COMS W4187: Lectures

The lectures and readings listed here are subject to change, including in response to current events (i.e., major new security holes).

Sep 03: Introduction

Text, Chapter 1
Thinking Security, Chapters 1-3
Sep 08: Access Control

Text, Chapter 2
The man page for Linux access control lists; run 'man 5 acl' on the CLIC machines
Sep 10: Complex Access Control

Text, Chapter 3
M. D. McIlroy and J. A. Reeds, "Multilevel Security in the Unix Tradition", Software—Practice and Experience, vol. 22:8, 1992, pp. 673-694.
Marking Classified National Security Information (optional)
Report on the U.S. Intelligence Community's Prewar Intelligence Assessments on Iraq (the document from which the sample marked page was taken; very optional)
Sep 15: Privileges

Text, Chapter 4
What is a Capability, Anyway?
Sep 17: Introduction to Cryptography

Text, Chapter 7
The Story of Alice and Bob
New Directions in Cryptography, Whitfield Diffie and Martin E. Hellman, IEEE Transactions on Information Theory, vol IT-22, number 6, pp. 644--654, November 1976.
Two articles on British invention of "non-secret encryption" (recommended)
A method for obtaining digital signatures and public-key cryptosystems, R. L. Rivest, A. Shamir, L. Adleman, Communications of the ACM, Volume 21 Issue 2, February 1978. (recommended)
XKCD on cracking RSA (recommended)
XKCD threat models (recommended)
Sep 22: Authentication

Text, Chapter 9
Thinking Security, Chapter 7
Password security: a case history, Robert Morris and Ken Thompson, Communications of the ACM, Volume 22, Issue 11 (November 1979), Pages: 594 - 597.
Google security exec: 'Passwords are dead', Daniel Terdiman, CNET News, September 10, 2013
Dr. Fun
Dilbert
Dilbert
Dilbert
Dilbert
User Friendly
Sep 24: Biometrics; Authentication as a Systems Problem

Thinking Security, Chapter 8
Chapter 5 of Who Goes There? Authentication Through the Lens of Privacy.
CS Department certificate
CUIT mail server certificate
Thinking Security, chapter 8
Why the iPhone's fingerprint sensor is better than the ones on older laptops, CITEworld
German Hackers Say They Cracked iPhone’s New Fingerprint Scanner, Wired Threat Level
NIST: Performance of Facial Recognition Software Continues to Improve, June 2014.
Performance of Face Identification Algorithms, Patrick J. Grother and Mei L. Ngan, NIST, May 2014 (optional)
Sep 29: Case Study: Access Control

Shellshock, Peter Du
Oct 01: Secure Programming I

Text, Chapter 6
The emperor's old clothes, Charles Antony Richard Hoare, February 1981, Communications of the ACM, Volume 24 Issue 2
Smashing The Stack For Fun And Profit, Aleph One, Phrack 49, Volume Seven, Issue Forty-Nine, File 14 of 16
Static Analysis for Security, Gary McGraw, IEEE Security & Privacy (Nov/Dec 2004).
Oct 06: Secure Programming II

Hacking the D.C. Internet Voting System, Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman, Proc. 16th Conference on Financial Cryptography & Data Security, 2012.
Windows DLL-loading security flaw puts Microsoft in a bind, Peter Bright, Ars Technica, August 24, 2010
The Windows DLL Loading Security Hole, Larry Seltzer, Dr. Dobb's, September 9, 2010.
Hacking Sweden's election with pen and paper, Wired UK, Duncan Geere, September 24, 2010.
Preparation of Internationalized Strings ("stringprep"), Paul Hoffman, RFC 3454, December 2002.
Creative usernames and Spotify account hijacking, Mikael Goldman, 18 June 2013.
Checking for Race Conditions in File Accesses, Matt Bishop and Michael Dilger, Computing Systems 9 (2) pp. 131-152 (Spring 1996).
setuid - checklist for security of setuid programs
Writing Safe SetUID Programs, Matt Bishop
Using Attack Surface Area And Relative Attack Surface Quotient To Identify Attackability, Ernst & Young LLP.
Oct 08: Protecting the Client
Protecting the client

Text, Chapter 13
Fare Collection Vulnerability Assessment Report, Zack Anderson, Russell Ryan, Alessandro Chiesa, August 8, 2008.
Anatomy of a Subway Hack, Zack Anderson, Russell Ryan, Alessandro Chiesa, (censored) DEFCON presentation, August 2008.
Dutch Public Transit Card Broken, Andy Tanenbaum.
Microsoft Updating Without Permission: When No Doesn't Mean No!, Lauren Weinstein's Blog, September 13, 2007.
Reading Between the Lines: Lessons from the SDMI Challenge, Scott A. Craver, Min Wu, Bede Liu, Adam Stubblefield, Ben Swartzlander, Dan W. Wallach, Drew Dean, and Edward W. Felten. Proc. of 10th USENIX Security Symposium, August 2001.
Viewpoint: the ACM declaration in Felten v. RIAA, Simons, B. 2001. Commun. ACM 44, 10 (Oct. 2001), 23-26.
Java Card Security: How Smart Cards and Java Mix, From Securing Java: Getting Down to Business with Mobile Code, Gary McGraw and Ed Felten, John Wiley & Sons, 1999.
MYK-78 CLIPPER CHIP: ENCRYPTION/DECRYPTION ON A CHIP (recommended)
Using Memory Errors to Attack a Virtual Machine, A. Appel and S. Govindavajhala. In IEEE Symposium on Security and Privacy, 2003 ( "Oakland Security Conference"). (recommended)
Overview of Differential Power Analysis, An engineering overview of Differential Power Analysis by Paul Kocher, Joshua Jaffe, and Benjamin Jun. (recommended)
Information Hiding: A Survey, Fabien A. P. Petitcolas, Ross J. Anderson and Markus G. Kuhn, Proceedings of the IEEE, special issue on protection of multimedia content, 87(7):1062-1078, July 1999. (recommended)
A (not so) quick primer on iOS encryption, David Scheutz, October 6, 2014. (recommended)
AES-256 Is Not Enough: Breaking a Bootloader, ChipWhisperer. (recommended)
Why can't Apple decrypt your iPhone?, Matthew Green, October 4, 2014.
Oct 13: Cryptographic Engineering

Thinking Security, Chapter 6
The Strange Story of Dual_EC_DRBG, Schneier on Security (blog), Nov. 15, 2007.
How a Crypto 'Backdoor' Pitted the Tech World Against the NSA, Kim Zetter, Wired Threat Level, Sep 24, 2013.
On the Practical Exploitability of Dual EC in TLS Implementations, Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, and Hovav Shacham, Usenix Security 2014
Randomness Requirements for Security, RFC 4086, D. Eastlake, 3rd, J.Schiller, S. Crocker. June 2005.
Mining your Ps and Qs: Detection of widespread weak keys in network devices. Nadia Heninger, Zakir Durumeric, Eric Wustrow, J. Alex Halderman. Usenix Security 2012.
Oct 15: Viruses and Trojan Horses

Thinking Security, Chapter 4
Recreating the Trojan Horse?
Computer Viruses - Theory and Experiments, F. Cohen. DOD/NBS 7th Conference on Computer Security, originally appearing in IFIP-sec 84, also appearing as invited paper in IFIP-TC11, ``Computers and Security'', V6#1 (Jan. 1987), pp 22-35
Reflections on trusting trust, Ken Thompson, CACM 27:8, August 1984.
Experience with Viruses on UNIX Systems, Tom Duff, Spring, 1989.
The worm programs -- early experience with a distributed computation, John Shoch and Jon Hupp, Communications of the ACM 25:3 (March 1982).
With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
How a grad student trying to build the first botnet brought the Internet to its knees
Tool turns unsuspecting surfers into hacking help, CNET, March 20, 2007.
JavaScript opens doors to browser-based attacks, CNET, July 28, 2006.
Oldest known depiction of the Trojan Horse, from the "Vase of Mykonos", almost 2700 years old
W32.Stuxnet.Dossier

Readings mentioned in class:

The Sony DRM Rootkit
Problems with the Sony uninstaller
The Sony license
Trojan in open source FTP daemon
Pentration of GNU archive
Bad flash drive caused worst U.S. military breach
A further update on php.net
Oct 20: Security and Usability

Thinking Security, Chapter 14
A. Adams and M. A. Sasse, 1999. "Users are not the enemy: why users compromise security mechanisms and how to take remedial measures". Communications of the ACM 42(12), 40-46.
Alma Whitten and J.D. Tygar, "Why Johnny Can't Encrypt: A Usability Case Study of PGP 5.0". Proceedings of the 8th USENIX Security Symposium, August 1999.
Lorrie Faith Cranor, "A Framework for Reasoning About the Human in the Loop". Usability Psychology and Security Workshop, 2008.
Oct 22: Midterm
Oct 27: Physical and Procedural Security

Thinking Security, Chapter 16
M. Blaze. "Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks." March 2003. IEEE Security and Privacy. March/April 2003.
M. Blaze. "Safecracking for the Computer Scientist." U. Penn CIS Department Technical Report. 7 December 2004 (revised 20 December 2004).
Physical Security Standards for Sensitive Compartmented Information Facilities. DCID 6/9, 18 November 2002.
The Art of Deception, Kevin Mitnick and William Simon, Wiley, 2002. (recommended) (Available as an EBook from the CU library)
US Navy Malware Infection Risked Submarine Prang
Disgruntled Techie Attempts Californian Power Blackout"
Chocolate the Key to Uncovering PC Passwords
Piecing Together Germany's Shredded Stasi Files
Power strip or network hacking tool? It’s both, actually
Oct 29: Architecture

Security Tips, Apache 2.4 (recommended)
suEXEC Support, Apache 2.4 (recommended)
Nov 05: Confinement

A domain and type enforcement UNIX prototype, Lee Badger, Daniel F. Sterne, David L. Sherman, and Kenneth M. Walker, Proc. of the 5th conference on USENIX UNIX Security Symposium, 1995. (recommended)
A Secure Environment for Untrusted Helper Applications, Ian Goldberg, David Wagner, Randi Thomas and Eric A. Brewer, Proc. Usenix Security Symposium, 1996. (recommended)
Capsicum: Practical Capabilities for UNIX, Robert N.M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway, Proc. 19th Usenix Security Symposium, 2010 (recommended).
Nov 10: Program Structure I

The 4.3BSD FTP daemon source.
Nov 12: Program Structure II

Steven M. Bellovin, "Virtual Machines, Virtual Security", Communications of the ACM, Vol. 49, No. 10, October 2006, Inside Risks.
Wang, Helen J., et al. "The Multi-Principal OS Construction of the Gazelle Web Browser." USENIX Security Symposium. 2009.
Nov 17: Security Analysis I

Thinking Security, Chapter 11
Silver Needle in the Skype, P. Biondi and F. Desclaux, BlackHat Europe, 2-3 March 2006.
Automated Penetration Testing with White-Box Fuzzing, John Neystadt, February 2008.
Nov 19: Security Analysis II

ITS4: A Static Vulnerability Scanner for C and C++ Code, John Viega, J.T. Bloch, Tadayoshi Kohno, and Gary McGraw, Annual Computer Security Applications Conference, 2000.
Checking for Race Conditions in File Accesses, M. Bishop and M. Dilger, Computing Systems 9:2, pp. 131-152 (Spring 1996)
CGI/Perl Taint Mode FAQ
Perl Advisor: Taint so Easy, Is It?, Randal L. Schwartz, Unix Review, August 2000.
Static analysis and computer security: New techniques for software assurance. David Wagner. Ph.D. dissertation, Dec. 2000, University of California at Berkeley. (recommended)
Using CQUAL for Static Analysis of Authorization Hook Placement, Xiaolan Zhang & Antony Edwards & Trent Jaeger, Proc. Usenix Security, 2002. (recommended)
Nov 24: The Internet of Things

Thinking Security, Section 11.8
"From the Aether to the Ethernet — Attacking the Internet using Broadcast Digital Television", Yossef Oren and Angelos D. Keromytis. In Proceedings of the 23rd USENIX Security Symposium, August 2014, San Diego, CA. (optional)
Nov 26: No class -- Happy Thanksgiving
Dec 01: Logging

Stalking the wily hacker, Communications of the ACM 31:5, May 1988.
Shadow Hawk Busted Again, Phrack 16, File 11 (Nov 1987) (recommended)
Chicago Phone Freak Gets Prison Term, Risks Digest 8:29, 22 February 1989 (recommended)
Thinking Security, Section 16.3
Dec 03: After an Attack

"The Taking of Clark", Chapter 17, Firewalls and Internet Security: Repelling the Wily Hacker, William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Second Edtion, Addison-Wesley, 2003.
"File System Analysis", Chapter 4, Forensic Discovery, Dan Farmer and Wietse Venema, Addison-Wesley 2004. Read Chapter 4.
Playing "Hide and Seek" with Stored Keys, Adi Shamir and Nicko van Someren, Proceedings of the Third International Conference on Financial Cryptography, 1999. (Recommended)
Dec 08: System Structure
Dec 17: Final Exam
The exam is 1:10-4:00, in the usual room for the course.

COMS W4187 — Lectures (Fall '14)