18732 Reading List
Part I: Secure Coding
- Jan 10: Introduction
Reflections on
trusting trust, by Thompson
Rudimentary
treatise on the construction of locks, Tomlinson.
- Jan 12:
Smashing The
Stack For Fun And Profit, Aleph One.
Buffer
Overflows: Attacks and Defenses for the Vulnerability of the Decade,
Crispin Cowan, et al.
- Jan 19:
A
First Step Towards Automated Detection of Buffer Overrun
Vulnerabilities, by David Wagner and Drew Dean
High
Coverage Detection of Input-Related Security Faults, by Eric Larson
and Todd Austin.
- Jan 24:
Exploiting
Format String Vulnerabilities, team teso.
Detecting
Format String Vulnerabilities With Type Qualifiers, by Shankar,
Talwar, Foster, Wagner
- Jan 26:
CCured:
Type-Safe Retrofitting of Legacy Code. George C. Necula, Scott
McPeak, Westley Weimer.
A Practical
Dynamic Buffer Overflow Detector, by O. Ruwase and M. Lam.
- Jan 31: Guest lecture (Sanjit Seshia)
Automatic Discovery of API-Level Exploits by Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Thomas W. Reps and Randal E. Bryant
- Feb 2: Guest lecture (Chris Long)
Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma
Whitten and J. D. Tygar
Trusted Paths for Browsers by E. Ye and S.W. Smith
- Feb 7: mid mini break, no class
- Feb 9:
Checking
System Rules Using System-Specific, Programmer-Written Compiler
Extensions, by Dawson Engler, Benjamin Chelf, Andy Chou, and Seth
Hallem
- Feb 14: Guest Lecture (Lujo Bauer)
Proof
Carrying Code, by George Necula and Peter Lee.
- Feb 16:
Bugs as Deviant Behavior: A General Approach to Inferring Errors in
Systems Code, by Dawson Engler, David Yu Chen, Seth Hallem, Andy
Chou, and
Benjamin Chelf
Part II: Secure OS
- Feb 21:
The
protection of information in computer systems, Saltzer and
Schroeder. (Skip, or skim, Section II.)
Efficient
Software-Based Fault Isolation
- Feb 23:
A
Sense
of Self for Unix Processes by S. Forrest, S. A. Hofmeyr, A.
Somayaji
and T. A. Longstaff
On Gray-Box
Program
Tracking for Anomaly Detection by Debin Gao, Michael K. Reiter and
Dawn
Song
- Feb 28:
Privtrans:
Automatic Privilege Separation by David Brumley and Dawn Song
A
Flexible Containment Mechanism for Executing Untrusted Code
- Mar 2: Guest lecturer (Lujo Bauer)
Enforceable
security policies, Fred B. Schneider
SASI
Enforcement of Security Policies: A Retrospective, Erlingsson and
Schneider
- Mar 7 & 9: spring break, no class
- Mar 14: midterm review
- Mar 16: midterm
- Mar 21:
Checking
for Race Conditions in File Accesses, by M. Bishop and M. Dilger.
Dynamic
Detection and Prevention of Race Conditions in File Accesses, by
Eugene Tsyrklevich and Bennet Yee
- Mar 23:
Self-stabilizing systems in spite of distributed control by Edsger W. Dijkstra
How to securely replicate services by Michael K. Reiter and Kenneth P. Birman
- Mar 28: Virtual Machines
A
Virtual Machine Introspection Based Architecture for Intrusion Detection
Xen:
the Art of Virtualization
- Mar 30:
Automated Generation and Analysis of Attack Graphs, Oleg Sheyner,
Somesh Jha, and Jeannette M. Wing,
Part III: Malcode Analysis and Defense and Other Topics
- Apr 4:
Nachenberg,
Computer Virus-Antivirus Coevolution
Static
Analysis of Executables to Detect Malicious Patterns, by M.
Christodorescu and S. Jha.
- Apr 6:
Remote timing attacks are practical , by Dan Boneh and David Brumley
Timing Analysis of Keystrokes and SSH Timing Attacks, by Dawn Song, David Wagner, and Xuqing Tian.
- Apr 11: Guest lecturer (Sagar Chaki)
Efficient Verification of Sequential and Concurrent C Programs by Sagar Chaki, Edmund Clarke, Alex Groce, Joel Ouaknine, Ofer Strichman and Karen Yorav
State/Event-based Software Model Checking by Sagar Chaki, Edmund Clarke, Joel Ouaknine, Natasha Sharygina and Nishant Sinha
- Apr 13:
How to 0wn the Internet in Your Spare Time, by Stuart Staniford, Vern Paxson, Nicholas Weaver.
- Apr 18: Guest Lecturer (James Newsome)
Dynamic
Taint Analysis: Automatic Detection, Analysis, and Signature Generation
of
Exploit Attacks on Commodity Software by James Newsome and Dawn Song
Polygraph: Automatic Signature Generation for Polymorphic Worms, by
James Newsome, Brad Karp, Dawn Song
- Apr 20:
- Apr 25 & 27 : Project presentation & Demo