Course pages 2016–17
Computer Security: Principles and Foundations
R209 Slides and Readings
Slides
Reading assignments
The following papers are assigned reading for R209, which should be read prior to the class indicated. This list is still being finalised, and further changes may be made before the start of term. Please contact the module instructors if you have any questions.
- Origins and Foundations of Computer Security (10 October 2016 - Watson, Anderson, Beresford)
- Jerome H Saltzer and Michael D Schroeder. The Protection of Information in Computer Systems, Communications of the ACM 17(7) (July 1974)
- Roger Needham and Michael Schroeder. Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM 21(12) (Dec 1978)
- Adversarial Reasoning (17 October 2016 - Anderson)
- Paul Karger and Roger Schell. Multics Security Evaluation, Volume II: Vulnerability Analysis. Technical Report ESD-TR-74-193, v II, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731 (June 1974). Read pp1-64; *skip the Subverter Listing*; the glossary on p149 may be useful
- Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy, May 2010.
- Kaveh Razavi, Ben Gras, and Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. Proceedings of the 25th USENIX Security Symposium, August 2016.
- Andy Greenberg. Hackers Remotely Kill a Jeep on the Highway—With Me in It. Wired Magazine, July 2015.
- Access Control (24 October 2016 - Watson)
- D Elliot Bell and Len LaPadula. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975). Read pp1-48, 64-73 only.
- Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, Sheila A. Haghighat, A Domain and Type Enforcement UNIX Prototype. Proceedings of the Fifth USENIX UNIX Security Symposium (1996)
- Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), February 2013.
- Butler Lampson, A Note on the Confinement Problem, Communications of the ACM 16(10) (Oct 1973).
- Capability Systems (31 October 2016 - Watson)
- David Wagner and Dean Tribble, A Security Analysis of the Combex DarpaBrowser Architecture, March 4, 2002.
- R. N. M. Watson, J. Anderson, B. Laurie, and K. Kennaway, Capsicum: practical capabilities for UNIX 19th USENIX Security Symposium, 2010
- R. N. M. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave, B. Davis, K. Gudka, B. Laurie, S. J. Murdoch, R. Norton, M. Roe, S. Son, and M. Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, Proceedings of the 36th IEEE Symposium on Security and Privacy ("Oakland"), San Jose, California, USA, May 2015.
- W. Wulf, E. Cohen, W. Corwin, A. Jones, R. Levin, C. Pierson, and F. Pollack, HYDRA: the kernel of a multiprocessor operating system, Communications of the ACM 17(6) pp 337–345 (1974)
- Mark S. Miller, Ka-Ping Yee, Jonathan Shapiro. Capability Myths Demolished, Technical Report SRL2003-02, Systems Research Laboratory, Johns Hopkins University
- Security Economics (7 November 2016 - Anderson)
- Ross Anderson and Tyler Moore, Information security: where computer science, economics, and psychology meet, Phil Trans Roy Soc A v 367 no 1898 pp 2717–2727 (2009).
- Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie, and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, WEIS 2010.
- Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, Measuring the Cost of Cybercrime, WEIS 2012.
- Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda, and Christopher Kruegel, Is the Internet for Porn? An Insight Into the Online Adult Industry, WEIS 2010.
- Passwords (14 November 2016 - Llewellyn-Jones)
- Robert Morris and Ken Thompson, Password security: a case history, Communications of the ACM 22(11) (1979).
- Anne Adams and M. Angela Sasse, Users are not the enemy, Communications of the ACM v 42 no 12 (1999).
- Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano, The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, IEEE Security and Privacy 2012.
- Frank Stajano, Pico: no more passwords, Proc. Security Protocols Workshop 2011, Springer LNCS 7114.
- Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano. Passwords and the Evolution of Imperfect Authentication. Comms ACM 58(7):78-87, July 2015.
- Cryptographic Protocols (21 November 2016 - Anderson)
- Mike Burrows, Martín Abadi and Roger Needham, A Logic of Authentication, Proc. Roy. Soc. A v 426 no 1871 pp 233–271 (1989).
- Ross Anderson, API Attacks, from Security Engineering – A Guide to Building Dependable Distributed Systems, Second Edition, Wiley (2008).
- Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, Jean Karim Zinzindohoue, A Messy State of the Union: Taming the Composite State Machines of TLS, IEEE Security and Privacy 2015
- Martín Abadi and Roger Needham, Prudent Engineering Practice for Cryptographic Protocols, IEEE Transactions on Software Engineering v 22 no 1 (1996).
- Correctness vs. Mitigation (28 November 2016 - Thomas)
- Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood, seL4: formal verification of an OS kernel, Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems principles (SOSP '09)
- Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler, A few billion lines of code later: using static analysis to find bugs in the real world, Communications of ACM 53(2) (February 2010)
- Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song, SoK: Eternal War in Memory, Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13). IEEE Computer Society, Washington, DC, USA.
Optional additional reading:
Optional additional reading:
Optional additional reading:
Optional additional reading:
Optional additional reading:
Optional additional reading:
Course materials from previous years
Last year’s course materials are still available.