Course Schedule Spring 2016

Assigned:

• DROWN: Breaking TLS using SSLv2. Aviram, Schinzel, Somorovsky, Heninger, Dankel, Steube, Valenta, Adrian, Halderman, Dukhovni, K{\"{a}}sper, Cohney, Engels, Paar, Shavitt. In submission. 2016.
• Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS. Garman, Paterson, {Van Der Merwe}, Holloway. Usenix Security. 2015.

Recommended:

• Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. Adrian, Bhargavan, Durumeric, Gaudry, Green, Halderman, Heninger, Springall, Thom{\'{e}}, Valenta, Vandersloot, Wustrow, Paul. CCS. 2015.
• Lucky thirteen: Breaking the TLS and DTLS record protocols. AlFardan, Paterson. Oakland. 2013.
• The First Few Milliseconds of an HTTPS Connection. Moser. 2009.
• The Transport Layer Security (TLS) Protocol, Version 1.2. Dierks, Rescorla. 2008.

Assigned:

• SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. Clark, Van Oorschot. Oakland. 2013.
• Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning. Syta, Tamas, Visher, Wolinsky, Gasser, Gailly, Ford. Oakland. 2016.

Recommended:

• Analysis of the HTTPS Certificate Ecosystem. Durumeric, Kasten, Bailey, Halderman. IMC. 2013.
• Certified lies: Detecting and defeating government interception attacks against SSL (short paper). Soghoian, Stamm. FC. 2011.
• CONIKS: Bringing Key Transparency to End Users. Melara, Blankstein, Bonneau, Felten, Freedman. Usenix Security. 2015.

Assigned:

• SoK: Secure Messaging. Unger, Dechand, Bonneau, Fahl, Perl, Goldberg, Smith. 2015.
• Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage. Garman, Green, Kaptchuk, Miers, Rushanan. In submission. 2016.

Assigned:

• The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. Bonneau, Herley, Van Oorschot, Stajano. Oakland. 2012.
• Measuring real-world accuracies and biases in modeling password guessability. Ur, Segreti, Bauer, Christin, Cranor, Komanduri, Kurilova, Mazurek, Melicher, Shay. Usenix Security. 2015.

Recommended:

• PBKDF (Section 5.2 from PKCS \#5: Password-Based Cryptography Specification, Version 2.0). Kaliski. 2000.
• CloudCracker. Marlinspike. 2012.
• The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. Bonneau. Oakland. 2012.
• Password Managers: Attacks and Defenses. Silver, Jana, Boneh, Chen, Jackson. Usenix Security. 2014.
• The Tangled Web of Password Reuse. Das, Bonneau, Caesar, Borisov, Wang. NDSS. 2014.

Assigned:

• Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. Whitten, Whitten, Tygar, Tygar. Usenix Security. 1999.
• Alice in warningland: a large-scale field study of browser security warning effectiveness. Akhawe, Felt. Usenix Security. 2013.

Recommended:

• So long, and no thanks for the externalities: the rational rejection of security advice by users. Herley. NSPW. 2009.
• The psychology of security for the home computer user. Howe, Ray, Roberts, Urbanska, Byrne. Oakland. 2012.
• Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System. Clark, Goodspeed, Metzger, Wasserman, Xu, Blaze. Usenix Security. 2011.

Assigned:

• Reining in the web with content security policy. Stamm, Sterne, Markham. WWW. 2010.
• Robust defenses for cross-site request forgery. Barth, Jackson, Mitchell. CCS. 2008.

Recommended:

• Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. Louw, Venkatakrishnan. Oakland. 2009.
• Securing frame communication in browsers. Barth, Jackson, Mitchell. Usenix Security. 2009.
• Protection and communication abstractions for web browsers in MashupOS. Wang, Fan, Howell, Jackson. ACM SIGOPS Operating Systems Review. 2007.

Assigned:

• SoK: Eternal war in memory. Payer, Wei, Song. Oakland. 2013.
• Hacking blind. Bittau, Belay, Mashtizadeh, Mazi??res, Boneh. Oakland. 2014.

Assigned:

• Native client: A sandbox for portable, untrusted x86 native code. Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, Fullagar. Oakland. 2009.
• Capsicum: practical capabilities for UNIX. Watson, Anderson, Laurie, Kennaway. Usenix Security. 2010.

Recommended:

• Safe kernel extensions without run-time checking. Necula, Lee. SOSP. 1996.
• The Security Architecture of the Chromium Browser. Barth, Jackson, Reis. WWW. 2008.

Assigned:

• A secure and reliable bootstrap architecture. Arbaugh, Farber, Smith. Oakland. 1997.
• Bootstrapping trust in commodity computers. Parno, McCune, Perrig. Oakland. 2010.

Recommended:

• Reflections on trusting trust. Thompson. Communications of the ACM. 1984.
• The ten page introduction to trusted computing. Martin, Others. Computing Laboratory, Oxford University Oxford. 2008.
• TrInc: Small Trusted Hardware for Large Distributed Systems. Levin, Douceur, Lorch, Moscibroda. NSDI. 2009.
• Logical attestation: an authorization architecture for trustworthy computing. Sirer, de Bruijn, Reynolds, Shieh, Walsh, Williams, Schneider. SOSP. 2011.

Assigned:

• Shielding applications from an untrusted cloud with haven. Baumann, Peinado, Hunt. SOSP. 2014.
• VC3: Trustworthy Data Analytics in the Cloud using SGX. Schuster, Costa, Gkantsidis, Peinado, Mainar-ruiz, Russinovich. Oakland. 2015.

Recommended:

• Intel SGX Explained. Costan, Devadas. 2015.
• OpenSGX: An Open Platform for SGX Research. Jain, Desai, Kim, Shih, Lee, Choi, Shin, Kim, Kang, Han. NDSS. 2016.

Assigned:

• The Byzantine Generals Problem. Lamport, Shostak, Pease. 1982.
• Practical Byzantine fault tolerance. Castro, Castro, Liskov, Liskov. OSDI. 1999.

Assigned:

• Secure untrusted data repository (SUNDR). Li, Krohn, Mazi\`{e}res, Shasha. OSDI. 2004.
• SPORC: Group Collaboration using Untrusted Cloud Resources. Feldman, Zeller, Freedman, Felten. OSDI. 2010.

Recommended:

• Beyond one-third faulty replicas in Byzantine fault tolerant systems. Li, Mazi\`{e}res. NSDI. 2007.
• Depot: Cloud Storage with Minimal Trust. Mahajan, Setty, Lee, Clement, Alvisi, Dahlin, Walfish. OSDI. 2010.

Assigned:

• PeerReview: Practical Accountability for Distributed Systems. Haeberlen, Kouznetsov, Druschel. SOSP. 2007.
• CryptDB: Protecting Confidentiality with Encrypted Query Processing. Popa, Redfield, Zeldovich, Balakrishnan. SOSP.

Recommended:

• Social networking with frientegrity: privacy and integrity with an untrusted provider. Feldman, Blankstein, Freedman, Felten. Usenix Security. 2012.
• Building web applications on top of encrypted data using Mylar. Helfer, Valdez, Popa, Stark, Zeldovich, Kaashoek, Balakrishnan. NSDI. 2014.
• Accountable Virtual Machines. Haeberlen, Aditya, Rodrigues, Druschel. OSDI. 2010.
• Efficient Data Structures for Tamper-Evident Logging. Crosby, Wallach. Usenix Security. 2009.

Assigned:

• Verifying computations without reexecuting them : from theoretical possibility to near practicality. Walfish, Blumberg. ECCC. 2013.
• Pinocchio: Nearly practical verifiable computation. Parno, Howell, Gentry, Raykova. Oakland. 2013.

Recommended:

• Making argument systems for outsourced computation practical (sometimes). Setty, McPherson, Blumberg, Walfish. NDSS. 2012.
• Taking proof-based verified computation a few steps closer to practicality. Setty, Vu, Panpalia, Braun. Usenix Security. 2012.
• Resolving the conflict between generality and plausibility in verified computation. Setty, Braun, Vu, Blumberg, Parno, Walfish. EuroSys. 2013.

Assigned:

• Verifying computations with state. Braun, Feldman, Ren, Setty, Blumberg, Walfish. SOSP. 2013.
• Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture. Ben-sasson, Chiesa, Tromer. Usenix Security. 2014.

Recommended:

• Verifiable computation with massively parallel interactive proofs. Thaler, Roberts. HotCloud. 2012.

Assigned:

• Adnostic : Privacy Preserving Targeted Advertising. Toubiana, Narayanan, Boneh, Nissenbaum, Barocas. NDSS. 2010.
• Third-party web tracking: Policy and technology. Mayer, Mitchell. 2012.

Recommended:

• Privad: practical privacy in online advertising. Guha, Cheng, Francis. NSDI. 2011.
• RePriv: Re-Imagining Content Personalization and In-Browser Privacy. Fredrikson, Livshits. Oakland. 2011.
• The Web Never Forgets: Persistent tracking mechanisms in the wild. Acar, Eubank, Englehardt, Juarez, Narayanan, Diaz. CCS. 2014.
• Private-by-Design Advertising Meets the Real World. Francis.

Assigned:

• Tor: The second-generation onion router. Dingledine, Mathewson, Syverson. Usenix Security. 2004.
• TapDance: End-to-Middle Anticensorship without Flow Blocking. Wustrow, Swanson, Halderman. Usenix Security. 2014.

Recommended:

• The parrot is dead: Observing unobservable network communications. Houmansadr, Brubaker, Shmatikov. Oakland. 2013.
• A Critical Evaluation of Website Fingerprinting Attacks. Juarez, Afroz, Acar, Diaz, Greenstadt, Berkeley. CCS. 2014.
• Dissent: Accountable Anonymous Group Messaging. Corrigan-Gibbs, Ford. CCS. 2010.
• Proactively Accountable Anonymous Messaging in Verdict. Corrigan-Gibbs, Wolinsky, Ford. Usenix Security. 2013.

Assigned:

• Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud. Sinan, Inci, G{\"{u}}lmezo˘, Irazoqui, Eisenbarth, Sunar. 2015.
• CacheBleed: A Timing Attack on OpenSSL Constant Time RSA. Yarom, Genkin, Heninger. In submission. 2016.

Recommended:

• Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. Ristenpart, Tromer, Shacham, Savage. CCS. 2009.
• When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography. Ristenpart, Yilek. NDSS. 2010.
• Cross-VM side channels and their use to extract private keys. Zhang, Juels, Reiter, Ristenpart. CCS. 2012.
• Scheduler-based Defenses against Cross-VM. Varadarajan, Ristenpart, Swift. Usenix Security. 2014.
• Cross-Tenant Side-Channel Attacks in PaaS Clouds. Juels, Ristenpart, Reiter. CCS. 2014.