Main Page

From Security Reading Group Wiki
Revision as of 15:41, March 24, 2013

This is the home page for our security reading group, known as SECRIT (SECurity Reading Is Terrific). The group is run by Eric Wustrow (ewust). We're looking for volunteers! For Winter 2013, security reading is on every Tuesday from 12.30pm to 1.30pm in 2733 BBB.

The format of the security reading group is that everyone reads the paper beforehand and we have a roundtable discussion of the paper over lunch. Unlike the software reading group, there's no presentation. Please send suggestions for papers to read to ewust and bengheng.

If you would like to receive announcements and reminders pertaining to this group, subscribe to the security-reading list at http://directory.umich.edu/.

Because attendance is somewhat inconsistent and there are administrative limits on how much we can overprovision, we need RSVPs for each meeting by noon the day before so that we can size the lunch order appropriately. If we get higher attendance and more consistent RSVPs, we'll be able to get better food, and we'll try to remove the RSVP requirement altogether.

If you notice any problems with this page, contact Amir Rahmati (rahmati).


Papers We've Read

Date Paper
Mar 26, 2013 SoK: Secure Data Deletion

Joel Reardon, David Basin, Srdjan Capkun (ETH Zurich) Oakland 2013.

Mar 19, 2013 PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs

Damon McCoy (2), Andreas Pitsillidis (1), Grant Jordan (1), Nicholas Weaver (1,3), Christian Kreibich (1,3), Brian Krebs (4), Geoffrey M. Voelker (1), Stefan Savage (1), Kirill Levchenko (1). (1) UCSD, (2) George Mason, (3) International Computer Science Institute, (4) KrebsOnSecurity.com. USENIX Security 2012.

Mar 12, 2013 Vanity, Cracks and Malware: Insights into the Anti-Copy Protection Ecosystem

Markus Kammerstetter, Christian Platzer, and Gilbert Wondracek (Vienna University of Technology) ACM CCS 2012.

Mar 5, 2013 The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes

Joseph Bonneau (University of Cambridge), Cormac Herley (Microsoft Research), Paul C. van Oorschot (Carleton University), Frank Stajano (University of Cambridge) IEEE S&P 2012.

Feb 26, 2013 Hourglass Schemes: How to Prove that Cloud Files Are Encrypted

Marten van Dijk (1), Ari Juels (1), Alina Oprea (1), Ronald L. Rivest (2), Emil Stefanov (3), Nikos Triandopoulos (1). (1) RSA Laboratories, (2) MIT, (3) UC Berkeley. ACM CCS 2012.

Feb 19, 2013 Going Bright: Wiretapping without Weakening Communications Infrastructure

Steven M. Bellovin (Columbia University), Matt Blaze (University of Pennsylvania), Sandy Clark (University of Pennsylvania), Susan Landau (Privacy Ink) IEEE S&P 2011.

Feb 12, 2013 Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

Nadhem J. AlFardan and Kenneth G. Paterson (Royal Holloway, University of London) 2013.

Sep 26, 2012 Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider

Ariel J. Feldman, Aaron Blankstein, Michael J. Freedman, and Edward W. Felten (Princeton University) USENIX Security 2012.

Sep 19, 2012 Distinguishing Users with Capacitative Touch Communication

Tam Vu, Akash Baid, Simon Gao, Marco Gruteser, Richard Howard, Janne Lindqvist, Predrag Spasojevic and Jeffrey Walling (Rutgers University) MobiCom 2012.

Sep 12, 2012 Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks

Hristo Bojinov (Stanford), Daniel Sanchez, Paul Reber (Northwestern), Dan Boneh (Stanford), and Patrick Lincoln (SRI) USENIX Security 2012.

Sep 5, 2012 Memento: Learning Secrets from Process Footprints

Suman Jana and Vitaly Shmatikov. U. of Texas Austin. IEEE S&P 2012.

Aug 30, 2012 On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces

Ivan Martinovic (1), Doug Davies (2), Mario Frank (2), Daniele Perito (2), Tomas Ros (3), Dawn Song (2). (1) University of Oxford, (2) UC Berkeley, (3) University of Geneva. USENIX Security 2012.

Aug 23, 2012 Clickjacking: Attacks and Defenses

Lin-Shung Huang (1), Alex Moshchuk (2), Helen J. Wang (2), Stuart Schechter (2), and Collin Jackson (1). (1) CMU (2) MSR. USENIX Security 2012.

Jul 12, 2012 Aurasium: Practical Policy Enforcement for Android Applications

Rubin Xu (1), Hassen Saidi (2), and Ross Anderson (1). (1) Cambridge (2) SRI International. USENIX Security 2012.

Jun 28, 2012 (Canceled) Prudent Practices for Designing Malware Experiments: Status Quo and Outlook

Christian Rossow (1,4), Christian J. Dietrich (1), Chris Grier (3,2), Christian Kreibich (3,2), Vern Paxson (3,2), Norbert Pohlmann (1), Herbert Bos (4), and Maarten van Steen (4). (1) Institute for Internet Security, Gelsenkirchen (2) UC Berkeley (3) International Computer Science Institute, Berkeley (4) VU University Amsterdam, The Network Institute. IEEE S&P 2012.

Jun 14, 2012 Using Replicated Execution for a More Secure and Reliable Web Browser

Hui Xue, Nathan Dautenhahn, Samuel T. King. UIUC. NDSS 2012.

Apr 17, 2012 User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems

Franziska Roesner (1), Tadayoshi Kohno (1), Alexander Moshchuk (2), Bryan Parno (2), Helen J. Wang (2), and Crispin Cowan (2). (1) University of Washington (2) MSR (3) Microsoft. IEEE S&P 2012.

Apr 10, 2012 The Case for Prefetching and Prevalidating TLS Server Certificates

Emily Stark (1), Lin-Shung Huang (2), Dinesh Israni (2), Collin Jackson (2) and Dan Boneh (3). (1) MIT (2) CMU (3) Stanford. NDSS 2012.

Apr 3, 2012 Ghost Domain Names: Revoked Yet Still Resolvable

Jian Jiang (1), Jinjin Liang (1), Kang Li (2), Jun Li (3), Haixin Duan (1), and Jianping Wu (1). (1) Tsinghua University (2) University of Georgia (3) University of Oregon. NDSS 2012.

Mar 27, 2012 Persistent OSPF Attacks

Gabi Nakibly (1), Alex Kirshon (2), Dima Gonikman (2), and Dan Boneh (3). (1) Rafael (2) Technion – Israel Institute of Technology (3) Stanford. NDSS 2012.

Mar 20, 2012 Host Fingerprinting and Tracking on the Web: Privacy and Security Implications

Ting-Fang Yen (1), Yinglian Xie (2), Fang Yu (2), Roger Peng Yu (3), and Martin Abadi (2). (1) RSA (2) MSR (3) Microsoft. NDSS 2012.

Mar 13, 2012 An Attack on PUF-Based Session Key Exchange and a Hardware-Based Countermeasure: Erasable PUFs

Ulrich Rührmair, Christian Jaeger, and Michael Algasinger. Technische Universität München. FC 2011.

Mar 6, 2012 Analyzing Facebook Privacy Settings: User Expectations vs. Reality

Yabing Liu, Krishna P. Gummadi, Balachander Krishnamurthy, and Alan Mislove. IMC 2011.

Privacy Protection for Social Networking Platforms

Adrienne Felt and David Evans. W2SP 2008.

Feb 21, 2012 Software fault isolation with API integrity and multi-principal modules

Yandong Mao, Haogang Chen (MIT), Dong Zhou (Tsinghua), Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek (MIT). SOSP 2011.

Feb 14, 2012 A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware

Kangkook Jee (1), Georgios Portokalidis (1), Vasileios P. Kemerlis (1), Soumyadeep Ghosh (2), David I. August (2), and Angelos D. Keromytis (1). (1) Columbia University (2) Princeton. NDSS 2012.

Jan 31, 2012 Insights into User Behavior in Dealing with Internet Attacks

Kaan Onarlioglu (1), Utku Ozan Yilmaz (2), and Engin Kirda (1). (1) Northeastern University (2) Bilkent University. NDSS 2012.

Jan 24, 2012 Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems

Xiaoxin Chen (1), Tal Garfinkel (1), E. Christopher Lewis (1), Pratap Subrahmanyam (1), Carl A. Waldspurger (1), Dan Boneh (2), Jeffrey Dwoskin (3), and Dan R.K. Ports (4). (1) VMWare (2) Stanford (3) Princeton (4) MIT. ASPLOS 2008.

Jan 17, 2012 WarningBird: Detecting Suspicious URLs in Twitter Stream

Sangho Lee and Jong Kim. Pohang University of Science and Technology. NDSS 2012.

Dec 12, 2011 What’s Clicking What? Techniques and Innovations of Today’s Clickbots

Brad Miller (1), Paul Pearce (1), and Chris Grier (1), Christian Kreibich (2), Vern Paxson (1,2). (1) UC Berkeley (2) ICSI. DIMVA 2011.

Dec 5, 2011 Systematic Detection of Capability Leaks in Stock Android Smartphones

Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. North Carolina State University. NDSS 2012.

Nov 28, 2011 How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores

Rui Wang (1), Shuo Chen (2), XiaoFeng Wang (1), Shaz Qadeer (2). (1) Indiana University Bloomington (2) MSR. IEEE S&P 2011.

Nov 21, 2011 Dirty Jobs: The Role of Freelance Labor in Web Service Abuse

Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker. UC San Diego. USENIX Security 2011.

Nov 14, 2011 "You Might Also Like:" Privacy Risks of Collaborative Filtering

Joseph A. Calandrino (1), Ann Kilzer (2), Arvind Narayanan (3), Edward W. Felten (1), and Vitaly Shmatikov (2). (1) Princeton (2) U. of Texas Austin (3) Stanford. IEEE S&P 2011.

Nov 7, 2011 Security Aspects of Piecewise Hashing in Computer Forensics

Harald Baier, Frank Breitinger. Hochschule Darmstadt. 2011 Sixth International Conference on IT Security Incident Management and IT Forensics (IMF).

Oct 31, 2011 Countering Gattaca: Efficient and Secure Testing of Fully-Sequenced Human Genomes

Pierre Baldi, Roberta Baronio, Emiliano De Cristofaro, Paolo Gasti, Gene Tsudik. CCS 2011. UC Irvine.

Oct 24, 2011 Forcing Johnny to Login Safely: Long-Term User Study of Forcing and Training Login Mechanisms

Amir Herzberg and Ronen Margulies. Bar Ilan University. ESORICS 2011.

Oct 17, 2011 Canceled. Fall Break.

Oct 10, 2011 Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

Christopher Soghoian and Sid Stamm. FC 2011.

Oct 3, 2011 MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery

Chia Yuan Cho, Domagoj Babić, Pongsin Poosankam, Kevin Zhijie Chen, Edward XueJun Wu, and Dawn Song. UC Berkeley. USENIX 2011.

Sep 26, 2011 Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System

Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, Matt Blaze. UPenn. USENIX Security 2011.

Sep 19, 2011 Mimimorphism: A New Approach to Binary Code Obfuscation

Zhenyu Wu, Steven Gianvecchio, Mengjun Xie, and Haining Wang

Sep 12, 2011 Secure In-Band Wireless Pairing

Shyamnath Gollakota, Nabeel Ahmed, Nickolai Zeldovich, and Dina Katabi. MIT. USENIX Security 2011.

Aug 23, 2011 Cloaking Malware with the Trusted Platform Module

Alan M. Dunn, Owen S. Hofmann, Brent Waters and Emmett Witchel. UT Austin. USENIX Security 2011.

Aug 9, 2011 deSEO: Combating Search-Result Poisoning

John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi. MSR. USENIX Security 2011.

Jul 26, 2011 Measuring Pay-per-Install: The Commoditization of Malware Distribution

Juan Caballero (1), Chris Grier (2), Christian Kreibich (2), and Vern Paxson (2). (1) IMDEA (2) UC Berkeley. USENIX Security 2011.

Jul 12, 2011 A Study of Android Application Security

William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. PSU. USENIX Security 2011.

June 28, 2011 Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner and Markus Huber. SBA Research. USENIX Security 2011.

June 14, 2011 I Still Know What You Visited Last Summer - Leaking browsing history via user interaction and side channel attacks

Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman and Collin Jackson (CMU). IEEE SP2011.

May 31, 2011 Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices

Michael Becher (1), Felix C. Freiling (1), Johannes Hoffmann (2), Thorsten Holz (2), Sebastian Uellenbeck (2), Christopher Wolf (2). (1) University of Mannheim, Germany (2) Horst Görtz Institute (HGI) Ruhr-University Bochum, Germany. IEEE SP2011.

Apr 07, 2011 Ensuring Operating System Kernel Integrity of OSck

Owen S. Hofmann (1), Alan M. Dunn (1), Sangman Kim (1), Indrajit Roy (2), Emmett Witchel (1). (1) UT Austin (2) HP Labs. ASPLOS 2011.

Mar 31, 2011 Folk Models of Home Computer Security

Rick Wash. Michigan State University. SOUPS 10.

Mar 24, 2011 PiOS: Detecting Privacy Leaks in iOS Applications

Manuel Egele (Vienna University of Technology, Austria & UCSB), Christopher Kruegel (UCSB), Engin Kirda (Institute Eurecom & Northeastern University, Boston), and Giovanni Vigna (UCSB). NDSS 11.

Mar 17, 2011 Reliably Erasing Data From Flash-Based Solid State Drives

Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. UCSD. FAST 11.

Mar 10, 2011 Where Do Security Policies Come From?

Dinei Florencio and Cormac Herley. MSR. SOUPS 10.

Feb 24, 2011 AEG: Automatic Exploit Generation

Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley. CMU. NDSS 11.

Feb 17, 2011 EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis

Leyla Bilge (1), Engin Kirda (1,2), Christopher Kruegel (3), Marco Balduzzi (1). (1) Institute of Eurecom, Sophia Antipolis (2) Northeastern University, Boston (3) UCSB. NDSS 11.

Feb 10, 2011 Canceled.

Feb 03, 2011 Usability Testing a Malware-Resistant Input Mechanism

Alana Libonati (UNC), Jonathan M. McCune (CMU), and Michael K. Reiter (UNC). NDSS 11.

Jan 27, 2011 Losing Control of the Internet: Using the Data Plane to Attack the Control Plane

Max Schuchard (1), Eugene Y. Vasserman (2), Abedelaziz Mohaisen (1), Denis Foo Kune (1), Nicholas Hopper (1), Yongdae Kim (2). (1) Uni. of Minnesota (2) Kansas State Uni. NDSS 11.

Jan 20, 2011 Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones

Roman Schlegel (City Uni of Hong Kong), Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang (Indiana University Bloomington). NDSS 11.

Jan 13, 2011 Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Aurelien Francillon, Boris Danev, and Srdjan Capkun (ETH Zurich). NDSS11.

Dec 02, 2010 AccessMiner: Using System-Centric Models for Malware Protection

Andrea Lanzi (1), Davide Balzarotti (1), Christopher Kruegel (2), Mihai Christodorescu (3) and Engin Kirda (1). (1) Institute Eurecom, (2) UCSB, (3) IBM. CCS 2010.

Nov 25, 2010 Thanksgiving.

Nov 18, 2010 Discussion with Hari Prasad.

Nov 11, 2010 Platform-Independent Programs

Sang Kil Cha, Brian Pak, David Brumley (CMU), and Richard J. Lipton (Georgia Tech). CCS 2010.

Nov 4, 2010 @spam: The Underground on 140 Characters or Less

Chris Grier (Berkeley), Kurt Thomas (UIUC), Vern Paxson (Berkeley), and Michael Zhang (Berkeley). CCS 2010.

Oct 28, 2010 W32.Stuxnet Dossier

Nicolas Falliere, Liam O Murchu, and Eric Chien. Symantec.

Oct 21, 2010 (Postponed from Sep 30) MulVAL: A Logic-based Network Security Analyzer

Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel, Princeton. USENIX Security 2005.

Oct 14, 2010 Input Generation via Decomposition and Re-Stitching: Finding Bugs in Malware

Juan Caballero (CMU/Berkeley), Pongsin Poosankam (CMU/Berkeley), Stephen McCamant, Domagoj Babić, and Dawn Song (Berkeley). CCS 2010.

Sep 23, 2010 Vex: Vetting Browser Extensions for Security Vulnerabilities

Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, and Marianne Winslett, UIUC. USENIX Security 2010.

Sep 16, 2010 Kamouflage: Loss-Resistant Password Management

Hristo Bojinov (1), Elie Bursztein (1), Xavier Boyen (2), and Dan Boneh (1). (1) Stanford University, (2) Université de Liège, Belgium. ESORICS 2010.

Sep 9, 2010 Capsicum: Practical Capabilities for UNIX

Robert N.M. Watson and Jonathan Anderson, University of Cambridge; Ben Laurie and Kris Kennaway, Google UK Ltd. USENIX Security 2010.

Sep 2, 2010 On Challenges in Evaluating Malware Clustering

Peng Li (University of North Carolina, Chapel Hill), Limin Liu (Graduate School of Chinese Academy of Sciences), Debin Gao (Singapore Management University), and Michael K. Reiter (University of North Carolina, Chapel Hill). RAID 2010.

Aug 26, 2010 Searching the Searchers with SearchAudit

John P. John, Fang Yu, Yinglian Xie, Martín Abadi, Arvind Krishnamurthy. USENIX Security 2010.

Aug 19, 2010 Automatic Generation of Remediation Procedures for Malware Infections

Roberto Paleari (1), Lorenzo Martignoni (2), Emanuele Passerini (1), Drew Davidson (3), Matt Fredrikson (3), Jon Giffin (4), Somesh Jha (3). (1) Università degli Studi di Milano, (2) Università degli Studi di Udine, (3) University of Wisconsin, (4) Georgia Institute of Technology. USENIX Security 2010.

Aug 5, 2010 Baaz: A System for Detecting Access Control Misconfigurations

Tathagata Das, Ranjita Bhagwan, Prasad Naldurg (MSR India). USENIX Security 2010.

July 22, 2010 An Analysis of Private Browsing Modes in Modern Browsers

Gaurav Aggarwal (Stanford), Elie Bursztein (Stanford), Collin Jackson (CMU), and Dan Boneh (Stanford). USENIX Security 2010.

July 15, 2010 Adapting Software Fault Isolation to Contemporary CPU Architectures

David Sehr, Robert Muth, Cliff Biffle, Victor Khimenko, Egor Pasko, Karl Schimpf, Bennet Yee, Brad Chen (Google, Inc). USENIX Security 2010.

July 8, 2010 Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy

Richard Carback (UMBC CDL), David Chaum, Jeremy Clark (Uni of Waterloo), John Conway (UMBC CDL), Aleksander Essex (Uni of Waterloo), Paul S. Herrnson (UMCP CAPC), Travis Mayberry (UMBC CDL), Stefan Popoveniuc, Ronald L. Rivest, Emily Shen (MIT CSAIL), Alan T. Sherman (UMBC CDL), Poorvi L. Vora (GW). USENIX Security 2010.

June 24, 2010 Absolute Pwnage: Security Risks of Remote Administration Tools

Jay Novak, Jonathan Stribley, Kenneth Meagher, Scott Wolchok, J. Alex Halderman

Crawling BitTorrent DHTs for Fun and Profit

Scott Wolchok and J. Alex Halderman

June 17, 2010 Detecting and Removing Malicious Hardware Automatically

Matthew Hicks (UIUC), Murph Finnicum (UIUC), Samuel T. King (UIUC), Milo M. K. Martin (UPenn), Jonathan M. Smith (UPenn), IEEE SP2010.

June 10, 2010 Chip and PIN is Broken

Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond (University of Cambridge), IEEE SP2010.

May 27, 2010 Experimental Security Analysis of a Modern Automobile

Karl Koscher (UW), Alexei Czeskis (UW), Franziska Roesner (UW), Shwetak Patel (UW), and Tadayoshi Kohno (UW), Stephen Checkoway (UCSD), Damon McCoy (UCSD), Brian Kantor (UCSD), Danny Anderson (UCSD), Hovav Shacham (UCSD), and Stefan Savage (UCSD), IEEE SP2010.

May 6, 2010 Security Analysis of India's Electronic Voting Machines

Hari K. Prasad (1), J. Alex Halderman (2), Rop Gonggrijp, Scott Wolchok (2), Eric Wustrow (2), Arun Kankipati (1), Sai Krishna Sakhamuri (1), and Vasavya Yagati (1). (1) NetIndia (P) Ltd., Hyderabad (2) University of Michigan. Submitted to CCS 2010.

April 29, 2010 A Practical Attack to De-Anonymize Social Network Users

Gilbert Wondracek (1), Thorsten Holz (1), Engin Kirda (2), Christopher Kruegel (3), (1) Technical University Vienna (2) Institute Eurecom (3) University of California, IEEE SP2010.

April 15, 2010 When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography

Thomas Ristenpart and Scott Yilek, University of California San Diego, NDSS 2010.

April 8, 2010 State of the Art: Automated Black-Box Web Application Vulnerability Testing

Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, Stanford University, IEEE SP2010.

April 1, 2010 Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow

Shuo Chen (1), Rui Wang (2), XiaoFeng Wang (2), Kehuan Zhang (2), (1) MSR (2) Indiana University Bloomington, IEEE SP2010.

March 25, 2010 How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation

Elie Bursztein, Steven Bethard, Celine Fabry, John C. Mitchell, Dan Jurafsky, Stanford University, IEEE SP2010.

March 18, 2010 Server-Side Verification of Client Behavior in Online Games

Darrell Bethea, Robert Cochran and Michael Reiter, University of North Carolina at Chapel Hill, NDSS 2010.

March 11, 2010 A Systematic Characterization of IM Threats Using Honeypots

Spiros Antonatos, Iasonas Polakis, Thanasis Petsas and Evangelos P. Markatos, Foundation for Research and Technology Hellas, NDSS 2010.

February 25, 2010 FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications

Prateek Saxena, Steve Hanna, Pongsin Poosankam and Dawn Song, UC Berkeley, NDSS 2010.

February 18, 2010 Active Botnet Probing to Identify Obscure Command and Control Channels

Guofei Gu (1), Vinod Yegneswaran (2), Phillip Porras (2), Jennifer Stoll (3), and Wenke Lee (3). (1) Texas A&M, (2) SRI International, (3) Georgia Institute of Technology.

February 11, 2010 Where Do You Want to Go Today? Escalating Privileges By Pathname Manipulation

Suresh Chari, Shai Halevi and Wietse Venema, IBM Research, to appear in NDSS 2010.

February 4, 2010 Botnet Judo: Fighting Spam with Itself

Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage, to appear in NDSS 2010.

January 28, 2010 Efficient Detection of Split Personalities in Malware

Davide Balzarotti (1), Marco Cova(3), Christoph Karlberger (2), Christopher Kruegel (3), Engin Kirda (2), and Giovanni Vigna (3), to appear in NDSS 2010. (1) Institute Eurecom, Sophia Antipolis (2) Secure Systems Lab, Vienna University of Technology (3) University of California, Santa Barbara

January 21, 2010 Contractual Anonymity

Edward J. Schwartz, David Brumley and Jonathan M. McCune. to appear in NDSS 2010.

January 14, 2010 Protecting Browsers from Extension Vulnerabilities

Adam Barth, Adrienne Porter Felt, Prateek Saxena (UC Berkeley), and Aaron Boodman (Google, Inc.), to appear in NDSS 2010.

December 16, 2009 (postponed from December 9) EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond

Karl Koscher (UW), Ari Juels (RSA Labs), Vjekoslav Brajkovic (UW), and Tadayoshi Kohno (UW), CCS 2009.

December 2, 2009 On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core

Patrick Traynor (Georgia Tech), Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Thomas La Porta and Patrick McDaniel (all of Penn State), CCS 2009.

November 25, 2009 SMILE: Encounter-Based Trust for Mobile Social Services

Justin Manweiler, Ryan Scudellari, and Landon P. Cox, CCS 2009.

November 18, 2009 Can They Hear Me Now? A Security Analysis of Law Enforcement Wiretaps

Micah Sherr, Gaurav Shah, Eric Cronin, Sandy Clark, and Matt Blaze (University of Pennsylvania), CCS 2009.

November 11, 2009 Countering Kernel Rootkits with Lightweight Hook Protection

Zhi Wang (NCSU), Xuxian Jiang (NCSU), Weidong Cui (MSR), and Peng Ning (NCSU), CCS 2009.

November 4, 2009 Behavior Based Software Theft Detection

Xinran Wang, Yoon-Chan Jhi, Sencun Zhu, and Peng Liu (Penn State), CCS 2009.

October 28, 2009 Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers

Mike Ter Louw, V.N. Venkatakrishnan (University of Illinois at Chicago), Oakland 2009.

October 21, 2009 Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds

Thomas Ristenpart (UCSD), Eran Tromer (MIT), Hovav Shacham (UCSD), and Stefan Savage (UCSD), CCS 2009.

October 14, 2009 Revealing Hidden Context: Improving Mental Models of Personal Firewall Users

Fahimeh Raja, Kirstie Hawkey, Konstantin Beznosov (UBC), SOUPS 2009.

October 7, 2009 Fabric: A Platform for Secure Distributed Computation and Storage

Jed Liu, Michael George, K. Vikram, Xin Qi, Lucas Waye, and Andrew C. Myers (Cornell University), SOSP 2009.

September 16, 2009 Heat-ray: Combating Identity Snowball Attacks using Machine Learning, Combinatorial Optimization and Attack Graphs

John Dunagan (Microsoft Research), Alice X. Zheng (Microsoft Research), Daniel R. Simon (Microsoft), SOSP 2009.

September 9, 2009 Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems

Kehuan Zhang and XiaoFeng Wang (Indiana University, Bloomington), USENIX Security 2009.

September 3, 2009 Crying Wolf: An Empirical Study of SSL Warning Effectiveness

Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor (Carnegie Mellon University), USENIX Security 2009.

August 27, 2009 Membership-concealing overlay networks

Eugene Vasserman, Rob Jansen, James Tyra, Nicholas Hopper, and Yongdae Kim (University of Minnesota), CCS 2009.

August 20, 2009 Compromising Electromagnetic Emanations of Wired and Wireless Keyboards

Martin Vuagnoux and Sylvain Pasini (EPFL), USENIX Security 2009.

August 13, 2009 Unpacking Virtualization Obfuscators

Rolf Rolles

Pre-Patched Software

Jianing Guo, Jun Yuan, and Rob Johnson (Stony Brook University)

August 6, 2009 Null Prefix Attacks Against SSL Certificates

Moxie Marlinspike

Defeating OCSP with the Number 3

Moxie Marlinspike

Reversing and exploiting an Apple firmware update

K. Chen (Georgia Institute of Technology)

"Smart" Parking Meter Implementations, Globalism, and You

Joe Grand, Jacob Appelbaum, and Chris Tarnovsky

July 30, 2009 Hardware-Software Integrated Approaches to Defend Against Software Cache-based Side Channel Attacks

Jingfei Kong, Onur Acıiçmez, Jean-Pierre Seifert, and Huiyang Zhou

July 23, 2009 Half-Blind Attacks: Mask ROM Bootloaders Are Dangerous

Travis Goodspeed; Aurélien Francillon, INRIA Rhône-Alpes

A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators

Roberto Paleari, Università degli Studi di Milano; Lorenzo Martignoni, Università degli Studi di Udine; Giampaolo Fresi Roglia and Danilo Bruschi, Università degli Studi di Milano

July 16, 2009 It's No Secret. Measuring the Security and Reliability of Authentication via ‘Secret’ Questions

Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University)

July 9, 2009 How to Impress Girls with Browser Memory Protection Bypasses

Mark Dowd and Alexander Sotirov

July 2, 2009 Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors

Periklis Akritidis, Computer Laboratory, University of Cambridge; Manuel Costa and Miguel Castro, Microsoft Research, Cambridge; Steven Hand, Computer Laboratory, University of Cambridge

June 25, 2009 Physical-layer Identification of RFID Devices

Boris Danev (ETH Zurich, Switzerland), Thomas S. Heydt-Benjamin (IBM Zurich Research), and Srdjan Capkun (ETH Zurich, Switzerland). USENIX Security 2009.

June 18, 2009 Nozzle: Protecting Browsers Against Heap Spraying Attacks

Ben Zorn, Ben Livshits, and Paruj Ratanaworabhan (Microsoft Research). Technical Report; paper to appear in USENIX Security 2009.

June 11, 2009 Protecting Confidential Data on Personal Computers with Storage Capsules

Kevin Borders, Eric Vander Weele, Billy Lau, and Atul Prakash (University of Michigan). Oakland 2009.

June 4, 2009 De-anonymizing Social Networks

Arvind Narayanan and Vitaly Shmatikov (University of Texas at Austin). Oakland 2009.

May 28, 2009 Automatic Reverse Engineering of Malware Emulators

Monirul Sharif, Andrea Lanzi, Jonathon Giffin, Wenke Lee from Georgia Tech. Oakland '09.

May 21, 2009 Your Botnet is My Botnet: Analysis of a Botnet Takeover

B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, G. Vigna. 2009.

May 14, 2009 BootJacker: Compromising Computers using Forced Restarts

Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, and Roy H. Campbell (all of whom are from UIUC). CCS '08.

May 7, 2009 Code Injection Attacks on Harvard-Architecture Devices

Aurelien Francillon (INRIA Rhone-Alpes) and Claude Castelluccia (INRIA Rhone-Alpes). CCS '08.

April 30, 2009 SybilInfer: Detecting Sybil Nodes using Social Networks

George Danezis (MSR UK) and Prateek Mittal (UIUC). NDSS '09.

April 16, 2009 An Efficient Black-box Technique for Defeating Web Application Attacks

R. Sekar (Stony Brook). NDSS '09.

April 9, 2009 Detecting Forged TCP Reset Packets

Nicholas Weaver (ICSI), Robin Sommer (ICSI & LBNL), and Vern Paxson (ICSI & UC Berkeley). NDSS '09.

April 2, 2009 Detecting In-Flight Page Changes with Web Tripwires.

Charles Reis, Steven D. Gribble, Tadayoshi Kohno, and Nicholas C. Weaver. NSDI '08.

March 26, 2009 Safe Passage for Passwords and Other Sensitive Data.

Jonathan M. McCune (CMU), Adrian Perrig (CMU), and Michael K. Reiter (UNC). NDSS '09.

March 19, 2009 Quantifying Information Leaks in Outbound Web Traffic

Kevin Borders and Atul Prakash. Oakland 2009.

March 12, 2009 Fingerprinting Blank Paper Using Commodity Scanners

William Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, J. Alex Halderman and Edward W. Felten. Oakland 2009.

March 5, 2009 Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves

Adam Barth, Juan Caballero, Dawn Song. Oakland 2009.

February 19, 2009 Digging for Data Structures by Cozzie et al. OSDI 2008.

Paper Suggestions

Suggested by Billy Lau: Keypad: An Auditing File System for Theft-Prone Devices by Roxana Geambasu, John P. John, Steven D. Gribble, Tadayoshi Kohno, Henry M. Levy. Appeared in EuroSys 2011.

Suggested by Beng Heng Ng: Attacking Intel® Trusted Execution Technology by Rafal Wojtczuk and Joanna Rutkowska. Appeared at Black Hat DC 2009.

General References

Lecture Notes on Cryptography (200+ pages)

Other Security Reading Groups

Unordered links to other security reading groups, modified from the UC Davis group's list, who in turn adapted it from UMass.
