2005 Class outline and references (COMP 5407F)
Last updated: Dec.1, 2005 8:00am
Class outline - overview (tentative/subject to change):
Class 1-5: Countering password attacks: online, offline, phishing
(related: identity theft, key loggers, pharming)
Class 6-7: Buffer overflows and memory exploits
Class 8-9: Computer viruses and Trojan horses
Class 10-12: Computer worms
Class 14: Test (in class)
Class 13, 15-16: Digital signatures and public-key infrastructure: practical issues
Class 17-18: Unsolicited bulk email (spam)
Class 19-23: Student presentations
Class 24: Software diversity
Class outline - details (updated as term progresses):
-
Class 1: On-line password dictionary attacks.
Pinkas and Sander,
Securing Passwords Against Dictionary Attacks,
ACM CCS-9: Computer and Communications Security, Nov.2002;
also visit the CAPTCHA Project site.
Begin Project 1 immediately (optional background:
Spafford, "Crisis and Aftermath (The Internet Worm)",
Comm. of the ACM, vol.32 no.6 (1989), pp.678-687;
PDF available online).
-
Class 2: Off-line password dictionary attacks.
Gong, Lomas, Needham, Saltzer,
Protecting Poorly Chosen Secrets from Guessing Attacks,
IEEE J. Selected Areas in Comm., vol.11 no.5 (June 1993).
Review reading - passwords: HAC ss10.2.1-10.2.2;
time variant parameters: HAC ss10.3.1.
-
Class 3: Countering brute-force password attacks.
Halderman, Waters, Felten,
A Convenient Method for Securely Managing Passwords,
World Wide Web Conference (WWW), May 2005.
-
Class 4: Anti-phishing - browser plug-in.
Chou, Ledesma, Teraguchi, Mitchell,
Client-Side Defense Against Web-Based Identity Theft,
NDSS'04 (11th Symposium on Network and Distributed System Security).
-
Class 5: Anti-phishing - password management inside browsers.
Ross, Jackson, Miyake, Boneh, Mitchell,
Stronger Password Authentication Using Browser Extensions,
USENIX Security 2005.
-
Class 6: Buffer overflow exploits and defenses.
Wilander and Kamkar,
A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, NDSS'03.
-
Class 7: Buffer overflow exploits and defenses (cont'd).
Bhatkar et al.,
Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits (pdf also available online),
USENIX Security 2003.
Additional notes from instructor.
-
Class 8: Computer Viruses.
Nachenberg,
Computer Virus-Antivirus Coevolution (Comm. ACM, Jan. 1997);
pdf available online.
-
Class 9: Computer Viruses and Trojan Horses.
McIlroy,
Virology 101 (Computing Systems, Spring 1989); and
Thompson,
Reflections on Trusting Trust (Comm. ACM, Aug.1984).
-
Class 10: The 1988 Internet Worm.
Spafford, "Crisis and Aftermath (The Internet Worm)",
Comm. of the ACM, vol.32 no.6 (1989), pp.678-687;
PDF available online.
-
Classes 11-12: More Recent Computer Worms.
Class 11: Staniford et al.,
How to 0wn the Internet in Your Spare Time
(2002 Usenix Security).
Class 12: other recent worms (Sapphire/Slammer, Blaster, Witty).
Moore et al.,
The Spread of the Sapphire/Slammer Worm (Feb.2003);
N. Weaver,
Reflections on Witty (;login, vol.29 no.3, June 2004).
-
Class 13: Digital Signatures.
A Comparison of Digital and Handwritten Signatures
(D. Fillingham, 1997 MIT course paper).
-
Class 14: Test (in class).
-
Class 15-16: Digital Signatures (continued).
Public key infrastructure for digital signatures:
RSA signatures (background) - HAC pp.433-434;
public-key certificates - HAC pp.559-560;
certificate and key life cycle - HAC pp.576-581.
Blakley and Blakley,
All Sail, No Anchor II: Acceptable High-End PKI,
Int. J. Information Security (2004) 2(2):66-77.
-
Class 17: Reducing email with spoofed From addresses.
IETF internet drafts (2005) on SPF and DomainKeys/DKIM;
P. van Oorschot,
Message Authentication by Integrity with Public Corroboration,
NSPW 2005.
-
Class 18: Techniques to address spam.
Class notes.
-
Class 19-23: Student presentations.
Nov.16: Preeti Raman (insider attacks),
Abdulrahman Hijazi (phishing: HCI and computer security)
Nov.21:
Thomas Choi (botnets and a counter-proposal),
Fauzia Alam (detecting zero-day worms)
Nov.23:
Lindy Bryanton (RFID security and privacy),
Sonia Chiasson (usability study re: browser-entered passwords)
Nov.28:
Wei Cui (graphical passwords: survey and proposal),
Chen Li (IM security)
Nov.30:
Jianming Cui (botnets)
-
Class 24: Software diversity.
Redundancy and Diversity in Security
(Littlewood, Strigini, ESORICS 2004).
Notation (for background references):
"HAC ssN" denotes section N in
Handbook of Applied Cryptography (Menezes, Van Oorschot, Vanstone, 1996).