Schedule

Papers not marked as Optional are required, and we will have quizzes based on them. Most papers are classics and have won a Test of Time Award (marked as ToT) from top security conferences. It is highly recommended to read ToT papers even if they are not required.

Most papers should be publicly accessible. If any links are broken, please search for the papers. If any of them require a paid subscription, you can access them for free when connected on campus. For off-campus access, try UCR VPN.

Monday Tuesday Wednesday Thursday Friday
Sep 25 Sep 26 Sep 27 Sep 28
LEC 1: Introduction.

Preparation: Read The Security Mindset and Reflections on Trusting Trust.
First day of class
Sep 29
Oct 2 Oct 3
LEC 2: Malware

Preparation: Watch Fighting viruses, defending the net. Read Click Trajectories: End-to-End Analysis of the Spam Value Chain (ToT). (Optional) Slammer Worm.
Oct 4 Oct 5
LEC 3: Malware Mitigation

Preparation: Watch Bullet proof hosting. Read Effective and Efficient Malware Detection at the End Host. (Optional) Ether: Malware Analysis via Hardware Virtualization Extensions (ToT).
Oct 6
Oct 9 Oct 10
LEC 4: Host Intrusion Detection

Preparation: Read Virtual Machine Introspection (ToT). (Optional) Mimicry Attacks (ToT).
Oct 11 Oct 12
LEC 5: Stack Buffer Overflow

Preparation: Read Smashing the Stack for Fun and Profit and StackGuard (ToT). Notes.
Oct 13
Oct 16 Oct 17
LEC 6: Return-oriented Programming

Preparation: Read Return-oriented Programming (ToT).
Oct 18 Oct 19
LEC 7: Control-flow Integrity

Preparation: Read Control-flow Integrity (ToT).
Oct 20
Oct 23 Oct 24
LEC 8: Fuzzing

Preparation: Read An empirical study of the reliability of UNIX utilities.
Oct 25 Oct 26
LEC 9: Static Analysis

Preparation: Read A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities (ToT). (Optional) Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code.
Oct 27
Oct 30 Oct 31
LEC 10: Access Control

Preparation: Read Android Permissions Remystified: A Field Study on Contextual Integrity. (Optional) Access control: principle and practice and The Orange Book.
Nov 1 Nov 2
LEC 11: Sandbox

Preparation: Read Preventing Privilege Escalation (ToT). (Optional) Native Client (ToT).
Nov 3
Nov 6 Nov 7
LEC 12: Protocols, background

Preparation: Read Kerberos (ToT) and A Detailed Look at RFC 8446. (Optional) The Design and Implementation of Datagram TLS (ToT). Ref: Notes on signatures.
Nov 8 Nov 9
LEC 13: Trusted Execution

Preparation: Watch Bootstrapping identity in the cloud. Read VC3: Trustworthy Data Analytics in the Cloud using SGX.
Nov 10
Veterans Day
Nov 13 Nov 14
LEC 14: Network Security

Preparation: Read Analysis of a Denial of Service Attack on TCP (ToT). (Optional) Bro (ToT).
Nov 15 Nov 16
LEC 15: Injection Attacks

Preparation: Read A Classification of SQL-Injection Attacks and Countermeasures. (Optional) OWASP on Injection.
Nov 17
Nov 20 Nov 21
LEC 16: Cross-site Attacks

Preparation: Read Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis and Robust Defenses for Cross-site Request Forgery.
Nov 22 Nov 23
Thanksgiving
Nov 24
Thanksgiving
Nov 27 Nov 28
LEC 17: Hardware Security

Preparation: Read A Practical Approach to Identifying Storage and Timing Channels (ToT). (Optional) Spectre Attacks. Recommend: Side-Channel Security Episodes.
Nov 29 Nov 30
LEC 18: Machine Learning Security

Preparation: Read Outside the Closed World (ToT) and Practical Evasion of a Learning-Based Classifier.
Dec 1
Dec 4 Dec 5
LEC 19: Deep Learning Security

Preparation: Read Making Machine Learning Robust Against Adversarial Inputs. (Optional) DeepXplore: Automated Whitebox Testing of Deep Learning Systems. Check Security and Privacy of Machine Learning.
Dec 6 Dec 7
LEC 20: LLM Security

Preparation: Read Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. (Optional) "Do Anything Now": Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models.
Dec 8
Last day of classes