Course pages 2016–17

Computer Security: Current Applications and Research

R210 Slides and Readings

Reading assignments

The following papers are assigned reading for R210, which should be read prior to the class indicated. This list is still being finalised, and further changes may be made before the start of term. Please contact the module instructors if you have any questions.

1. Vulnerability management (Eireann Leverett - 23 January 2017)
   1. Optimal Policy for Software Vulnerability Disclosure, Ashish Arora, Rahul Telang, and Hao Xu, Management Science 200854:4, 642-656.
   2. Milk or Wine: Does Software Security Improve with Age?, Andy Ozment and Stuart Schecter, Proceedings of the 15th USENIX Security Symposium, USENIX, 2007.
   3. You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications, Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson, Proceedings of the 25th USENIX Security Symposium, 2016, ISBN 978-1-931971-32-4.
   Optional additional readings:
   • Empirical Estimates and Observations of 0Day Vulnerabilities, Miles McQueen, Trevor McQueen, Wayne Boyer, and May Chaffin, Proceedings of the 42nd Hawaii International Conference on System Sciences, 2009, IEEE.
   • Capture-recapture in Software Inspections after 10 Years Research – Theory, Evaluation and Application, Håkan Petersson, Thomas Thelin, Per Runeson and Claes Wohlin. Journal of Software and Systems, Vol. 72, No. 2, pp. 249-264, 2004.
2. Cybercrime (Alice Hutchings - 30 January 2017)
   1. Ethical Dilemmas in Take-down Research,Tyler Moore and Richard Clayton. Second Workshop on Ethics in Computer Security Research (WECSR 2011), St Lucia, 4 March 2011.
   2. Click trajectories: End-to-end analysis of the spam value chain, Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, et al. IEEE Symposium on Security and Privacy (SP), 22 May 2011.
   3. Exploring the provision of online booter services, Alice Hutchings and Richard Clayton. Deviant Behavior, 37(10), 1163-1178, 2016.
   Optional additional readings:
   • Economics and Internet Security: A survey of recent analytical, empirical and behavioral research, Tyler Moore and Ross Anderson. Computer Science Group, Harvard University.
   • A crime script analysis of the online stolen data market, Alice Hutchings and Thomas J. Holt. British Journal of Criminology, 55(3), 596-614, 2015.
3. Anonymity systems (Steven Murdoch - 6 February 2017)
   1. Mixminion: Design of a Type III Anonymous Remailer Protocol, George Danezis, Roger Dingledine, and Nick Mathewson. In Proceedings of the 2003 IEEE Symposium on Security and Privacy.
   2. Tor: The Second-Generation Onion Router (2014 DRAFT v1), Roger Dingledine, Nick Mathews on, Steven Murdoch and Paul Syverson. Technical Report, Tor Project, January 201 4.
   3. Hot or Not: Revealing Hidden Services by their Clock Skew, Steven J. Murdoch. In Proceedings of the 2006 ACM Conference on Computer and Communications Security (CCS)
4. Usable security (Kat Krol - 13 February 2017)
   1. Why Johnny can't encrypt: A usability evaluation of PGP 5.0, Alma Whitten and J.D. Tygar, Usenix Security, 1999.
   2. More is not the answer Cormac Herley, 2014.
   3. The usability canary in the security coal mine: A cognitive framework for evaluation and design of usable authentication solutions Brian Glass, Graeme Jenkinson, Yuqi Liu, M. Angela Sasse, Frank Stajano, 2016.
   Optional additional readings:
   • So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users Cormac Herley, 2009.
   • Daniel Kahneman's Nobel Prize lecture
5. Censorship resistance (Sheharbano Khattak - 20 February 2017)
   1. Tools and Technology of Internet Filtering, Steven J. Murdoch and Ross Anderson. In Access Denied: The Practice and Policy of Global Internet Filtering, MIT Press, January 2008.
   2. Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability, Amir Houmansadr, Giang T. K. Nguyen, Matthew Caesar, Nikita Borisov. In Proceedings of the 2011 ACM Conference on Computer and Communications Security (CCS).
   3. Protecting Free Expression Online with Freenet, Ian Clarke, Theodore W. Hong, Scott G. Miller, Oskar Sandberg, and Brandon Wiley, IEEE Internet Computing v 6 no 1, 40-49 (2002).
   Optional additional readings:
   • Do You See What I See? Differential Treatment of Anonymous Users. Sheharbano Khattak, David Fifield, Sadia Afroz, Mobin Javed, Srikanth Sundaresan, Vern Paxson, Steven J. Murdoch, and Damon McCoy. In Proceedings of the 23rd Network and Distributed System Security Symposium (NDSS), 2016.
6. Language-based security (Khilan Gudka - 27 February 2017)
   1. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). Edward J. Schwartz, Thanassis Avgerinos, David Brumley. IEEE S&P 2010.
   2. A Decentralized Model for Information Flow Control. Andrew C. Myers and Barbara Liskov. Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint-Malo, France, 5–8 October 1997.
   3. Control-Flow Integrity - Principles, Implementations, and Applications. Martin Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. ACM CCS 2005.
7. Banking security (Mike Bond - 6 March 2017)
   1. Chip and PIN is Broken, Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (May 2010), pp. 433-446, doi:10.1109/sp.2010.33.
   2. Chip and Skim: cloning EMV cards with the pre-play attack by Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, Ross Anderson. In Proceedings of the 2014 IEEE Symposium on Security and Privacy (May 2014).
   3. Designed to Fail: A USB-Connected Reader for Online Banking by Arjan Blom, Gerhard de Koning Gans, Erik Poll, Joeri de Ruiter and Roel Verdult. Nordic Conference on Secure IT Systems. 2012. doi:10.1007/978-3-642-34210-3_1.
8. Encrypted data systems (Alastair Beresford - 13 March 2017)
   1. Building Web Applications on Top of Encrypted Data Using Mylar. Raluca Ada Popa, Emily Stark, Steven Valdez, Jonas Helfer, Nickolai Zeldovich, Hari Balakrishnan. Proceedings of the 11th USENIX Symposium on Network Systems Design and Implementation (NSDI), 2014.
   2. Breaking Web Applications Built On Top of Encrypted Data. Paul Grubbs, Richard McPherson, Muhammad Naveed, Thomas Ristenpart, Vitaly Shmatikov. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.
   3. What Else is Revealed by Order-Revealing Encryption? F. Betül Durak, Thomas M. DuBuisson, David Cash. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.
   Optional additional readings:
   • Videos
     • Paul Grubbs at Real World Crypto 2017 on Mylar attacks
     • David Cash at Real World Crypto 2017 on Order-Revealing Encryption
     • Raluca Ada Popa at Real World Crypto 2017 on Mylar and Verena
   • The Morning Paper summary. Archive URL.
   • Short response by Mylar authors to Grubbs et al. paper. Archive URL.
   • Short response by Grubbs et al. to the response by Mylar authors. Archive URL.