Contact: andrew@cs.unc.edu
Class Meetings: Mon/Wed 11:00-12:15PM, FB007
Office Hours: By Appointment, in FB340
Syllabus
The goal of this course is to give students a broad overview of research topics in the field of computer security. This involves reading and discussing both foundational and recent papers, and conducting a course research project.
Course Structure
Grades will be based upon the following:
Class Participation (20%)
Students are expected to contribute to class discussions following paper presentations. Students should be able to ask insightful questions and demonstrate that they have read and understand the assigned readings.
Paper Presentations (30%)
Students will give conference-style talks on assigned papers. They will prepare slides and a 15-minute presentation on the papers.
Course Project (50%)
Students will conduct original research on a topic related to computer security over the course of the semester. Students will propose a project part-way through the class, and will submit a final report (6-12 pages) by the end of the course. Students will also give a conference-style talk on their results during the final week of class. Working in groups is allowed, but a more substantial product is expected when working as a group.
Reading List
Welcome
Monday, August 21 — Welcome/Course Overview
Slides
Wednesday, August 23 — Instructor Presents
Slides
Binary Exploitation
Monday, August 28 — Stack Smashing
- Smashing The Stack For Fun And Profit. Aleph One. Phrack 49(14), Nov. 1996.
- StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. USENIX Security 1998.
Wednesday, August 30 — Advanced Pwning
Nation State Attacks
Monday, September 4
No Class.
Wednesday, September 6 — Russia
Side-Channels
Monday, September 11
- Timing Analysis of Keystrokes and Timing Attacks on SSH. USENIX Security 2001.
- FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. USENIX Security 2014.
Wednesday, September 13
- Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Ristenpart, Tromer, Shacham, and Savage. CCS 2009.
- Spectre attacks: Exploiting Speculative Execution. Oakland 2019.
Cyber-Physical Systems
Monday, September 18 — Automotive Security
- Experimental Security Analysis of a Modern Automobile. Oakland 2010.
- Comprehensive Experimental Analyses of Automotive Attack Surfaces. USENIX Security 2011.
Wednesday, September 20
- Security Analysis of a Full-Body Scanner. USENIX Security 2014.
- Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. Oakland 2008.
Web Security
Monday, September 25
No Class.
Wednesday, September 27 — Sandboxing
- Native Client: A Sandbox for Portable, Untrusted x86 Native Code. Oakland 2009.
- Retrofitting Fine Grain Isolation in the Firefox Renderer. USENIX Security 2020.
Memory
Monday, October 2 — Rowhammer
- Exploiting the DRAM rowhammer bug to gain kernel privileges. Google blog post, 2015.
- TRRespass: Exploiting the Many Sides of Target Row Refresh. Oakland 2020.
Wednesday, October 4 — Disturbance Effects/Forensics
- Row Press. ISCA 2023.
- Lest We Remember: Cold Boot Attacks on Encryption Keys. USENIX Security 2008.
Course Project Proposal Presentations
Monday, October 9 — Proposal Presentations
Wednesday, October 11 — Proposal Presentations Continued
Machine Learning
Monday, October 16
Wednesday, October 18
- Extracting Training Data from Large Language Models. USENIX Security 2021.
- Dos and Don'ts of Machine Learning in Computer Security. USENIX Security 2022.
Botnets/Spam
Monday, October 23 — Botnets
- Your Botnet is My Botnet: Analysis of a Botnet Takeover. CCS 2009.
- Understanding the Mirai Botnet. USENIX Security 2017.
Wednesday, October 25 — Spam
- Detecting and Characterizing Lateral Phishing at Scale. USENIX Security 2019.
- Spamalytics: An Empirical Analysis of Spam Marketing Conversion. CCS 2008.
Crypto Fails/Privacy
Monday, October 30 — Real World Cryptography
Wednesday, November 1 — Privacy
- BlindBox: Deep Packet Inspection over Encrypted Traffic. SIGCOMM 2015.
- Zerocash: Decentralized Anonymous Payments from Bitcoin. Oakland 2014.
Human Factors
Monday, November 6 — Usability
- Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. USENIX Security 1999.
- Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. USENIX Security 2013.
Wednesday, November 8 — Passwords
- Of Passwords and People: Measuring the Effect of Password-composition Policies. CHI 2011.
- The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. Oakland 2012.
- "It’s stressful having all these phones": Investigating Sex Workers' Safety Goals, Risks, and Practices Online. USENIX Security 2021.
Tracking
Monday, November 13 — Anonymous Browsing
- Tor: The Second-Generation Onion Router. USENIX Security 2004.
- How Unique Is Your Web Browser? PETS 2010.
- Keeping a Low Profile? Technology, Risk and Privacy among Undocumented Immigrants. CHI 2018.
Wednesday, November 15 — Web/Device Tracking
- The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. CCS 2014.
- Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices. CCS 2019.
- “Why wouldn’t someone think of democracy as a target?”: Security practices & challenges of people involved with U.S. political campaigns. USENIX Security 2021.
Network Security
Monday, November 20
- The Matter of Heartbleed. IMC 2014.
- Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. USENIX Security 2016.
- The Antrim County 2020 Election Incident: An Independent Forensic Investigation. USENIX Security 2022.