Schedule

Papers not marked as Optional are required and we will have quizs based on them. Most papers are classic and have won Test of Time Award (marked as ToT) from top security conferences. It is highly recommended to read ToT papers even if they are not required.

Most papers should be publicly accessible. If any links are broken, please search for them. If any of them require paid subscription, you can access them for free when connecting on campus. For off-campus access, try UCR VPN.

MondayTuesday WednesdayThursday Friday
Sep 19 Sep 20 Sep 21 Sep 22
LEC 1: Introduction.

Preparation: Read The Security Mindset and Reflections on Trusting Trust.
First day of class
Sep 23
Sep 26 Sep 27
LEC 2: Malware

Preparation: Watch Fighting viruses, defending the net. Read Click Trajectories: End-to-End Analysis of the Spam Value Chain (ToT). (Optional) Slammer Worm.
Sep 28 Sep 29
LEC 3: Malware Mitigation

Preparation: Watch Bullet proof hosting, Read Effective and Efficient Malware Detection at the End Host. (Optional) Ether: Malware Analysis via Hardware Virtualization Extensions (ToT).
Sep 30
Oct 3 Oct 4
LEC 4: Host Intrusion Detection

Preparation: Read Virtual Machine Introspection (ToT). (Optional) Mimicry Attacks (ToT).
Oct 5 Oct 6
LEC 5: Stack Buffer Overflow

Preparation: Read Smashing the Stack for Fun and Profit and StackGuard (ToT). Notes.
Oct 7
Oct 10 Oct 11
LEC 6: Return-oriented Programming

Preparation: Read Return-oriented Programming (ToT)
Oct 12 Oct 13
LEC 7: Control-flow Integrity

Preparation: Read Control-flow Integrity (ToT).
Oct 14
Oct 17 Oct 18
LEC 8: Fuzzing

Preparation: Read An empirical study of the reliability of UNIX utilities.
Oct 19 Oct 20
LEC 9: Symboli Execution

Preparation: Read EXE: Automatically Generating Inputs of Death (ToT).
Oct 21
Oct 24 Oct 25
LEC 10: Static Analysis

Preparation: Read A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities (ToT). (Optional) Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code.
Oct 26 Oct 27
LEC 11: Access Control

Preparation: Read Access control: principle and practice and Android Permissions Remystified: A Field Study on Contextual Integrity. (Optional) The Orange Book
Oct 28
Oct 31 Nov 1
LEC 12: Sandbox

Preparation: Read Preventing Privilege Escalation (ToT) and Native Client (ToT).
Nov 2 Nov 3
LEC 13: Protocols, background

Preparation: Read Kerberos (ToT), The Design and Implementation of Datagram TLS (ToT). (Optional) A Detailed Look at RFC 8446. Ref: Notes on signatures.
Nov 4
Nov 7 Nov 8
LEC 14: Trusted Execution

Preparation: Watch Bootstrapping identity in the cloud, Read VC3: Trustworthy Data Analytics in the Cloud using SGX.
Nov 9 Nov 10
LEC 15: Network Security

Preparation: Read Analysis of a Denial of Service Attack on TCP (ToT). (Optional) Bro (ToT).
Nov 11
Veterans Day
Nov 14 Nov 15
LEC 16: Injection Attacks

Preparation: Read A Classification of SQL-Injection Attacks and Countermeasures. (Optional) OWASP on Injection.
Nov 16 Nov 17
LEC 17: Cross-site Attacks

Preparation: Read Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis and Robust Defenses for Cross-site Request Forgery.
Nov 18
Nov 21 Nov 22
LEC 18: Hardware Security

Preparation: Read A Practical Approach to Identifying Storage and Timing Channels (ToT) and Spectre Attacks. Recommend: Side-Channel Security Episodes.
Nov 23 Nov 24
Thanksgiving
Nov 25
Thanksgiving
Nov 28 Nov 29
LEC 19: Machine Learning Security

Preparation: Read Outside the Closed World (ToT) and Practical Evasion of a Learning-Based Classifier.
Nov 30 Dec 1
LEC 20: Deep Learning Security

Preparation: Read Making Machine Learning Robust Against Adversarial Inputs and DeepXplore: Automated Whitebox Testing of Deep Learning Systems. Check Security and Privacy of Machine Learning.
Dec 2
Last day of classes