Topics in Computer and Network Security

Stanford CS 356, Fall 2024

CS 356 is a graduate course that covers foundational work and current topics in computer and network security. The course consists of reading and discussing published research papers, presenting recent security work, and completing an original research project.

📌 Course Information

Discussion: M/W 3:00–4:20 PM. Hewlett Teaching Center 1020.
⚠️ This course is based on in-person discussion of research. On-time, in-person attendance and participation are required.

Instructor: Zakir Durumeric. Office Hours: M/W 4:30–5:00 PM, after class.

Course Assistant: Catherine Han. Office hours by appointment.

Prerequisites: CS 356 is open to all graduate students as well as advanced undergraduate students. While the course has no official prerequisites, it requires a mature understanding of software systems and networks. Students are expected to have taken CS 155: Computer and Network Security or equivalent.

Communication: We use Ed Discussion for announcements and discussion. Students can submit anonymous feedback at any time.

Submissions: All course assignments are to be submitted through Gradescope. Enrollment code: 5KD4V3.

🗓️ Topics and Schedule

The tentative schedule and required readings for the class are below:

9/23  Introduction

Against Security Nihilism

Blog Post. 2016. Chris Palmer.

Mining Your Ps and Qs: Detection of Widespread Weak Keys...

SEC '12. N. Heninger, Z. Durumeric, E. Wustrow, J.A. Halderman.

How to Read a Paper

S. Keshav.

9/25  Web Privacy and Security

The Web Never Forgets: Persistent Tracking Mechanisms in the...

CCS '14. Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, Claudia Diaz.

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

CCS '15. D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J.A. Halderman, N. Heninger, A. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Beguelin, P. Zimmermann.

9/30  Usability [CH]

Alice in Warningland: A Large-Scale Field Study of Browser Security

SEC '13. Devdatta Akhawe, Adrienne Porter Felt.

“...no one can hack my mind”: Comparing Expert and Non-Expert Security Practices

SOUPS '15. Iulia Ion, Rob Reeder, Sunny Consolvo.

10/2  Authentication and Phishing

The Tangled Web of Password Reuse

NDSS '14. Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, XiaoFeng Wang.

Detecting credential spearphishing in enterprise settings

SEC '17. Grant Ho, Aashish Sharma, Mobin Javed, Vern Paxson, David Wagner.

10/7  Denial of Service

Inferring Internet Denial-of-Service Activity

SEC '01. David Moore, Geoffrey Voelker, Stefan Savage.

Understanding the Mirai Botnet

SEC '17. M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J.A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, Y. Zhou.

10/9  Spam and eCrime

Spamalytics: An Empirical Analysis of Spam Marketing Conversion

CCS '08. Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey Voelker, Vern Paxson, and Stefan Savage.

Framing Dependencies Introduced by Underground Commoditization

WEIS '15. Kurt Thomas, Danny Huang, David Wang, Elie Bursztein, Chris Grier, Thomas Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna.

10/14  Software Attacks

Hacking Blind

S&P '14. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, Dan Boneh.

SoK: Eternal War in Memory

S&P '13. Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song.

10/16  Software Defenses

Bringing the Web up to Speed with WebAssembly

PLDI '17. A. Haas, A. Rossberg, D. Schuff, B. Titzer, M. Holman, D. Gohman, L. Wagner, A. Zakai, J. Bastien.

Multiprogramming a 64 kB Computer Safely and Efficiently

SOSP '17. Amit Levy, Bradford Campbell, Branden Ghena, Daniel B. Giffin, Pat Pannuto, Prabal Dutta, Philip Levis.

10/21  Malware and Supply Chain

Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

NDSS '21. Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, Wenke Lee.

SoK: Taxonomy of Attacks on Open-Source Software Supply Chains

S&P '23. Piergiorgio Ladisa, Henrik Plate, Matias Martinez, Olivier Barais.

10/23  Side Channels and Information Leakage

Timing Analysis of Keystrokes and Timing Attacks on SSH

SEC '01. Dawn Song, David Wagner, Xuqing Tian.

Spectre Attacks: Exploiting Speculative Execution

S&P '19. P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom.

10/28   Hardware

Stealthy Dopant-Level Hardware Trojans

CHES '13. Georg Becker, Francesco Regazzoni, Christof Paar, Wayne Burleson.

Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

ISCA '14. Y. Kim, R. Daly, J. Kim, C. Fallin, J.H. Lee, D. Lee, C. Wilkerson, K. Lai, O. Mutlu.

10/30  Cyber Physical Systems

Comprehensive Experimental Analyses of Automotive Attack Surfaces

SEC '11. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

S&P '08. D. Halperin, T. Heydt-Benjamin, B. Ransford, S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, W. Maisel.

11/4  Vulnerable Populations / Security For Everyone [CH, VR]

A Stalker’s Paradise: How Intimate Partner Abusers Exploit Technology

CHI '18. Diana Freed, Jackeline Palmer, Diana Minchala, Karen Levy, Thomas Ristenpart, Nicola Dell.

When the Weakest Link is Strong: Secure Collaboration in the Case of the Panama Papers

SEC '17. S. E. McGregor, E. A. Watkins, M. N. Al-Ameen, K. Caine, F. Roesner.

11/6  Censorship and Anonymity [RM]

Tor: The Second-Generation Onion Router

SEC '04. Roger Dingledine, Nick Mathewson, Paul Syverson.

How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic

USENIX '23. M. Wu, J. Sippe, D. Sivakumar, J. Burg, P. Anderson, X. Wang, K. Bock, A. Houmansadr, D. Levin, E. Wustrow.

11/11  Machine Learning

Towards Evaluating the Robustness of Neural Networks

S&P '16. Nicholas Carlini and David Wagner.

Outside the Closed World: On Using Machine Learning For Network Intrusion Detection

S&P '10. Robin Sommer and Vern Paxson.

11/13  Privacy and Dark Patterns

Robust De-anonymization of Large Sparse Datasets

S&P '08. Arvind Narayanan and Vitaly Shmatikov.

Dark patterns at scale: Findings from a crawl of 11K shopping websites

S&P '08. Arunesh Mathur, Gunes Acar, Michael Friedman, Eli Lucherini, Jonathon Mayer, Marshini Chetty, Arvind Narayanan.

11/18  Government Attacks

When Governments Hack Opponents: A Look at Actors and Technology

SEC '14. Bill Marczak, John Scott-Railton, Morgan Marquis-Boire, Vern Paxson.

Keys Under Doormats

MIT Technical Report '15. H. Abelson, R. Anderson, S. Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, M. Green, S. Landau, P. Neumann, R. Rivest, J. Schiller, B. Schneier, M. Specter, D. Weitzner.

11/20  Problem Selection

The Moral Character of Cryptographic Work

Phillip Rogaway.

Science, Security, and the Elusive Goal of Security as a Scientific Pursuit

S&P '17. Cormac Herley and P.C. van Oorschot.

11/25   Thanksgiving Break

No class.

11/27   Thanksgiving Break

No class.

12/2   Final Presentations

No required reading. Attendance mandatory.

12/4   Final Presentations

No required reading. Attendance mandatory.

🚩 Course Structure

This course is composed of three parts: reading and discussing foundational papers in every class, reading and presenting recent work for one class, and completing a group research project. Grading will be based on:

📚 Readings and Discussion (30%)

We will read and discuss 1–2 papers for each class. Typically, these are formative works in an area of security. Students should come prepared to actively discuss assigned papers and to make substantive intellectual contributions. This means that you need to thoroughly read each paper ahead of time. Before each section, students will submit a short (400-word) summary and reaction for each paper, as well as a proposal of one discussion question for class.

📨 Students should submit the reading assignments through Gradescope by 3:00 pm on the day of each class. Paper responses should be completed individually without the assistance of LLMs (e.g., ChatGPT).

Grading will be based 20% on these written responses and 10% on in-class participation. We do not allow any late days for paper reactions, but students may skip two paper summaries and two lectures without penalty. We will take class attendance. However, participation grades are based not only on attendance but also on active participation during class discussion.

📣 Do not underestimate the amount of time required to properly read and process a research paper. Expect to spend several hours preparing for each section.

🧑‍🏫 Topic Presentation (15%)

While reading formative papers helps to demonstrate how a subfield started, it oftentimes leaves us wondering how the area has evolved. To fill this gap, each student in the class will present one recent paper during the quarter topically relevant to that day's class. At the start of the quarter, students will have the opportunity to sign up for the topic/date that they want to present their paper.

Students are expected to perform a literature search and to select a paper that was published in the last three years from a top-tier venue in security (e.g., IEEE Security and Privacy, USENIX Security, ACM Computer or Communication Security) or adjacent field (e.g., CHI, NSDI, ASPLOS, PLDI, SIGCOMM, etc.). Be wary of other publications from IEEE: most are not top-tier venues, and papers from them will not be accepted for presentation.

⚠️ Student presentations must be 10-12 minutes and allow for 2-5 minutes of questions. We will cut presentations off at 12 minutes, which will impact your presentation grade. Be prepared to answer questions about the paper you present.

⚠️ Students must submit their papers for approval to the teaching staff a minimum of three days prior to their presentation.

🔬 Course Project (55%)

Students will complete a quarter-long original research project in small groups (1–3 students) on a topic of their own choosing. Groups will present their work during the last two sections as well as submit a 6–10 page report, similar to the papers we read in the course.

Projects have four graded components:

  • Project Proposal (5%). Project groups will meet with course staff to discuss their project during the third week of class and submit a one-page project proposal. Reports must include a complete Related Work section. Due 10/11.
  • Mid-Quarter Progress Report (5%). Submit a short (1–2 pages) progress report part way through the quarter. The report should indicate what has been accomplished, what work is remaining, obstacles the team has encountered, and any preliminary data or insights. Reports must include a complete Methodology section. Due 11/13.
  • Class Presentation (10%). Each group will give a 10-minute class presentation during the last week of the course.
  • Final Paper (35%). Groups will submit a final project report similar to the papers we read in the course. Papers should be 6–10 pages. Due 12/6.

All written submissions related to the course project are to be written in paragraph form, in English, using LaTeX, and submitted in PDF form, in line with the examples provided at the start of the quarter. Submissions must use the USENIX LaTeX template. We strongly encourage you to read Writing Technical Articles if you haven't previously published academic research work in computer science.

⚙️ Administrivia

Students should submit all reports through Gradescope by class time at 3:00 PM on the day of each deadline.

In past offerings, well-executed projects have led to publications at top-tier security conferences and workshops. The teaching team is happy to work with groups to publish their work.

All submitted work for this course must be directly written by the submitting student(s). Using generative AI tools to complete assignments or projects (e.g. generating text) is prohibited.

Attendance on 12/2 and 12/4 is required for all students. This class has no final exam.

Stanford as an institution is committed to the highest quality education, and as your teaching team, our first priority is to uphold your educational experience. To that end we are committed to following the syllabus as written here, including through short- or long-term disruptions, such as public health emergencies, natural disasters, or protests and demonstrations. However, there may be extenuating circumstances that necessitate some changes. Should adjustments be necessary, we will communicate clearly and promptly to ensure you understand the expectations and are positioned for successful learning.