Department of Computer Science and Technology

Course pages 2017–18

Computer Security: Current Applications and Research

R210 Slides and Readings

Reading assignments

The following papers are assigned reading for R210, which should be read prior to the class indicated. This list is still being finalised, and further changes may be made before the start of term. Please contact the module instructors if you have any questions.

Please let Daniel Thomas (drt24) know if you spot any mistakes.

  1. Encrypted data systems (Alastair Beresford - 22 January 2018)
    1. Building Web Applications on Top of Encrypted Data Using Mylar. Raluca Ada Popa, Emily Stark, Steven Valdez, Jonas Helfer, Nickolai Zeldovich, Hari Balakrishnan. Proceedings of the 11th USENIX Symposium on Network Systems Design and Implementation (NSDI), 2014.
    2. Breaking Web Applications Built On Top of Encrypted Data. Paul Grubbs, Richard McPherson, Muhammad Naveed, Thomas Ristenpart, Vitaly Shmatikov. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.
    3. What Else is Revealed by Order-Revealing Encryption? F. Betül Durak, Thomas M. DuBuisson, David Cash. Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.
    Optional additional readings:
  2. Access Control (Robert Watson - 29 January 2018)
    1. D Elliot Bell and Len LaPadula. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975). Read pp1-48, 64-73 only.
    2. Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, Sheila A. Haghighat, A Domain and Type Enforcement UNIX Prototype. Proceedings of the Fifth USENIX UNIX Security Symposium (1996)
    3. Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), February 2013.
    Optional additional reading:
  3. Vulnerability management (Eireann Leverett - 5 February 2018)
    1. Optimal Policy for Software Vulnerability Disclosure, Ashish Arora, Rahul Telang, and Hao Xu, Management Science 54:4, 642-656, 2008.
    2. Milk or Wine: Does Software Security Improve with Age?, Andy Ozment and Stuart Schecter, Proceedings of the 15th USENIX Security Symposium, USENIX, 2007.
    3. You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications, Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson, Proceedings of the 25th USENIX Security Symposium, 2016.
    Optional additional readings:
  4. Banking security (Mike Bond - 12 February 2018)
    1. Chip and PIN is Broken, Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond. In Proceedings of the 2010 IEEE Symposium on Security and Privacy (May 2010), pp. 433-446, doi:10.1109/sp.2010.33.
    2. Chip and Skim: cloning EMV cards with the pre-play attack by Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, Ross Anderson. In Proceedings of the 2014 IEEE Symposium on Security and Privacy (May 2014).
    3. Security Protocols and Evidence: Where Many Payment Systems Fail by Steven J. Murdoch and Ross Anderson. In Financial Cryptography and Data Security, Barbados, 03–07 March 2014.
    Optional additional readings:
  5. Anonymity systems (Steven Murdoch - 19 February 2018)
    1. Mixminion: Design of a Type III Anonymous Remailer Protocol, George Danezis, Roger Dingledine, and Nick Mathewson. In Proceedings of the 2003 IEEE Symposium on Security and Privacy.
    2. Tor: The Second-Generation Onion Router (2014 DRAFT v1), Roger Dingledine, Nick Mathews on, Steven Murdoch and Paul Syverson. Technical Report, Tor Project, January 2014.
    3. Hot or Not: Revealing Hidden Services by their Clock Skew, Steven J. Murdoch. In Proceedings of the 2006 ACM Conference on Computer and Communications Security (CCS)
  6. Capability Systems (Robert Watson - 26 February 2018)
    1. David Wagner and Dean Tribble, A Security Analysis of the Combex DarpaBrowser Architecture, March 4, 2002.
    2. R. N. M. Watson, J. Anderson, B. Laurie, and K. Kennaway, Capsicum: practical capabilities for UNIX 19th USENIX Security Symposium, 2010
    3. R. N. M. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave, B. Davis, K. Gudka, B. Laurie, S. J. Murdoch, R. Norton, M. Roe, S. Son, and M. Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, Proceedings of the 36th IEEE Symposium on Security and Privacy ("Oakland"), San Jose, California, USA, May 2015.
    Optional additional reading:
  7. Language-based security (Khilan Gudka - 5 March 2018)
    1. Finding Security Vulnerabilities in Java Applications with Static Analysis. V. Benjamin Livshits and Monica S. Lam. Usenix Security 2005.
    2. A Decentralized Model for Information Flow Control. Andrew C. Myers and Barbara Liskov. Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint-Malo, France, 5–8 October 1997.
    3. Control-Flow Integrity - Principles, Implementations, and Applications. Martin Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti. ACM CCS 2005.
  8. Blockchain (Shehar Bano - 12 March 2018)
    1. SoK: Consensus in the Age of Blockchains. Shehar Bano, Alberto Sonnino, Mustafa Al-Bassam, Sarah Azouvi, Patrick McCorry, Sarah Meiklejohn, and George Danezis. November 2017.
    2. Enhancing Bitcoin Security and Performance with Strong Consistency via Collective Signing. E. K. Kogias, P. Jovanovic, N. Gailly, I. Khoffi, L. Gasser, and B. Ford. Proceedings of the 25th USENIX Security Symposium (USENIX Security), pp. 279–296. 2016.
    3. Chainspace: A Sharded Smart Contracts Platform. Mustafa Al-Bassam, Alberto Sonnino, Shehar Bano, Dave Hrycyszyn and George Danezis. To appear in the proceedings of the 25th Network and Distributed System Security Symposium (NDSS), 2018.
    Optional additional readings: