Below is the calendar for this semester's course. This is the preliminary schedule, which will be altered as the semester progresses. It is the responsibility of the students to frequently check this web page for schedule, readings, and assignment changes. As the professor, I will attempt to announce any change to the class, but this web page should be viewed as authoritative. If you have any questions, please contact me (contact information is available at the course homepage).

Date | Topic | Assignments Due | Readings for Discussion (do readings before class)
01/09/18 Introduction
(Slides)
Course syllabus link
Fast and Vulnerable: A Story of Telematic Failures. Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage, USENIX Workshop on Offensive Technologies, 2015. link
01/11/18 Threats
(Slides)
Defense Design (Due 1/18/18) link
Operating Systems Security - Chs 1 and 4 link
Chapter 2: Why Systems Are Not Secure?. Morrie Gasser, in Building a Secure Computer System, 1988. link
The Risks Digest link
Common Vulnerabilities and Exposures link
Common Weakness Enumeration link
Security Focus: BugTraq link
01/16/18 Security Principles
(Slides)
Operating Systems Security - Ch 2 link
Protection. Butler Lampson, Proc. 5th Princeton Conf. on Information Sciences and Systems, 1971. link
Reference Monitor Concept, Trent Jaeger, Encyclopedia of Cryptography and Security, 2010. link
Computer Security Archives Project, Matt Bishop. link
01/18/18 Multics
(Slides)
Course Project Proposal (Due 1/31/18) link
Operating Systems Security, Chapter 3 link
Introduction and Overview of the Multics System F. J. Corbato and V. A. Vyssotsky, in Proceedings of the Fall Joint Computer Conference, 1965. link
01/23/18 Linux Security Modules
(Slides)
Operating Systems Security, Chapter 9 link
Linux Security Modules: General Security Support for the Linux Kernel. Chris Wright et al. In Proceedings of the 11th USENIX Security Symposium, August 2002. link
Using CQUAL for static analysis of authorization hook placement. Xiaolan Zhang, Antony Edwards, Trent Jaeger. In Proceedings of the 11th USENIX Security Symposium, August 2002. link
01/25/18 Integrity
(Slides)
Operating Systems Security, Chapter 5 link
A Comparison of Commercial and Military Computer Security Policies. David D. Clark and David R. Wilson. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, 1987. link
01/30/18 CW-Lite Integrity
(Slides)
Linux Security Module (Due 3/1/18) link
Toward Automated Information-Flow Integrity Verification for Security-Critical Applications. Umesh Shankar, Trent Jaeger, and Reiner Sailer. In Proceedings of the 2006 Network and Distributed Systems Security Symposium, Feb. 2006, pp. 267-280. link
02/01/18 Program Diversity
(Slides)
An Analysis of Address Space Layout Randomization in Windows Vista. O. Whitehouse. Symantec Report, 2007. link
The Case for Less Predictable Operating System Behavior. Ruimin Sun, Donald E. Porter, Daniela Oliveira, Matt Bishop, Hot Topics on Operating Systems, 2015. link
Readactor: Practical Code Randomization Resilient to Memory Disclosure. Stephen Crane, Christopher Liebchen, Andrei Homescu, Lucas Davi, Per Larsen, Ahmad-Reza Sadeghi, Stefan Brunthaler, Michael Franz, IEEE Symposium on Security and Privacy, 2015. link
02/06/18 Control-Flow Integrity
(Slides)
Control-flow Integrity. Martin Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti, in Proceedings of the 12th ACM Conference on Computer and Communications Security, 2005. link
Fine-Grained Control-Flow Integrity for Kernel Software. Xinyang Ge, Nirupama Talele, Mathias Payer, Trent Jaeger. In Proceedings of the IEEE European Symposium on Security and Privacy, Mar. 2016, pp. 179-194. link
02/08/18 SELinux
(Slides) (Slides) (Slides)
Operating Systems Security, Chapter 8 link
Integrating Flexible Support for Security Policies into the Linux Operating System, Peter Loscocco and Stephen Smalley. In Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, 2001. link
02/13/18 Confused Deputy
(Slides)
The Confused Deputy (or why capabilities might have been invented). Norm Hardy. Operating Systems Review, pp. 36-38, Oct. 1988. link
JIGSAW: Protecting Resource Access by Inferring Programmer Expectations. Hayawardh Vijayakumar, Xinyang Ge, Mathias Payer, and Trent Jaeger, 23rd USENIX Security Symposium, 2014. link
02/15/18 Security Kernels
(Slides)
Operating Systems Security, Chapter 6 link
Fault Isolation for Device Drivers. Jorrit N. Herder, Herbert Bos, Ben Gras, Philip Homburg, and Andrew S. Tanenbaum, in Proceedings of the 39th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'09), pgs. 33-42, July 2009. link
02/20/18 NDSS Break - No class
02/22/18 NDSS Break - No class
02/27/18 Capability Systems
(Slides)
Operating Systems Security, Chapter 10 link
On the Inability of an Unmodified Capability Machine to Enforce the *-Property. W. E. Boebert, 7th DOD/NBS Computer Security Conference, 1984. link
A Secure Identity-Based Capability System. Li Gong, 1989 IEEE Symposium Security and Privacy, May 1989. link
The CHERI capability model: Revisiting RISC in an age of risk. Jonathan Woodruff et al. 2014 IEEE Symposium Security and Privacy, May 2014. link
03/01/18 System Information Flow Control
(Slides)
Information flow control for standard OS abstractions. Maxwell Krohn et al, in Proceedings of the ACM Symposium on Operating Systems Principles, 2007. link
03/06/18 Spring Break - No class
03/08/18 Spring Break - No class
03/13/18 System Information Flow Control
(Slides)
Information flow control for standard OS abstractions. Maxwell Krohn et al, in Proceedings of the ACM Symposium on Operating Systems Principles, 2007. link
03/15/18 Malware Detection
(Slides)
Midterm (Take Home - Due 3/22/18 11:59pm) link
The Art of Unpacking. Mark Vincent Yason, BlackHat 2007. link
Effective and Efficient Malware Detection at the End Host. Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and XiaoFeng Wang, 18th USENIX Security Symposium, 2009. link
Using Hardware Features for Increased Debugging Transparency. Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun, IEEE Symposium on Security and Privacy, 2015. link
03/20/18 Program Retrofitting
(Slides) (Slides)
Producing Hook Placements to Enforce Expected Access Control Policies. Divya Muthukumaran, Nirupama Talele, Trent Jaeger, and Gang Tan. In Proceedings of the 2015 International Symposium on Engineering Secure Software and Systems (ESSoS), Mar. 2015. link
DIFC Programs by Automatic Instrumentation. William R. Harris, Somesh Jha, and Thomas Reps, in Computer and Communications Security (CCS), 2010. link
03/22/18 Program Information Flow Control
(Slides)
A Decentralized Model for Information Flow Control. Andrew Myers and Barbara Liskov, in Proceedings of the 16th ACM Symposium on Operating Systems Principles, 1997. link
Sharing Mobile Code Securely With Information Flow Control. Owen Arden, Michael D. George, Jed Liu, K. Vikram, Aslan Askarov, Andrew Myers. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012. link
03/27/18 Symbolic Execution
(Slides) (Slides)
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems. Cristian Cadar, Daniel Dunbar, Dawson Engler, in Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, 2008. link
AEG: Automatic Exploit Generation. Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley, in Proceedings of the 2011 Network and Distributed System Security Symposium, Feb. 2011. link
03/29/18 Fuzz Testing
(Slides)
American Fuzzy Lop. M. Zalewski. link
Driller: Augmenting Fuzzing Through Selective Symbolic Execution. Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna. Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2016. link
04/03/18 Virtual Machine Systems
(Slides)
Operating Systems Security, Chapter 11 link
TrustShadow: Secure Execution of Unmodified Applications with ARM TrustZone. Le Guan, Peng Liu, Xinyu Xing, Xinyang Ge, Shengzhi Zhang, Meng Yu, and Trent Jaeger. In Proceedings of the 15th ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), June 2017. link
Dune: Safe User-level Access to Privileged CPU Features. Adam Belay, Andrea Bittau, Ali Mashtizadeh, David Terei, David Mazieres, Christos Kozyrakis. Proceedings of the 10th Symposium on Operating Systems Design and Implementation, October 2012. link
04/05/18 Isolated Systems (SGX)
(Slides)
Operating Systems Security, Chapter 11 link
Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems. Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis, Pratap Subrahmanyam, Carl A. Waldspurger (VMware), Dan Boneh (Stanford), Jeffrey Dwoskin (Princeton), and Dan R.K. Ports (MIT), in Proceedings of the 2008 Conference on Architectural Support for Programming Languages and Operating Systems, 2008. link
VC3: Trustworthy Data Analytics in the Cloud using SGX. Felix Schuster, Manuel Costa, Cedric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, Mark Russinovich, IEEE Symposium on Security and Privacy, 2015. link
04/10/18 Attacking SGX
(Slides)
Hacking in Darkness: Return-oriented Programming against Secure Enclaves. Jaehyuk Lee et al. In Proceedings of the 26th USENIX Security Symposium. August 2017. link
Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing. Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, and Hyesoon Kim. In Proceedings of the 26th USENIX Security Symposium. August 2017. link
04/12/18 Other Hardware Advances for Security
(Slides)
SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture. Xinyang Ge, Hayawardh Vijayakumar, and Trent Jaeger, Mobile Security Technologies Workshop, 2014. link
LMP: Light-Weighted Memory Protection with Hardware Assistance. Wei Huang, Zhen Huang, Dhaval Miyani and David Lie. In Proceedings of the 2016 Annual Computer Security Applications Conference (ACSAC 2016), December 2016. link
04/17/18 Student Project Presentations
04/19/18 Cloud Computing Security
(Slides)
Inevitable Failure: The Flawed Trust Assumption in the Cloud. Yuqiong Sun, Giuseppe Petracca, Trent Jaeger, in Cloud Computing Security Workshop, 2014. link
Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services. Nuno Santos, Rodrigo Rodrigues, Krishna P. Gummadi, Stefan Saroiu, in Proceedings of the 21st USENIX Security Symposium, 2012. link
Unicorn: Two-Factor Attestation for Data Security. Mohammad Mannan, Beom Heyn Kim, Afshar Ganjali and David Lie, in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011). Pages 17-28. October 2011. link
04/24/18 Internet of Things Security
(Slides)
Security Analysis of Emerging Smart Home Applications. Earlence Fernandes, Jaeyeon Jung, Atul Prakash. Proceedings of the IEEE Symposium on Security and Privacy, 2016. link
ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms. Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, Atul Prakash. Proceedings of the Network and Distributed Systems Symposium, 2017. link
04/26/18 Future of Systems Security
(Slides) (Slides)
DATS: Data-centric Mandatory Access Control on Web Applications. Lluis Vilanova, Casen Hunger, Charalampos Papamanthou, Yoav Etsion, Mohit Tiwari. In Proceedings of Architectural Support for Programming Languages and Operating Systems, (ASPLOS), March 2018. link
PtrSplit: Supporting General Pointers in Automatic Program Partitioning. S. Liu, G. Tan, and T. Jaeger. In 24th ACM Conference on Computer and Communications Security (CCS), 2017. link
05/01/18 Final Exam - 2:30PM - 4:20PM - 271 Willard Bldg