Computer Laboratory

Course pages 2015–16

Computer Security: Current Applications and Research

R210 Slides and Readings

Reading assignments

The following papers are assigned reading for R210 and should be read before the class indicated. This list is still being finalised, and further changes may be made before the start of term. Please contact the module instructors if you have any questions.

  1. Psychology and security (Ross Anderson - 18 January 2016)
    1. Daniel Kahneman's Nobel Prize lecture
    2. The evolution and psychology of self-deception, William von Hippel and Robert Trivers [focus on the main paper on pages 1-15 and take a look at the open peer commentary for a broader view]
    3. Scam Compliance and the Psychology of Persuasion, Modic, David and Lea, Stephen E. G., June 21, 2013, Available at SSRN.
  2. Banking security (Mike Bond - 25 January 2016)
    1. Chip and PIN is Broken, Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (May 2010), pp. 433-446, doi:10.1109/sp.2010.33.
    2. Majority is not Enough: Bitcoin Mining is Vulnerable, Ittay Eyal and Emin Gün Sirer, arXiv, 4 November 2013.
    3. Chip and Skim: cloning EMV cards with the pre-play attack by Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, Ross Anderson. In Proceedings of the 2014 IEEE Symposium on Security and Privacy (May 2014).
  3. Anonymity systems (Steven Murdoch - 1 February 2016)
    1. Mixminion: Design of a Type III Anonymous Remailer Protocol, George Danezis, Roger Dingledine, and Nick Mathewson. In Proceedings of the 2003 IEEE Symposium on Security and Privacy.
    2. Tor: The Second-Generation Onion Router (2014 DRAFT v1), Roger Dingledine, Nick Mathewson, Steven Murdoch and Paul Syverson. Technical Report, Tor Project, January 2014.
    3. Hot or Not: Revealing Hidden Services by their Clock Skew, Steven J. Murdoch. In Proceedings of the 2006 ACM Conference on Computer and Communications Security (CCS)
  4. Censorship resistance (Sheharbano Khattak - 8 February 2016)
    1. Tools and Technology of Internet Filtering, Steven J. Murdoch and Ross Anderson. In Access Denied: The Practice and Policy of Global Internet Filtering, MIT Press, January 2008.
    2. Protecting Free Expression Online with Freenet, Ian Clarke, Theodore W. Hong, Scott G. Miller, Oskar Sandberg, and Brandon Wiley. IEEE Internet Computing, vol. 6, no. 1, pp. 40-49, 2002.
    3. Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability, Amir Houmansadr, Giang T. K. Nguyen, Matthew Caesar, Nikita Borisov. In Proceedings of the 2011 ACM Conference on Computer and Communications Security (CCS).
  5. Cybercrime (Alice Hutchings - 15 February 2016)
    1. Ethical Dilemmas in Take-down Research, Tyler Moore and Richard Clayton. Second Workshop on Ethics in Computer Security Research (WECSR 2011), St Lucia, 4 March 2011.
    2. Click trajectories: End-to-end analysis of the spam value chain, Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, et al. IEEE Symposium on Security and Privacy (SP), 22 May 2011.
    3. A crime script analysis of the online stolen data market, Alice Hutchings and Thomas J. Holt. British Journal of Criminology, 55(3), 596-614, 2015.
  6. Vulnerability management (Eireann Leverett - 22 February 2016)
    1. Optimal Policy for Software Vulnerability Disclosure, Ashish Arora, Rahul Telang, and Hao Xu. Management Science, vol. 54, no. 4, pp. 642-656, 2008.
    2. Capture-recapture in Software Inspections after 10 Years Research – Theory, Evaluation and Application, Håkan Petersson, Thomas Thelin, Per Runeson and Claes Wohlin. Journal of Systems and Software, vol. 72, no. 2, pp. 249-264, 2004.
    3. Milk or Wine: Does Software Security Improve with Age?, Andy Ozment and Stuart E. Schechter. Proceedings of the 15th USENIX Security Symposium, USENIX, 2006.
  7. Programming-language security and information flow control (Daniel Thomas - 29 February 2016)
    1. Andrew C. Myers and Barbara Liskov, A Decentralized Model for Information Flow Control. Proceedings of the 16th ACM Symposium on Operating Systems Principles (SOSP), Saint-Malo, France, 5–8 October 1997.
    2. Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications, Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz. 2015 IEEE Symposium on Security and Privacy (SP)
    3. Li Gong, Marianne Mueller, Hemma Prafullchandra and Roland Schemers, Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2. Proceedings of the USENIX Symposium on Internet Technologies and Systems (USITS '97).
  8. Mobile-system security (Daniel Thomas - 7 March 2016)
    1. Jekyll on iOS: When Benign Apps Become Evil, Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security), 2013.
    2. PlaceRaider: Virtual Theft in Physical Spaces with Smartphones, Robert Templeman, Zahid Rahman, David Crandall, and Apu Kapadia. arXiv:1209.5982 [cs.CR].
    3. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2010.

Last year’s course materials are still available.