Topics in Computer and Network Security

Stanford CS 356, Fall 2019

CS 356 is graduate course that covers foundational work and current topics in computer and network security. The course consists of reading and discussing published research papers, presenting recent security work, and completing an original research project.

Course Information

Discussion: Mon/Wed 1:30–2:50 PM. Gates B12.
This course is largely based on in-person discussion rather than lecture. Attendance is expected.

Instructor: Zakir Durumeric
Office Hours: Monday 3:00–4:00 PM, or by appointment. Gates 280.

Course Assistant: Saba Eskandarian. Office hours by appointment.

Prerequisites: CS 356 is open to all graduate students as well as advanced undergraduate students. While the course has no official prerequisites, it requires a mature understanding of software systems and networks. I encourage undergraduate students to first take CS 155: Computer and Network Security.

Communication: We use Piazza for announcements and discussion. Students can submit anonymous feedback at any time.

Submissions: All course assignments should be submitted through Gradescope. Enrollment code: ME63YZ.

Topics and Readings

The tentative schedule and required readings for the class are below:

9/23  Introduction

Against Security Nihilism

Short Blog Post. Chris Palmer.

Mining Your Ps and Qs: Detection of Widespread Weak Keys...

SEC '12. N. Heninger, Z. Durumeric, E. Wustrow, J.A. Halderman.

9/25  Web Privacy and Security

The Web Never Forgets: Persistent Tracking Mechanisms in the...

CCS '14. Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, Claudia Diaz.

Reining in the Web with Content Security Policy

WWW '10. Sid Stamm, Brandon Sterne, Gervase Markham.

9/30  SSL, TLS, and HTTPS

MD5 Considered Harmful Today

2008. Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger.

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

CCS '15. D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J.A. Halderman, N. Heninger, A. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Zanella-Beguelin, P. Zimmermann.

10/2  Usability

Alice in Warningland: A Large-Scale Field Study of Browser Security

SEC '13. Devdatta Akhawe, Adrienne Porter Felt.

Securing Embedded User Interfaces: Android and Beyond

SEC '13. Franziska Roesner and Tadayoshi Kohno.

10/7  Malware and Unwanted Software

Framing Dependencies Introduced by Underground Commoditization

WEIS '15. Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna.

Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software

SEC '16. K. Thomas, J. Elices Crespo, R. Rasti, J. Picod, C. Phillips, M. Decoste, C. Sharp, F. Tirelo, A. Tofigh, M. Courteau, L. Ballard, R. Shield, N. Jagpal, M. Abu Rajab, P. Mavrommatis, N. Provos, E. Bursztein, D. McCoy.

10/9  Spam

Spamalytics: An Empirical Analysis of Spam Marketing Conversion

CCS '08 Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey Voelker, Vern Paxson, and Stefan Savage.

Understanding the Network-Level Behavior of Spammers

SIGCOMM '06. Anirudh Ramachandran and Nick Feamster.

10/14  Denial of Service

Inferring Internet Denial-of-Service Activity

SEC '01. David Moore, Geoffrey Voelker, Stefan Savage.

Understanding the Mirai Botnet

SEC '17. M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z Durumeric, J.A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, Y. Zhou.

10/16  Software Attacks

The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)

CCS '07. Hovav Shacham.

SoK: Eternal War in Memory

Oakland '13. Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song.

10/21  Software Defenses

iOS Security

Apple Whitepaper.

10/23  Side Channels and Information Leakage

Timing Analysis of Keystrokes and Timing Attacks on SSH

SEC '01. Dawn Song, David Wagner, Xuqing Tia.

Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds

CCS '09. Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage.

10/28   Hardware

Spectre Attacks: Exploiting Speculative Execution

Oakland '19. P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom.

Lest We Remember: Cold Boot Attacks on Encryption Keys

SEC '08. J.A. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, E. Felten.

10/30  Cyber Physical Systems and IoT

Comprehensive Experimental Analyses of Automotive Attack Surfaces

SEC '11. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.

Multiprogramming a 64 kB Computer Safely and Efficiently

SOSP '17. Amit Levy, Bradford Campbell, Branden Ghena, Daniel B. Giffin, Pat Pannuto, Prabal Dutta, Philip Levis.

11/4  Machine Learning

Guest Speaker: Nicholas Carlini
Towards Evaluating the Robustness of Neural Networks

Oakland '16. Nicholas Carlini and David Wagner.

Outside the Closed World: On Using Machine Learning For Network Intrusion Detection

Oakland '10. Robin Sommer and Vern Paxson.

11/6 Censorship and Anonymity

Tor: The Second-Generation Onion Router

SEC '04. Roger Dingledine, Nick Mathewson, Paul Syverson.

Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests

SIGCOMM '15. Sam Burnett and Nick Feamster.

11/11  Surveillance and Privacy

Decoding the Summer of Snowden

2013 CADO Policy Report. Julian Sanchez.

Global surveillance disclosures (2013--present)

Wikipedia Article

Keys Under Doormats

H. Abelson, R. Anderson, S. Bellovin, J. Benaloh, M. Blaze, W. Diffie, J. Gilmore, M. Green, S. Landau, P. Neumann, R. Rivest, J. Schiller, B. Schneier, M. Specter, D. Weitzner.

11/13   Real World Attacks

The Million Dollar Dissident

Blog Post. Bill Marczak and John Scott-Railton.

A Stalker’s Paradise: How Intimate Partner Abusers Exploit Technology

CHI '18. Diana Freed, Jackeline Palmer, Diana Minchala, Karen Levy, Thomas Ristenpart, Nicola Dell.

11/18  Cyberwar

Stealthy Dopant-Level Hardware Trojans

CHES '13. Georg Becker, Francesco Regazzoni, Christof Paar, Wayne Burleson.

W32.Stuxnet Dossier

Symantec Technical Report. Nicolas Falliere, Liam Murchu, Eric Chien.

11/20   Ethics and the Science of Security

The Moral Character of Cryptographic Work

Phillip Rogaway.

Science, Security, and the Elusive Goal of Security as a Scientific Pursuit

Oakland '17. Cormac Herley and P.C. van Oorschot.

11/25  Thanksgiving Break

No assigned reading.

11/27  Thanksgiving Break

No assigned reading.

12/2  Project Presentations

Attendance required. No assigned reading.

12/4  Project Presentations

Attendance required. No assigned reading.

Course Structure

This course is composed of three parts: reading and discussing foundational papers in every class, reading and presenting recent work for one class, and completing a group research project. Grading will be based on:

Readings and Discussion (30%)

We will read and discuss 1–2 papers for each class. Typically, these will formative works in an area of security. Students should come prepared to actively discuss assigned papers and to make substantive intellectual contributions. This means that you need to thoroughly read each paper ahead of time. Before each section, students will submit a short (400 word) summary and reaction for each each paper, as well as a proposal of one discussion question for class.

Students should submit the reading assignments through Gradescope by noon on the day of each class.

Grading will be based 20% on these written responses and 10% on in-class participation. We do not allow any late days for paper reactions, but students may skip two paper summaries and two lectures without penalty. Participation grades are based on not only attendence, but active participation during class discussion.

Do not underestimate the amount of time required to properly read and process a research paper. Expect to spend several hours preparing for each section.

Topic Presentation (15%)

While reading a few formative papers helps demonstrate how a subfield started, it oftentimes leaves us wondering how the area has evolved. To fill this gap, pairs of students will read 3-4 more recent papers and provide a 20 minute presentation about the current state of a research area at the start of one class.

Course Project (55%)

Students will complete a quarter-long original research project in small groups (1–3 students) on a topic of their own choosing. Groups will present their work during the last two sections as well as submit a 6–10 page report, similar to the papers we read in the course.

Projects have four graded components:

  • Project Proposal (5%). Project groups will meet with course staff to discuss their project during the third week of class and submit a one page project proposal. Written proposals are due on 10/17.
  • Mid-Quarter Progress Report (5%). Submit a short (1–2 pages) progress report part way through the quarter. The report should indicate what has been accomplished, what work is remaining, obstacles the team has encountered, and any preliminary data or insights. Due 11/14.
  • Class Presentation (10%). Each group will give a 10 minute class presentation during the last week of the course.
  • Final Paper (35%). Groups will submit a final project report similar to the papers we read in the course. Papers should be 6–10 pages and use the USENIX LaTeX template. It may be helpful to read Writing Technical Articles if you haven't previously published any work in computer science. Due 12/14.

Students should submit all reports through Gradescope by 11:59PM on the day of each deadline.

In past offerings, well-executed projects have led to publications at top-tier security conferences and workshops. I'm happy to work with groups to publish their work.