This course will primarily be a reading course. Each week
students are expected to read the assigned readings and discuss
them. There will also be a course project due at the end of
Course Readings and Presentations
Students are expected to read the 3 papers assigned each week and come
to class prepared to discuss the papers. You can sign up for
a paper presentation here. Each week a group of 2-3 students
will present their views of the papers. For each paper, one
of the students will present pros for the paper, and the other will
present cons for the paper, and each student should be pro for at
least one paper and con for at least one paper. A good paper
should present a new and practical solution/technique to solve an
important problem. It should also contain a critical
evaluation of the merits of the idea, and clearly point out any flaws
or shortcomings that could be solved in future work (or if they can be
solved at all). Finally, the paper should clearly indicate
past work in the area, and indicate how their solution improves on the
existing solutions. For advice on giving presentations, refer
here. You can sign up for presentations here.
Each paper presentation should last approximately 20 minutes
(for both presenters) and be in this general format:
Summary of the paper (~20 minutes): You will summarize the
objective of the paper, the proposed technique and the
results/contributions the authors have presented. If there is
background required to understand the contents of the paper, the
presenter should touch upon this as well. Either the pro or
con presenter can handle this part.
The Pro presenter will explain what he/she thought was good
about the paper, and argue for why the paper should have been accepted.
The Con presenter will then argue for why the paper should
not have been accepted. (~5 minutes)
Discussion. (~10 minutes)
The presenters should meet beforehand and discuss their views of the
paper. During the presentation some good questions to answer
(this list is neither exhaustive nor are they applicable in all cases):
Are the authors working on a real problem? What are their
contributions and are they novel/useful?
Did the authors miss any critical limitations in their
paper? Was the way they presented their evaluation honest and
Did the evaluation test the right aspects of the
solution? For example, did the presenters pick the right
benchmark? What claims do the authors make and do they
Is the solution really novel? Did the authors
identify all related work or did they miss work that is very similar to
theirs? You should spend time doing an extended literature
search for all papers ( is your friend).
Did the authors clearly differentiate between fundamental
aspects of their design as opposed to artifacts of their implementation
(that might not exist on another implementation of their design)?
In your opinion, will the solution work as the authors
indicated? Is it applicable in the general case or is it very
specific to the cases they used in their evaluation?
What questions does the paper leave unanswered?
Is there future work or is the problem essentially solved by their
solution? What improvements or additional information might
you expect from the authors? Remember that researchers
frequently construct prototypes, not products, so improvements should
answer important questions, not be requests for functionality that is
incomplete, but would be straightforward to add.
Students should work in groups of 1-3 (depending on class size) to do a
research-oriented course project. The project will either
propose a solution to a security problem, or explore some aspect of
computer security. The project will have three deliverables:
Students will hand in a project proposal on
October 6th by e-mail. The proposal should be no more than 2
pages long and should:
Introduce and motivate the problem they are going to
attempt to solve or what previously unanswered question they are going
to try and answer.
Give an outline of the proposed solution.
Provide a list of related work and an explanation of
the advantage they believe their proposal will have over existing
The instructor will meet
with students as necessary to discuss their proposals. The
proposals will then be made available to other students in the class via
Project Midterm Update and Presentation: Approximately midway through
the course, students will also provide a written report no longer than
3 pages to the instructor summarizing their progress so far.
A class will be set aside for groups to make oral presentations to
the class explaining their project and progress made up to that
point. They will highlight interesting problems they have had
and outline their plans for the remainder of the semester.
The class should comment on the project and try to give
advice. For advice on giving presentations, refer here
You will be graded mainly
on your presentation and your written report should just summarize your
presentation. Your presentation should cover the 4 main
What problem are you solving and why is
it an important problem?
What is the related work in the area
and why is it inadequate in your opinion?
What is your proposed solution?
How will you evaluate your
solution? What results do you anticipate?
Project Research Paper and Presentation: Students will hand in a
research paper describing their
project. The paper will be no longer than 10 pages.
The most important goal of any research paper is to confer knowledge
that the author learned by doing the research onto the
reader. Thus, when writing the project research paper,
students should focus on things they learned in the course of the
project that were not obvious to them before they embarked on the
work. A good research paper should:
Introduce and motivate the problem the
paper attempts to solve.
Provide a description of the proposed
solution, as well as any interesting implementation details of the
prototype (if one was built)
Give a critical analysis of the
strengths, weaknesses and limitations of their system, making sure to
differentiate fundamental limitations of the solution from limitations
specific to the prototype implementation
Conclude with no more than 3 points
describing the enlightening things that were learned from doing the
Below are some potential projects, but students are encouraged to come up
with their own as well!
With the rapid growth in power and
of mobile phones, many new security problems are emerging.
Many believe that smart phones will become the primary internet device
of the future. In addition, their location sensing abilities,
always-on internet connection and small size make them perfect for
many new applications such as location tracking, health monitoring and
mobile payments. In this project, we wish to deal with one
or more of several scenarios such as (but not limited to):
Malicious applications that infiltrate phones
engineering or a confusing security model
Weaknesses in the security and protection systems
on a phone that
might permit malicious applications to steal information or damage
Flaws in phone software implementation or design
that allow malicious
websites or networks to attack phones
Protection of information if a phone is lost or
security: As the cost and speed of bandwidth
drops and the
cost and complexity of device maintenance increases, distributed
applications accessed through thin clients and web browsers will become
the norm. However, web browsers were never designed to be
thin clients and so many interesting browser designs have emerged
recently. Design decisions include how to provide
extensibility, how to handle plugins and how to isolate different web
pages from each other. Starting points include open source
– the open source version of Google’s
How to protect against Web-based attacks, such as phishing,
Another interesting development in this space is the advent of thin,
non-extensible operating systems like Google’s ChromeOS operating
system, which is also open source. ChromeOS is
designed to be a simple Linux distribution that only supports one
application, a web browser. It is designed to hold a minimum
of state on the client so that it can be easily re-installed and reset
if compromised, and is also designed for easy remote
management. Some interesting points.
ChromeOS tries to ensure that attackers cannot modify the
without the user knowing. To do this they use TCG support.
Updates include an entire disk image and the entire
disk image is signed. Here is a presentation describing their
Analyze and test the security of this design:
are there improvements or weaknesses?
ChromeOS uses your Google Account to sign in, and then uses
credentials to access various web services.
Although ChromeOS does not allow any native applications other than the
web browser, persistent 3rd party code in the form of extensions, web
apps and plugins is still permitted. These must be screened
malware -- but how to do this?
ChromeOS’s updates are automatic and you can’t revert
(easily). This has interesting implications if an update
secure Virtualization infrastructure: By 2013, more than
half of all workloads will be
virtualized. Virtualization frees us from having to pick one
OS for each computer and forcing all applications to run on that
OS. Instead, each application can have its own operating
system that is tailored to its needs. How can we make
configurable OSs that minimize the attack surface for
applications? Some old systems already proposed this (OSKit, Exokernel).
How do you build the modular, configurable
minimal OS of the future? Some problems are:
Appliances need to have small memory and disk
They should boot quickly.
It should be possible for appliances to be patched even
while off. If
there are many appliances, we don’t want them to have to be running all
the time to be patched. On the other hand, if you start up an
unpatched appliance, you don’t want to be compromised as soon as you
start the appliance.