Main Page

From Security Reading Group Wiki
Main Page
Jump to: navigation, search

This is the home page for our security reading group, known as SECRIT (SECurity Reading Is Terrific). The group is run by Matt Bernhard (matber). Security reading meets every Tuesday from 12.30pm to 1.30pm in 3725 BBB (the stained-glass conference room).

The format of the security reading group is that everyone reads the paper beforehand and we have a roundtable discussion of the paper over lunch. Unlike the systems reading group, there's no presentation. Please send suggestions for papers to read to security-reading-suggestions.

If you would like to receive announcements and reminders pertaining to this group, subscribe to the security-reading list at .

We removed the RSVP requirement this year, so don't bother sending in an RSVP, just show up!

If you noticed any problems in this page, contact Matt Bernhard (matber).


Papers We've Read

Date Paper
January 31, 2016 The Effect of DNS on Tor’s Anonymity

Benjamin Greschbach, Tobias Pulls,Laura M. Roberts, Philipp Winter, Nick Feamster

January 24, 2016 Blocking-resistant Communication Through Domain Fronting

David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson

January 17, 2016 Eclipse Attacks on Bitcoin’s Peer-to-Peer Network

Ethan Heilman, Alison Kendler, Aviv Zohar, Sharon Goldberg

January 3, 2016 How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior

Elissa M. Redmiles, Sean Kross, Michelle L. Mazurek

December 20, 2016 WireGuard: Next Generation Kernel Network Tunnel

Jason A. Donenfeld

November 29, 2016 Should You Use the App for That?: Comparing the Privacy Implications of App- and Web-based Online Services

Christophe Leung, Jingjing Ren, David Choffnes, Christo Wilson

November 22, 2016 Slitheen: Perfectly Imitated Decoy Routing through Traffic Replacement

Cecylia Bocovich, Ian Goldberg

November 15, 2016 Shuffler: Fast and Deployable Continuous Code Re-Randomization

David Williams-King, Graham Gobieski, Kent Williams-King, James P. Blake, Xinhao Yuan, Patrick Colp, Michelle Zheng, Vasileios P. Kemerlis, Junfeng Yang, William Aiello

November 8, 2016 STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System

Susan Bell, Josh Benaloh, Michael D. Byrne, Dana DeBeauvoir, Bryce Eakin, Gail Fisher, Philip Kortum, Neal McBurnett, Julian Montoya, Michelle Parker, Olivier Pereira, Philip B. Stark, Dan S. Wallach, Michael Winn

October 25, 2016 Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS

Kristen Dorey, Nicholas Chang-Fong, Aleksander Essex

October 18, 2016 What Happens After You Are Pwnd: Understanding the Use of Leaked Webmail Credentials in the Wild

Jeremiah Onaolapo, Enrico Mariconti, and Gianluca Stringhini

October 11, 2016 Measuring and Applying Invalid SSL Certificates: The Silent Majority

Taejoong Chung, Yabing Liu, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson

October 4, 2016 A Comprehensive Measurement Study of Domain Generating Malware

Daniel Plohmann, Khaled Yakdan, Michael Klatt, Johannes Bader

September 27, 2016 Making USB Great Again with usbfilter

Dave (Jing) Tian, Nolen Scaife, Adam Bates, Kevin R. B. Butler, and Patrick Traynor

September 20, 2016 An Empirical Study of Textual Key-Fingerprint Representations

Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl and Matthew Smith

September 13, 2016 Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems

Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès,

September 6, 2016 Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks

William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor

August 30, 2016 The Million-Key Question—Investigating the Origins of RSA Public Keys

Petr Švenda, Matúš Nemec, Peter Sekan, Rudolf Kvašňovský, David Formánek, David Komárek, and Vashek Matyáš

August 23, 2016 Post-quantum Key Exchange—A New Hope

Erdem Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe

August 9 & 16, 2016 No paper.
August 2, 2016 Riffle: An Efficient Communication System With Strong Anonymity

Albert Kwon, David Lazar, Srinivas Devadas, and Bryan Ford

July 19, 2016 Access Denied! Contrasting Data Access in the United States and Ireland

Samuel Grogan and Aleecia M. McDonald

June 9, 2015 Mind Your Blocks: On the Stealthiness of Malicious BGP Hijacks

Pierre-Antoine Vervier, Olivier Thonnard and Marc Dacier

June 2, 2015 Why Wassenaar Arrangement's Definitions of Intrusion Software and Controlled Items Put Security Research and Defense At Risk And How To Fix It, What Is the U.S. Doing About Wassenaar, and Why Do We Need to Fight It?

Sergey Bratus, D J Capelis, Michael Locasto and Anna Shubina; Nate Cardozo and Eva Galperin

May 26, 2015 Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google

Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson and Mike Williamson

May 12, 2015 Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, Niels Provos and Moheeb Abu Rajab

April 28, 2015 FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen


April 21, 2015 Optimizing TLS for High–Bandwidth Applications in FreeBSD

Randall Stewart, John-Mark Gurney and Scott Long

April 14, 2015 How Secure and Quick is QUIC? Provable Security and Performance Analyses

Robert Lychev, Samuel Jero, Alexandra Boldyreva, and Cristina Nita-Rotaru

April 7, 2015 What the App is That? Deception and Countermeasures in the Android User Interface

Antonio Bianchi, Jacopo Corbetta, Luca Invernizzi, Yanick Fratantonio, Christopher Kruegel and Giovanni Vigna

March 31, 2015 SoK: Secure Messaging

Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg and Matthew Smith

March 24, 2015 Iago Attacks: Why the System Call API is a Bad Untrusted RPC Interface

Stephen Checkoway and Hovav Shacham

March 17, 2015 A Messy State of the Union: Taming the Composite State Machines of TLS

Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub and Jean Karim Zinzindohoue

March 10, 2015 Surreptitiously Weakening Cryptographic Systems

Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno and Thomas Ristenpart

February 24, 2015 Code Reuse Attacks in PHP

Johannes Dahse, Nikolai Krein, and Thorsten Holz

February 17, 2015 The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan and Claudia Diaz

February 10, 2015 Internet of Things: Privacy and Security in Connected World

FTC Report

February 3, 2015 Enhanced Certificate Transparency and End-to-end Encrypted Mail

Mark Ryan

January 27, 2015 Information Leaks without Memory Disclosures

Jeff Seibert, Hamed Okhravi, and Eric Söderström

January 20, 2015 DP5: A Private Presence Service

Nikita Borisov, George Danezis and Ian Goldberg

January 13, 2015 The Emperor's New API's: On the (In)Secure Usage of New Client-Side Primitives

Steve Hanna, Eui Chul Richard Shin, Devdatta Akhawe, Arman Boehm, Prateek Saxena and Dawn Song

December 9, 2014 Securing SSL Certificate Verification through Dynamic Linking

Adam Bates, Joe Pletcher, Tyler Nichols, Braden Hollembaek, Dave Tian, Kevin R.B. Butler and Abdulrahman Alkhelaifi

December 2, 2014 Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on The Internet

Steven M. Bellovin, Matt Blaze, Sandy Clark and Susan Landau

November 18, 2014 On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records

Sambuddho Chakravarty, Marco V. Barbera, Georgios Portokalidis, Michalis Polychronakis and Angelos D. Keromytis

November 11, 2014 Moving Targets: Security and Rapid-Release in Firefox

Sandy Clark, Michael Collis, Matt Blaze, and Jonathan M. Smith

October 28, 2014 From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation

Frederico Araujo, Kevin W. Hamlen, Sebastian Biedermann, and Stefan Katzenbeisser

October 21, 2014 Analaysis of SSL Certificate Reissues and Recocations in the Wake of Heartbleed

Liang Zhang, David Choffnes, Dave Levin, Tudor Dumitras, Alan Mislove, Aaron Schulman and Christo Wilson

October 7, 2014 ROP is Still Dangerous - Breaking Modern Defenses

Nicholas Carlini and David Wagner

September 30, 2014 From the Aether to the Ethernet – Attacking the Internet using Broadcast Digital Television

Yossef Oren and Angelos D. Keromytis

September 23, 2014 On the Practical Exploitability of Dual EC in TLS Implementations

Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz and Hovav Shacham

September 16, 2014 Exit from Hell? Reducing the Impact of Amplification DDoS Attacks

Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

September 9, 2014 Gyrophone: Recognizing Speech from Gyroscope Signals

Yan Michalevsky and Dan Boneh

August 26, 2014 Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks on PCs

Daniel Genkin, Itamar Pipman, and Eran Tromer

August 19, 2014 Hacking Blind

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, and Dan Boneh

August 12, 2014 RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
August 5, 2014 Spoiled Onions: Exposing Malicious Tor Exit Relays

Philipp Winter, Richard Köwer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, and Edgar Weipp

July 29, 2014 When Governments Hack Opponents: A Look at Actors and Technology

William R. Marczak, John Scott-Railton, Morgan Marquis-Boire, and Vern Paxson

July 22, 2014 Framing Signals—A Return to Portable Shellcode

Erik Bosman and Herbert Bos

July 15, 2014 Neural Signatures of User-Centered Security: An fMRI Study of Phishing, and Malware Warnings

Ajaya Neupane, Nitesh Saxena, Keya Kuruvilla, Michael Georgescu, and Rajesh Kana.

July 8, 2014 When HTTPS Meets CDN: A Case of Authentication in Delegated Service

Liang, J., Jiang, J., Duan, H., Li, K., Wan, T., Wu, J.

July 1, 2014 Nazca: Detecting Malware Distribution in Large-Scale Networks

Invernizzi, L., Lee, S. J., Miskovic, S., Mellia, M., Torres, R., Kruegel, C., Saha, S., Vigna, G.

June 24, 2014 SNARKSs for C: Verifying Program Execution Succinctly and in Zero Knowledge

Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., Virza, M.

June 17, 2014 Pivot: Fast, Synchronous Mashup Isolation Using Generator Chains

Mikens, J.

June 10, 2014 Chip and Skim: Cloning EMV Cards with the Pre-Play Attack

Bond, M., Choudary, O., Murdoch, S., Skorobogatov, S., Anderson, R.

June 3, 2014 Zerocash: Decentralized Anonymous Payments from Bitcoin

Ben-Sasson, E., Chiesa, A., Garma, C., Green, M., Miers, I., Tromer, E., Virza, M.

May 27, 2014 Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS

Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cedric Fournet, Alfredo Pironti and Pierre-Yves Strub

May 20, 2014 Analyzing Forged SSL Certificates in the Wild

Huang, L. S., Rice, A., Ellingsen, E., & Jackson, C. Analyzing Forged SSL Certificates in the Wild.

May 13, 2014 mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations

Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., & Yang, E. Z. (2013, November). mXSS attacks: attacking well-secured web-applications by using innerHTML mutations. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (pp. 777-788). ACM.

May 6, 2014 Towards Automatic Software Lineage Inference

Jang, J., Woo, M., & Brumley, D. (2013, August). Towards automatic software lineage inference. In Proceedings of the 22nd USENIX conference on Security (pp. 81-96). USENIX Association.

March 25, 2014 On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency

Courtois, N. T., & Bahack, L. (2014). On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency. arXiv preprint arXiv:1402.1718.

March 18, 2014 PlaceAvoider: Steering First-Person Cameras away from Sensitive Spaces

Templeman, R., Korayem, M., Crandall, D., & Kapadia, A. (2014). PlaceAvoider: Steering First-Person Cameras away from Sensitive Spaces.

March 11, 2014 Copker: Computing with Private Keys without RAM

Guan, L., Lin, J., Luo, B., & Jing, J. (2014). Copker: Computing with Private Keys without RAM.

March 4, 2014 Auditable Version Control Systems

Bo Chen, Reza Curtmola (New Jersey Institute of Technology)

February 25, 2014 Toward Black-Box Detection of Logic Flaws in Web Applications

Giancarlo Pellegrino, Davide Balzarotti (EURECOM, France)

February 18, 2014 ROPecker: A Generic and Practical Approach for Defending Against ROP Attacks

Yueqiang Cheng‡, Zongwei Zhou*, Miao Yu*, Xuhua Ding‡, Robert H. Deng‡ * Carnegie Mellon University ‡ Singapore Management University

February 11, 2014 The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network

Rob Jansen* , Florian Tschorsch‡, Aaron Johnson* , Bjorn Scheuermann‡ * U.S. Naval Research Laboratory ‡ Humboldt University of Berlin, Germany

February 4, 2014 Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares

Zaddach, J., Bruno, L., Francillon, A., & Balzarotti, D. (2010). AVATAR: A framework to support dynamic security analysis of embedded system's firmwares. IEEE Transactions on Software Engineering, 36(4).

January 28, 2014 Botcoin: Monetizing Stolen Cycles

Huang, D. Y., Dharmdasani, H., Meiklejohn, S., Dave, V., Grier, C., McCoy, D., ... & Levchenko, K. (2014). Botcoin: monetizing stolen cycles. In Proceedings of NDSS (Vol. 2014).

January 21, 2014 Model-Based Evaluation of GPS Spoofing Attacks on Power Grid Sensors

Akkaya, I., Lee, E. A., & Derler, P. (2013, May). Model-based evaluation of GPS spoofing attacks on power grid sensors. In Modeling and Simulation of Cyber-Physical Energy Systems (MSCPES), 2013 Workshop on (pp. 1-6). IEEE.

January 7, 2014 CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers

Antonio Nappa, Zhaoyan Xu, M. Zubair Rafique, Juan Caballero, Guofei Gu

Nov 26, 2013 GOTCHA Password Hackers!

Jeremiah Blocki, Manuel Blum, Anupam Datta (Carnegie Mellon University)

Nov 19, 2013 Ed Felton Discussion
Nov 12, 2013 On the Security of RC4 in TLS

Nadhem AlFardan (University of London), Daniel J. Bernstein (University of Illinois at Chicago and Technische Universiteit Eindhoven), Kenneth G. Paterson, Bertram Poettering, Jacob C.N. Schuldt (University of London)

Nov 5, 2013 SAuth: Protecting User Accounts from Password Database Leaks,

RFC 6749: The OAuth 2.0 Authorization Framework Georgios Kontaxis, Elias Athanasopoulos (Columbia University), Georgios Portokalidis (Stevens Inst. of Technology), Angelos D. Keromytis (Columbia University)

Oct 29, 2013 Take This Personally: Pollution Attacks on Personalized Services

Xinyu Xing, Wei Meng, Dan Doozan (Georgia Institute of Technology), Alex C. Snoeren (University of California, San Diego), Nick Feamster, Wenke Lee (Georgia Institute of Technology)

Oct 22, 2013 Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations

Istvan Haller, Asia Slowinska (VU University Amsterdam), Matthias Neugschwandtner (Vienna University of Technology), Herbert Bos (VU University Amsterdam)

Oct 15, 2013
Oct 8, 2013 Silk Road New York Trial Document,

Silk Road Maryland Trial Document

Oct 1, 2013 Stealthy Dopant-Level Hardware Trojans

Georg T. Becker (UMASS Amherst), Francesco Regazzoni (TU Delft and ALaRI, University of Lugano), Christof Paar (UMASS Amherst), Wayne P. Burleson (UMASS Amherst), CHES 2013.

Sep 24, 2013 Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries

Aaron Johnson (U.S. Naval Research Laboratory), Chris Wacek (Georgetown University), Rob Jansen (U.S. Naval Research Laboratory), Micah Sherr (Georgetown University), Paul Syverson (U.S. Naval Research Laboratory), CCS 2013

Sep 17, 2013 Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse

Kurt Thomas (UC Berkeley and Twitter), Damon McCoy (George Mason University), Chris Grier (UC Berkeley and International Computer Science Institute), Alek Kolcz (Twitter), Vern Paxson (UC Berkeley and International Computer Science Institute), USENIX 2013.

Sep 10, 2013 Control Flow Integrity for COTS Binaries

Mingwei Zhang, R. Sekar (Stony Brook University), USENIX 2013.

Sep 3, 2013 Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing for Obfuscation

Frank Imeson, Ariq Emtenan, Siddharth Garg, Mahesh V. Tripunitara (University of Waterloo), USENIX 2013.

Aug 27, 2013
Aug 20, 2013
Aug 13, 2013
Aug 6, 2013
July 30, 2013 Measuring the practical impact of DNSSEC Deployment

Wilson Lian (UC San Diego), Eric Rescorla (RTFM, Inc.), Hovav Shacham, Stefan Savage (UC San Diego), USENIX 2013.

July 16, 2013 seL4: from General Purpose to a Proof of Information Flow Enforcement

Toby Murray, Daniel Matichuk, Matthew Brassil, Peter Gammie, Timothy Bourke, Sean Seefried, Corey Lewis, Xin Gao, Gerwin Klein (NICTA), IEEE S&P 2013.

July 9, 2013 PRIVEXEC: Private Execution as an Operating System Service

Kaan Onarlioglu, Collin Mulliner, William Robertson and Engin Kirda (Northeastern), IEEE S&P 2013.

July 2, 2013 ObliviStore: High Performance Oblivious Cloud Storage

Emil Stefanov (UC Berkeley), Elaine Shi (Maryland), IEEE S&P 2013.

June 25, 2013 Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann (University of Luxembourg), IEEE S&P 2013.

June 18, 2013 Breakthrough silicon scanning discovers backdoor in military chip

Sergei Skorobogatov (Cambridge), Christopher Woods (Quo Vadis Labs), CHES 2012.

June 11, 2013 Hiding Information in Flash Memory

Yinglei Wang, Wing-kei Yu, Sarah Q. Xu, Edwin Kan, and G. Edward Suh (Cornell), IEEE S&P 2013.

June 4, 2013 The Crossfire Attack

Min Suk Kang, Soo Bum Lee, Virgil D. Gligor (CMU), IEEE S&P 2013.

May 28, 2013 Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization

Kevin Z. Snow, Fabian Monrose (University of North Carolina), Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, Ahmad-Reza Sadeghi (CASED/Technische Universitat Darmstadt), IEEE S&P 2013.

May 21, 2013 Honeywords: Making Password-Cracking Detectable

Ari Juels (RSA Labs), Ronald L. Rivest (MIT CSAIL).

May 14, 2013 SoK: Eternal War in Memory

Laszlo Szekeres(Stony Brook University), Mathias Payerz, Tao Weiz, Dawn Song (UCB), IEEE S&P 2013.

May 7, 2013 A Scanner Darkly: Protecting User Privacy From Perceptual Applications

Suman Jana (UT Austin), Arvind Narayanany (Princeton), Vitaly Shmatikov (UT Austin), IEEE S&P 2013.

Apr 30, 2013 Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting

Nick Nikiforakis(1), Alexandros Kapravelosy(2), Wouter Joosen(1), Christopher Kruegely(2), Frank Piessens(1), Giovanni Vigna(2); (1) iMinds-DistriNet, (2) UCSB, IEEE S&P 2013.

Apr 23, 2013 SkyNET: a 3G-enabled mobile attack drone and stealth botmaster

Theodore Reed, Joseph Geis, Sven Dietrich (Stevens Institute of Technology) USENIX WOOT'11.

Apr 16, 2013 Zerocoin: Anonymous Distributed E-Cash from Bitcoin

Ian Miers, Christina Garman, Matthew Green, Aviel D. Rubin (Johns Hopkins) IEEE S&P 2013.

Apr 9, 2013 Anon-Pass: Practical Anonymous Subscriptions

Michael Z. Lee, Alan M. Dunn, Brent Waters, Emmett Witchel (University of Texas at Austin), Jonathan Katz (University of Maryland) IEEE S&P 2013.

Apr 2, 2013 I can be You: Questioning the use of Keystroke Dynamics as Biometrics

Tey Chee Meng, Payas Gupta, Debin Gao (Singapore Management University) NDSS 2013.

Mar 26, 2013 SoK: Secure Data Deletion

Joel Reardon, David Basin, Srdjan Capkun (ETH Zurich) Oakland 2013.

Mar 19, 2013 PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs

Damon McCoy (2), Andreas Pitsillidis (1), Grant Jordan (1), Nicholas Weaver (1,3), Christian Kreibich (1,3), Brian Krebs (4), Geoffrey M. Voelker (1), Stefan Savage (1), Kirill Levchenko (1). (1) UCSD, (2) George Mason, (3) International Computer Science Institute, (4) USENIX Security 2012.

Mar 12, 2013 Vanity, Cracks and Malware: Insights into the Anti-Copy Protection Ecosystem

Markus Kammerstetter, Christian Platzer, and Gilbert Wondracek (Vienna University of Technology) ACM CCS 2012.

Mar 5, 2013 The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes

Joseph Bonneau (University of Cambridge), Cormac Herley (Microsoft Research), Paul C. van Oorschot (Carleton University), Frank Stajanoy (University of Cambridge) IEEE S&P 2012.

Feb 26, 2013 Hourglass Schemes: How to Prove that Cloud Files Are Encrypted

Marten van Dijk (1), Ari Juels (1), Alina Oprea (1), Ronald L. Rivest (2), Emil Stefanov (3), Nikos Triandopoulos (1). (1) RSA Laboratories, (2) MIT, (3) UC Berkeley. ACM CCS 2012.

Feb 19, 2013 Going Bright: Wiretapping without Weakening Communications Infrastructure

Steven M. Bellovin (Columbia University), Matt Blaze (University of Pennsylvania), Sandy Clark (University of Pennsylvania), Susan Landau (Privacy Ink) IEEE S&P 2011.

Feb 12, 2013 Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

Nadhem J. AlFardan and Kenneth G. Paterson (Royal Holloway, University of London) 2013.

Sep 26, 2012 Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider

Ariel J. Feldman, Aaron Blankstein, Michael J. Freedman, and Edward W. Felten (Princeton University) USENIX Security 2012.

Sep 19, 2012 Distinguishing Users with Capacitative Touch Communication

Tam Vu, Akash Baid, Simon Gao, Marco Gruteser, Richard Howard, Janne Lindqvist, Predrag Spasojevic and Jeffrey Walling (Rutgers University) MobiCom 2012.

Sep 12, 2012 Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks

Hristo Bojinov (Stanford), Daniel Sanchez, Paul Reber (Northwestern), Dan Boneh (Stanford), and Patrick Lincoln (SRI) USENIX Security 2012.

Sep 5, 2012 Memento: Learning Secrets from Process Footprints

Suman Jana and Vitaly Shmatikov. U. of Texas Austin. IEEE S&P 2012.

Aug 30, 2012 On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces

Ivan Martinovic (1), Doug Davies (2), Mario Frank (2), Daniele Perito (2), Tomas Ros (3), Dawn Song (2). (1) University of Oxford, (2) UC Berkeley, (3) University of Geneva. USENIX Security 2012.

Aug 23, 2012 Clickjacking: Attacks and Defenses

Lin-Shung Huang (1), Alex Moshchuk (2), Helen J. Wang (2), Stuart Schechter (2), and Collin Jackson (1). (1) CMU (2) MSR. USENIX Security 2012.

Jul 12, 2012 Aurasium: Practical Policy Enforcement for Android Applications

Rubin Xu (1), Hassen Saidi (2), and Ross Anderson (1). (1) Cambridge (2) SRI International. USENIX Security 2012.

Jun 28, 2012 (Canceled) Prudent Practices for Designing Malware Experiments: Status Quo and Outlook

Christian Rossow (1,4), Christian J. Dietrich (1), Chris Grier (3,2), Christian Kreibich (3,2), Vern Paxson (3,2), Norbert Pohlmann (1), Herbert Bos (4), and Maarten van Steen (4). (1) Institute for Internet Security, Gelsenkirchen (2) UC Berkeley (3) International Computer Science Institute, Berkeley (4) VU University Amsterdam, The Network Institute. IEEE S&P 2012.

Jun 14, 2012 Using Replicated Execution for a More Secure and Reliable Web Browser

Hui Xue, Nathan Dautenhahn, Samuel T. King. UIUC. NDSS 2012.

Apr 17, 2012 User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems

Franziska Roesner (1), Tadayoshi Kohno (1), Alexander Moshchuk (2), Bryan Parno (2), Helen J. Wang (2), and Crispin Cowan (2). (1) University of Washington (2) MSR (3) Microsoft. IEEE S&P 2012.

Apr 10, 2012 The Case for Prefetching and Prevalidating TLS Server Certificates

Emily Stark (1), Lin-Shung Huang (2), Dinesh Israni (2), Collin Jackson (2) and Dan Boneh (3). (1) MIT (2) CMU (3) Stanford. NDSS 2012.

Apr 3, 2012 Ghost Domain Names: Revoked Yet Still Resolvable

Jian Jiang (1), Jinjin Liang (1), Kang Li (2), Jun Li (3), Haixin Duan (1), and Jianping Wu (1). (1) Tsinghua University (2) University of Georgia (3) University of Oregon. NDSS 2012.

Mar 27, 2012 Persistent OSPF Attacks

Gabi Nakibly (1), Alex Kirshon (2), Dima Gonikman (2), and Dan Boneh (3). (1) Rafael (2) Technion – Israel Institute of Technology (3) Stanford. NDSS 2012.

Mar 20, 2012 Host Fingerprinting and Tracking on the Web: Privacy and Security Implications

Ting-Fang Yen (1), Yinglian Xie (2), Fang Yu (2), Roger Peng Yu (3), and Martin Abadi (2). (1) RSA (2) MSR (3) Microsoft. NDSS 2012.

Mar 13, 2012 An Attack on PUF-Based Session Key Exchange and a Hardware-Based Countermeasure: Erasable PUFs

Ulrich Rührmai, Christian Jaeger, and Michael Algasinger. Technische Universität München. FC 2011.

Mar 6, 2012 Analyzing Facebook Privacy Settings: User Expectations vs. Reality

Yabing Liu, Krishna P. Gummadi, Balachander Krishnamurthy, and Alan Mislove. IMC 2011.

Privacy Protection for Social Networking Platforms Adrienne Felt and David Evans. W2SP 2008.
Feb 21, 2012 Software fault isolation with API integrity and multi-principal modules

Yandong Mao, Haogang Chen (MIT), Dong Zhou (Tsinghua), Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek (MIT). SOSP 2011.

Feb 14, 2012 A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware

Kangkook Jee (1), Georgios Portokalidis (1), Vasileios P. Kemerlis (1), Soumyadeep Ghosh (2), David I. August (2), and Angelos D. Keromytis (1). (1) Columbia University (2) Princeton. NDSS 2012.

Jan 31, 2012 Insights into User Behavior in Dealing with Internet Attacks

Kaan Onarlioglu (1), Utku Ozan Yilmaz (2), and Engin Kirda (1). (1) Northeastern University (2) Bilkent University. NDSS 2012.

Jan 24, 2012 Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems

Xiaoxin Chen (1), Tal Garfinkel (1), E. Christopher Lewis (1), Pratap Subrahmanyam (1), Carl A. Waldspurger (1), Dan Boneh (2), Jeffrey Dwoskin (3), and Dan R.K. Ports (4). (1) VMWare (2) Stanford (3) Princeton (4) MIT. ASPLOS 2008.

Jan 17, 2012 WarningBird: Detecting Suspicious URLs in Twitter Stream

Sangho Lee and Jong Kim. Pohang University of Science and Technology. NDSS 2012.

Dec 12, 2011 What’s Clicking What? Techniques and Innovations of Today’s Clickbots

Brad Miller (1), Paul Pearce (1), and Chris Grier (1), Christian Kreibich (2), Vern Paxson (1,2). (1) UC Berkeley (2) ICSI. DIMVA 2011.

Dec 5, 2011 Systematic Detection of Capability Leaks in Stock Android Smartphones

Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. North Carolina State University. NDSS 2012.

Nov 28, 2011 How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores

Rui Wang (1), Shuo Chen (2), XiaoFeng Wang (1), Shaz Qadeer (2). (1) Indiana University Bloomington (2) MSR. IEEE S&P 2011.

Nov 21, 2011 Dirty Jobs: The Role of Freelance Labor in Web Service Abuse

Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker. UC San Diego. USENIX Security 2011.

Nov 14, 2011 "You Might Also Like:" Privacy Risks of Collaborative Filtering

Joseph A. Calandrino(1), Ann Kilzer(2), Arvind Narayanan(3), Edward W. Felten(1), and Vitaly Shmatikov(2). (1) Princeton (2) U. of Texas Austin (3) Stanford. IEEE S&P 2011.

Nov 7, 2011 Security Aspects of Piecewise Hashing in Computer Forensics

Harald Baier, Frank Breitinger. Hochschule Darmstadt. 2011 Sixth International Conference on IT Security Incident Management and IT Forensics (IMF).

Oct 31, 2011 Countering Gattaca: Efficient and Secure Testing of Fully-Sequenced Human Genomes

Pierre Baldi, Roberta Baronio, Emiliano De Cristofaro, Paolo Gasti, Gene Tsudik. CCS 2011. UC Irvine.

Oct 24, 2011 Forcing Johnny to Login Safely: Long-Term User Study of Forcing and Training Login Mechanisms

Amir Herzberg and Ronen Margulies. Bar Ilan University. ESORICS 2011.

Oct 17, 2011 Canceled. Fall Break.
Oct 10, 2011 Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

Christopher Soghoian and Sid Stamm. FC 2011.

Oct 3, 2011 MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery

Chia Yuan Cho, Domagoj Babi, Pongsin Poosankam, Kevin Zhijie Chen, Edward XueJun Wu, and Dawn Song. UC Berkeley. USENIX 2011.

Sep 26, 2011 Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System

Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, Matt Blaze. UPenn. USENIX Security 2011.

Sep 19, 2011 Mimimorphism: A New Approach to Binary Code Obfuscation

Zhenyu Wu, Steven Gianvecchio, Mengjun Xie, and Haining Wang

Sep 12, 2011 Secure In-Band Wireless Pairing

Shyamnath Gollakota, Nabeel Ahmed, Nickolai Zeldovich, and Dina Katabi. MIT. USENIX Security 2011.

Aug 23, 2011 Cloaking Malware with the Trusted Platform Module

Alan M. Dunn, Owen S. Hofmann, Brent Waters and EmmettWitchel. UT Austin. USENIX Security 2011.

Aug 9, 2011 deSEO: Combating Search-Result Poisoning

John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi. MSR. USENIX Security 2011.

Jul 26, 2011 Measuring Pay-per-Install: The Commoditization of Malware Distribution

Juan Caballero (1), Chris Grier (2), Christian Kreibich(2), and Vern Paxson (2). (1) IMDEA (2) UC Berkeley. USENIX Security 2011.

Jul 12, 2011 A Study of Android Application Security

William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. PSU. USENIX Security 2011.

June 28, 2011 Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner and Markus Huber. SBA Research. USENIX Security 2011.

June 14, 2011 I Still Know What You Visited Last Summer - Leaking browsing history via user interaction and side channel attacks

Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman and Collin Jackson (CMU). IEEE SP2011.

May 31, 2011 Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices

Michael Becher (1), Felix C. Freiling (1), Johannes Hoffmann (2), Thorsten Holz (2), Sebastian Uellenbeck (2), Christopher Wolf (2). (1) University of Mannheim, Germany (2) Horst Gortz Institute (HGI) Ruhr-University Bochum, Germany. IEEE SP2011.

Apr 07, 2011 Ensuring Operating System Kernel Integrity of OSck

Owen S. Hofmann (1), Alan M. Dunn (1), Sangman Kim (1), Indrajit Roy (2), Emmett Witchel (1). (1) UT Austin (2) HP Labs. ASPLOS 2011.

Mar 31, 2011 Folk Models of Home Computer Security

Rick Wash. Michigan State University. SOUPS 10.

Mar 24, 2011 PiOS: Detecting Privacy Leaks in iOS Applications

Manuel Egele (Vienna University of Technology, Austria & UCSB), Christopher Kruegel (UCSB) , Engin Kirda (Institute Eurecom & Northeastern University, Boston), and Giovanni Vigna (UCSB). NDSS 11.

Mar 17, 2011 Reliably Erasing Data From Flash-Based Solid State Drives

Michael Wei, Laura, M. Grupp, Frederick E. Spada, and Steven Swanson. UCSD. FAST 11.

Mar 10, 2011 Where Do Security Policies Come From?

Dinei Florencio and Cormac Herley. MSR. SOUPS 10.

Feb 24, 2011 AEG: Automatic Exploit Generation

Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley. CMU. NDSS 11.

Feb 17, 2011 EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

Leyla Bilge (1), Engin Kirda (1,2), Christopher Kruegel (3), Marco Balduzzi(1). (1) Institute of Eurecom, Sophia Antipolis (2) Northeastern University, Boston (3) UCSB. NDSS 11.

Feb 10, 2011 Canceled.
Feb 03, 2011 Usability Testing a Malware-Resistant Input Mechanism

Alana Libonati (UNC), Jonathan M. McCune (CMU), and Michael K. Reiter (UNC). NDSS 11.

Jan 27, 2011 Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

Max Schuchard (1), Eugene Y. Vasserman (2), Abedelaziz Mohaisen (1), Denis Foo Kune (1), Nicholas Hopper (1), Yongdae Kim (2). (1) Uni. of Minnesota (2) Kansas State Uni. NDSS 11.

Jan 20, 2011 Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones

Roman Schlegel (City Uni of Hong Kong), Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang (Indiana University Bloomington). NDSS 11.

Jan 13, 2011 Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Aurelien Francillon, Boris Danev, and Srdjan Capkun (ETH Zurich). NDSS11.

Dec 02, 2010 AccessMiner: Using System-Centric Models for Malware Protection

Andrea Lanzi (1), Davide Balzarotti (1), Christopher Kruegel (2), Mihai Christodorescu (3) and Engin Kirda (1). (1) Institute Eurecom, (2) UCSB, (3) IBM. CCS 2010.

Nov 25, 2010 Thanksgiving.
Nov 18, 2010 Discussion with Hari Prasad.
Nov 11, 2010 Platform-Independent Programs

Sang Kl Cha, Brian Pak, David Brumley (CMU), and Richard J. Lipton (Georgia Tech). CCS 2010.

Nov 4, 2010 @spam: The Underground on 140 Characters or Less

Chris Grier (Berkeley), Kurt Thomas (UIUC), Vern Paxson (Berkeley), and Michael Zhang (Berkeley). CCS 2010.

Oct 28, 2010 W32.Stuxnet Dossier

Nicolas Falliere, Liam O Murchu, and Eric Chien. Symantec.

Oct 21, 2010 (Postponed from Sep 30) MulVAL: A Logic-based Network Security Analyzer

Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel, Princeton. USENIX Security 2005.

Oct 14, 2010 Input Generation via Decomposition and Re-Stitching: Finding Bugs in Malware

Juan Caballero (CMU/Berkley), Pongsin Poosankam (CMU/Berkley), Stephen McCamant, Domagoj Babic, and Dawn Song (Berkley). CCS 2010.

Sep 23, 2010 Vex: Vetting Browser Extensions for Security Vulnerabilities

Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, and Marianne Winslett, UIUC. USENIX Security 2010.

Sep 16, 2010 Kamouflage: Loss-Resistant Password Management

Hristo Bojinov (1), Elie Bursztein (1), Xavier Boyen (2), and Dan Boneh (1). (1) Stanford University, (2) Universite de Liege, Belgium. ESORICS 2010.

Sep 9, 2010 Capsicum: Practical Capabilities for UNIX

Robert N.M. Watson and Jonathan Anderson, University of Cambridge; Ben Laurie and Kris Kennaway, Google UK Ltd. USENIX Security 2010.

Sep 2, 2010 On Challenges in Evaluating Malware Clustering

Peng Li (University of North Carolina, Chapel Hill) , Limin Liu (Graduate School of Chinese Academy of Sciences) , Debin Gao (Singapore Management University) , and Michael K. Reiter (University of North Caroline, Chapel Hill). RAID 2010.

Aug 26, 2010 Searching the Searchers with SearchAudit

John P. John, Fang Yu, Yinglian Xie , Mart ́n Abadi, Arvind Krishnamurthy. USENIX Security 2010.

Aug 19, 2010 Automatic Generation of Remediation Procedures for Malware Infections

Roberto Paleari (1), Lorenzo Martignoni (2), Emanuele Passerini (1), Drew Davidson (3), Matt Fredrikson (3), Jon Giffin (4), Somesh Jha (3), (1) Universita degli Studi di Milano, (2) Universita degli Studi di Udine, (3) University of Wisconsin, (4) Georgia Institute of Technology. USENIX Security 2010.

Aug 5, 2010 Baaz: A System for Detecting Access Control Misconfigurations

Tathagata Das, Ranjita Bhagwan, Prasad Naldurg (MSR India). USENIX Security 2010.

July 22, 2010 An Analysis of Private Browsing Modes in Modern Browsers

Gaurav Aggarwal (Stanford), Elie Burzstein (Stanford), Collin Jackson (CMU), and Dan Boneh (Stanford). USENIX Security 2010.

July 15, 2010 Adapting Software Fault Isolation to Contemporary CPU Architectures

David Sehr, Robert Muth, Cliff Biffle, Victor Khimenko, Egor Pasko, Karl Schimpf, Bennet Yee, Brad Chen (Google, Inc). USENIX Security 2010.

July 8, 2010 Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy

Richard Carback (UMBC CDL), David Chaum, Jeremy Clark (Uni of Waterloo), John Conway (UMBC CDL), Aleksander Essex (Uni of Waterloo), Paul S. Herrnson (UMCP CAPC), Travis Mayberry (UMBC CDL), Stefan Popoveniuc, Ronald L. Rivest, Emily Shen (MIT CSAIL), Alan T. Sherman (UMBC CDL), Poorvi L. Vora (GW). USENIX Security 2010.

June 24, 2010 Absolute Pwnage: Security Risks of Remote Administration Tools

Jay Novak, Jonathan Stribley, Kenneth Meagher, Scott Wolchok, J. Alex Halderman

Crawling BitTorrent DHTs for Fun and Profit

Scott Wolchok and J. Alex Halderman

June 17, 2010 Detecting and Removing Malicious Hardware Automatically

Matthew Hicks (UIUC), Murph Finnicum (UIUC), Samuel T. King (UIUC), Milo M. K. Martin (UPenn), Jonathan M. Smith (UPenn), IEEE SP2010.

June 10, 2010 Chip and PIN is Broken

Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond (University of Cambridge), IEEE SP2010.

May 27, 2010 Experimental Security Analysis of a Modern Automobile

Karl Koscher (UW), Alexei Czeskis (UW), Franziska Roesner (UW), Shwetak Patel (UW), and Tadayoshi Kohno (UW), Stephen Checkoway (UCSD), Damon McCoy (UCSD), Brian Kantor (UCSD), Danny Anderson (UCSD), Hovav Shacham (UCSD), and Stefan Savage (UCSD), IEEE SP2010.

May 6, 2010 Security Analysis of India's Electronic Voting Machines

Hari K. Prasad (1), J. Alex Halderman (2), Rop Gonggrijp, Scott Wolchok (2), Eric Wustrow (2), Arun Kankipati (1), Sai Krishna Sakhamuri (1), and Vasavya Yagati(1), (1) NetIndia, (P) Ltd., Hyderabad (2) University of Michigan, submitted to CCS 2010.

April 29, 2010 A Practical Attack to De-Anonymize Social Network Users

Gilbert Wondracek (1), Thorsten Holz (1), Engin Kirda (2), Christopher Kruegel (3), (1) Technical University Vienna (2) Institute Eurecom (3) University of California, IEEE SP2010.

April 15, 2010 When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography

Thomas Ristenpart and Scott Yilek, University of California San Diego, NDSS 2010.

April 8, 2010 State of the Art: Automated Black-Box Web Application Vulnerability Testing

Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, Stanford University, IEEE SP2010.

April 1, 2010 Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow

Shuo Chen (1), Rui Wang (2), XiaoFeng Wang (2), Kehuan Zhang (2), (1) MSR (2) Indiana University Bloomington, IEEE SP2010.

March 25, 2010 How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation

Elie Bursztein, Steven Bethard, Celine Fabry, John C. Mitchell, Dan Jurafsky, Stanford University, IEEE SP2010.

March 18, 2010 Server-Side Verification of Client Behavior in Online Games

Darrell Bethea, Robert Cochran and Michael Reiter, University of North Carolina at Chapel Hill, NDSS 2010.

March 11, 2010 A Systematic Characterization of IM Threats Using Honeypots

Spiros Antonatos, Iasonas Polakis, Thanasis Petsas and Evangelos P. Markatos, Foundation for Research and Technology Hellas, NDSS 2010.

February 25, 2010 FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications

Prateek Saxena, Steve Hanna, Pongsin Poosankam and Dawn Song, UC Berkeley, NDSS 2010.

February 18, 2010 Active Botnet Probing to Identify Obscure Command and Control Channels

Guofei Gu (1) , Vinod Yegneswaran (2), Phillip Porras (2) , Jennifer Stoll (3) , and Wenke Lee (3), (1) Texas A&M, (2) SRI International, (3) Georgia Institute of Technology

February 11, 2010 Where Do You Want to Go Today? Escalating Privileges By Pathname Manipulation

Suresh Chari, Shai Halevi and Wietse Venema, IBM Research, to appear in NDSS 2010.

February 4, 2010 Botnet Judo: Fighting Spam with Itself

Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage, to appear in NDSS 2010.

January 28, 2010 Efficient Detection of Split Personalities in Malware

Davide Balzarotti (1), Marco Cova(3), Christoph Karlberger (2), Christopher Kruegel (3), Engin Kirda (2), and Giovanni Vigna (3), to appear in NDSS 2010. (1) Institute Eurecom, Sophia Antipolis (2) Secure Systems Lab, Vienna University of Technology (3) University of California, Santa Barbara

January 21, 2010 Contractual Anonymity

Edward J. Schwartz, David Brumley and Jonathan M. McCune. to appear in NDSS 2010.

January 14, 2010 Protecting Browsers from Extension Vulnerabilities

Adam Barth, Adrienne Porter Felt, Prateek Saxena (UC Berkeley), and Aaron Boodman (Google, Inc.), to appear in NDSS 2010.

December 16, 2009 (postponed from December 9) EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond

Karl Koscher (UW), Ari Juels (RSA Labs), Vjekoslav Brajkovic (UW), and Tadayoshi Kohno (UW), CCS 2009.

December 2, 2009 On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core

Patrick Traynor (Georgia Tech), Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Thomas La Porta and Patrick McDaniel (all of Penn State), CCS 2009.

November 25, 2009 SMILE: Encounter-Based Trust for Mobile Social Services

Justin Manweiler, Ryan Scudellari, and Landon P. Cox, CCS 2009.

November 18, 2009 Can They Hear Me Now? A Security Analysis of Law Enforcement Wiretaps

Micah Sherr, Gaurav Shah, Eric Cronin, Sandy Clark, and Matt Blaze (University of Pennsylvania), CCS 2009.

November 11, 2009 Countering Kernel Rootkits with Lightweight Hook Protection

Zhi Wang (NCSU), Xuxian Jiang (NCSU), Weidong Cui (MSR), and Peng Ning (NCSU), CCS 2009.

November 4, 2009 Behavior Based Software Theft Detection

Xinran Wang, Yoon-Chan Jhi, Sencun Zhu, and Peng Liu (Penn State), CCS 2009.

October 28, 2009 Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Mike Ter Louw, V.N. Venkatakrishnan (University of Illinois at Chicago), Oakland 2009.

October 21, 2009 Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds

Thomas Ristenpart (UCSD), Eran Tromer (MIT), Hovav Shacham (UCSD), and Stefen Savage (UCSD), CCS 2009.

October 14, 2009 Revealing Hidden Context: Improving Mental Models of Personal Firewall Users

Fahimeh Raja, Kirstie Hawkey, Konstantin Beznosov (UBC), SOUPS 2009.

October 7, 2009 Fabric: A Platform for Secure Distributed Computation and Storage

Jed Liu, Michael George, K. Vikram, Xin Qi, Lucas Waye, and Andrew C. Myers (Cornell University), SOSP 2009.

September 16, 2009 Heat-ray: Combating Identity Snowball Attacks using Machine Learning, Combinatorial Optimization and Attack Graphs

John Dunagan (Microsoft Research), Alice X. Zheng (Microsoft Research), Daniel R. Simon (Microsoft), SOSP 2009.

September 9, 2009 Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems

Kehuan Zhang and XiaoFeng Wang (Indiana University, Bloomington), USENIX Security 2009.

September 3, 2009 Crying Wolf :An Empirical Study of SSL Warning Effectiveness

Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor (Carnegie Mellon University), USENIX Security 2009.

August 27, 2009 Membership-concealing overlay networks

Eugene Vasserman, Rob Jansen, James Tyra, Nicholas Hopper, and Yongdae Kim (University of Minnesota), CCS 2009.

August 20, 2009 Compromising Electromagnetic Emanations of Wired and Wireless Keyboards

Martin Vuagnoux and Sylvain Pasini (EPFL), USENIX Security 2009.

August 13, 2009 Unpacking Virtualization Obfuscators

Rolf Rolles

Pre-Patched Software

Jianing Guo, Jun Yuan, and Rob Johnson (Stony Brook University)

August 6, 2009 Null Prefix Attacks Against SSL Certificates

Moxie Marlinspike

Defeating OCSP with the Number 3

Moxie Marlinspike

Reversing and exploiting an Apple firmware update

K. Chen (Georgia Institute of Technology)

"Smart" Parking Meter Implementations, Globalism, and You

Joe Grand, Jacob Appelbaum, and Chris Tarnovsky

July 30, 2009 Hardware-Software Integrated Approaches to Defend Against Software Cache-based Side Channel Attacks

Jingfei Kong, Onur Acıiçmez, Jean-Pierre Seifert, and Huiyang Zhou

July 23, 2009 Half-Blind Attacks: Mask ROM Bootloaders Are Dangerous

Travis Goodspeed; Aurélien Francillon, INRIA Rhône-Alpes

A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators

Roberto Paleari, Università degli Studi di Milano; Lorenzo Martignoni, Università degli Studi di Udine; Giampaolo Fresi Roglia and Danilo Bruschi, Università degli Studi di Milano

July 16, 2009 It's No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions

Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University)

July 9, 2009 How to Impress Girls with Browser Memory Protection Bypasses

Mark Dowd and Alexander Sotirov

July 2, 2009 Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors

Periklis Akritidis, Computer Laboratory, University of Cambridge; Manuel Costa and Miguel Castro, Microsoft Research, Cambridge; Steven Hand, Computer Laboratory, University of Cambridge

June 25, 2009 Physical-layer Identification of RFID Devices

Boris Danev (ETH Zurich, Switzerland), Thomas S. Heydt-Benjamin (IBM Zurich Research), and Srdjan Capkun (ETH Zurich, Switzerland). USENIX Security 2009.

June 18, 2009 Nozzle: Protecting Browsers Against Heap Spraying Attacks

Ben Zorn, Ben Livshits, and Paruj Ratanaworabhan (Microsoft Research). Technical Report; paper to appear in USENIX Security 2009.

June 11, 2009 Protecting Confidential Data on Personal Computers with Storage Capsules

Kevin Borders, Eric Vander Weele, Billy Lau, and Atul Prakash (University of Michigan). Oakland 2009.

June 4, 2009 De-anonymizing Social Networks

Arvind Narayanan and Vitaly Shmatikov (University of Texas at Austin). Oakland 2009.

May 28, 2009 Automatic Reverse Engineering of Malware Emulators

Monirul Sharif, Andrea Lanzi, Jonathon Giffin, Wenke Lee from Georgia Tech. Oakland '09.

May 21, 2009 Your Botnet is My Botnet: Analysis of a Botnet Takeover

B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, G. Vigna. 2009.

May 14, 2009 BootJacker: Compromising Computers using Forced Restarts

Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, and Roy H. Campbell (all of whom are from UIUC). CCS '08.

May 7, 2009 Code Injection Attacks on Harvard-Architecture Devices

Aurelien Francillon (INRIA Rhone-Alpes) and Claude Castelluccia (INRIA Rhone-Alpes). CCS '08.

April 30, 2009 SybilInfer: Detecting Sybil Nodes using Social Networks

George Danezis (MSR UK) and Prateek Mittal (UIUC). NDSS '09.

April 16, 2009 An Efficient Black-box Technique for Defeating Web Application Attacks

R. Sekar (Stony Brook). NDSS '09.

April 9, 2009 Detecting Forged TCP Reset Packets

Nicholas Weaver (ICSI), Robin Sommer (ICSI & LBNL), and Vern Paxson (ICSI & UC Berkeley). NDSS '09.

April 2, 2009 Detecting In-Flight Page Changes with Web Tripwires.

Charles Reis, Steven D. Gribble, Tadayoshi Kohno, and Nicholas C. Weaver. NSDI '08.

March 26, 2009 Safe Passage for Passwords and Other Sensitive Data.

Jonathan M. McCune (CMU), Adrian Perrig (CMU), and Michael K. Reiter (UNC). NDSS '09.

March 19, 2009 Quantifying Information Leaks in Outbound Web Traffic

Kevin Borders and Atul Prakash. Oakland 2009.

March 12, 2009 Fingerprinting Blank Paper Using Commodity Scanners

William Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, J. Alex Halderman and Edward W. Felten. Oakland 2009.

March 5, 2009 Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves

Adam Barth, Juan Caballero, Dawn Song. Oakland 2009

February 19, 2009 Digging for Data Structures by Cozzie et al. OSDI 2008.

Paper Suggestions

Suggested by Paper
Billy Lau Keypad: An Auditing File System for Theft-Prone Devices by Roxana Geambasu, John P. John Steven D. Gribble, Tadayoshi Kohno, Henry M. Levy.

Appeared in EuroSys 2011.

Beng Heng Ng Attacking Intel® Trusted Execution Technology by Rafal Wojtczuk & Joanna Rutkowska.

Appeared at Black Hat DC 2009.

General References

Lecture Notes on Cryptography (200+ pages)

Other Security Reading Groups

Unordered links to other security reading groups, modified from UCDavis' group, whom in turn adapted the list from UMass.

Personal tools