Topics in Computer and Network Security

Stanford CS 356, Fall 2020

CS 356 is a graduate course that covers foundational work and current topics in computer and network security. The course consists of reading and discussing published research papers, presenting recent security work, and completing an original research project.

Course Information

Discussion: Mon/Wed 1:00–2:20 PM. Via Zoom.
This course is largely based on in-person discussion rather than lecture. Online attendance and participation are required.

Instructor: Zakir Durumeric
Office Hours: Monday 1:30–3:00 PM, or by appointment. Using Lecture Zoom.

Course Assistant: Fraser Brown. Office hours by appointment.

Prerequisites: CS 356 is open to all graduate students as well as advanced undergraduate students. While the course has no official prerequisites, it requires a mature understanding of software systems and networks. I encourage undergraduate students to first take CS 155: Computer and Network Security.

Communication: We use Ed for announcements and discussion. Students can submit anonymous feedback at any time.

Submissions: All course assignments should be submitted through Gradescope. Enrollment code: MGNYR2.

Topics and Readings

The tentative schedule and required readings for the class are below:

9/14  Introduction

How to Read a Paper

S. Keshav.

Mining Your Ps and Qs: Detection of Widespread Weak Keys...

SEC '12. N. Heninger, Z. Durumeric, E. Wustrow, J.A. Halderman.

Against Security Nihilism

Short Blog Post. Chris Palmer.

9/16  Web Privacy and Security

The Web Never Forgets: Persistent Tracking Mechanisms in the...

CCS '14. Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, Claudia Diaz.

Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Oakland '09. Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar.

9/21  SSL, TLS, and HTTPS

MD5 Considered Harmful Today

2008. Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger.

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

CCS '15. D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J.A. Halderman, N. Heninger, A. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Beguelin, P. Zimmermann.

9/23  Usability

Alice in Warningland: A Large-Scale Field Study of Browser Security

SEC '13. Devdatta Akhawe, Adrienne Porter Felt.

Can Voters Detect Malicious Manipulation of Ballot Marking Devices?

Oakland '20. Matthew Bernhard, Allison McDonald, Henry Meng, Jensen Hwa, Nakul Bajaj, Kevin Chang, J. Alex Halderman

9/28  Spam and Phishing

Spamalytics: An Empirical Analysis of Spam Marketing Conversion

CCS '08. Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey Voelker, Vern Paxson, and Stefan Savage.

Detecting and Characterizing Lateral Phishing at Scale

SEC '19. Grant Ho, Asaf Cidon, Lior Gavish, Marco Schweighauser, Vern Paxson, Stefan Savage, Geoffrey Voelker, David Wagner

9/30  Malware and Unwanted Software

Framing Dependencies Introduced by Underground Commoditization

WEIS '15. Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna.

Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software

SEC '16. K. Thomas, J. Elices Crespo, R. Rasti, J. Picod, C. Phillips, M. Decoste, C. Sharp, F. Tirelo, A. Tofigh, M. Courteau, L. Ballard, R. Shield, N. Jagpal, M. Abu Rajab, P. Mavrommatis, N. Provos, E. Bursztein, D. McCoy.

10/5  Denial of Service

Inferring Internet Denial-of-Service Activity

SEC '01. David Moore, Geoffrey Voelker, Stefan Savage.

Understanding the Mirai Botnet

SEC '17. M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J.A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, Y. Zhou.

10/7  Software Attacks

Hacking Blind

Oakland '14. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, Dan Boneh.

SoK: Eternal War in Memory

Oakland '13. Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song.

10/12  Software Defenses

iOS Security

Apple Whitepaper.

A very deep dive into iOS Exploit chains found in the wild

Google Blogpost.

10/14  Side Channels and Information Leakage

Timing Analysis of Keystrokes and Timing Attacks on SSH

SEC '01. Dawn Song, David Wagner, Xuqing Tian.

Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds

CCS '09. Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage.

10/19  Hardware

Spectre Attacks: Exploiting Speculative Execution

Oakland '19. P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom.

On Subnormal Floating Point and Abnormal Timing

Oakland '15. Marc Andrysco, David Kohlbrenner, Keaton Mowery, Ranjit Jhala, Sorin Lerner, and Hovav Shacham

10/21  Cyber Physical Systems and IoT

Comprehensive Experimental Analyses of Automotive Attack Surfaces

SEC '11. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.

Multiprogramming a 64 kB Computer Safely and Efficiently

SOSP '17. Amit Levy, Bradford Campbell, Branden Ghena, Daniel B. Giffin, Pat Pannuto, Prabal Dutta, Philip Levis.

10/26  Machine Learning

Guest Speaker: Florian Tramèr

Towards Evaluating the Robustness of Neural Networks

Oakland '16. Nicholas Carlini and David Wagner.

Outside the Closed World: On Using Machine Learning For Network Intrusion Detection

Oakland '10. Robin Sommer and Vern Paxson.

10/28  Censorship and Anonymity

Tor: The Second-Generation Onion Router

SEC '04. Roger Dingledine, Nick Mathewson, Paul Syverson.

Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests

SIGCOMM '15. Sam Burnett and Nick Feamster.

11/2  Surveillance and Privacy

Decoding the Summer of Snowden

2013 Cato Policy Report. Julian Sanchez.

Global surveillance disclosures (2013–present)

Wikipedia Article

Keys Under Doormats

H. Abelson, R. Anderson, S. Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, M. Green, S. Landau, P. Neumann, R. Rivest, J. Schiller, B. Schneier, M. Specter, D. Weitzner.

11/4  Real World Attacks

Guest Speaker: Bill Marczak

The Million Dollar Dissident

Blog Post. Bill Marczak and John Scott-Railton.

A Stalker’s Paradise: How Intimate Partner Abusers Exploit Technology

CHI '18. Diana Freed, Jackeline Palmer, Diana Minchala, Karen Levy, Thomas Ristenpart, Nicola Dell.

11/9  Cyberwar

Stealthy Dopant-Level Hardware Trojans

CHES '13. Georg Becker, Francesco Regazzoni, Christof Paar, Wayne Burleson.

W32.Stuxnet Dossier

Symantec Technical Report. Nicolas Falliere, Liam Murchu, Eric Chien.

11/11  Ethics and the Science of Security

The Moral Character of Cryptographic Work

Phillip Rogaway.

Science, Security, and the Elusive Goal of Security as a Scientific Pursuit

Oakland '17. Cormac Herley and P.C. van Oorschot.

11/16  Project Presentations

Attendance required. No assigned reading.

11/18  Project Presentations

Attendance required. No assigned reading.

Course Structure

This course is composed of three parts: reading and discussing foundational papers in every class, reading and presenting recent work for one class, and completing a group research project. Grading will be based on:

Readings and Discussion (30%)

We will read and discuss 1–2 papers for each class. Typically, these are formative works in an area of security. Students should come prepared to actively discuss assigned papers and to make substantive intellectual contributions. This means that you need to thoroughly read each paper ahead of time. Before each section, students will submit a short (400-word) summary and reaction for each paper, as well as a proposal of one discussion question for class.

Students should submit the reading assignments through Gradescope by noon on the day of each class.

Grading will be based 20% on these written responses and 10% on in-class participation. We do not allow any late days for paper reactions, but students may skip two paper summaries and two lectures without penalty. Participation grades are based not only on attendance but also on active participation during class discussion.

Do not underestimate the amount of time required to properly read and process a research paper. Expect to spend several hours preparing for each section.

Topic Presentation (15%)

While reading a few formative papers helps demonstrate how a subfield started, it often leaves us wondering how the area has evolved. To fill this gap, pairs of students will read 3–4 more recent papers and give a 20-minute presentation about the current state of a research area at the start of one class.

Course Project (55%)

Students will complete a quarter-long original research project in small groups (1–3 students) on a topic of their own choosing. Groups will present their work during the last two sections as well as submit a 6–10 page report, similar to the papers we read in the course.

Projects have four graded components:

  • Project Proposal (5%). Project groups will meet with course staff to discuss their project during the third week of class and submit a one-page project proposal. Written proposals are due on 10/2.
  • Mid-Quarter Progress Report (5%). Submit a short (1–2 pages) progress report partway through the quarter. The report should indicate what has been accomplished, what work is remaining, obstacles the team has encountered, and any preliminary data or insights. Due 10/30.
  • Class Presentation (10%). Each group will give a 10-minute class presentation during the last week of the course.
  • Final Paper (35%). Groups will submit a final project report similar to the papers we read in the course. Papers should be 6–10 pages and use the USENIX LaTeX template. It may be helpful to read Writing Technical Articles if you haven't previously published any work in computer science. Due 11/20.

Students should submit all reports through Gradescope by 11:59 PM on the day of each deadline.

In past offerings, well-executed projects have led to publications at top-tier security conferences and workshops. I'm happy to work with groups to publish their work.