18732 Reading List
  Part I: Secure Coding
   
  -  Jan 10: Introduction 
 Reflections on
trusting trust, by Thompson
 Rudimentary
treatise on the construction of locks, Tomlinson.
 
 
-  Jan 12:
 Smashing The
Stack For Fun And Profit, Aleph One.
 Buffer
Overflows: Attacks and Defenses for the Vulnerability of the Decade,
Crispin Cowan, et al.
 
  - Jan 19:
 A
First Step Towards Automated Detection of Buffer Overrun
Vulnerabilities, by David Wagner and Drew Dean
 High
Coverage Detection of Input-Related Security Faults, by Eric Larson
and Todd Austin.
 
  - Jan 24:
 Exploiting
Format String Vulnerabilities, team teso.
 Detecting
Format String Vulnerabilities With Type Qualifiers, by Shankar,
Talwar, Foster, Wagner
 
 
- Jan 26:
 CCured:
Type-Safe Retrofitting of Legacy Code. George C. Necula, Scott
McPeak, Westley Weimer.
 A Practical
Dynamic Buffer Overflow Detector, by O. Ruwase and M. Lam.
 
 
- Jan 31: Guest lecture (Sanjit Seshia) 
 Automatic Discovery of API-Level Exploits by Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Thomas W. Reps and Randal E. Bryant
 
  
  - Feb 2: Guest lecture (Chris Long)
 Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma
Whitten and J. D. Tygar
 Trusted Paths for Browsers by E. Ye and S.W. Smith
  - Feb 7: mid mini break, no class
 
 
- Feb 9:
 Checking
System Rules Using System-Specific, Programmer-Written Compiler
Extensions, by Dawson Engler, Benjamin Chelf, Andy Chou, and Seth
Hallem
 
- Feb 14: Guest Lecture (Lujo Bauer) 
 Proof 
Carrying   Code, by George Necula and Peter Lee.
 
 
  - Feb 16:
    
Bugs as Deviant Behavior: A General Approach to Inferring Errors in
Systems Code, by Dawson Engler, David Yu Chen, Seth Hallem, Andy
Chou, and
Benjamin Chelf
 
 Part II: Secure OS  
-  Feb 21: 
 The
protection of information in computer systems, Saltzer and
Schroeder. (Skip, or skim, Section II.)
 Efficient
Software-Based Fault Isolation
 
 
- Feb 23:
 A
Sense
of Self for Unix Processes by S. Forrest, S. A. Hofmeyr, A.
Somayaji
and T. A. Longstaff
 On Gray-Box
Program
Tracking for Anomaly Detection by Debin Gao, Michael K. Reiter and
Dawn
Song
 
 
- Feb 28:
 Privtrans:
Automatic Privilege Separation by David Brumley and Dawn Song
 A
Flexible Containment Mechanism for Executing Untrusted Code
 
 
- Mar 2: Guest lecturer (Lujo Bauer)
 Enforceable
security policies, Fred B. Schneider
 SASI
Enforcement of Security Policies: A Retrospective, Erlingsson and
Schneider
 
 
- Mar 7 & 9: spring break, no class
 
 
- Mar 14: midterm review
 
 
- Mar 16: midterm 
 
 
- Mar 21: 
 Checking
for Race Conditions in File Accesses, by M. Bishop and M. Dilger.
 Dynamic
Detection and Prevention of Race Conditions in File Accesses, by
Eugene Tsyrklevich and Bennet Yee
 
 
- Mar 23: 
 Self-stabilizing systems in spite of distributed control by Edsger W. Dijkstra
 How to securely replicate services by Michael K. Reiter and Kenneth P. Birman
 
  - Mar 28: Virtual Machines 
 A
Virtual Machine Introspection Based Architecture for Intrusion Detection
 Xen:
the Art of Virtualization
 
 
- Mar 30: 
 Automated Generation and Analysis of Attack Graphs, Oleg Sheyner,
Somesh Jha, and Jeannette M. Wing,
 
 
 Part III: Malcode Analysis and Defense and Other Topics
  
  - Apr 4:
 Nachenberg, 
Computer Virus-Antivirus Coevolution
 Static
Analysis of Executables to Detect Malicious Patterns, by M.
Christodorescu and S. Jha.
 
 
- Apr 6:
 Remote timing attacks are practical , by Dan Boneh and David Brumley
 Timing Analysis of Keystrokes and SSH Timing Attacks, by Dawn Song, David Wagner, and Xuqing Tian.
 
 
- Apr 11: Guest lecturer (Sagar Chaki)
 Efficient Verification of Sequential and Concurrent C Programs by Sagar Chaki, Edmund Clarke, Alex Groce, Joel Ouaknine, Ofer Strichman and Karen Yorav
 State/Event-based Software Model Checking by Sagar Chaki, Edmund Clarke, Joel Ouaknine, Natasha Sharygina and Nishant Sinha
 
 
- Apr 13:
 How to 0wn the Internet in Your Spare Time, by Stuart Staniford, Vern Paxson, Nicholas Weaver. 
  
- Apr 18: Guest Lecturer (James Newsome)
 Dynamic
Taint Analysis: Automatic Detection, Analysis, and Signature Generation
of
Exploit Attacks on Commodity Software by James Newsome and Dawn Song
 Polygraph: Automatic Signature Generation for Polymorphic Worms, by
          James Newsome, Brad Karp, Dawn Song
 
- Apr 20:
 
- Apr 25 & 27 : Project presentation & Demo