CMPS 223: Advanced Computer Security

Overview

This course explores the foundations and applications of computer security. We will read papers on a variety of topics, including security semantics, authorization logic, information flow control, trusted hardware, cryptocurrencies, and smart contracts.

Information

Meeting time and place

The course meets Mondays, Wednesdays, and Fridays from 9:20am to 10:25am in Engineering Building 2, room 192.

Canvas

We will use the course Canvas site for submissions, communication, and announcements.

Course Staff

| Name | Position | Email | Phone | Office/consulting hours |
|---|---|---|---|---|
| Owen Arden | Instructor | | 2-7044 | Wednesdays and Fridays 10:30am - 11:30am, or by appointment |

Prerequisites

  • Security — Familiarity with systems security, cryptography, and access control. CMPS 122 or similar should be adequate.
  • Programming languages — Familiarity with program semantics and type systems. CMPS 203 or possibly CMPS 112 should be adequate. Background resources:
    • Andrew Myers lecture notes (especially Operational Semantics and Types sections)
    • Types and Programming Languages, by Benjamin Pierce
  • Formal methods — Some degree of mathematical maturity, ability to understand and do formal proofs, logical reasoning.

Coursework

The main work of the course will be reading classic and recent research papers in computer security, writing short responses, and discussing the papers in class. Each student will also present one paper to the class and lead the discussion.

Students, individually or in small groups, will also design and complete a small project related to computer security.

Evaluation will be based on presentations, paper discussions (online and in class), and the final project. There will be no exams.

Writing paper responses

Before each paper is discussed in class, students post a response to the paper on Canvas. The response should cover:

  • A summary of the article and its contributions
  • Why the contributions are important
  • What you liked about the article (and why)
  • What you disliked about the article (and why)
  • Any parts you didn't understand and want to discuss in class

After posting their own response, students will be able to read and comment on other students' responses. Read some of the other responses and, where useful, reply to them to help jumpstart the in-class discussion. Post responses early enough (ideally by 2pm the day before discussion) to allow you and others to read them.

Schedule (subject to change)

| Lecture Date | Topic/notes | Readings | Assignments |
|---|---|---|---|
| Overview | | | |
| Fri 09/29/17 | Course overview and introduction | Slides: Course Overview, Intro | sign up for papers |
| Mon 10/02/17 | Assurance and Accountability | Schneider Ch.1 and Ch.5 (Slides) | |
| Semantics of Security | | | |
| Wed 10/04/17 | Enforceable Security Policies (Sohum Banerjea) (Slides) | Enforceable Security Policies (Schneider) | |
| Fri 10/06/17 | Hyperproperties (Priyanka Mondal) (Slides) | Hyperproperties (Clarkson, Schneider) | |
| Authorization Logic | | | |
| Mon 10/09/17 | Authentication in Distributed Systems: Theory and Practice (Austen Barker) (Slides) | Authentication in Distributed Systems: Theory and Practice (Lampson, Abadi, Burrows, Wobber) | |
| Wed 10/11/17 | Nexus Authorization Logic (Owen Arden) | Nexus Authorization Logic (NAL): Design Rationale and Applications (Schneider, Walsh, Sirer) | |
| Fri 10/13/17 | Access control in a core calculus of dependency (Owen Arden) | Access control in a core calculus of dependency (Abadi) | |
| Information Flow Control | | | |
| Mon 10/16/17 | Language-based Information-Flow Security (Yiming Zhang) (slides) | Language-based Information-Flow Security (Sabelfeld and Myers) | |
| Wed 10/18/17 | Information Flow Inference for ML (Tommy Schmitz) | Information Flow Inference for ML (Pottier and Simonet) | |
| Fri 10/20/17 | Declassification (Christine Quintana) | Declassification: Dimensions and principles (Sabelfeld and Sands) | |
| Mon 10/23/17 | Robust Declassification (Owen Arden) | Enforcing Robust Declassification and Qualified Robustness (Myers, Sabelfeld, Zdancewic) | |
| Wed 10/25/17 | Nonmalleable Information Flow Control (Tuan Tran) | Nonmalleable information flow control (Cecchetti, Myers, Arden) | |
| Fri 10/27/17 | Flow-Limited Authorization (Oceane Bel) | A Calculus for Flow-Limited Authorization (Arden and Myers) | |
| Mon 10/30/17 | Faceted Information Flow (Guest lecture: Cormac Flanagan) | Multiple Facets for Dynamic Information Flow with Exceptions (Austin, Schmitz, Flanagan) | |
| Wed 11/01/17 | No class (Owen @ CCS) | | |
| Fri 11/03/17 | Dynamic Information Flow Control (Kavya Jha) (Slides) | Information Flow Control for Standard OS Abstractions (Krohn et al.) | Project proposals due |
| Mon 11/06/17 | Language-based DIFC (Tommy Schmitz) | Flexible dynamic information flow control in the presence of exceptions (Stefan, Mazières, Mitchell, Russo) | |
| Wed 11/08/17 | Fabric (Tanay Parekhji) | Fabric: Building Open Distributed Systems Securely by Construction (Liu, Arden, George, Myers) | |
| Fri 11/10/17 | Veterans Day (No class) | | |
| Trusted Hardware | | | |
| Mon 11/13/17 | Secure Enclaves (Haofan Zhang) | A Formal Foundation for Secure Remote Execution of Enclaves (Subramanyan et al.) | |
| Wed 11/15/17 | SCONE (Aniket Kulkarni) | SCONE: Secure Linux Containers with Intel SGX (Arnautov et al.) | |
| Fri 11/17/17 | Information flow control with enclaves (Myron Pow) | Automatic Enforcement of Expressive Security Policies using Enclaves (Gollamudi and Chong) | |
| Mon 11/20/17 | Logical attestation (Yiming Zhang) | Logical Attestation: An Authorization Architecture for Trustworthy Computing (Sirer et al.) | |
| Cryptocurrencies and smart contracts | | | |
| Wed 11/22/17 | Bitcoin (Kavya Jha) | Research Perspectives and Challenges for Bitcoin and Cryptocurrencies (Bonneau et al.) | |
| Fri 11/24/17 | Thanksgiving (No class) | | |
| Mon 11/27/17 | Selfish mining (Tanay Parekhji) | Majority is not Enough: Bitcoin Mining is Vulnerable (Eyal and Sirer) | |
| Wed 11/29/17 | Authenticated Data Structures (Sohum Banerjea) | Authenticated Data Structures, Generically (Miller, Hicks, Katz, Shi) | |
| Fri 12/01/17 | Making smart contracts smarter (Tuan Tran) | Making Smart Contracts Smarter (Luu et al.) | |
| Mon 12/04/17 | Authenticated data feeds (Priyanka Mondal) | Town Crier: An Authenticated Data Feed for Smart Contracts (Zhang et al.) | |
| Final Projects | | | |
| Wed 12/06/17 | Project presentations | | |
| Fri 12/08/17 | Project presentations | | |