CMPS 223: Advanced Computer Security

Overview

This course explores the foundations and applications of computer security. We will read papers on a variety of topics, including security semantics, authorization logic, information flow control, trusted hardware, cryptocurrencies, and smart contracts.

Information

Meeting time and place

The course meets Mondays, Wednesdays, and Fridays from 9:20am to 10:25am in Engineering Building 2, room 192.

Canvas

We will use the course Canvas site for submissions, communication, and announcements.

Course Staff

Name       | Position   | Email          | Phone  | Office/consulting hours
Owen Arden | Instructor | (see Canvas)   | 2-7044 | TBA

Prerequisites

  • Security — Familiarity with systems security, cryptography, and access control. CMPS 122 or similar should be adequate.
  • Programming languages — Familiarity with program semantics and type systems. CMPS 203 or possibly CMPS 112.
    Background resources:
    • Andrew Myers lecture notes (especially the Operational Semantics and Types sections)
    • Types and Programming Languages, by Benjamin Pierce
  • Formal methods — Some degree of mathematical maturity: the ability to understand and do formal proofs and logical reasoning.

Coursework

The main work of the course will be reading classic and recent research papers in computer security, writing short responses, and discussing the papers in class. Each student will also present one paper to the class and lead the discussion.

Students, individually or in small groups, will also design and complete a small project related to computer security.

Evaluation will be based on presentations, paper discussions (online and in class), and the final project. There will be no exams.

Writing paper responses

Before each paper is discussed in class, students post a response to the paper on Canvas. The response should discuss:

  • A summary of the article and its contributions
  • Why the contributions are important
  • What you liked about the article (and why)
  • What you disliked about the article (and why)
  • Any parts you didn't understand and want to discuss in class

After posting their own response, students will be able to read and comment on other students' responses. Read some of the other responses and possibly reply to them to help jumpstart the in-class discussion. Post responses early enough (ideally by 2pm the day before discussion) to allow you and others to read them.

Schedule (subject to change)

Lecture Date | Topic/notes | Readings | Assignments

Overview
Fri 09/29/17 | Course overview and introduction | | sign up for papers
Mon 10/02/17 | Authentication | Schneider Ch.1 and Ch.5 |

Semantics of Security
Wed 10/04/17 | Enforceable Security Policies | Enforceable Security Policies (Schneider) |
Fri 10/06/17 | Hyperproperties | Hyperproperties (Clarkson, Schneider) |

Authorization Logic
Mon 10/09/17 | Authentication in Distributed Systems: Theory and Practice | Authentication in Distributed Systems: Theory and Practice (Lampson, Abadi, Burrows, Wobber) |
Wed 10/11/17 | Nexus Authorization Logic | Nexus Authorization Logic (NAL): Design Rationale and Applications (Schneider, Walsh, Sirer) |
Fri 10/13/17 | Access control in a core calculus of dependency | Access control in a core calculus of dependency (Abadi) |

Information Flow Control
Mon 10/16/17 | Language-based Information-Flow Security | Language-based Information-Flow Security (Sabelfeld and Myers) |
Wed 10/18/17 | Information Flow Inference for ML | Information Flow Inference for ML (Pottier and Simonet) |
Fri 10/20/17 | Declassification | Declassification: Dimensions and principles (Sabelfeld and Sands) |
Mon 10/23/17 | Robust Declassification | Enforcing Robust Declassification and Qualified Robustness (Myers, Sabelfeld, Zdancewic) |
Wed 10/25/17 | Nonmalleable Information Flow Control | Nonmalleable information flow control (Cecchetti, Myers, Arden) |
Fri 10/27/17 | Flow-Limited Authorization | A Calculus for Flow-Limited Authorization (Arden and Myers) |
Mon 10/30/17 | Guest lecture TBD (Owen @ CCS) | |
Wed 11/01/17 | Guest lecture TBD (Owen @ CCS) | |
Fri 11/03/17 | Dynamic Information Flow Control (DIFC) | Information Flow Control for Standard OS Abstractions (Krohn et al.) |
Mon 11/06/17 | Language-based DIFC | Flexible dynamic information flow control in the presence of exceptions (Stefan, Mazières, Mitchell, Russo) |
Wed 11/08/17 | Fabric | Fabric: Building Open Distributed Systems Securely by Construction (Liu, Arden, George, Myers) |
Fri 11/10/17 | Veterans Day (No class) | |

Trusted Hardware
Mon 11/13/17 | Intel SGX Explained | Intel SGX Explained (Costan and Devadas) |
Wed 11/15/17 | SCONE | SCONE: Secure Linux Containers with Intel SGX (Arnautov et al.) |
Fri 11/17/17 | Information flow control with enclaves | Automatic Enforcement of Expressive Security Policies using Enclaves (Gollamudi and Chong) |
Mon 11/20/17 | Logical attestation | Logical Attestation: An Authorization Architecture for Trustworthy Computing (Sirer et al.) |

Cryptocurrencies and smart contracts
Wed 11/22/17 | Bitcoin | Research Perspectives and Challenges for Bitcoin and Cryptocurrencies (Bonneau et al.) |
Fri 11/24/17 | Thanksgiving (No class) | |
Mon 11/27/17 | Selfish mining | Majority is not Enough: Bitcoin Mining is Vulnerable (Eyal and Sirer) |
Wed 11/29/17 | Authenticated Data Structures | Authenticated Data Structures, Generically (Miller, Hicks, Katz, Shi) |
Fri 12/01/17 | Making smart contracts smarter | Making Smart Contracts Smarter (Luu et al.) |
Mon 12/04/17 | Authenticated data feeds | Town Crier: An Authenticated Data Feed for Smart Contracts (Zhang et al.) |

Final Projects
Wed 12/06/17 | Project presentations | |
Fri 12/08/17 | Project presentations | |