. CCS. 2008. Recommended: Reining in the web with content security policy. Stamm, Sterne, Markham. WWW. 2010. Securing frame communication in browsers. Barth, Jackson, Mitchell. Usenix Security. 2009. Protection and communication abstractions for web browsers in MashupOS. Wang, Fan, Howell, Jackson. ACM SIGOPS Operating Systems Review. 2007.
Apr. 23	Isolation	Assigned: Native client: A sandbox for portable, untrusted x86 native code. Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, Fullagar. Oakland. 2009. Capsicum: practical capabilities for UNIX. Watson, Anderson, Laurie, Kennaway. Usenix Security. 2010. Recommended: Safe kernel extensions without run-time checking. Necula, Lee. SOSP. 1996. The Security Architecture of the Chromium Browser. Barth, Jackson, Reis. WWW. 2008.
Apr. 28	Trusted Computing	Assigned: A secure and reliable bootstrap architecture. Arbaugh, Farber, Smith. Oakland. 1997. Bootstrapping trust in commodity computers. Parno, McCune, Perrig. Oakland. 2010. Recommended: Reflections on trusting trust. Thompson. Communications of the ACM. 1984. The ten page introduction to trusted computing. Martin, Others. Computing Laboratory, Oxford University Oxford. 2008. TrInc: Small Trusted Hardware for Large Distributed Systems. Levin, Douceur, Lorch, Moscibroda. NSDI. 2009. Logical attestation: an authorization architecture for trustworthy computing. Sirer, de Bruijn, Reynolds, Shieh, Walsh, Williams, Schneider. SOSP. 2011.
Apr. 30	BFT	Assigned: The Byzantine Generals Problem. Lamport, Shostak, Pease. 1982. Practical Byzantine fault tolerance. Castro, Castro, Liskov, Liskov. OSDI. 1999.
May. 5	Untrusted Cloud I	Assigned: Secure untrusted data repository (SUNDR). Li, Krohn, Mazi\`{e}res, Shasha. OSDI. 2004. SPORC: Group Collaboration using Untrusted Cloud Resources. Feldman, Zeller, Freedman, Felten. OSDI. 2010. Recommended: Beyond one-third faulty replicas in Byzantine fault tolerant systems. Li, Mazi\`{e}res. NSDI. 2007. Depot: Cloud Storage with Minimal Trust. Mahajan, Setty, Lee, Clement, Alvisi, Dahlin, Walfish. OSDI. 2010.
May. 7	Untrusted Cloud II	Assigned: PeerReview: Practical Accountability for Distributed Systems. Haeberlen, Kouznetsov, Druschel. SOSP. 2007. Efficient Data Structures for Tamper-Evident Logging. Crosby, Wallach. Usenix Security. 2009. Recommended: Social networking with frientegrity: privacy and integrity with an untrusted provider. Feldman, Blankstein, Freedman, Felten. Usenix Security. 2012. Accountable Virtual Machines. Haeberlen, Aditya, Rodrigues, Druschel. OSDI. 2010.
May. 12	Untrusted Cloud III	Assigned: CryptDB: Protecting Confidentiality with Encrypted Query Processing. Popa, Redfield, Zeldovich, Balakrishnan. SOSP. 2011. Building web applications on top of encrypted data using Mylar. Helfer, Valdez, Popa, Stark, Zeldovich, Kaashoek, Balakrishnan. NSDI. 2014.
May. 14	Verifiable Computation I	Assigned: Verifying computations without reexecuting them : from theoretical possibility to near practicality. Walfish, Blumberg. ECCC. 2013. Pinocchio: Nearly practical verifiable computation. Parno, Howell, Gentry, Raykova. Oakland. 2013. Recommended: Making argument systems for outsourced computation practical (sometimes). Setty, McPherson, Blumberg, Walfish. NDSS. 2012. Taking proof-based verified computation a few steps closer to practicality. Setty, Vu, Panpalia, Braun. Usenix Security. 2012. Resolving the conflict between generality and plausibility in verified computation. Setty, Braun, Vu, Blumberg, Parno, Walfish. EuroSys. 2013.
May. 21	Verifiable Computation II	Assigned: Verifying computations with state. Braun, Feldman, Ren, Setty, Blumberg, Walfish. SOSP. 2013. Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture. Ben-sasson, Chiesa, Tromer. Usenix Security. 2014. Recommended: Verifiable computation with massively parallel interactive proofs. Thaler, Roberts. HotCloud. 2012.
May. 22	Privacy and Web Advertising	Assigned: Adnostic : Privacy Preserving Targeted Advertising. Toubiana, Narayanan, Boneh, Nissenbaum, Barocas. NDSS. 2010. Third-party web tracking: Policy and technology. Mayer, Mitchell. 2012. Recommended: Privad: practical privacy in online advertising. Guha, Cheng, Francis. NSDI. 2011. RePriv: Re-Imagining Content Personalization and In-Browser Privacy. Fredrikson, Livshits. Oakland. 2011. The Web Never Forgets: Persistent tracking mechanisms in the wild. Acar, Eubank, Englehardt, Juarez, Narayanan, Diaz. CCS. 2014. Private-by-Design Advertising Meets the Real World. Francis.
May. 26	Anonymity and Anticensorship	Assigned: Tor: The second-generation onion router. Dingledine, Mathewson, Syverson. Usenix Security. 2004. TapDance: End-to-Middle Anticensorship without Flow Blocking. Wustrow, Swanson, Halderman. Usenix Security. 2014. Recommended: The parrot is dead: Observing unobservable network communications. Houmansadr, Brubaker, Shmatikov. Oakland. 2013. A Critical Evaluation of Website Fingerprinting Attacks. Juarez, Afroz, Acar, Diaz, Greenstadt, Berkeley. CCS. 2014. Dissent: Accountable Anonymous Group Messaging. Corrigan-Gibbs, Ford. CCS. 2010. Proactively Accountable Anonymous Messaging in Verdict. Corrigan-Gibbs, Wolinsky, Ford. Usenix Security. 2013.
May. 28	Cryptocurrencies	Assigned: SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies. Bonneau, Miller, Clark, Narayanan, Kroll, Felten, Foundation. Oakland. 2015. Zerocoin: Anonymous distributed e-cash from bitcoin. Miers, Garman, Green, Rubin. Oakland. 2013. Recommended: Bitcoin: A Peer-to-Peer Electronic Cash System. Nakamoto. 2008. Zerocash: Decentralized Anonymous Payments from Bitcoin. Ben-sasson, Chiesa, Garman, Green, Miers, Tromer. Oakland. 2014.
Jun. 2	Vulnerabilities in Cloud-Hosted VMs	Assigned: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. Ristenpart, Tromer, Shacham, Savage. CCS. 2009. Cross-Tenant Side-Channel Attacks in PaaS Clouds. Juels, Ristenpart, Reiter. CCS. 2014. Recommended: When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography.. Ristenpart, Yilek. NDSS. 2010. Cross-VM side channels and their use to extract private keys. Zhang, Juels, Reiter, Ristenpart. CCS. 2012. Scheduler-based Defenses against Cross-VM. Varadarajan, Ristenpart, Swift. Usenix Security. 2014.
Jun. 4	Secure Deletion	Assigned: Vanish: Increasing data privacy with self-destructing data. Geambasu, Kohno, Levy, Levy. Usenix Security. 2009. Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. Wolchok, Hofmann, Heninger, Felten, Halderman, Rossbach, Waters, Witchel. NDSS. 2010. Recommended: SoK: Secure data deletion. Reardon, Basin, Capkun. Oakland. 2013. Shredding your garbage: Reducing data lifetime through secure deallocation. Chow, Pfaff, Garfinkel, Rosenblum. Usenix Security. 2005. Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels.. Dunn, Lee, Jana, Kim, Silberstein, Xu, Shmatikov, Witchel. OSDI. 2012.

Unfortunately, some articles require a paid subscription to a journal or digital library. These articles are linked via the UChicago library proxy, and you must authenticate with your CNetID to view them.