Rice University logo
 
Top blue bar image
Comp527: Computer Systems Security
A graduate seminar: current topics in computer security
 

Reading List

This is the reading list for Comp527. There are more papers here than we have time to cover, but I want to err on the side of having too many good things here. Most of these papers are fairly recent (the oldest from 2002). That isn’t to say that no interesting research happened before then, but I want to focus on current active topics of research in the field.

If you, the Comp527 student, feels that you want to dig deeper into any of these areas, you’ll find many examples from much earlier in the literature. For example, the Zeldovich-2008 paper below directly echoes ideas straight from the 1970’s, some of which you can track down by following the citations in the bibliography.

Web Security

Dongseok Jang, Ranjit Jhala, Sorin Lerner, Hovav Shacham. An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, 17th ACM Conference on Computer and Communications Security (CCS 2010) (Oct. 2010).

Lin-Shung Huang, Zack Weinberg, Chris Evans, Collin Jackson. Protecting Browsers from Cross-Origin CSS Attacks, 17th ACM Conference on Computer and Communications Security (CCS 2010) (Oct. 2010).

Adam Barth, Joel Weinberger, and Dawn Song. Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense, 18th USENIX Security Symposium (USENIX Security 2009) (Montreal, Canada, Aug. 2009).

Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, Collin Jackson, Clickjacking: Attacks and Defenses, USENIX Security 2012 (Seattle, WA, August 2012).

Smartphone Security

Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner. Android Permissions Demystified, ACM Conference on Computer and Communication Security (CCS 2011).

Michael Dietz, Shashi Shekhar, Yuliy Pisetsky, Anhei Shu, Dan S. Wallach. QUIRE: Lightweight Provenance for Smart Phone Operating Systems, USENIX Security 2011 (San Francisco, CA, August 2011).

M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications, Network and Distributed System Security Symposium (NDSS) (San Diego, CA, Feb, 2011).

William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI) (Vancouver, BC, Canada, Oct., 2010).

Yajin Zhou, Xuxian Jiang, Dissecting Android Malware: Characterization and Evolution, Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland 2012), San Francisco, CA, May 2012

Static Analysis

Joe Gibbs Politz, Spiridon Aristides Eliopoulos, Arjun Guha, Shriram Krishnamurthi. ADsafety: Type-Based Verification of JavaScript Sandboxing, USENIX Security Symposium (San Francisco, CA, Aug. 2011).

Edward J. Schwartz, Thanassis Avgerinos, David Brumley. All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask), IEEE Security and Privacy Symposium (Oakland, CA, May 2010).

W. Robertson and G. Vigna. Static Enforcement of Web Application Integrity Through Strong Typing, USENIX Security Symposium (Montreal, Canada, Aug. 2009).

Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Secure web applications via automatic partitioning, 21st ACM Symposium on Operating Systems Principles (SOSP ’07), (Stevenson, WA, Oct. 2007).

B. Zeng, G. Tan, and G. Morrisett. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. 18th ACM Conference on Computer and Communications Security, (Chicago, IL, Oct. 2011).

Operating Systems

Suman Jana, Vitaly Shmatikov, Donald E. Porter. TxBox: Building Secure, Efficient Sandboxes with System Transactions, IEEE Symposium on Security and Privacy, (Oakland, CA, May 2011).

Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, Simon Winwood, seL4: Formal verification of an OS kernel, Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP ’09) (Big Sky, MT, Oct. 2009).

Helen J. Wang, Chris Grier, Alex Moshchuk, Samuel T. King, Piali Choudhury Herman Venter, The Multi-Principal OS Construction of the Gazelle Web Browser, 18th USENIX Security Symposium (USENIX Security 2009) (Montreal, Canada, Aug. 2009).

Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières. Securing distributed systems with information flow control. In Proceedings of the 6th Symposium on Networked Systems Design and Implementation (San Francisco, CA, April 2008).

Galen C. Hunt and James R. Larus, Singularity: Rethinking the Software Stack, in ACM SIGOPS Operating Systems Review, vol. 41, no. 2, pp. 37-49, April 2007. (Other Singularity papers)

A. Dehon, B. Karel, B. Montagu, B. Pierce, J. Smith, T. Knight, S. Ray, G. Sullivan, G. Malecha, G. Morrisett, R. Pollack, R. Morisset, O. Shivers. Preliminary design of the SAFE platform.Proceedings of the 6th Workshop on Programming Languages and Operating Systems (PLOS 2011), Oct. 2011.

Botnets and Internet Miscreants

K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright, M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson, G. Voelker and S. Savage, Click Trajectories: End-to-End Analysis of the Spam Value Chain, IEEE Symposium on Security and Privacy, (Oakland, CA, May 2011).

Nicolas Falliere, Liam O Murchu, Eric Chien. W32.Stuxnet Dossier, Symantec Security Response (Technical Report), February 2011.

B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your Botnet is My Botnet: Analysis of a Botnet Takeover, ACM Conference on Computer and Communications Security (CCS) (Chicago, IL, Nov. 2009).

John P. John, Alexander Moshchuk, Steven D. Gribble, Arvind Krishnamurthy. Studying Spamming Botnets Using Botlab, Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI ’09) (Boston, MA, April 2009).

Niels Provos, Panayiotis Mavrommatis, Moheeb Rajab, Fabian Monrose. All Your iFrames Point to Us, 17th USENIX Security Symposium, (San Jose, CA, Aug. 2008).

Real-World Security Problems

Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze. Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System, USENIX Security 2011 (San Francisco, CA, August 2011).

Nadia Heninger, Zakir Durumeric, Eric Wustrow and J. Alex Halderman, Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, USENIX Security 2012 (Seattle, WA, August 2012).

Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Security 2011 (San Francisco, CA, August 2011).

Scott Wolchok, Eric Wustrow, J. Alex Halderman, Hari K. Prasad, Arun Kankipati, Sai Krishna Sakhamuri, Vasavya Yagati, and Rop Gonggrijp. Security Analysis of India’s Electronic Voting Machines (web site and video). 17th ACM Conference on Computer and Communications Security (CCS ’10), (Chicago, IL, Oct. 2010).

Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will MOrgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses, IEEE Symposium on Security and Privacy (Oakland, CA, May 2008)

Anti-Censorship / Privacy

Eric Wustrow, Scott Wolchok, Ian Goldberg, J. Alex Halderman. Telex: Anticensorship in the Network Infrastructure, USENIX Security 2011 (San Francisco, CA, August 2011).

Joseph A. Calandrino, Ann Kilzer, Arvind Narayanan, Edward W. Felten, Vitaly Shmatikov. “You Might Also Like:” Privacy Risks of Collaborative Filtering, IEEE Symposium on Security and Privacy, (Oakland, CA, May 2011).

Xueyang Xu, Z. Morley Mao, J. Alex Halderman, Internet Censorship in China: Where Does the Filtering Occur? 12th Passive and Active Measurement Conference (PAM ’11) (Atlanta, GA, March 2011).

Roger Dingledine, Nick Mathewson, Paul Syverson, Tor: The Second-Generation Onion Router, 13th USENIX Security Symposium (San Diego, CA, Aug. 2004). (Be sure to also read over other documents at the Tor site.)

Miscellaneous Things to Worry About

Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. Return-Oriented Programming: Systems, Languages, and Applications, ACM Transactions on Information and System Security (TISSEC), to appear.

Andrew M. White, Kevin Snow, Austin Matthews, Fabian Monrose. Hookt on fon-iks: Phonotactic Reconstruction of Encrypted VoIP Conversations, IEEE Symposium on Security and Privacy, (Oakland, CA, May 2011).

Y. Xu, G. Reynaga, S. Chiasson, J.-M. Frahm, F. Monrose, P. van Oorschot, Security and Usability Challenges of Moving-Object CAPTCHAs: Decoding Codewords in Motion, USENIX Security 2012 (Seattle, WA, August 2012).

Wenchao Zhou, Qiong Fei, Arjun Narayan, Andreas Haeberlen, Boon Thau Loo, Micah Sherr, Secure Network Provenance, 23rd ACM Symposium on Operating Systems Principles (SOSP ’11), (Cascais, Portugal, Oct. 2011).

Hardware Security

J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, Edward W. Felten. Lest We Remember: Cold Boot Attacks on Encryption Keys, USENIX Security Symposium (San Jose, CA, July 2008).

Andrew “Bunnie” Huang, Keeping Secrets In Hardware: The Microsoft Xbox Case Study, Workshop on Cryptographic Hardware and Embedded Systems (CHES) (Redwood City, CA, Aug. 2002). (Everyone should read over the whole page and follow the links.)