Course pages 2018–19
Computer Security: Principles and Foundations
Welcome to R209 - Computer Security: Principles and Foundations.
R209 Slides and Readings
Slides
Reading assignments
The following papers are assigned reading for R209, which should be read prior to the class indicated. Please contact the module instructors if you have any questions.
- Origins and Foundations of Computer Security (8 October 2018 - Anderson, Beresford, Thomas)
- Jerome H Saltzer and Michael D Schroeder. The Protection of Information in Computer Systems, Communications of the ACM 17(7) (July 1974)
- Roger Needham and Michael Schroeder. Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM 21(12) (Dec 1978)
- Adversarial reasoning (15 October 2018 - Anderson)
- Butler Lampson. A Note on the Confinement Problem, Communications of the ACM 16(10) (Oct 1973).
- Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy, May 2010.
- Kaveh Razavi, Ben Gras, and Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. Flip Feng Shui: Hammering a Needle in the Software Stack. Proceedings of the 25th USENIX Security Symposium, August 2016.
- Ken Thompson. Reflections on Trusting Trust, Communications of the ACM v 27 no 8 (1984) pp 761–763.
- Paul Karger and Roger Schell. Multics Security Evaluation, Volume II: Vulnerability Analysis. Technical Report ESD-TR-74-193, v II, Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731 (June 1974). Read pp1-64; *skip the Subverter Listing*; the glossary on p149 may be useful
- Access Control (22 October 2018 - Beresford)
- D Elliot Bell and Len LaPadula. Secure Computer System: Unified Exposition and Multics Interpretation. Technical Report ESD-TR-75-306, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (1975). Read pp1-48, 64-73 only.
- Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, Sheila A. Haghighat, A Domain and Type Enforcement UNIX Prototype. Proceedings of the Fifth USENIX UNIX Security Symposium (1996)
- Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), February 2013.
- Cryptographic Protocols (29 October 2018 - Anderson)
- Mike Burrows, Martín Abadi and Roger Needham, A Logic of Authentication, Proc. Roy. Soc. A v 426 no 1871 pp 233–271 (1989).
- Ross Anderson, API Attacks, from Security Engineering – A Guide to Building Dependable Distributed Systems, Second Edition, Wiley (2008).
- Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, Jean Karim Zinzindohoue, A Messy State of the Union: Taming the Composite State Machines of TLS, IEEE Security and Privacy 2015
Optional additional reading:
- Martín Abadi and Roger Needham, Prudent Engineering Practice for Cryptographic Protocols, IEEE Transactions on Software Engineering v 22 no 1 (1996).
- Correctness vs. Mitigation (5 November 2018 - Thomas)
- Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood, seL4: formal verification of an OS kernel, Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems principles (SOSP '09)
- Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler, A few billion lines of code later: using static analysis to find bugs in the real world, Communications of ACM 53(2) (February 2010)
- Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song, SoK: Eternal War in Memory, Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13). IEEE Computer Society, Washington, DC, USA.
- Usable security (12 November 2018 - Beresford)
- Alma Whitten and J.D. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0, Usenix Security, 1999.
- Cormac Herley. More is not the answer, 2014.
- Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, Lars Baumgärtner, Bernd Freisleben. Why Eve and Mallory love Android: an analysis of Android SSL (in)security, ACM conference on Computer and Communications Security (CCS), 2012.
- Cormac Herley. So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, 2009.
- Daniel Kahneman's Nobel Prize lecture
- Security Economics (19 November 2018 - Anderson)
- Ross Anderson and Tyler Moore, Information security: where computer science, economics, and psychology meet, Phil Trans Roy Soc A v 367 no 1898 pp 2717–2727 (2009).
- Michel van Eeten, Johannes M. Bauer, Hadi Asghari, Shirin Tabatabaie, and Dave Rand, The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data, WEIS 2010.
- Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, Measuring the Cost of Cybercrime, WEIS 2012.
Optional additional reading:
- Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda, and Christopher Kruegel, Is the Internet for Porn? An Insight Into the Online Adult Industry, WEIS 2010.
- Passwords (26 November 2018 - Beresford)
- Robert Morris and Ken Thompson, Password security: a case history, Communications of the ACM 22(11) (1979).
- Anne Adams and M. Angela Sasse, Users are not the enemy, Communications of the ACM v 42 no 12 (1999).
- Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano, The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, IEEE Security and Privacy 2012.
Optional additional reading:
- Joseph Bonneau, Cormac Herley, Paul C. van Oorschot and Frank Stajano. Passwords and the Evolution of Imperfect Authentication. Comms ACM 58(7):78-87, July 2015.
Course materials from previous years
Last year’s course materials are still available.