Security & Privacy Preliminary Exam Syllabus
Spring 2013
CRYPTOGRAPHY
Students should understand these core concepts: Principles of block ciphers (DES, AES), CBC,
RSA, DSA/El Gamal, Diffie-Hellman, Basic authentication, Needham-Schroeder/Kerberos,
Digital signatures, Basic knowledge of PKI and Certificates, & SSL/TLS.
A potential reference source for these core concepts is: Mao, W., MODERN
CRYPTOGRAPHY (Prentice Hall, 2003) Chapters 7, 8, 11, 12.4, 12.5, & 13.2.
http://amzn.to/WqzPzb
Additional required papers:
Abadi, M. & R. Needham, "Prudent engineering practice for cryptographic protocols," IEEE
TRANS. SOFTWARE ENGINEERING 22:1 (Jan. 1996), pp. 6-15.
http://dx.doi.org/10.1109/32.481513
Anderson, R., "Why cryptosystems fail," CACM 37:11 (Nov. 1994), pp. 32-40.
http://dx.doi.org/10.1145/188280.188291
WEB SECURITY
Students should understand these core concepts: DOM model, Same-origin policy, XSS, SQL injection,
CSRF, Clickjacking, Browser cookies, & Phishing
A potential reference source for these core concepts is:
Zalewski, M., THE TANGLED WEB (No Starch Press, 2011) [particularly chapter 9].
http://amzn.to/WdWuka
Required paper:
Barth, A., C. Jackson, & J. Mitchell, "Securing frame communication in browsers," USENIX SECURITY
2008. http://bit.ly/WH5Jah
ACCESS CONTROL & MEMORY PROTECTION
Students should understand these core concepts: ACLs & access control matrices, Capabilities, Reference
monitors, Complete mediation, Delegation, Principle of least privilege, Authentication, Authorization,
Virtual memory, Page-table based memory protection, Covert channels, Side channels, & Network
firewalls.
A potential resource for learning about these core concepts is:
Smith, S. & J. Marchesini, THE CRAFT OF SYSTEM SECURITY, (Addison-Wesley 2008) Chapters 14 & 16. http://amzn.to/XxnJ6i
Additional required paper:
Lampson, B., "A note on the confinement problem," CACM 16:10 (Oct. 1973), pp. 613-615.
http://dx.doi.org/10.1145/362375.362389
SOFTWARE SECURITY
Pincus, J. & B. Baker, "Beyond stack smashing: recent advances in exploiting buffer overruns," IEEE
SECURITY & PRIVACY 2:4 (Jul-Aug 2004), pp. 20-27.
http://dx.doi.org/10.1109/MSP.2004.36
Barth, A., C. Jackson, C. Reis & the Google Chrome Team, "The security architecture of the Chromium
browser," technical report, 2008.
http://www.adambarth.com/papers/2008/barth-jackson-reis.pdf
Wallach, D., D. Balfanz, D. Dean & E. Felten, "Extensible security architectures for Java," SOSP 1997, pp.
116-128. http://dx.doi.org/10.1145/269005.266668
McCamant, S & G. Morrisett, "Evaluating SFI for a CISC architecture," USENIX SECURITY 2006.
http://static.usenix.org/event/sec06/tech/mccamant.html
Enck, W., et al., "TaintDroid: An information-flow tracking system for realtime privacy monitoring on
smartphones," OSDI 2010. http://static.usenix.org/events/osdi10/tech/full_papers/Enck.pdf
SECURITY AND USABILITY
Whitten, A. & J. Tygar, "Why Johnny can't encrypt," in SECURITY AND USABILITY: DESIGNING
SECURE SYSTEMS THAT PEOPLE CAN USE, ed. L. Cranor & S. Garfinkel (O'Reilly 2005), Chapter 34
(pp. 669-692).
http://amzn.to/102UnlO
Egelman, S., L. Cranor & J. Hong, "You've been warned: An empirical study of the effectiveness of web
browser phishing warnings," CHI 2008, pp. 1065-1074.
http://dx.doi.org/10.1145/1357054.1357219
PRIVACY AND ANONYMITY
Goldberg, I., D. Wagner & E. Brewer, "Privacy-enhancing technologies for the Internet," IEEE
COMPCON 1997, pp. 103-109. http://dx.doi.org/10.1109/CMPCON.1997.584680
Dingledine, R., N. Mathewson & P. Syverson, "Tor: The second-generation onion router," USENIX
SECURITY 2004. http://static.usenix.org/event/sec04/tech/dingledine.html
LEGAL/POLICY/ECONOMIC ISSUES
Anderson, R., "Why information security is hard - an economic perspective," ACSAC 2001, pp. 358-365.
http://www.acsac.org/2001/papers/110.pdf
Burstein, A., "Conducting cybersecurity research legally and ethically," USENIX LEET 2008.
http://static.usenix.org/events/leet08/tech/full_papers/burstein/burstein.pdf
Caballero, J., C. Grier, C. Kreibich & V. Paxson, "Measuring pay-per-install: The commoditization of
malware distribution," USENIX SECURITY 2011.
http://static.usenix.org/event/sec11/tech/full_papers/Caballero.pdf
NETWORK SECURITY
Staniford, S., V. Paxson & N. Weaver, "How to 0wn the Internet in your spare time," USENIX SECURITY
2002. http://static.usenix.org/event/sec02/full_papers/staniford/staniford.pdf
Stone-Gross, B., et al., "Your botnet is my botnet: Analysis of a botnet takeover," CCS 2009, pp. 635-647.
http://dx.doi.org/10.1145/1653662.1653738
Yaar, A., A. Perrig & D. Song, "SIFF: A stateless internet flow filter to mitigate DDoS flooding attacks,"
IEEE SECPRI 2004, pp. 130-143.
Casado, M. et al, "Ethane: taking control of the enterprise," SIGCOMM 2007, pp. 1-12.
http://dx.doi.org/10.1145/1282427.1282382
INTRUSION DETECTION
Axelsson, S., "The base-rate fallacy and its implications for the difficulty of intrusion detection," TISSEC
3:3 (Aug. 2000), pp. 186-205. http://dx.doi.org/10.1145/357830.357849
Paxson, V., "Bro: A system for detecting network intruders in real-time," COMPUTER NETWORKS,
31:23 (Dec. 1999), pp. 2435-2463. http://dx.doi.org/10.1016/S1389-1286(99)00112-7
Barreno, M., B. Nelson, A. Joseph & J. Tygar, "The security of machine learning," MACHINE
LEARNING JOURNAL, 81:2 (Nov. 2010), pp. 121-148. http://dx.doi.org/10.1007/s10994-010-5188-5
CASE STUDIES
Feldman, A., J. Halderman & E. Felten, "Security analysis of the Diebold AccuVote-TS voting machine,"
USENIX EVT 2007. http://static.usenix.org/event/evt07/tech/full_papers/feldman/feldman.pdf
Anderson, R. & M. Kuhn, "Tamper resistance: A cautionary note," USENIX EC 1996.
http://static.usenix.org/publications/library/proceedings/ec96/kuhn.html