Below is the calendar for this semester's course. This is the preliminary schedule, which will be altered as the semester progresses. It is the responsibility of the students to check this web page frequently for schedule, reading, and assignment changes. As the professor, I will attempt to announce any change to the class, but this web page should be viewed as authoritative. If you have any questions, please contact me (contact information is available on the course homepage). Also, the specifics of each of the course assignments are available on the assignments page.

Date | Topic | Assignments Due | Readings for Discussion (do readings before class)
01/13/10 Introduction
(Slides)
Course syllabus. link (summary and questions) Presenter: Moyer
01/20/10 Web 2.0 Overview
(Slides) (Tutorial Slides)
Open Web Application Security Project (OWASP). OWASP Top 10 - 2007: The Ten Most Critical Web Application Security Vulnerabilities. 2007. link (summary and questions) Presenter: Moyer
01/27/10 Cross-Site Scripting Assignment #1
Engin Kirda, Nenad Jovanovic, Christopher Kruegel, and Giovanni Vigna. Client-Side Cross-Site Scripting Protection. Computers and Security, 28(7):592-604, 2009. link (summary and questions) Presenter: McLaughlin
P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceeding of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2007. link (summary and questions) Presenter: Burhans
T. Oda, G. Wurster, P.C. van Oorschot, A. Somayaji. SOMA: Mutual Approval for Included Content in Web Pages. ACM CCS 2008, Oct.27-31 2008, Alexandria, VA, USA. link (summary and questions) Presenter: Edwards
02/03/10 Injection Attacks Project Choice
Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In WWW '07: Proceedings of the 16th international conference on World Wide Web, pages 601-610, New York, NY, USA, 2007. ACM. link (summary and questions) Presenter: Rummel
Zhendong Su and Gary Wassermann. The essence of command injection attacks in web applications. In POPL '06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 372-382, New York, NY, USA, 2006. ACM. link (summary and questions) Presenter: Verdol
Reis, C., Gribble, S. D., Kohno, T., and Weaver, N. C. 2008. Detecting in-flight page changes with web tripwires. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (San Francisco, California, April 16 - 18, 2008). J. Crowcroft and M. Dahlin, Eds. USENIX Association, Berkeley, CA, 31-44. link (summary and questions) Presenter: Vijayakumar
02/10/10 Web-App Analysis Assignment #2
Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. In WWW '04: Proceedings of the 13th international conference on World Wide Web, pages 40-52, New York, NY, USA, 2004. ACM. link (summary and questions) Presenter: Rummel
Yasuhiko Minamide. Static approximation of dynamically generated web pages. In WWW '05: Proceedings of the 14th international conference on World Wide Web, pages 432-441, New York, NY, USA, 2005. ACM. link (summary and questions) Presenter: Pohly
02/17/10 Web Privacy
(XML Slides) (XML/XSLT Sample Code)
Assignment #3
Gary Wassermann and Zhendong Su. Static detection of cross-site scripting vulnerabilities. In ICSE '08: Proceedings of the 30th international conference on Software engineering, pages 171-180, New York, NY, USA, 2008. ACM. link (summary and questions) Presenter: Verdol
Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell. Protecting browser state from web privacy attacks. In WWW '06: Proceedings of the 15th international conference on World Wide Web, pages 737-744, New York, NY, USA, 2006. ACM. link (summary and questions) Presenter: Moyer
Umesh Shankar and Chris Karlof. Doppelganger: Better browser privacy without the bother. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 154-167, New York, NY, USA, 2006. ACM. link (summary and questions) Presenter: Hu
Simon Byers, Lorrie Cranor, David Kormann, and Patrick McDaniel. Searching for Privacy: Design and Implementation of a P3P-Enabled Search Engine. Proceedings of 2004 Workshop on Privacy Enhancing Technologies (PETS), May 2004. Toronto, Canada. link (summary and questions) Presenter: Xu
02/24/10 Mashups Assignment #4
Collin Jackson and Helen J. Wang. Subspace: secure cross-domain communication for web mashups. In WWW '07: Proceedings of the 16th international conference on World Wide Web, pages 611-620, New York, NY, USA, 2007. ACM. link (summary and questions) Presenter: Hu
Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, and Sachiko Yoshihama. Smash: secure component model for cross-domain mashups on unmodified browsers. In WWW '08: Proceeding of the 17th international conference on World Wide Web, pages 535-544, New York, NY, USA, 2008. ACM. link (summary and questions) Presenter: Yoon
Adam Barth, Collin Jackson, and John C. Mitchell. Securing frame communication in browsers. Commun. ACM, 52(6):83-91, 2009. link (summary and questions) Presenter: Miadzvezhanka
03/03/10 Browsers
Chris Grier, Shuo Tang, and Samuel T. King. Secure web browsing with the OP web browser. In SP '08: Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 402-416, Washington, DC, USA, 2008. IEEE Computer Society. link (summary and questions) Presenter: McLaughlin
Adam Barth, Collin Jackson, Charles Reis, and The Google Chrome Team. Security architecture of the Chromium browser. Technical report, Stanford, September 2008. link (summary and questions) Presenter: Pohly
Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. The multi-principal OS construction of the Gazelle web browser. Technical report, Microsoft Research, 2009. link (summary and questions) Presenter: Schiffman
03/10/10 No class - spring break
03/17/10 Worms and Bots (class held in 102 Pond)
V. T. Lam, S. Antonatos, P. Akritidis, and K. G. Anagnostakis. Puppetnets: misusing web browsers as a distributed attack infrastructure (extended version). In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 221-234, New York, NY, USA, 2006. ACM. link (summary and questions) Presenter: Rummel
Matthew Van Gundy, Davide Balzarotti, and Giovanni Vigna. Catch me, if you can: evading network signatures with web-based polymorphic worms. In WOOT '07: Proceedings of the first USENIX workshop on Offensive Technologies, pages 1-9, Berkeley, CA, USA, 2007. USENIX Association. link (summary and questions) Presenter: Verdol
Benjamin Livshits and Weidong Cui. Spectator: detection and containment of JavaScript worms. In ATC '08: Proceedings of the USENIX 2008 Annual Technical Conference, pages 335-348, Berkeley, CA, USA, 2008. USENIX Association. link (summary and questions) Presenter: Miadzvezhanka
03/24/10 Phishing and CSRF Assignment #5
Marco Cova, Christopher Kruegel, and Giovanni Vigna. There is no free phish: an analysis of "free" and live phishing kits. In WOOT'08: Proceedings of the 2nd conference on USENIX Workshop on offensive technologies, pages 1-8, Berkeley, CA, USA, 2008. USENIX Association. link (summary and questions) Presenter: Xu
Chuan Yue and Haining Wang. Anti-phishing in offense and defense. Annual Computer Security Applications Conference, 2008. link (summary and questions) Presenter: Burhans
Adam Barth, Collin Jackson, and John C. Mitchell. Robust defenses for cross-site request forgery. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, pages 75-88, New York, NY, USA, 2008. ACM. link (summary and questions) Presenter: Yoon
03/31/10 Malicious Objects In class project showcase
Adam Barth, Juan Caballero, and Dawn Song. Secure Content Sniffing for Web Browsers or How to Stop Papers from Reviewing Themselves. In 30th IEEE Symposium on Security and Privacy, 2009. link (summary and questions) Presenter: McLaughlin
Sean Ford, Marco Cova, Chris Kruegel, and Giovanni Vigna. Analyzing and detecting malicious flash advertisements. Annual Computer Security Applications Conference, 2009. link (summary and questions) Presenter: Vijayakumar
04/07/10 Cloud Security Assignment #6
Mihai Christodorescu, Reiner Sailer, Douglas Schales, Daniele Sgandurra, and Diego Zamboni. Cloud security is not (just) virtualization security. The ACM Cloud Computing Security Workshop, 2009. link (summary and questions) Presenter: Moyer
Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, pages 199-212, New York, NY, USA, 2009. ACM. link (summary and questions) Presenter: Pohly
Chris Erway, Alptekin Kupcu, Charalampos Papamanthou, and Roberto Tamassia. Dynamic provable data possession. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, pages 213-222, New York, NY, USA, 2009. ACM. link (summary and questions) Presenter: Yoon
04/14/10 SSL Assignment #7
Collin Jackson and Adam Barth. ForceHTTPS: protecting high-security web sites from network attacks. In WWW '08: Proceeding of the 17th international conference on World Wide Web, pages 525-534, New York, NY, USA, 2008. ACM. link (summary and questions) Presenter: Edwards
Shuo Chen, Ziqing Mao, Yi-Ming Wang, and Ming Shang. Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments. In 30th IEEE Symposium on Security and Privacy, 2009. link (summary and questions) Presenter: Schiffman
04/21/10 Project Discussion
04/28/10 Web Services Lecture
(Slides)
Assignment #8