COMP 790 - 185 - Reading List

Instructor: Andrew Kwong
Contact: andrew@cs.unc.edu
Class Meetings: Mon/Wed 12:20-1:35PM, FB007
Office Hours By Appointment, in FB340
Syllabus

The goal of this course is to give students a broad overview of research topics in the field of computer security. This involves reading and discussing both foundational and recent papers, and conducting a course research project.

Course Structure

Grades will be based upon the following:

Class Participation (20%)

Students are expected to contribute to class discussions following paper presentations. Students should be able to ask insightful questions and demonstrate that they have read and understand the assigned readings.

Paper Presentations (20%)

Students will give conference style talks on assigned papers. They will prepare slides and a 15 minute presentation on the papers.

Paper Reviews (20%)

Students will submit mini-reviews on assigned papers to Canvas.

Course Project (40%)

Students will conduct original research on a topic related to computer security over the course of the semester. Students will propose a project part-way through the class, and will submit a final report (6-12 pages) by the end of the course. Students will also give a conference style talk on their results during the final week of class. Working in groups is allowed, but a more substantial product is expected when working as a group.

Reading List

Welcome

Monday, August 19 — Welcome/Course Overview

Slides

Wednesday, August 21 — Instructor Presents

Slides

Binary Exploitation

Monday, August 26 — Stack Smashing

Smashing The Stack For Fun And Profit. Aleph One. Phrack 49(14), Nov. 1996.
StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. USENIX Security 1998.

Wednesday, August 28 — Advanced Pwning

The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). CCS 2007
Hacking Blind. Oakland 2014

Nation State Attacks

Monday, September 2

Labor Day-No Class.

Wednesday, September 4 — Russia

Side-Channels

Monday, September 9

Timing Analysis of Keystrokes and Timing Attacks on SSH. USENIX Security 2001.
FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. USENIX Security 2014.

Wednesday, September 11

Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Ristenpart Tromer, Shacham, and Savage. CCS 2009.
Spectre attacks: Exploiting Speculative Execution. Oakland 2019.

Cyber-Physical Systems

Monday, September 16 — Automotive Security

Experimental Security Analysis of a Modern Automobile. Oakland 2010.
Comprehensive Experimental Analyses of Automotive Attack Surfaces. USENIX Security 2011.

Wednesday, September 18

Security Analysis of a Full-Body Scanner . USENIX Security 2014.
Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. Oakland 2008.

Web Security

Monday, September 23

Well-Being day-No Class.

Wednesday, September 25 — Sandboxing

Native Client: A Sandbox for Portable, Untrusted x86 Native Code. Oakland 2009.
Retrofitting Fine Grain Isolation in the Firefox Renderer. USENIX Security 2020.

Memory

Monday, September 30 — Rowhammer

Exploiting the DRAM rowhammer bug to gain kernel privileges. Google blog post, 2015.
BLACKSMITH: Scalable Rowhammering in the Frequency Domain. Oakland 2022.

Wednesday, October 2

Extracting Training Data from Large Language Models. USENIX Security 2021.
Dos and Don'ts of Machine Learning in Computer Security. USENIX Security 2022.

Course Project Proposal Presentations

Monday, October 7

— Proposal Presentations

Wednesday, October 9

— Proposal Presentations Continued

Machine Learning

Monday, October 14

Robust Physical-World Attacks on Deep Learning Visual Classification. CVPR 2018
Towards Evaluating the Robustness of Neural Networks. Oakland 2017.

Wednesday, October 16

-No Class.

Botnets/Spam

Monday, October 21 — Botnets

Your Botnet is My Botnet: Analysis of a Botnet Takeover. CCS 2009.
Understanding the Mirai Botnet. USENIX Security 2017.

Wednesday, October 23 — Spam

Detecting and Characterizing LAteral Phishing at Scale. USENIX Security 2019.
Spamalytics: An Empirical Analysis of Spam Marketing Conversion. CCS 2008.

Crypto Fails/Privacy

Monday, October 28 — Real World Cryptography

Wednesday, October 30 — Privacy

BlindBox: Deep Packet Inspection over Encrypted Traffic. SIGCOMM 2015.
Zerocash: Decentralized Anonymous Payments from Bitcoin. Oakland 2014.

Human Factors

Monday, November 4 — Usability

Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0.. USENIX Security 1999
Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. USENIX Security 2013.

Wednesday, November 6 — Passwords

Tracking

Monday, November 11 — Anonymous Browsing

Tor: The Second-Generation Onion Router. USENIX Security 2004.

How Unique Is Your Web Browser?. PETS 2010

Wednesday, November 13 — Web/Device Tracking

Network/Election Security

Monday, November 18 — Disturbance Effects/Forensics

Row Press. ISCA 2023
Lest We Remember: Cold Boot Attacks on Encryption Keys. USENIX Security 2008.

Wednesday, November 20

The Antrim County 2020 Election Incident: An Independent Forensic Investigation. USENIX Security 2022.
“Why wouldn’t someone think of democracy as a target?”: Security practices & challenges of people involved with U.S. political campaigns. USENIX Security 2021.

Research Topics in Computer Security

COMP 790 – 149 – Fall 2024