CS 7936 — Computer Security & Privacy Seminar, Fall 2015
Wednesdays, 12:00–1:00 PM, 3515 MEB (Graphics Annex)
Past offerings: Spring 2015
Schedule (papers and talks discussed this term):
- Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World (Reaves et al), USENIX 2015
- Where Have You Been? Using Location-Based Security Questions for Fallback Authentication (Hang et al), SOUPS 2015
- To Pin or Not to Pin: Helping App Developers Bullet Proof Their TLS Connections (Oltrogge et al), USENIX 2015
- Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem (Soska and Christin), USENIX 2015
- Hardware Security Issues in Memory Access (timing channels, authentication, and ORAM) (slides here)
- Preventing Lunchtime Attacks: Fighting Insider Threats With Eye Movement Biometrics (Eberz et al), NDSS 2015
- No class (Fall break)
- Towards Automatic Generation of Security-Centric Descriptions for Android Apps (Zhang et al), CCS 2015
- IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones (Kamsi and Lopes Esteves), IEEE Transactions on Electromagnetic Compatibility, August 2015
- Ocelot: User-Centered Design of a Decision Support Visualization for Network Quarantine (Arendt et al), VizSec 2015
- Inside Anonymous (WATCH Series, Gabriella Coleman)
- Cybersecurity for the Internet of Everything (IoE) (WATCH Series, Bret Hartman)
(Page formatting cheerfully borrowed from CS 7934.) The Fall 2015 offering of CS 7936 will focus on reading and discussing papers from recent security conferences on a variety of topics. The goal is to increase participants' familiarity with recent and important results in the area of computer security & privacy research. Attendees will read and discuss papers from recent top-tier security
Attendees will typically discuss one paper each week. Papers will be selected by presenters based on their interests.
Students may enroll for one (1) credit. Although the University lists the course as “variable credit,” the two- and three-credit options are not currently available.
Students enrolled in the seminar are expected to read the papers prior to the seminar. Additionally, students are expected to sign up to lead the discussion at one or more seminar meetings. Leading the discussion means:
- Choosing the paper and submitting it the week before the seminar meeting;
- Preparing a 7-10 minute summary of the paper and its pertinent points;
- Preparing potential discussion points if the discussion needs prompting.
Upcoming and recent conference proceedings are good sources of papers for
discussion. Below are links to some relevant conference series.
- Mainstream Security & Privacy Venues
- Security & Privacy Papers can be found in these venues
And the following is a curated list of papers of possible interest:
- Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting
Nikiforakis et al
- Bootstrapping Trust in Commodity Computers
Parno et al
- GenoGuard: Protecting Genomic Data against Brute-Force Attacks
Huang et al
- Cracking-Resistant Password Vaults using Natural Language Encoders
Chatterjee et al
- Ad Injection at Scale: Assessing Deceptive Advertisement Modifications
Thomas et al
- A Messy State of the Union: Taming the Composite State Machines of TLS
Beurdouche et al
- Big Data's Disparate Impact
Barocas and Selbst
California Law Review, Vol. 104, 2016
- An Epidemiological Study of Malware Encounters in a Large Enterprise
Yen et al
- Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation
Das et al
- Your Location has been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging
Almuhimedi et al
- Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS)
Egelman and Peer
- Somebody's Watching Me?: Assessing the Effectiveness of Webcam Indicator Lights
Portnoff et al
- Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World
Reaves et al
- "My Data Just Goes Everywhere:" User Mental Models of the Internet and Implications for Privacy and Security
Kang et al
- Usability of Augmented Reality for Revealing Secret Messages to Users but Not Their Devices
Andrabi et al
- User Perceptions of Sharing, Advertising, and Tracking
Chanchary and Chiasson
- Social Media As a Resource for Understanding Security Experiences: A Qualitative Analysis of #Password Tweets
Dunphy et al
- Where Have You Been? Using Location-Based Security Questions for Fallback Authentication
Hang et al
- Too Much Knowledge? Security Beliefs and Protective Behaviors Among United States Internet Users
Wash and Rader
- "...No one Can Hack My Mind": Comparing Expert and Non-Expert Security Practices
Ion et al
- Anatomization and Protection of Mobile Apps' Location Privacy Threats
Fawaz et al
USENIX Security 2015:
- PyCRA: Physical Challenge-Response Authentication for Active Sensors Under Spoofing Attacks
Shoukry et al
- TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens
Sun et al
- Face/Off: Preventing Privacy Leakage From Photos in Social Networks
Ilia et al
- Towards Automatic Generation of Security-Centric Descriptions for Android Apps
Zhang et al
- Multi-Modal Neuro-Physiological Study of Phishing Detection and Malware Warnings
Neupane et al
- VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audit
Perl et al
- Defeating IMSI Catchers
van den Broek et al
- Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations (or maybe Insecurity of Voice Solution VoLTE in LTE Mobile Networks)
Kim et al
- Surpass: System-initiated user-replaceable passwords
Ho Huh et al
Reading and Presenting
It can be useful to look up the video of the presentation (if it was at USENIX, the video was recorded and is available online) and/or the slides (which may be available on the presenting author's page).
The following questions (some of which are pulled from Writing for Computer Science) can be useful to keep in mind when reading a paper (although not all questions will apply to all papers):
- What phenomena or properties are being investigated? Why are they of interest?
- Has the aim of the research been articulated? What are the specific hypotheses and research questions? Are these elements convincingly connected to each other?
- To what extent is the work innovative? How does it differ from past work?
- What are the underlying assumptions? Are they sensible?
- What forms of evidence are used?
- How is the evidence measured? Are the chosen methods of measurement objective, appropriate, and reasonable?
- What compromises or simplifications are inherent in the choice of measure?
- To what extent do the results persuasively confirm the hypothesis?
- What are the likely weaknesses of or limitations to the approach?
- Which results are the most surprising?
- What is the main contribution of the work?
- Are appropriate conclusions drawn from the results, or are there other possible interpretations?
- Could the results be verified?
- Do the results have applicability to other problems or domains?
- Do the title, abstract, and introduction appropriately set the context for the work?
- Is there anything unusual about the organization of the write-up, and, if so, is there a reason for this organization?
- Are the tables and figures clear and useful?
- Are the results of practical applicability, or are they more theoretical in nature?
- What are the main strengths of the paper? What are its weaknesses?
- If you were to cite this paper, what kinds of things might you be citing it for?
- Are there interesting future directions for work that the authors have not discussed?
- Are there particular steps in the methodology or presentation that you would have done differently?
- Are there any methodological decisions that seem to have been motivated by restrictions on time or resources, rather than absolute feasibility?
- Are there any ethical issues associated with the paper, and if so, how were they (or how weren't they) dealt with?