Computer Laboratory

Course pages 2016–17

Computer Security: Current Applications and Research

R210 Slides and Readings

Reading assignments

The following papers are assigned reading for R210, which should be read prior to the class indicated. This list is still being finalised, and further changes may be made before the start of term. Please contact the module instructors if you have any questions.

  1. Vulnerability management (Eireann Leverett - 23 January 2017)
    1. Optimal Policy for Software Vulnerability Disclosure, Ashish Arora, Rahul Telang, and Hao Xu, Management Science 54(4):642-656, 2008.
    2. Milk or Wine: Does Software Security Improve with Age?, Andy Ozment and Stuart Schechter, Proceedings of the 15th USENIX Security Symposium, USENIX, 2006.
    3. You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications, Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson, Proceedings of the 25th USENIX Security Symposium, 2016, ISBN 978-1-931971-32-4.
  2. Cybercrime (Alice Hutchings - 30 January 2017)
    1. Ethical Dilemmas in Take-down Research, Tyler Moore and Richard Clayton. Second Workshop on Ethics in Computer Security Research (WECSR 2011), St Lucia, 4 March 2011.
    2. Click trajectories: End-to-end analysis of the spam value chain, Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, et al. IEEE Symposium on Security and Privacy (SP), 22 May 2011.
    3. Exploring the provision of online booter services, Alice Hutchings and Richard Clayton. Deviant Behavior, 37(10), 1163-1178, 2016.
  3. Anonymity systems (Steven Murdoch - 6 February 2017)
    1. Mixminion: Design of a Type III Anonymous Remailer Protocol, George Danezis, Roger Dingledine, and Nick Mathewson. In Proceedings of the 2003 IEEE Symposium on Security and Privacy.
    2. Tor: The Second-Generation Onion Router (2014 DRAFT v1), Roger Dingledine, Nick Mathewson, Steven Murdoch and Paul Syverson. Technical Report, Tor Project, January 2014.
    3. Hot or Not: Revealing Hidden Services by their Clock Skew, Steven J. Murdoch. In Proceedings of the 2006 ACM Conference on Computer and Communications Security (CCS).
  4. Usable security (Kat Krol - 13 February 2017)
    1. Why Johnny can't encrypt: A usability evaluation of PGP 5.0, Alma Whitten and J.D. Tygar, Proceedings of the 8th USENIX Security Symposium, 1999.
    2. More is not the answer, Cormac Herley, IEEE Security & Privacy 12(1), 2014.
    3. The usability canary in the security coal mine: A cognitive framework for evaluation and design of usable authentication solutions, Brian Glass, Graeme Jenkinson, Yuqi Liu, M. Angela Sasse, Frank Stajano, European Workshop on Usable Security (EuroUSEC), 2016.
  5. Censorship resistance (Sheharbano Khattak - 20 February 2017)
    1. Tools and Technology of Internet Filtering, Steven J. Murdoch and Ross Anderson. In Access Denied: The Practice and Policy of Global Internet Filtering, MIT Press, January 2008.
    2. Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability, Amir Houmansadr, Giang T. K. Nguyen, Matthew Caesar, Nikita Borisov. In Proceedings of the 2011 ACM Conference on Computer and Communications Security (CCS).
    3. Protecting Free Expression Online with Freenet, Ian Clarke, Theodore W. Hong, Scott G. Miller, Oskar Sandberg, and Brandon Wiley, IEEE Internet Computing 6(1):40-49, 2002.
  6. Language-based security (Khilan Gudka - 27 February 2017)
    1. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). Edward J. Schwartz, Thanassis Avgerinos, David Brumley. IEEE S&P 2010.
    2. A Decentralized Model for Information Flow Control. Andrew C. Myers and Barbara Liskov. Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint-Malo, France, 5–8 October 1997.
    3. Control-Flow Integrity: Principles, Implementations, and Applications. Martin Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. ACM CCS 2005.
  7. Banking security (Mike Bond - 6 March 2017)
    1. Chip and PIN is Broken, Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (May 2010), pp. 433-446, doi:10.1109/sp.2010.33.
    2. Chip and Skim: cloning EMV cards with the pre-play attack by Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, Ross Anderson. In Proceedings of the 2014 IEEE Symposium on Security and Privacy (May 2014).
    3. Designed to Fail: A USB-Connected Reader for Online Banking, Arjan Blom, Gerhard de Koning Gans, Erik Poll, Joeri de Ruiter and Roel Verdult. Nordic Conference on Secure IT Systems (NordSec), 2012. doi:10.1007/978-3-642-34210-3_1.
  8. Encrypted data systems (Alastair Beresford - 13 March 2017)
    1. Building Web Applications on Top of Encrypted Data Using Mylar. Raluca Ada Popa, Emily Stark, Steven Valdez, Jonas Helfer, Nickolai Zeldovich, Hari Balakrishnan. Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2014.
    2. Breaking Web Applications Built On Top of Encrypted Data. Paul Grubbs, Richard McPherson, Muhammad Naveed, Thomas Ristenpart, Vitaly Shmatikov. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.
    3. What Else is Revealed by Order-Revealing Encryption? F. Betül Durak, Thomas M. DuBuisson, David Cash. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.