6.858 | Fall 2014 | Graduate

Computer Systems Security

Readings

LEC # READINGS READING QUESTION
1 No readings No question
2 Akritidis, Periklis, Manuel Costa, et al. “Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors.” USENIX Security Symposium (2009): pp. 51–66. Lecture 2 Question (PDF)
3 Bittau, Andrea, Adam Belay, et al. “Hacking Blind.” Proceedings of the IEEE Symposium on Security & Privacy (2014). Lecture 3 Question (PDF)
4 Krohn, Maxwell. “Building Secure High-Performance Web Services with OKWS (PDF).” USENIX Technical Conference (2004): pp. 185–198. Lecture 4 Question (PDF)
5 No readings No question
6

Hardy, Norm. “The Confused Deputy.” ACM SIGOPS Operating Systems Review 22, no. 4 (1988): pp. 36–38.

Watson, Robert N. M., Jonathan Anderson, et al. “Capsicum: practical capabilities for UNIX.” (PDF) Proceedings of the 19th USENIX Security Symposium (2010).

Lecture 6 Question (PDF)
7 Yee, Bennett, David Sehr, et al. “Native Client: A Sandbox for Portable, Untrusted x86 Native Code.” IEEE Symposium on Security and Privacy (2009): pp. 79–93. Lecture 7 Question (PDF)
8

OWASP Top 10 - 2013: The Ten Most Critical Web Application Security Risks.”

Zalewski, Michal. Chapters 9–13 in The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, 2011. ISBN: 9781593273880.

Lecture 8 Question (PDF)
9

Security in Django.”

Django CSRF Protection.”

Lecture 9 Question (PDF)
10 Cadar, Cristian, Daniel Dunbar, et al. “KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs.” Operating Systems Design and Implementation (2008): pp. 209–224. Lecture 10 Question (PDF)
11 Chlipala, Adam. “Ur / Web: A Simple Model for Programming the Web.” ACM SIGPLAN-SIGACT Symposium (2015): pp. 153–165. Lecture 11 Question (PDF)
12 Bellovin, Steven M. “A Look Back at ‘Security Problems in the TCP/IP Protocol Suite’.” Computer Security Applications Conference (2004): pp. 229–249. Lecture 12 Question (PDF)
13 Steiner, Jennifer G., Clifford Neuman, et al. “Kerberos: An Authentication Service for Open Network Systems.” USENIX Conference (1988). Lecture 13 Question (PDF)
14 Jackson, Collin, and Adam Barth. “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks.” Proceedings of the 17th international conference on World Wide Web (2008): pp. 525–534. Lecture 14 Question (PDF)
15 Fu, Kevin. “Trustworthy Medical Device Software,” 2011. Lecture 15 Question (PDF)
16 Brumley, David, and Dan Boneh. “Remote Timing Attacks are Practical.” Proceedings of the 12th USENIX Security Symposium 12, (2003): pp. 1. Lecture 16 Question (PDF)
17

Bonneau, Joseph, Cormac Herley, et al. “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” IEEE Symposium on Security and Privacy (2012): pp. 553–567.

There is an optional extended version published by the University of Cambridge: Computer Laboratory.

Lecture 17 Question (PDF)
18 Aggarwal, Gaurav, Elie Burzstein, et al. “An Analysis of Private Browsing Modes in Modern Browsers.” USENIX Conference on Security (2010). Lecture 18 Question (PDF)
19

Dingledine, Roger, Nick Mathewson, et al. “Tor: The Second-Generation Onion Router.” Proceedings of the 13th USENIX Security Symposium 13 (2004): pp. 21.

Blog posts:

Part 1   
Part 2   
Part 3

Lecture 19 Question (PDF)
20

“Enck, William, Machigar Ongtang, et al. “Understanding Android Security.” IEEE Security and Privacy 7, no. 1 (2009): pp. 50–57.

Errata: Bug in the paper: In Figure 1, in the FriendViewer application, the top right blue oval (shown as Activity “FriendTracker”) should actually be a rounded-rectangle Activity “FriendMap” (see Figure 2).

Lecture 20 Question (PDF)
21 Enck, William, Peter Gilbert, et al. “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones.” Communications of the ACM 57, no. 3 (2010): pp. 99–106. Lecture 21 Questions (PDF)
22 No readings No question
23 Levchenko, Kirill, Andreas Pitsillidis, et al. “Click Trajectories: End-to-End Analysis of the Spam Value Chain.” IEEE Symposium on Security and Privacy (2011): pp. 431–446. Lecture 23 Question (PDF)
24 No readings No question

Course Info

As Taught In
Fall 2014
Level
Learning Resource Types
Lecture Videos
Exams with Solutions
Lecture Notes
Projects with Examples