Department of Computer Science and Technology

Course pages 2018–19

Computer Security: Principles and Foundations

Welcome to R209 - Computer Security: Principles and Foundations.

R209 Slides and Readings

Slides

  1. Introduction to R209
  2. How to present PICS in a seminar-style course
  3. Crypto protocols

Reading assignments

The following papers are assigned reading for R209 and should be read prior to the class indicated. Please contact the module instructors if you have any questions.

  1. Origins and Foundations of Computer Security (8 October 2018 - Anderson, Beresford, Thomas)
    1. Jerome H Saltzer and Michael D Schroeder. The Protection of Information in Computer Systems, Communications of the ACM 17(7) (July 1974)
    2. Roger Needham and Michael Schroeder. Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM 21(12) (Dec 1978)
  2. Adversarial reasoning (15 October 2018 - Anderson)
    1. Butler Lampson. A Note on the Confinement Problem, Communications of the ACM 16(10) (Oct 1973).
    2. Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy, May 2010.
    3. Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. Proceedings of the 25th USENIX Security Symposium, August 2016.
    Optional additional reading:
  3. Access Control (22 October 2018 - Beresford)
    1. D Elliott Bell and Len LaPadula. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975). Read pp1-48, 64-73 only.
    2. Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, Sheila A. Haghighat, A Domain and Type Enforcement UNIX Prototype. Proceedings of the Fifth USENIX UNIX Security Symposium (1996)
    3. Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), February 2013.
  4. Cryptographic Protocols (29 October 2018 - Anderson)
    1. Mike Burrows, Martín Abadi and Roger Needham, A Logic of Authentication, Proc. Roy. Soc. A v 426 no 1871 pp 233–271 (1989).
    2. Ross Anderson, API Attacks, from Security Engineering – A Guide to Building Dependable Distributed Systems, Second Edition, Wiley (2008).
    3. Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, Jean Karim Zinzindohoue, A Messy State of the Union: Taming the Composite State Machines of TLS, IEEE Security and Privacy 2015

    Optional additional reading:

  5. Correctness vs. Mitigation (5 November 2018 - Thomas)
    1. Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood, seL4: formal verification of an OS kernel, Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles (SOSP '09)
    2. Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler, A few billion lines of code later: using static analysis to find bugs in the real world, Communications of the ACM 53(2) (February 2010)
    3. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song, SoK: Eternal War in Memory, Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13). IEEE Computer Society, Washington, DC, USA.
  6. Usable security (12 November 2018 - Beresford)
    1. Alma Whitten and J.D. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0, Usenix Security, 1999.
    2. Cormac Herley. More is not the answer, 2014.
    3. Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, Lars Baumgärtner, Bernd Freisleben. Why Eve and Mallory love Android: an analysis of Android SSL (in)security, ACM conference on Computer and Communications Security (CCS), 2012.
    Optional additional readings:
  7. Security Economics (19 November 2018 - Anderson)
    1. Ross Anderson and Tyler Moore, Information security: where computer science, economics, and psychology meet, Phil Trans Roy Soc A v 367 no 1898 pp 2717–2727 (2009).
    2. Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie, and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, WEIS 2010.
    3. Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, Measuring the Cost of Cybercrime, WEIS 2012.

    Optional additional reading:

  8. Passwords (26 November 2018 - Beresford)
    1. Robert Morris and Ken Thompson, Password security: a case history, Communications of the ACM 22(11) (1979).
    2. Anne Adams and M. Angela Sasse, Users are not the enemy, Communications of the ACM v 42 no 12 (1999).
    3. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano, The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, IEEE Security and Privacy 2012.

    Optional additional reading:

Course materials from previous years

Last year’s course materials are still available.