CEN 5079: Secure Application Programming
Fall 2017


Instructor:
  Bogdan Carbunar
  E-mail: carbunar at gmail dot com
  Office hours: Mondays, 15:50-16:50, ECS 383.

TA:
  Zhiyuan Shi
  E-mail: zshi005 at fiu dot edu

Web page: http://www.cs.fiu.edu/~carbunar/teaching/cen5079/cen5079.2017/cen5079.html

Class time and location: Monday, 1:00-3:50pm: GL 139


Announcements

[Posted on Mon. October 7, 2017]: First homework is out. You can find it here. Homework is due on Monday October 16, at 3:15 pm (end of class). Write the solution in pdf format. In-class students should print the homework and bring it to class. Online students should e-mail it to the instructor. 10 points out of 100 are subtracted for each late day.

[Posted on Saturday August 19 2017]: Web page is up!

Course Overview

This course will cover important systems security topics that include vulnerabilities and malware, access control, key management and distribution, authentication protocols, and others.

List of course topics (tentative):


Lectures

The following schedule is tentative and subject to change.

Topic Information
Week 1 January 10 and 12 Class overview; Introduction to systems security   Slides [pdf]
Week 2 August 28 Program Security and Vulnerabilities   Slides [pdf] and [pdf]
  Link: Aleph One's Smashing the Stack for Fun and Profit
  Link: Wenliang Du's Buffer Overflow Lab
Week 3 September 4 Labor Day, no class
Week 4 September 11 Class canceled due to Hurricane Irma
Week 5 September 18 Malware   Slides [pdf].   Slides: Advice for presentations [pdf]
Week 6 September 25 Network Security   Slides [pdf].
Week 7 October 2 Authentication   Slides [pdf].
Week 8 October 9 Access Control   Slides [pdf].   Slides [pdf].
Week 9 October 16 Student presentations EVILCOHORT: Detecting Communities of Malicious Accounts on Online Services. To be presented by Daimion Reid.
Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks. To be presented by Luis Puche.
USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs. To be presented by Juan Medina.
Week 10 October 23 Student presentations Skyfire: Data-Driven Seed Generation for Fuzzing. To be presented by Federico Zickbauer.
Automated Crowdturfing Attacks and Defenses in Online Review Systems. To be presented by Mario Reyes.
Week 11 October 30 Student presentations The Dark Menace: Characterizing Network-based Attacks in the Cloud. To be presented by Fernando Cruz.
Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security. To be presented by Rorey Cowan.
IoT Goes Nuclear: Creating a ZigBee Chain Reaction. To be presented by Rennie Larios.
Counter-RAPTOR: Safeguarding Tor Against Active Routing Attacks. To be presented by Dorian Williams.
Week 12 November 6 Student presentations SmartPool: Practical Decentralized Pooled Mining. To be presented by Khrystsina Navumenka.
Measurement and Analysis of Traffic Exchange Services. To be presented by Alexa Castillo.
Secure Cloud Computing with a Virtualized Network Infrastructure. To be presented by Yehya Abu Qatrieh.
The Wolf of Name Street: Hijacking Domains Through Their Nameservers. To be presented by Micheal Adeyosoye.
Week 13 November 13 Student presentations How to Learn Klingon Without a Dictionary: Detection and Measurement of Black Keywords Used by the Underground Economy. To be presented by Marc Roger.
Measuring the Security Harm of TLS Crypto Shortcuts. To be presented by Yoangel Ramos.
Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities. To be presented by Daniela Hernandez.
What Happens After You Are Pwnd: Understanding the Use of Leaked Webmail. To be presented by Sharon Ly.
Week 14 November 20 Student presentations Weak Keys Remain Widespread in Network Devices. To be presented by Zuo Wang.
Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs. To be presented by Christopher Zickbauer.
CONIKS: Bringing Key Transparency to End Users. To be presented by Omar Burgos.
SoK: Exploiting Network Printers. Jens Müller, Vladislav Mladenov, Juraj Somorovsky. To be presented by Ryan Wong.
Week 15 November 27 Student presentations Measuring the Adoption of DDoS Protection Services. To be presented by Karen Torres Ruiz.
Measuring and Applying Invalid SSL Certificates: The Silent Majority. To be presented by Kenneth Rodriguez.
Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. To be presented by Roberto Galdamez.
Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning. To be presented by Beth Thompson.
Week 16 December 4 Student presentations The Doppelganger Bot Attack: Exploring Identity Impersonation in Online Social Networks. To be presented by Armando Losa.
Hijacking Bitcoin: Routing Attacks on Cryptocurrencies. To be presented by Sarai Nobrega.
Automatic Detection of Online Recruitment Frauds: Characteristics, Methods, and a Public Dataset. To be presented by Mario Milian.
Understanding the Mirai Botnet. To be presented by David Pita.
Week 17 December 11 (Monday) Final exam 12 - 2pm, GL 139

Suggested Publications for Class Presentations

  • SmartPool: Practical Decentralized Pooled Mining. [pdf]. Luu L, Velner Y, Teutsch J, Saxena P. To be presented by Khrystsina Navumenka.

  • Automatic Detection of Online Recruitment Frauds: Characteristics, Methods, and a Public Dataset. [pdf]. Sokratis Vidros, Constantinos Kolias, Georgios Kambourakis, Leman Akoglu. To be presented by Mario Milian.

  • What Happens After You Are Pwnd: Understanding the Use of Leaked Webmail Credentials in the Wild. [pdf]. Jeremiah Onaolapo, Enrico Mariconti, Gianluca Stringhini. To be presented by Sharon Ly.

  • EVILCOHORT: Detecting Communities of Malicious Accounts on Online Services. [pdf]. Gianluca Stringhini, Pierre Mourlanne, Gregoire Jacob, Manuel Egele, Christopher Kruegel and Giovanni Vigna. To be presented by Daimion Reid.

  • USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs. Yang Su, Daniel Genkin, Damith Ranasinghe, Yuval Yarom. [pdf]. To be presented by Juan Medina.

  • Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs. Emaad A. Manzoor, Sadegh Momeni, Venkat N. Venkatakrishnan, Leman Akoglu. [pdf]. To be presented by Christopher Zickbauer.

  • Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing. Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, Hyesoon Kim, Marcus Peinado. [pdf].

  • Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, David Brumley. [pdf]. To be presented by Roberto Galdamez.

  • SoK: Exploiting Network Printers. Jens Müller, Vladislav Mladenov, Juraj Somorovsky. [pdf]. To be presented by Ryan Wong.

  • CONIKS: Bringing Key Transparency to End Users. Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, Michael J. Freedman. [pdf]. To be presented by Omar Burgos.

  • How to Learn Klingon Without a Dictionary: Detection and Measurement of Black Keywords Used by the Underground Economy. Hao Yang, Xiulin Ma, Kun Du, Zhou Li, Haixin Duan, Xiaodong Su, Guang Liu, Zhifeng Geng, Jianping Wu. [pdf]. To be presented by Marc Roger.

  • Hijacking Bitcoin: Routing Attacks on Cryptocurrencies. Maria Apostolaki, Aviv Zohar, Laurent Vanbever. [pdf]. To be presented by Sarai Nobrega.

  • Counter-RAPTOR: Safeguarding Tor Against Active Routing Attacks. Yixin Sun, Anne Edmundson, Nick Feamster, Mung Chiang, Prateek Mittal. [pdf]. To be presented by Dorian Williams.

  • IoT Goes Nuclear: Creating a ZigBee Chain Reaction. Eyal Ronen, Colin O'Flynn, Adi Shamir, Achi-Or Weingarten. [pdf]. To be presented by Rennie Larios.

  • Skyfire: Data-Driven Seed Generation for Fuzzing. Junjie Wang, Bihuan Chen, Lei Wei, and Yang Liu. [pdf]. To be presented by Federico Zickbauer.

  • Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities. Jianfeng Pan, Guanglu Yan, Xiaocao Fan. [pdf]. To be presented by Daniela Hernandez.

  • Same-Origin Policy: Evaluation in Modern Browsers. Jorg Schwenk, Marcus Niemietz, and Christian Mainka. [pdf]. To be presented by Ivana Rodriguez.

  • Understanding the Mirai Botnet. Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou. [pdf]. To be presented by David Pita.

  • Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks. Tao Wang, Ian Goldberg. [pdf]. To be presented by Luis Puche.

  • Measuring the Adoption of DDoS Protection Services. Mattijs Jonker, Anna Sperotto, Roland M. van Rijswijk, R. Sadre, Aiko Pras. [pdf]. To be presented by Karen Torres Ruiz.

  • Measuring and Applying Invalid SSL Certificates: The Silent Majority. Taejoong Chung, Yabing Liu, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Christo Wilson. [pdf]. To be presented by Kenneth Rodriguez.

  • Weak Keys Remain Widespread in Network Devices. Marcella Hastings, Joshua Fried, Nadia Heninger. [pdf]. To be presented by Zuo Wang.

  • Measuring the Security Harm of TLS Crypto Shortcuts. Drew Springall, Zakir Durumeric, J. Alex Halderman. [pdf]. To be presented by Yoangel Ramos.

  • Measurement and Analysis of Traffic Exchange Services. Mobin Javed, Cormac Herley, Marcus Peinado, Vern Paxson. [pdf]. To be presented by Alexa Castillo.

  • Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security. Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, Michael Bailey, J. Alex Halderman. [pdf]. To be presented by Rorey Cowan.

  • The Doppelganger Bot Attack: Exploring Identity Impersonation in Online Social Networks. Oana Goga, Giridhari Venkatadri, and Krishna P Gummadi. [pdf]. To be presented by Armando Losa.

  • The Dark Menace: Characterizing Network-based Attacks in the Cloud. Rui Miao, Rahul Potharaju, Minlan Yu, and Navendu Jain. [pdf]. To be presented by Fernando Cruz.

  • Opprentice: Towards Practical and Automatic Anomaly Detection Through Machine Learning. Dapeng Liu, Youjian Zhao, Haowen Xu, Yongqian Sun, Dan Pei, Jiao Luo, Xiaowei Jing, and Mei Feng. [pdf]. To be presented by Beth Thompson.

  • Automated Crowdturfing Attacks and Defenses in Online Review Systems. Yuanshun Yao, Bimal Viswanath, Jenna Cryan, Haitao Zheng, Ben Y. Zhao. [pdf]. To be presented by Mario Reyes.

  • The Wolf of Name Street: Hijacking Domains Through Their Nameservers. Thomas Vissers, Timothy Barron, Tom Van Goethem, Wouter Joosen, Nick Nikiforakis. [pdf]. To be presented by Micheal Adeyosoye.

  • Secure Cloud Computing with a Virtualized Network Infrastructure. Fang Hao, T.V. Lakshman, Sarit Mukherjee, Haoyu Song. [pdf]. To be presented by Yehya Abu Qatrieh.

Grading Summary

Your final grade will be computed from the following categories; this is, however, subject to radical change.

Policies

Following grading of homeworks and final, you have three weeks to challenge your grade.

Warning

In this class we discuss vulnerabilities in widely-deployed computer systems. This is not intended as an invitation to exploit those vulnerabilities. It is important that we be able to discuss real-world experience candidly; students are expected to behave responsibly.

You may not break into machines that are not your own; you may not attempt to attack or subvert system security. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.

Unethical or inappropriate actions may result in failing the course and being referred for further discipline.


Collaboration and Academic Integrity Policy

Homeworks are to be done individually, on your own (not in groups).

For homeworks, you must always write up the solutions on your own. Similarly, you may use references to help solve homework problems, but you must write up the solution on your own and cite your sources. You may not share written work or programs with anyone else.