Department of Computer Science and Technology

Course pages 2017–18

Computer Security: Principles and Foundations

Welcome to R209 - Computer Security: Principles and Foundations.

R209 Slides and Readings


  1. Introduction to R209
  2. How to present PICS in a seminar-style course
  3. Crypto protocols

Reading assignments

The following papers are assigned reading for R209, which should be read prior to the class indicated. Please contact the module instructors if you have any questions.

  1. Origins and Foundations of Computer Security (9 October 2016 - Watson, Anderson, Beresford)
    1. Jerome H Saltzer and Michael D Schroeder. The Protection of Information in Computer Systems, Communications of the ACM 17(7) (July 1974)
    2. Roger Needham and Michael Schroeder. Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM 21(12) (Dec 1978)
  2. Adversarial reasoning (16 October 2017 - Anderson)
    1. Paul Karger and Roger Schell. Multics Security Evaluation, Volume II: Vulnerability Analysis. Technical Report ESD-TR-74-193, v II, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731 (June 1974). Read pp1-64; *skip the Subverter Listing*; the glossary on p149 may be useful
    2. Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy, May 2010.
    3. Kaveh Razavi, Ben Gras, and Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. Proceedings of the 25th USENIX Security Symposium, August 2016.
  3. Usable security (23 October 2017 - Beresford)
    1. Alma Whitten and J.D. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0, Usenix Security, 1999.
    2. Cormac Herley. More is not the answer, 2014.
    3. Brian Glass, Graeme Jenkinson, Yuqi Liu, M. Angela Sasse, Frank Stajano. The usability canary in the security coal mine: A cognitive framework for evaluation and design of usable authentication solutions, 2016.
    Optional additional readings:
  4. Security Economics (30 October 2017 - Anderson)
    1. Ross Anderson and Tyler Moore, Information security: where computer science, economics, and psychology meet, Phil Trans Roy Soc A v 367 no 1898 pp 2717–2727 (2009).
    2. Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie, and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, WEIS 2010.
    3. Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, Measuring the Cost of Cybercrime, WEIS 2012.

    Optional additional reading:

  5. Passwords (6 November 2017 - Beresford)
    1. Robert Morris and Ken Thompson, Password security: a case history, Communications of the ACM 22(11) (1979).
    2. Anne Adams and M. Angela Sasse, Users are not the enemy, Communications of the ACM v 42 no 12 (1999).
    3. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano, The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, IEEE Security and Privacy 2012.

    Optional additional reading:

  6. Cybercrime (13 November 2017 - Hutchings)
    1. Tyler Moore and Richard Clayton. Ethical Dilemmas in Take-down Research, Second Workshop on Ethics in Computer Security Research (WECSR 2011), St Lucia, 4 March 2011.
    2. Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, et al. Click trajectories: End-to-end analysis of the spam value chain, IEEE Symposium on Security and Privacy (SP), 22 May 2011.
    3. Alice Hutchings and Richard Clayton. Exploring the provision of online booter services, Deviant Behavior, 37(10), 1163-1178, 2016.
    Optional additional readings:
  7. Cryptographic Protocols (20 November 2017 - Anderson)
    1. Mike Burrows, Martín Abadi and Roger Needham, A Logic of Authentication, Proc. Roy. Soc. A v 426 no 1871 pp 233–271 (1989).
    2. Ross Anderson, API Attacks, from Security Engineering – A Guide to Building Dependable Distributed Systems, Second Edition, Wiley (2008).
    3. Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, Jean Karim Zinzindohoue, A Messy State of the Union: Taming the Composite State Machines of TLS, IEEE Security and Privacy 2015

    Optional additional reading:

  8. Correctness vs. Mitigation (27 November 2017 - Thomas)
    1. Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood, seL4: formal verification of an OS kernel, Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems principles (SOSP '09)
    2. Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler, A few billion lines of code later: using static analysis to find bugs in the real world, Communications of ACM 53(2) (February 2010)
    3. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song, SoK: Eternal War in Memory, Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13). IEEE Computer Society, Washington, DC, USA.

Course materials from previous years

Last year’s course materials are still available.