Topics in Computer and Network Security

Stanford CS 356, Fall 2018

CS 356 is graduate research seminar that covers foundational work and current topics in computer and network security. The course introduces students to reading research papers in security, provides a foundation in applied security research techniques, and prepares students to perform their own original security research. Students will read and discuss published research papers as well as complete an original research project in small groups.

Course Information

Lecture: Mon/Wed 1:30–2:50 PM. 50-51B.

Instructor: Zakir Durumeric
Office Hours: Mon/Wed 3:00–4:00 PM, or by appointment. Gates 280.

Course Assistant: Dima Kogan. Office hours by appointment.

Communication: We are using Piazza for announcements and discussion. Students can submit anonymous feedback at any time.

Assignment Submission: We are using Gradescope (enrollment code: MRZEZ3) for submission of assignments and project reports.

Prerequisites: CS 356 is open to Ph.D. and masters students as well as advanced undergraduate students. While the course has no official prerequisites, it requires a mature understanding of software systems and networks.

I strongly encourage undergraduate students to first take CS 155: Computer and Network Security. This course does not teach security foundations, but rather covers formative literature and cutting-edge research. Please contact me if you have any questions.

Tentative Schedule

The tentative schedule and required readings for the class are below:

9/24  Introduction

This World of Ours

USENIX ;login:. James Mickens.

Reflections on Trusting Trust

1984 Turing Award Lecture. Ken Thompson.

9/26  Web Privacy and Security

Reining in the Web with Content Security Policy

WWW '10. Sid Stamm, Brandon Sterne, Gervase Markham.

Online tracking: A 1M Site Measurement and Analysis

CCS '16. Steve Englehardt and Arvind Narayanan.

10/1  SSL, TLS, and HTTPS

MD5 Considered Harmful Today

2008. Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger.

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

CCS '15. David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Beguelin, Paul Zimmermann.

10/3  Usability

Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0

SEC '99. Alma Whitten, J. D. Tygar.

Alice in Warningland: A Large-Scale Field Study of Browser Security

SEC '13. Devdatta Akhawe, Adrienne Porter Felt.

10/8  Network Security

Inferring Internet Denial-of-Service Activity

SEC '01. David Moore, Geoffrey Voelker, Stefan Savage.

Understanding the Network-Level Behavior of Spammers

SIGCOMM '06. Anirudh Ramachandran and Nick Feamster.

10/10  Malware and Unwanted Software

Your Botnet is My Botnet: Analysis of a Botnet Takeover

CCS '09. Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna.

Measuring Pay-per-Install: The Commoditization of Malware Distribution

SEC '11. Juan Caballero, Chris Grier, Christian Kreibich, Vern Paxson.

10/15  E-Crime and Economics

Click Trajectories: End-to-End Analysis of the Spam Value Chain

Oakland '11 K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright, M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson, G. M. Voelker, and S. Savage.

Framing Dependencies Introduced by Underground Commoditization

Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna.

10/17  Software Attacks

The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)

CCS '07. Hovav Shacham.

SoK: Eternal War in Memory

Oakland '13. Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song.

10/22  Software Defenses

The Security Architecture of the Chromium Browser

Oakland '16. Adam Barth, Collin Jackson, Charles Reis, Google Chrome Team.

SCONE: Secure Linux Containers with Intel SGX

OSDI '16. Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O’Keeffe, Mark Stillwell, David Goltzsche, David Eyers, Rudiger Kapitza, Peter Pietzuch, Christof Fetzer.

10/24  Side Channels and Information Leakage

Timing Analysis of Keystrokes and Timing Attacks on SSH

SEC '01. Dawn Song, David Wagner, Xuqing Tia.

Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds

CCS '09. Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage.

10/29   Hardware

Spectre Attacks: Exploiting Speculative Execution

Oakland '19. Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom.

Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

ISCA '14. Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, Onur Mutlu.

10/31  Embedded Systems and IoT

Understanding the Mirai Botnet

SEC '17. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou.

Multiprogramming a 64 kB Computer Safely and Efficiently

SOSP '17. Amit Levy, Bradford Campbell, Branden Ghena, Daniel B. Giffin, Pat Pannuto, Prabal Dutta, Philip Levis.

11/5  Cyber Physical Systems

Comprehensive Experimental Analyses of Automotive Attack Surfaces

SEC '11. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

Oakland '08. Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel.

11/7  Censorship and Anonymity

Tor: The Second-Generation Onion Router

SEC '04. Roger Dingledine, Nick Mathewson, Paul Syverson.

Towards Grounding Censorship Circumvention in Empiricism

Oakland '16. Michael Tschantz, Sadia Afroz, Anonymous, Vern Paxson.

11/12  Surveillance and The Post-Snowden Era

Decoding the Summer of Snowden

2013 CADO Policy Report. Julian Sanchez.

Global surveillance disclosures (2013--present)

Wikipedia Article

11/14   Privacy and Secure Communication

Keys Under Doormats

Harold Abelson, Ross Anderson, Steven Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter Neumann, Ronald Rivest, Jeffrey Schiller, Bruce Schneier, Michael Specter, Daniel Weitzner.

CONIKS: Bringing Key Transparency to End Users

SEC '15. Marcela Melara, Aaron Blankstein, Joseph Bonneau, Edward Felten, Michael Freedman.

11/19  Thanksgiving Break

No assigned reading.

11/21  Thanksgiving Break

No assigned reading.

11/26  Machine Learning

Outside the Closed World: On Using Machine Learning For Network Intrusion Detection

Oakland '10. Robin Sommer and Vern Paxson.

Towards Evaluating the Robustness of Neural Networks

Oakland '16. Nicholas Carlini and David Wagner.

11/28   Real World Attacks

The Million Dollar Dissident

Blog Post. Bill Marczak and John Scott-Railton.

A Stalker’s Paradise: How Intimate Partner Abusers Exploit Technology

CHI '18. Diana Freed, Jackeline Palmer, Diana Minchala, Karen Levy, Thomas Ristenpart, Nicola Dell.

12/3  Cyber War

Stealthy Dopant-Level Hardware Trojans

CHES. Georg Becker, Francesco Regazzoni, Christof Paar, Wayne Burleson.

W32.Stuxnet Dossier

Symantec Technical Report. Nicolas Falliere, Liam Murchu, Eric Chien.

12/5  Science of Security and Ethics

Science, Security, and the Elusive Goal of Security as a Scientific Pursuit

Oakland '17. Cormac Herley and P.C. van Oorschot.

Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests

SIGCOMM '15. Sam Burnett and Nick Feamster.

Course Structure

This course is composed of two main parts: reading and discussion, and a group project. Grading will be based on:

Readings and Discussion (40%)

We will read and discuss 1–2 topical papers for each class. Students should come prepared to actively discuss assigned papers and to make substantive intellectual contributions. This means that you need to thoroughly read each paper ahead of time. Before each section, students will submit a short (400 word) summary and reaction for each each paper, as well as a proposal of one discussion question for class.

Students should submit the reading assignments through Gradescope by noon on the day of each class.

Grading will be based 20% on these written responses and 20% on in-class participation. We do not allow any late days for paper reactions, but students may skip two paper summaries and two lectures without penalty. Participation grades are based on not only attendence, but active participation during class discussion.

Do not underestimate the amount of time required to properly read and process a research paper. Expect to spend several hours preparing for each section.

Course Project (60%)

Students will complete a quarter-long original research project in small groups (1–3 students) on a topic of their own choosing. Groups will present their work during the last two sections as well as submit a 6–10 page report, similar to the papers we read in the course.

Projects have four graded components:

  • Project Proposal (5%). Project groups will meet with course staff to discuss their project during the third week of class and submit a one page project proposal. Written proposals are due on 10/17.
  • Mid-Quarter Progress Report (5%). Submit a short (1–2 pages) progress report part way through the quarter. The report should indicate what has been accomplished, what work is remaining, obstacles the team has encountered, and any preliminary data or insights. Due 11/14.
  • Class Presentation (10%). Each group will give a 10 minute class presentation during the last week of the course.
  • Final Paper (40%). Groups will submit a final project report similar to the papers we read in the course. Papers should be 6–10 pages and use the USENIX LaTeX template. It may be helpful to read Writing Technical Articles if you haven't previously published any work in computer science. Due 12/14.

Students should submit all reports through Gradescope by 11:59PM on the day of each deadline.

In past offerings, well-executed projects have led to publications at top-tier security conferences and workshops. I'm happy to work with groups to publish their work.