Below is the calendar for this semester's course. This is the preliminary schedule, which will be altered as the semester progresses. It is the responsibility of the students to frequently check this web-page for schedule, readings, and assignment changes. As the professor, I will attempt to announce any change to the class, but this web-page should be viewed as authoritative. If you have any questions, please contact me (contact information is available at the course homepage).

Readings for Discussion
(do readings before class)
Course syllabus link
01/11/18 Security Basics
Reflections on Trusting Trust. K. Thompson, Turing Award Lecture, 1983. link
Server Authentication (Due 2/13/18) link
Linux Password and Shadow File Format link
01/18/18 Programming Mistakes (Info Flow)
SQL Injection Cheat Sheet and Tutorial link
The Risks Digest link
01/23/18 Programming Flaws (Buffer Overflows)
Smashing the Stack for Fun and Profit, Aleph One. Phrack 7(49), 1996 link
Common Vulnerabilities and Exposures link
Talk: Secure Software through Proof Engineering, Greg
Some OpenSSL help link
01/25/18 Programming Flaws (Heap Overflows, Etc.)
Hacker's Hut: Exploiting the Heap (11-11.2) link
Security Focus: BugTraq link
01/30/18 Programming Flaws (Memory Errors)
Using Freed Memory link
Double Frees link
One Perfect Bug: Exploiting Type Confusion in Flash (Basic Idea) link
Format String Vulnerability link
02/01/18 Research Talk: Copy Relocation Violations
An Evil Copy: How the Loader Betrays You. X. Ge, M. Payer, T. Jaeger. Proceedings of the Network and Distributed Systems Security Symposium,
02/06/18 Confused Deputy
The Confused Deputy (or why capabilities might have been invented). Norm Hardy. Operating Systems Review, pp. 36-38, Oct. 1988. link
02/08/18 Defensive Programming
Secure Programming HOWTO (Chapter 5) link
02/13/18 Defensive Programming
Secure Programming HOWTO (Chapter 6) link
02/15/18 Dynamic Testing
Server Hardening (Due 2/27/18) link
The Fuzzing Project: Tutorial link
American Fuzzy Lop link
02/20/18 Static Analysis
Tutorial: Static Analysis and Dynamic Testing of Software, Richard Fairley,
LLVM Checkers link
02/22/18 Research Talk: Android Sensor Security
AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings. Giuseppe Petracca, Ahmad-Atamli Reineh, Yuqiong Sun, Jens Grossklags, and Trent Jaeger. In Proceedings of the 26th USENIX Security Symposium, Aug.
02/27/18 Static Analysis
HP Fortify link
IBM Rational link
LLVM Based Bug Detection: A comparison of CETS and Parfait (Focus on Parfait). Sebastian
03/01/18 Symbolic Execution
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems. Cristian Cadar, Daniel Dunbar, Dawson Engler, in Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, 2008. link
03/06/18 Spring Break - No class
03/08/18 Spring Break - No class
03/13/18 Course Review
03/20/18 Execution Integrity
Break Someone's Server (Due 4/7/18) link
03/22/18 Execution Integrity
Control-Flow Integrity: Precision, Security, and Performance (Section 2.1) link
03/27/18 Security Mechanisms
Privilege-Separated OpenSSH link
03/29/18 No Lecture
04/03/18 Automating Privilege Separation
PtrSplit: Supporting General Pointers in Automatic Program Partitioning. S. Liu, G. Tan, and T. Jaeger. In 24th ACM Conference on Computer and Communications Security (CCS),
04/05/18 Reference Monitor
Reference Monitor link
Leveraging 'Choice' in Authorization Hook Placement (Sections 1-3). Divya Muthukumaran, Trent Jaeger, and Vinod Ganapathy. In 19th ACM Conference on Computer and Communications Security, 2012. link
04/10/18 Software Fault Isolation
Authorization (Due 4/26/18) link
Software-based Fault Isolation (Notes) link
04/12/18 Comparing Java to C
04/17/18 Information Flow
Java Information Flow (Jif) link
04/19/18 Hardware for Security
Design of Intel MPX link
04/24/18 Attack Surface
Attack Surface Analysis Cheat Sheet link
04/26/18 Final Review
05/01/18 Final Exam - 10:10AM - 12:00PM, 106 Forest Res Bldg