Main Page
Revision as of 17:09, May 20, 2014
This is the home page for our security reading group, known as SECRIT (SECurity Reading Is Terrific). The group is run by Eric Wustrow (ewust). We're looking for volunteers! Security reading meets every Tuesday from 12.30pm to 1.30pm in 4901 BBB.
The format of the security reading group is that everyone reads the paper beforehand and we have a roundtable discussion of the paper over lunch. Unlike the software reading group, there's no presentation. Please send suggestions for papers to read to ewust and zakir.
If you would like to receive announcements and reminders pertaining to this group, subscribe to the security-reading list at http://directory.umich.edu/.
Because attendance is somewhat inconsistent and there are administrative limits on how much we can overprovision, we need RSVPs for each meeting by noon the day before so that we can size the lunch order appropriately. If we get higher attendance and more consistent RSVPs, we'll be able to get better food, and we'll try to remove the RSVP requirement altogether.
If you notice any problems on this page, contact Amir Rahmati (rahmati).
Papers We've Read
Date | Paper |
---|---|
May 20, 2014 | Analyzing Forged SSL Certificates in the Wild
Huang, L. S., Rice, A., Ellingsen, E., & Jackson, C. Analyzing Forged SSL Certificates in the Wild. |
May 13, 2014 | mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations
Heiderich, M., Schwenk, J., Frosch, T., Magazinius, J., & Yang, E. Z. (2013, November). mXSS attacks: attacking well-secured web-applications by using innerHTML mutations. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (pp. 777-788). ACM. |
May 6, 2014 | Towards Automatic Software Lineage Inference
Jang, J., Woo, M., & Brumley, D. (2013, August). Towards automatic software lineage inference. In Proceedings of the 22nd USENIX conference on Security (pp. 81-96). USENIX Association. |
March 25, 2014 | On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency
Courtois, N. T., & Bahack, L. (2014). On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency. arXiv preprint arXiv:1402.1718. |
March 18, 2014 | PlaceAvoider: Steering First-Person Cameras away from Sensitive Spaces
Templeman, R., Korayem, M., Crandall, D., & Kapadia, A. (2014). PlaceAvoider: Steering First-Person Cameras away from Sensitive Spaces. |
March 11, 2014 | Copker: Computing with Private Keys without RAM
Guan, L., Lin, J., Luo, B., & Jing, J. (2014). Copker: Computing with Private Keys without RAM. |
March 4, 2014 | Auditable Version Control Systems
Bo Chen, Reza Curtmola (New Jersey Institute of Technology) |
February 25, 2014 | Toward Black-Box Detection of Logic Flaws in Web Applications
Giancarlo Pellegrino, Davide Balzarotti (EURECOM, France) |
February 18, 2014 | ROPecker: A Generic and Practical Approach for Defending Against ROP Attacks
Yueqiang Cheng‡, Zongwei Zhou*, Miao Yu*, Xuhua Ding‡, Robert H. Deng‡ * Carnegie Mellon University ‡ Singapore Management University |
February 11, 2014 | The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network
Rob Jansen* , Florian Tschorsch‡, Aaron Johnson* , Bjorn Scheuermann‡ * U.S. Naval Research Laboratory ‡ Humboldt University of Berlin, Germany |
February 4, 2014 | Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares
Zaddach, J., Bruno, L., Francillon, A., & Balzarotti, D. (2010). AVATAR: A framework to support dynamic security analysis of embedded system's firmwares. IEEE Transactions on Software Engineering, 36(4). |
January 28, 2014 | Botcoin: Monetizing Stolen Cycles
Huang, D. Y., Dharmdasani, H., Meiklejohn, S., Dave, V., Grier, C., McCoy, D., ... & Levchenko, K. (2014). Botcoin: monetizing stolen cycles. In Proceedings of NDSS (Vol. 2014). |
January 21, 2014 | Model-Based Evaluation of GPS Spoofing Attacks on Power Grid Sensors
Akkaya, I., Lee, E. A., & Derler, P. (2013, May). Model-based evaluation of GPS spoofing attacks on power grid sensors. In Modeling and Simulation of Cyber-Physical Energy Systems (MSCPES), 2013 Workshop on (pp. 1-6). IEEE. |
Nov 26, 2013 | GOTCHA Password Hackers!
Jeremiah Blocki, Manuel Blum, Anupam Datta (Carnegie Mellon University) |
Nov 19, 2013 | Ed Felton Discussion |
Nov 12, 2013 | On the Security of RC4 in TLS
Nadhem AlFardan (University of London), Daniel J. Bernstein (University of Illinois at Chicago and Technische Universiteit Eindhoven), Kenneth G. Paterson, Bertram Poettering, Jacob C.N. Schuldt (University of London) |
Nov 5, 2013 | SAuth: Protecting User Accounts from Password Database Leaks,
RFC 6749: The OAuth 2.0 Authorization Framework Georgios Kontaxis, Elias Athanasopoulos (Columbia University), Georgios Portokalidis (Stevens Inst. of Technology), Angelos D. Keromytis (Columbia University) |
Oct 29, 2013 | Take This Personally: Pollution Attacks on Personalized Services
Xinyu Xing, Wei Meng, Dan Doozan (Georgia Institute of Technology), Alex C. Snoeren (University of California, San Diego), Nick Feamster, Wenke Lee (Georgia Institute of Technology) |
Oct 22, 2013 | Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations
Istvan Haller, Asia Slowinska (VU University Amsterdam), Matthias Neugschwandtner (Vienna University of Technology), Herbert Bos (VU University Amsterdam) |
Oct 15, 2013 | |
Oct 8, 2013 | Silk Road New York Trial Document, |
Oct 1, 2013 | Stealthy Dopant-Level Hardware Trojans
Georg T. Becker (UMASS Amherst), Francesco Regazzoni (TU Delft and ALaRI, University of Lugano), Christof Paar (UMASS Amherst), Wayne P. Burleson (UMASS Amherst), CHES 2013. |
Sep 24, 2013 | Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries
Aaron Johnson (U.S. Naval Research Laboratory), Chris Wacek (Georgetown University), Rob Jansen (U.S. Naval Research Laboratory), Micah Sherr (Georgetown University), Paul Syverson (U.S. Naval Research Laboratory), CCS 2013 |
Sep 17, 2013 | Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse
Kurt Thomas (UC Berkeley and Twitter), Damon McCoy (George Mason University), Chris Grier (UC Berkeley and International Computer Science Institute), Alek Kolcz (Twitter), Vern Paxson (UC Berkeley and International Computer Science Institute), USENIX 2013. |
Sep 10, 2013 | Control Flow Integrity for COTS Binaries
Mingwei Zhang, R. Sekar (Stony Brook University), USENIX 2013. |
Sep 3, 2013 | Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing for Obfuscation
Frank Imeson, Ariq Emtenan, Siddharth Garg, Mahesh V. Tripunitara (University of Waterloo), USENIX 2013. |
Aug 27, 2013 | |
Aug 20, 2013 | |
Aug 13, 2013 | |
Aug 6, 2013 | |
July 30, 2013 | Measuring the practical impact of DNSSEC Deployment
Wilson Lian (UC San Diego), Eric Rescorla (RTFM, Inc.), Hovav Shacham, Stefan Savage (UC San Diego), USENIX 2013. |
July 16, 2013 | seL4: from General Purpose to a Proof of Information Flow Enforcement
Toby Murray, Daniel Matichuk, Matthew Brassil, Peter Gammie, Timothy Bourke, Sean Seefried, Corey Lewis, Xin Gao, Gerwin Klein (NICTA), IEEE S&P 2013. |
July 9, 2013 | PRIVEXEC: Private Execution as an Operating System Service
Kaan Onarlioglu, Collin Mulliner, William Robertson and Engin Kirda (Northeastern), IEEE S&P 2013. |
July 2, 2013 | ObliviStore: High Performance Oblivious Cloud Storage
Emil Stefanov (UC Berkeley), Elaine Shi (Maryland), IEEE S&P 2013. |
June 25, 2013 | Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization
Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann (University of Luxembourg), IEEE S&P 2013. |
June 18, 2013 | Breakthrough silicon scanning discovers backdoor in military chip
Sergei Skorobogatov (Cambridge), Christopher Woods (Quo Vadis Labs), CHES 2012. |
June 11, 2013 | Hiding Information in Flash Memory
Yinglei Wang, Wing-kei Yu, Sarah Q. Xu, Edwin Kan, and G. Edward Suh (Cornell), IEEE S&P 2013. |
June 4, 2013 | The Crossfire Attack
Min Suk Kang, Soo Bum Lee, Virgil D. Gligor (CMU), IEEE S&P 2013. |
May 28, 2013 | Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization
Kevin Z. Snow, Fabian Monrose (University of North Carolina), Lucas Davi, Alexandra Dmitrienko, Christopher Liebchen, Ahmad-Reza Sadeghi (CASED/Technische Universitat Darmstadt), IEEE S&P 2013. |
May 21, 2013 | Honeywords: Making Password-Cracking Detectable
Ari Juels (RSA Labs), Ronald L. Rivest (MIT CSAIL). |
May 14, 2013 | SoK: Eternal War in Memory
Laszlo Szekeres(Stony Brook University), Mathias Payerz, Tao Weiz, Dawn Song (UCB), IEEE S&P 2013. |
May 7, 2013 | A Scanner Darkly: Protecting User Privacy From Perceptual Applications
Suman Jana (UT Austin), Arvind Narayanany (Princeton), Vitaly Shmatikov (UT Austin), IEEE S&P 2013. |
Apr 30, 2013 | Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting
Nick Nikiforakis(1), Alexandros Kapravelosy(2), Wouter Joosen(1), Christopher Kruegely(2), Frank Piessens(1), Giovanni Vigna(2); (1) iMinds-DistriNet, (2) UCSB, IEEE S&P 2013. |
Apr 23, 2013 | SkyNET: a 3G-enabled mobile attack drone and stealth botmaster
Theodore Reed, Joseph Geis, Sven Dietrich (Stevens Institute of Technology) USENIX WOOT'11. |
Apr 16, 2013 | Zerocoin: Anonymous Distributed E-Cash from Bitcoin
Ian Miers, Christina Garman, Matthew Green, Aviel D. Rubin (Johns Hopkins) IEEE S&P 2013. |
Apr 9, 2013 | Anon-Pass: Practical Anonymous Subscriptions
Michael Z. Lee, Alan M. Dunn, Brent Waters, Emmett Witchel (University of Texas at Austin), Jonathan Katz (University of Maryland) IEEE S&P 2013. |
Apr 2, 2013 | I can be You: Questioning the use of Keystroke Dynamics as Biometrics
Tey Chee Meng, Payas Gupta, Debin Gao (Singapore Management University) NDSS 2013. |
Mar 26, 2013 | SoK: Secure Data Deletion
Joel Reardon, David Basin, Srdjan Capkun (ETH Zurich) Oakland 2013. |
Mar 19, 2013 | PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs
Damon McCoy (2), Andreas Pitsillidis (1), Grant Jordan (1), Nicholas Weaver (1,3), Christian Kreibich (1,3), Brian Krebs (4), Geoffrey M. Voelker (1), Stefan Savage (1), Kirill Levchenko (1). (1) UCSD, (2) George Mason, (3) International Computer Science Institute, (4) KrebsOnSecurity.com. USENIX Security 2012. |
Mar 12, 2013 | Vanity, Cracks and Malware: Insights into the Anti-Copy Protection Ecosystem
Markus Kammerstetter, Christian Platzer, and Gilbert Wondracek (Vienna University of Technology) ACM CCS 2012. |
Mar 5, 2013 | The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
Joseph Bonneau (University of Cambridge), Cormac Herley (Microsoft Research), Paul C. van Oorschot (Carleton University), Frank Stajanoy (University of Cambridge) IEEE S&P 2012. |
Feb 26, 2013 | Hourglass Schemes: How to Prove that Cloud Files Are Encrypted
Marten van Dijk (1), Ari Juels (1), Alina Oprea (1), Ronald L. Rivest (2), Emil Stefanov (3), Nikos Triandopoulos (1). (1) RSA Laboratories, (2) MIT, (3) UC Berkeley. ACM CCS 2012. |
Feb 19, 2013 | Going Bright: Wiretapping without Weakening Communications Infrastructure
Steven M. Bellovin (Columbia University), Matt Blaze (University of Pennsylvania), Sandy Clark (University of Pennsylvania), Susan Landau (Privacy Ink) IEEE S&P 2011. |
Feb 12, 2013 | Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
Nadhem J. AlFardan and Kenneth G. Paterson (Royal Holloway, University of London) 2013. |
Sep 26, 2012 | Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider
Ariel J. Feldman, Aaron Blankstein, Michael J. Freedman, and Edward W. Felten (Princeton University) USENIX Security 2012. |
Sep 19, 2012 | Distinguishing Users with Capacitative Touch Communication
Tam Vu, Akash Baid, Simon Gao, Marco Gruteser, Richard Howard, Janne Lindqvist, Predrag Spasojevic and Jeffrey Walling (Rutgers University) MobiCom 2012. |
Sep 12, 2012 | Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks
Hristo Bojinov (Stanford), Daniel Sanchez, Paul Reber (Northwestern), Dan Boneh (Stanford), and Patrick Lincoln (SRI) USENIX Security 2012. |
Sep 5, 2012 | Memento: Learning Secrets from Process Footprints
Suman Jana and Vitaly Shmatikov. U. of Texas Austin. IEEE S&P 2012. |
Aug 30, 2012 | On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces
Ivan Martinovic (1), Doug Davies (2), Mario Frank (2), Daniele Perito (2), Tomas Ros (3), Dawn Song (2). (1) University of Oxford, (2) UC Berkeley, (3) University of Geneva. USENIX Security 2012. |
Aug 23, 2012 | Clickjacking: Attacks and Defenses
Lin-Shung Huang (1), Alex Moshchuk (2), Helen J. Wang (2), Stuart Schechter (2), and Collin Jackson (1). (1) CMU (2) MSR. USENIX Security 2012. |
Jul 12, 2012 | Aurasium: Practical Policy Enforcement for Android Applications
Rubin Xu (1), Hassen Saidi (2), and Ross Anderson (1). (1) Cambridge (2) SRI International. USENIX Security 2012. |
Jun 28, 2012 (Canceled) | Prudent Practices for Designing Malware Experiments: Status Quo and Outlook
Christian Rossow (1,4), Christian J. Dietrich (1), Chris Grier (3,2), Christian Kreibich (3,2), Vern Paxson (3,2), Norbert Pohlmann (1), Herbert Bos (4), and Maarten van Steen (4). (1) Institute for Internet Security, Gelsenkirchen (2) UC Berkeley (3) International Computer Science Institute, Berkeley (4) VU University Amsterdam, The Network Institute. IEEE S&P 2012. |
Jun 14, 2012 | Using Replicated Execution for a More Secure and Reliable Web Browser
Hui Xue, Nathan Dautenhahn, Samuel T. King. UIUC. NDSS 2012. |
Apr 17, 2012 | User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
Franziska Roesner (1), Tadayoshi Kohno (1), Alexander Moshchuk (2), Bryan Parno (2), Helen J. Wang (2), and Crispin Cowan (2). (1) University of Washington (2) MSR (3) Microsoft. IEEE S&P 2012. |
Apr 10, 2012 | The Case for Prefetching and Prevalidating TLS Server Certificates
Emily Stark (1), Lin-Shung Huang (2), Dinesh Israni (2), Collin Jackson (2) and Dan Boneh (3). (1) MIT (2) CMU (3) Stanford. NDSS 2012. |
Apr 3, 2012 | Ghost Domain Names: Revoked Yet Still Resolvable
Jian Jiang (1), Jinjin Liang (1), Kang Li (2), Jun Li (3), Haixin Duan (1), and Jianping Wu (1). (1) Tsinghua University (2) University of Georgia (3) University of Oregon. NDSS 2012. |
Mar 27, 2012 | Persistent OSPF Attacks
Gabi Nakibly (1), Alex Kirshon (2), Dima Gonikman (2), and Dan Boneh (3). (1) Rafael (2) Technion – Israel Institute of Technology (3) Stanford. NDSS 2012. |
Mar 20, 2012 | Host Fingerprinting and Tracking on the Web: Privacy and Security Implications
Ting-Fang Yen (1), Yinglian Xie (2), Fang Yu (2), Roger Peng Yu (3), and Martin Abadi (2). (1) RSA (2) MSR (3) Microsoft. NDSS 2012. |
Mar 13, 2012 | An Attack on PUF-Based Session Key Exchange and a Hardware-Based Countermeasure: Erasable PUFs
Ulrich Rührmai, Christian Jaeger, and Michael Algasinger. Technische Universität München. FC 2011. |
Mar 6, 2012 | Analyzing Facebook Privacy Settings: User Expectations vs. Reality
Yabing Liu, Krishna P. Gummadi, Balachander Krishnamurthy, and Alan Mislove. IMC 2011. |
Privacy Protection for Social Networking Platforms Adrienne Felt and David Evans. W2SP 2008. | |
Feb 21, 2012 | Software fault isolation with API integrity and multi-principal modules
Yandong Mao, Haogang Chen (MIT), Dong Zhou (Tsinghua), Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek (MIT). SOSP 2011. |
Feb 14, 2012 | A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware
Kangkook Jee (1), Georgios Portokalidis (1), Vasileios P. Kemerlis (1), Soumyadeep Ghosh (2), David I. August (2), and Angelos D. Keromytis (1). (1) Columbia University (2) Princeton. NDSS 2012. |
Jan 31, 2012 | Insights into User Behavior in Dealing with Internet Attacks
Kaan Onarlioglu (1), Utku Ozan Yilmaz (2), and Engin Kirda (1). (1) Northeastern University (2) Bilkent University. NDSS 2012. |
Jan 24, 2012 | Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems
Xiaoxin Chen (1), Tal Garfinkel (1), E. Christopher Lewis (1), Pratap Subrahmanyam (1), Carl A. Waldspurger (1), Dan Boneh (2), Jeffrey Dwoskin (3), and Dan R.K. Ports (4). (1) VMWare (2) Stanford (3) Princeton (4) MIT. ASPLOS 2008. |
Jan 17, 2012 | WarningBird: Detecting Suspicious URLs in Twitter Stream
Sangho Lee and Jong Kim. Pohang University of Science and Technology. NDSS 2012. |
Dec 12, 2011 | What’s Clicking What? Techniques and Innovations of Today’s Clickbots
Brad Miller (1), Paul Pearce (1), and Chris Grier (1), Christian Kreibich (2), Vern Paxson (1,2). (1) UC Berkeley (2) ICSI. DIMVA 2011. |
Dec 5, 2011 | Systematic Detection of Capability Leaks in Stock Android Smartphones
Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. North Carolina State University. NDSS 2012. |
Nov 28, 2011 | How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores
Rui Wang (1), Shuo Chen (2), XiaoFeng Wang (1), Shaz Qadeer (2). (1) Indiana University Bloomington (2) MSR. IEEE S&P 2011. |
Nov 21, 2011 | Dirty Jobs: The Role of Freelance Labor in Web Service Abuse
Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker. UC San Diego. USENIX Security 2011. |
Nov 14, 2011 | "You Might Also Like:" Privacy Risks of Collaborative Filtering
Joseph A. Calandrino(1), Ann Kilzer(2), Arvind Narayanan(3), Edward W. Felten(1), and Vitaly Shmatikov(2). (1) Princeton (2) U. of Texas Austin (3) Stanford. IEEE S&P 2011. |
Nov 7, 2011 | Security Aspects of Piecewise Hashing in Computer Forensics
Harald Baier, Frank Breitinger. Hochschule Darmstadt. 2011 Sixth International Conference on IT Security Incident Management and IT Forensics (IMF). |
Oct 31, 2011 | Countering Gattaca: Efficient and Secure Testing of Fully-Sequenced Human Genomes
Pierre Baldi, Roberta Baronio, Emiliano De Cristofaro, Paolo Gasti, Gene Tsudik. CCS 2011. UC Irvine. |
Oct 24, 2011 | Forcing Johnny to Login Safely: Long-Term User Study of Forcing and Training Login Mechanisms
Amir Herzberg and Ronen Margulies. Bar Ilan University. ESORICS 2011. |
Oct 17, 2011 | Canceled. Fall Break. |
Oct 10, 2011 | Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL
Christopher Soghoian and Sid Stamm. FC 2011. |
Oct 3, 2011 | MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery
Chia Yuan Cho, Domagoj Babi, Pongsin Poosankam, Kevin Zhijie Chen, Edward XueJun Wu, and Dawn Song. UC Berkeley. USENIX 2011. |
Sep 26, 2011 | Why (Special Agent) Johnny (Still) Can’t Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System
Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, Matt Blaze. UPenn. USENIX Security 2011. |
Sep 19, 2011 | Mimimorphism: A New Approach to Binary Code Obfuscation
Zhenyu Wu, Steven Gianvecchio, Mengjun Xie, and Haining Wang |
Sep 12, 2011 | Secure In-Band Wireless Pairing
Shyamnath Gollakota, Nabeel Ahmed, Nickolai Zeldovich, and Dina Katabi. MIT. USENIX Security 2011. |
Aug 23, 2011 | Cloaking Malware with the Trusted Platform Module
Alan M. Dunn, Owen S. Hofmann, Brent Waters and EmmettWitchel. UT Austin. USENIX Security 2011. |
Aug 9, 2011 | deSEO: Combating Search-Result Poisoning
John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy, and Martin Abadi. MSR. USENIX Security 2011. |
Jul 26, 2011 | Measuring Pay-per-Install: The Commoditization of Malware Distribution
Juan Caballero (1), Chris Grier (2), Christian Kreibich(2), and Vern Paxson (2). (1) IMDEA (2) UC Berkeley. USENIX Security 2011. |
Jul 12, 2011 | A Study of Android Application Security
William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri. PSU. USENIX Security 2011. |
June 28, 2011 | Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space
Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner and Markus Huber. SBA Research. USENIX Security 2011. |
June 14, 2011 | I Still Know What You Visited Last Summer - Leaking browsing history via user interaction and side channel attacks
Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman and Collin Jackson (CMU). IEEE SP2011. |
May 31, 2011 | Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices
Michael Becher (1), Felix C. Freiling (1), Johannes Hoffmann (2), Thorsten Holz (2), Sebastian Uellenbeck (2), Christopher Wolf (2). (1) University of Mannheim, Germany (2) Horst Gortz Institute (HGI) Ruhr-University Bochum, Germany. IEEE SP2011. |
Apr 07, 2011 | Ensuring Operating System Kernel Integrity of OSck
Owen S. Hofmann (1), Alan M. Dunn (1), Sangman Kim (1), Indrajit Roy (2), Emmett Witchel (1). (1) UT Austin (2) HP Labs. ASPLOS 2011. |
Mar 31, 2011 | Folk Models of Home Computer Security
Rick Wash. Michigan State University. SOUPS 10. |
Mar 24, 2011 | PiOS: Detecting Privacy Leaks in iOS Applications
Manuel Egele (Vienna University of Technology, Austria & UCSB), Christopher Kruegel (UCSB) , Engin Kirda (Institute Eurecom & Northeastern University, Boston), and Giovanni Vigna (UCSB). NDSS 11. |
Mar 17, 2011 | Reliably Erasing Data From Flash-Based Solid State Drives
Michael Wei, Laura, M. Grupp, Frederick E. Spada, and Steven Swanson. UCSD. FAST 11. |
Mar 10, 2011 | Where Do Security Policies Come From?
Dinei Florencio and Cormac Herley. MSR. SOUPS 10. |
Feb 24, 2011 | AEG: Automatic Exploit Generation
Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley. CMU. NDSS 11. |
Feb 17, 2011 | EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis
Leyla Bilge (1), Engin Kirda (1,2), Christopher Kruegel (3), Marco Balduzzi(1). (1) Institute of Eurecom, Sophia Antipolis (2) Northeastern University, Boston (3) UCSB. NDSS 11. |
Feb 10, 2011 | Canceled. |
Feb 03, 2011 | Usability Testing a Malware-Resistant Input Mechanism
Alana Libonati (UNC), Jonathan M. McCune (CMU), and Michael K. Reiter (UNC). NDSS 11. |
Jan 27, 2011 | Losing Control of the Internet: Using the Data Plane to Attack the Control Plane
Max Schuchard (1), Eugene Y. Vasserman (2), Abedelaziz Mohaisen (1), Denis Foo Kune (1), Nicholas Hopper (1), Yongdae Kim (2). (1) Uni. of Minnesota (2) Kansas State Uni. NDSS 11. |
Jan 20, 2011 | Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones
Roman Schlegel (City Uni of Hong Kong), Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang (Indiana University Bloomington). NDSS 11. |
Jan 13, 2011 | Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars
Aurelien Francillon, Boris Danev, and Srdjan Capkun (ETH Zurich). NDSS11. |
Dec 02, 2010 | AccessMiner: Using System-Centric Models for Malware Protection
Andrea Lanzi (1), Davide Balzarotti (1), Christopher Kruegel (2), Mihai Christodorescu (3) and Engin Kirda (1). (1) Institute Eurecom, (2) UCSB, (3) IBM. CCS 2010. |
Nov 25, 2010 | Thanksgiving. |
Nov 18, 2010 | Discussion with Hari Prasad. |
Nov 11, 2010 | Platform-Independent Programs
Sang Kl Cha, Brian Pak, David Brumley (CMU), and Richard J. Lipton (Georgia Tech). CCS 2010. |
Nov 4, 2010 | @spam: The Underground on 140 Characters or Less
Chris Grier (Berkeley), Kurt Thomas (UIUC), Vern Paxson (Berkeley), and Michael Zhang (Berkeley). CCS 2010. |
Oct 28, 2010 | W32.Stuxnet Dossier
Nicolas Falliere, Liam O Murchu, and Eric Chien. Symantec. |
Oct 21, 2010 (Postponed from Sep 30) | MulVAL: A Logic-based Network Security Analyzer
Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel, Princeton. USENIX Security 2005. |
Oct 14, 2010 | Input Generation via Decomposition and Re-Stitching: Finding Bugs in Malware
Juan Caballero (CMU/Berkley), Pongsin Poosankam (CMU/Berkley), Stephen McCamant, Domagoj Babic, and Dawn Song (Berkley). CCS 2010. |
Sep 23, 2010 | Vex: Vetting Browser Extensions for Security Vulnerabilities
Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, and Marianne Winslett, UIUC. USENIX Security 2010. |
Sep 16, 2010 | Kamouflage: Loss-Resistant Password Management
Hristo Bojinov (1), Elie Bursztein (1), Xavier Boyen (2), and Dan Boneh (1). (1) Stanford University, (2) Universite de Liege, Belgium. ESORICS 2010. |
Sep 9, 2010 | Capsicum: Practical Capabilities for UNIX
Robert N.M. Watson and Jonathan Anderson, University of Cambridge; Ben Laurie and Kris Kennaway, Google UK Ltd. USENIX Security 2010. |
Sep 2, 2010 | On Challenges in Evaluating Malware Clustering
Peng Li (University of North Carolina, Chapel Hill) , Limin Liu (Graduate School of Chinese Academy of Sciences) , Debin Gao (Singapore Management University) , and Michael K. Reiter (University of North Caroline, Chapel Hill). RAID 2010. |
Aug 26, 2010 | Searching the Searchers with SearchAudit
John P. John, Fang Yu, Yinglian Xie , Mart ́n Abadi, Arvind Krishnamurthy. USENIX Security 2010. |
Aug 19, 2010 | Automatic Generation of Remediation Procedures for Malware Infections
Roberto Paleari (1), Lorenzo Martignoni (2), Emanuele Passerini (1), Drew Davidson (3), Matt Fredrikson (3), Jon Giffin (4), Somesh Jha (3), (1) Universita degli Studi di Milano, (2) Universita degli Studi di Udine, (3) University of Wisconsin, (4) Georgia Institute of Technology. USENIX Security 2010. |
Aug 5, 2010 | Baaz: A System for Detecting Access Control Misconfigurations
Tathagata Das, Ranjita Bhagwan, Prasad Naldurg (MSR India). USENIX Security 2010. |
July 22, 2010 | An Analysis of Private Browsing Modes in Modern Browsers
Gaurav Aggarwal (Stanford), Elie Burzstein (Stanford), Collin Jackson (CMU), and Dan Boneh (Stanford). USENIX Security 2010. |
July 15, 2010 | Adapting Software Fault Isolation to Contemporary CPU Architectures
David Sehr, Robert Muth, Cliff Biffle, Victor Khimenko, Egor Pasko, Karl Schimpf, Bennet Yee, Brad Chen (Google, Inc). USENIX Security 2010. |
July 8, 2010 | Scantegrity II Municipal Election at Takoma Park: The First E2E Binding Governmental Election with Ballot Privacy
Richard Carback (UMBC CDL), David Chaum, Jeremy Clark (Uni of Waterloo), John Conway (UMBC CDL), Aleksander Essex (Uni of Waterloo), Paul S. Herrnson (UMCP CAPC), Travis Mayberry (UMBC CDL), Stefan Popoveniuc, Ronald L. Rivest, Emily Shen (MIT CSAIL), Alan T. Sherman (UMBC CDL), Poorvi L. Vora (GW). USENIX Security 2010. |
June 24, 2010 | Absolute Pwnage: Security Risks of Remote Administration Tools
Jay Novak, Jonathan Stribley, Kenneth Meagher, Scott Wolchok, J. Alex Halderman Crawling BitTorrent DHTs for Fun and Profit Scott Wolchok and J. Alex Halderman |
June 17, 2010 | Detecting and Removing Malicious Hardware Automatically
Matthew Hicks (UIUC), Murph Finnicum (UIUC), Samuel T. King (UIUC), Milo M. K. Martin (UPenn), Jonathan M. Smith (UPenn), IEEE SP2010. |
June 10, 2010 | Chip and PIN is Broken
Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond (University of Cambridge), IEEE SP2010. |
May 27, 2010 | Experimental Security Analysis of a Modern Automobile
Karl Koscher (UW), Alexei Czeskis (UW), Franziska Roesner (UW), Shwetak Patel (UW), and Tadayoshi Kohno (UW), Stephen Checkoway (UCSD), Damon McCoy (UCSD), Brian Kantor (UCSD), Danny Anderson (UCSD), Hovav Shacham (UCSD), and Stefan Savage (UCSD), IEEE SP2010. |
May 6, 2010 | Security Analysis of India's Electronic Voting Machines
Hari K. Prasad (1), J. Alex Halderman (2), Rop Gonggrijp, Scott Wolchok (2), Eric Wustrow (2), Arun Kankipati (1), Sai Krishna Sakhamuri (1), and Vasavya Yagati(1), (1) NetIndia, (P) Ltd., Hyderabad (2) University of Michigan, submitted to CCS 2010. |
April 29, 2010 | A Practical Attack to De-Anonymize Social Network Users
Gilbert Wondracek (1), Thorsten Holz (1), Engin Kirda (2), Christopher Kruegel (3), (1) Technical University Vienna (2) Institute Eurecom (3) University of California, IEEE SP2010. |
April 15, 2010 | When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography
Thomas Ristenpart and Scott Yilek, University of California San Diego, NDSS 2010. |
April 8, 2010 | State of the Art: Automated Black-Box Web Application Vulnerability Testing
Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, Stanford University, IEEE SP2010. |
April 1, 2010 | Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow
Shuo Chen (1), Rui Wang (2), XiaoFeng Wang (2), Kehuan Zhang (2), (1) MSR (2) Indiana University Bloomington, IEEE SP2010. |
March 25, 2010 | How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation
Elie Bursztein, Steven Bethard, Celine Fabry, John C. Mitchell, Dan Jurafsky, Stanford University, IEEE SP2010. |
March 18, 2010 | Server-Side Verification of Client Behavior in Online Games
Darrell Bethea, Robert Cochran and Michael Reiter, University of North Carolina at Chapel Hill, NDSS 2010. |
March 11, 2010 | A Systematic Characterization of IM Threats Using Honeypots
Spiros Antonatos, Iasonas Polakis, Thanasis Petsas and Evangelos P. Markatos, Foundation for Research and Technology Hellas, NDSS 2010. |
February 25, 2010 | FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications
Prateek Saxena, Steve Hanna, Pongsin Poosankam and Dawn Song, UC Berkeley, NDSS 2010. |
February 18, 2010 | Active Botnet Probing to Identify Obscure Command and Control Channels
Guofei Gu (1) , Vinod Yegneswaran (2), Phillip Porras (2) , Jennifer Stoll (3) , and Wenke Lee (3), (1) Texas A&M, (2) SRI International, (3) Georgia Institute of Technology |
February 11, 2010 | Where Do You Want to Go Today? Escalating Privileges By Pathname Manipulation
Suresh Chari, Shai Halevi and Wietse Venema, IBM Research, to appear in NDSS 2010. |
February 4, 2010 | Botnet Judo: Fighting Spam with Itself
Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage, to appear in NDSS 2010. |
January 28, 2010 | Efficient Detection of Split Personalities in Malware
Davide Balzarotti (1), Marco Cova(3), Christoph Karlberger (2), Christopher Kruegel (3), Engin Kirda (2), and Giovanni Vigna (3), to appear in NDSS 2010. (1) Institute Eurecom, Sophia Antipolis (2) Secure Systems Lab, Vienna University of Technology (3) University of California, Santa Barbara |
January 21, 2010 | Contractual Anonymity
Edward J. Schwartz, David Brumley and Jonathan M. McCune. to appear in NDSS 2010. |
January 14, 2010 | Protecting Browsers from Extension Vulnerabilities
Adam Barth, Adrienne Porter Felt, Prateek Saxena (UC Berkeley), and Aaron Boodman (Google, Inc.), to appear in NDSS 2010. |
December 16, 2009 (postponed from December 9) | EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond
Karl Koscher (UW), Ari Juels (RSA Labs), Vjekoslav Brajkovic (UW), and Tadayoshi Kohno (UW), CCS 2009. |
December 2, 2009 | On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core
Patrick Traynor (Georgia Tech), Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Thomas La Porta and Patrick McDaniel (all of Penn State), CCS 2009. |
November 25, 2009 | SMILE: Encounter-Based Trust for Mobile Social Services
Justin Manweiler, Ryan Scudellari, and Landon P. Cox, CCS 2009. |
November 18, 2009 | Can They Hear Me Now? A Security Analysis of Law Enforcement Wiretaps
Micah Sherr, Gaurav Shah, Eric Cronin, Sandy Clark, and Matt Blaze (University of Pennsylvania), CCS 2009. |
November 11, 2009 | Countering Kernel Rootkits with Lightweight Hook Protection
Zhi Wang (NCSU), Xuxian Jiang (NCSU), Weidong Cui (MSR), and Peng Ning (NCSU), CCS 2009. |
November 4, 2009 | Behavior Based Software Theft Detection
Xinran Wang, Yoon-Chan Jhi, Sencun Zhu, and Peng Liu (Penn State), CCS 2009. |
October 28, 2009 | Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
Mike Ter Louw, V.N. Venkatakrishnan (University of Illinois at Chicago), Oakland 2009. |
October 21, 2009 | Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds
Thomas Ristenpart (UCSD), Eran Tromer (MIT), Hovav Shacham (UCSD), and Stefan Savage (UCSD), CCS 2009. |
October 14, 2009 | Revealing Hidden Context: Improving Mental Models of Personal Firewall Users
Fahimeh Raja, Kirstie Hawkey, Konstantin Beznosov (UBC), SOUPS 2009. |
October 7, 2009 | Fabric: A Platform for Secure Distributed Computation and Storage
Jed Liu, Michael George, K. Vikram, Xin Qi, Lucas Waye, and Andrew C. Myers (Cornell University), SOSP 2009. |
September 16, 2009 | Heat-ray: Combating Identity Snowball Attacks using Machine Learning, Combinatorial Optimization and Attack Graphs
John Dunagan (Microsoft Research), Alice X. Zheng (Microsoft Research), Daniel R. Simon (Microsoft), SOSP 2009. |
September 9, 2009 | Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems
Kehuan Zhang and XiaoFeng Wang (Indiana University, Bloomington), USENIX Security 2009. |
September 3, 2009 | Crying Wolf: An Empirical Study of SSL Warning Effectiveness
Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor (Carnegie Mellon University), USENIX Security 2009. |
August 27, 2009 | Membership-concealing overlay networks
Eugene Vasserman, Rob Jansen, James Tyra, Nicholas Hopper, and Yongdae Kim (University of Minnesota), CCS 2009. |
August 20, 2009 | Compromising Electromagnetic Emanations of Wired and Wireless Keyboards
Martin Vuagnoux and Sylvain Pasini (EPFL), USENIX Security 2009. |
August 13, 2009 | Unpacking Virtualization Obfuscators
Rolf Rolles; Jianing Guo, Jun Yuan, and Rob Johnson (Stony Brook University) |
August 6, 2009 | Null Prefix Attacks Against SSL Certificates
Moxie Marlinspike. Also: Defeating OCSP with the Number 3 by Moxie Marlinspike; Reversing and exploiting an Apple firmware update by K. Chen (Georgia Institute of Technology); "Smart" Parking Meter Implementations, Globalism, and You by Joe Grand, Jacob Appelbaum, and Chris Tarnovsky |
July 30, 2009 | Hardware-Software Integrated Approaches to Defend Against Software Cache-based Side Channel Attacks
Jingfei Kong, Onur Acıiçmez, Jean-Pierre Seifert, and Huiyang Zhou |
July 23, 2009 | Half-Blind Attacks: Mask ROM Bootloaders Are Dangerous
Travis Goodspeed; Aurélien Francillon (INRIA Rhône-Alpes). Also: A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators by Roberto Paleari (Università degli Studi di Milano), Lorenzo Martignoni (Università degli Studi di Udine), Giampaolo Fresi Roglia and Danilo Bruschi (Università degli Studi di Milano) |
July 16, 2009 | It's No Secret: Measuring the Security and Reliability of Authentication via ‘Secret’ Questions
Stuart Schechter, A. J. Bernheim Brush (Microsoft Research), Serge Egelman (Carnegie Mellon University) |
July 9, 2009 | How to Impress Girls with Browser Memory Protection Bypasses
Mark Dowd and Alexander Sotirov |
July 2, 2009 | Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors
Periklis Akritidis, Computer Laboratory, University of Cambridge; Manuel Costa and Miguel Castro, Microsoft Research, Cambridge; Steven Hand, Computer Laboratory, University of Cambridge |
June 25, 2009 | Physical-layer Identification of RFID Devices
Boris Danev (ETH Zurich, Switzerland), Thomas S. Heydt-Benjamin (IBM Zurich Research), and Srdjan Capkun (ETH Zurich, Switzerland). USENIX Security 2009. |
June 18, 2009 | Nozzle: Protecting Browsers Against Heap Spraying Attacks
Ben Zorn, Ben Livshits, and Paruj Ratanaworabhan (Microsoft Research). Technical Report; paper to appear in USENIX Security 2009. |
June 11, 2009 | Protecting Confidential Data on Personal Computers with Storage Capsules
Kevin Borders, Eric Vander Weele, Billy Lau, and Atul Prakash (University of Michigan). Oakland 2009. |
June 4, 2009 | De-anonymizing Social Networks
Arvind Narayanan and Vitaly Shmatikov (University of Texas at Austin). Oakland 2009. |
May 28, 2009 | Automatic Reverse Engineering of Malware Emulators
Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee (Georgia Tech). Oakland '09. |
May 21, 2009 | Your Botnet is My Botnet: Analysis of a Botnet Takeover
B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, G. Vigna. 2009. |
May 14, 2009 | BootJacker: Compromising Computers using Forced Restarts
Ellick M. Chan, Jeffrey C. Carlyle, Francis M. David, Reza Farivar, and Roy H. Campbell (all of whom are from UIUC). CCS '08. |
May 7, 2009 | Code Injection Attacks on Harvard-Architecture Devices
Aurelien Francillon (INRIA Rhone-Alpes) and Claude Castelluccia (INRIA Rhone-Alpes). CCS '08. |
April 30, 2009 | SybilInfer: Detecting Sybil Nodes using Social Networks
George Danezis (MSR UK) and Prateek Mittal (UIUC). NDSS '09. |
April 16, 2009 | An Efficient Black-box Technique for Defeating Web Application Attacks
R. Sekar (Stony Brook). NDSS '09. |
April 9, 2009 | Detecting Forged TCP Reset Packets
Nicholas Weaver (ICSI), Robin Sommer (ICSI & LBNL), and Vern Paxson (ICSI & UC Berkeley). NDSS '09. |
April 2, 2009 | Detecting In-Flight Page Changes with Web Tripwires.
Charles Reis, Steven D. Gribble, Tadayoshi Kohno, and Nicholas C. Weaver. NSDI '08. |
March 26, 2009 | Safe Passage for Passwords and Other Sensitive Data.
Jonathan M. McCune (CMU), Adrian Perrig (CMU), and Michael K. Reiter (UNC). NDSS '09. |
March 19, 2009 | Quantifying Information Leaks in Outbound Web Traffic
Kevin Borders and Atul Prakash. Oakland 2009. |
March 12, 2009 | Fingerprinting Blank Paper Using Commodity Scanners
William Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, J. Alex Halderman and Edward W. Felten. Oakland 2009. |
March 5, 2009 | Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves
Adam Barth, Juan Caballero, Dawn Song. Oakland 2009. |
February 19, 2009 | Digging for Data Structures by Cozzie et al. OSDI 2008. |
Paper Suggestions
Suggested by | Paper |
---|---|
Billy Lau | Keypad: An Auditing File System for Theft-Prone Devices by Roxana Geambasu, John P. John, Steven D. Gribble, Tadayoshi Kohno, Henry M. Levy.
Appeared in EuroSys 2011. |
Beng Heng Ng | Attacking Intel® Trusted Execution Technology by Rafal Wojtczuk & Joanna Rutkowska.
Appeared at Black Hat DC 2009. |
General References
Lecture Notes on Cryptography (200+ pages)
Other Security Reading Groups
Unordered links to other security reading groups, modified from UC Davis' group, who in turn adapted the list from UMass.