CEN 5079: Secure Application Programming
Spring 2016


Instructor:
  Bogdan Carbunar
  E-mail: carbunar at gmail dot com
  Office hours: Tuesdays, 15:15-16:15, ECS 383.

Web page: http://www.cs.fiu.edu/~carbunar/teaching/cen5079/cen5079.2017/cen5079.html

Class time and location: Tu/Th, 2:00-3:15pm: GL 137


Announcements

[Posted on Tue. March 28, 2017]: Second homework is out. Homework is due on Thursday April 13, at 3:15 pm (end of class). In-class students should print the homework and bring it to class. Online students should e-mail it to the instructor. 10 points out of 100 are subtracted for each late day.

[Posted on Tue. February 7, 2017]: First homework is out. You can find it here. Homework is due on Tuesday February 28, at 3:15 pm (end of class). Write the solution in pdf format. In-class students should print the homework and bring it to class. Online students should e-mail it to the instructor. 10 points out of 100 are subtracted for each late day.

[Posted on Wed. Jan. 11 2017]: Web page is up!

Course Overview

This course will cover important systems security topics that include vulnerabilities and malware, access control, key management and distribution, authentication protocols, and others.

List of course topics (tentative):


Lectures

The following schedule is tentative and subject to change.

Week 1: January 10 and 12. Class overview; Introduction to systems security. Slides [pdf].
Week 2: January 17 and 19. Program Security and Vulnerabilities. Slides [pdf] and [pdf].
  Link: Aleph One's Smashing the Stack for Fun and Profit
  Link: Wenliang Du's Buffer Overflow Lab
Week 3: January 24 and 26. Vulnerabilities. Slides [pdf].
  Slides: Advice for presentations [pdf]
Week 4: January 31 and February 2. Malware. Slides [pdf].
Week 5: February 7 and 9. Network Security. Slides [pdf].
Week 6: February 14 and 16. Authentication. Slides [pdf].
Week 7: February 21 and 23. Access Control.
Week 8: February 28 and March 2. Student presentations.
  February 28:
    "A Secure Sharding Protocol For Open Blockchains". To be presented by Kidanny Mendez.
    "Identifying the Scanners and Attack Infrastructure behind Amplification DDoS attacks". To be presented by Alvaro Cordero.
  March 2:
    "Using Reflexive Eye Movements For Fast Challenge-Response Authentication". To be presented by Ryan Ramis.
    "Trusted Browsers for Uncertain Times". To be presented by Alfonso Vergara.
Week 9: March 7 and 9. Student presentations.
  March 7:
    "You Are Who You Know and How You Behave: Attribute Inference Attacks via Users' Social Friends and Behaviors". To be presented by Nasim Sabetpour.
    "The Ever-Changing Labyrinth: A Large-Scale Analysis of Wildcard DNS Powered Blackhat SEO". To be presented by Karina Alejandra Pravia.
  March 9:
    "A Comprehensive Measurement Study of Domain Generating Malware". To be presented by Lovely Rahman.
    "Forwarding-Loop Attacks in Content Delivery Networks". To be presented by Sydney Sheran.
Week 10: March 14 and 16. Spring Break! No classes!
Week 11: March 21 and 23. Student presentations.
  March 21:
    "Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks". To be presented by Otilio Alvarado.
    "All Your DNS Records Point to Us: Understanding the Security Threats of Dangling DNS Records". To be presented by Hector Cen.
  March 23:
    "An Empirical Study of Textual Key-Fingerprint Representations". To be presented by Leela Mysore Panduranga Rao.
    "UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware". To be presented by Moktar Diomande.
Week 12: March 28 and 30. Student presentations.
  March 28:
    "An Empirical Study of Mnemonic Sentence-based Password Generation Strategies". To be presented by Vaidehi Patel.
    "zxcvbn: Low-Budget Password Strength Estimation". To be presented by Mohammed Esoofally.
  March 30:
    "Website-Targeted False Content Injection by Network Operators". To be presented by Kanchan Patil.
    "Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software". To be presented by Nishant Maurya.
Week 13: April 4 and 6. Student presentations.
  April 4: class cancelled.
  April 6:
    "FeatureSmith: Automatically Engineering Features for Malware Detection by Mining the Security Literature". To be presented by Zhiyuan Shi.
    "An In-Depth Study of More Than Ten Years of Java Exploitation". To be presented by Rene Manzur.
Week 14: April 11 and 13. Student presentations.
  April 11:
    "Build It, Break It, Fix It: Contesting Secure Development". To be presented by Qiulin Zhang.
    "Accessorize to a Crime: Real and Stealthy Attacks on State-Of-The-Art Face Recognition". To be presented by AmirHossein Seyri.
  April 13:
    "How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior". To be presented by Daniel Llana.
    "PhishEye: Live Monitoring of Sandboxed Phishing Kits". To be presented by Miguel San Martin.
Week 15: April 18 and 20. Student presentations.
  April 18:
    "My Smartphone Knows What You Print: Exploring Smartphone-based Side-channel Attacks Against 3D Printer". To be presented by Evelyng Morales-Jonen.
    "Practical Censorship Evasion Leveraging Content Delivery Networks". To be presented by Halim Yesilyurt.
  April 20:
    Slot 1, reserved by Andy Santana.
Week 16: April 27. Final Exam, GL 137, 12-2pm.

Suggested Publications for Class Presentations

  • "An In-Depth Study of More Than Ten Years of Java Exploitation". [pdf]. Philipp Holzinger, Stefan Triller, Alexandre Bartel and Eric Bodden. To be presented by Rene Manzur.

  • "Build It, Break It, Fix It: Contesting Secure Development". [pdf]. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle Mazurek and Piotr Mardziel. To be presented by Qiulin Zhang.

  • "FeatureSmith: Automatically Engineering Features for Malware Detection by Mining the Security Literature". [pdf]. Ziyun Zhu and Tudor Dumitras. To be presented by Zhiyuan Shi.

  • "How I Learned to be Secure: a Census-Representative Survey of Security Advice Sources and Behavior". [pdf]. Elissa M. Redmiles, Sean Kross and Michelle L. Mazurek. To be presented by Daniel Llana.

  • "Identifying the Scanners and Attack Infrastructure behind Amplification DDoS attacks". [pdf]. Johannes Krupp, Michael Backes and Christian Rossow. To be presented by Alvaro Cordero.

  • "My Smartphone Knows What You Print: Exploring Smartphone-based Side-channel Attacks Against 3D Printer". [pdf]. Chen Song, Feng Lin, Zhongjie Ba, Kui Ren, Chi Zhou and Wenyao Xu. To be presented by Evelyng Morales-Jonen.

  • "Practical Censorship Evasion Leveraging Content Delivery Networks". [pdf]. Hadi Zolfaghari and Amir Houmansadr. To be presented by Halim Yesilyurt.

  • "Using Reflexive Eye Movements For Fast Challenge-Response Authentication". [pdf]. Ivo Sluganovic, Marc Roeschlin, Kasper B. Rasmussen and Ivan Martinovic. To be presented by Ryan Ramis.

  • "A Secure Sharding Protocol For Open Blockchains". [pdf]. Loi Luu, Viswesh Narayanan, Chaodong Zheng, Kunal Baweja, Seth Gilbert and Prateek Saxena. To be presented by Kidanny Mendez.

  • "All Your DNS Records Point to Us: Understanding the Security Threats of Dangling DNS Records". [pdf]. Daiping Liu, Shuai Hao and Haining Wang. To be presented by Hector Cen.

  • "An Empirical Study of Mnemonic Sentence-based Password Generation Strategies". [pdf]. Weining Yang, Ninghui Li, Omar Chowdhury, Aiping Xiong and Robert W. Proctor. To be presented by Vaidehi Patel.

  • "zxcvbn: Low-Budget Password Strength Estimation". [pdf]. Daniel Lowe Wheeler. To be presented by Mohammed Esoofally.

  • "Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks". [pdf]. William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin and Lorrie Faith Cranor. To be presented by Otilio Alvarado.

  • "An Empirical Study of Textual Key-Fingerprint Representations". [pdf]. Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl and Matthew Smith. To be presented by Leela Mysore Panduranga Rao.

  • "A Comprehensive Measurement Study of Domain Generating Malware". [pdf]. Daniel Plohmann, Khaled Yakdan, Michael Klatt, Johannes Bader and Elmar Gerhards-Padilla. To be presented by Lovely Rahman.

  • "Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software". [pdf]. Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, Elie Bursztein and Damon McCoy. To be presented by Nishant Maurya.

  • "UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware". [pdf]. Amin Kharaz, Sajjad Arshad, Collin Mulliner, William Robertson and Engin Kirda. To be presented by Moktar Diomande.

  • "You Are Who You Know and How You Behave: Attribute Inference Attacks via Users' Social Friends and Behaviors". [pdf]. Neil Zhenqiang Gong and Bin Liu. To be presented by Nasim Sabetpour.

  • "Website-Targeted False Content Injection by Network Operators". [pdf]. Gabi Nakibly, Jaime Schcolnik and Yossi Rubin. To be presented by Kanchan Patil.

  • "The Ever-Changing Labyrinth: A Large-Scale Analysis of Wildcard DNS Powered Blackhat SEO". [pdf]. Kun Du, Hao Yang, Zhou Li, Haixin Duan and Kehuan Zhang. To be presented by Karina Alejandra Pravia.

  • "Trusted Browsers for Uncertain Times". [pdf]. David Kohlbrenner and Hovav Shacham. To be presented by Alfonso Vergara.

  • "Accessorize to a Crime: Real and Stealthy Attacks on State-Of-The-Art Face Recognition". [pdf]. Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer and Michael Reiter. To be presented by AmirHossein Seyri.

  • "Forwarding-Loop Attacks in Content Delivery Networks". [pdf]. Jianjun Chen, Jian Jiang, Xiaofeng Zheng, Haixin Duan, Jinjin Liang, Kang Li, Tao Wan and Vern Paxson. To be presented by Sydney Sheran.

  • "Breaking web applications built on top of encrypted data". [pdf]. Paul Grubbs, Richard McPherson, Muhammad Naveed, Thomas Ristenpart and Vitaly Shmatikov.

  • "PhishEye: Live Monitoring of Sandboxed Phishing Kits". [pdf]. Xiao Han, Nizar Kheir and Davide Balzarotti. To be presented by Miguel San Martin.

  • "Safely Measuring Tor". [pdf]. Rob Jansen and Aaron Johnson.


Grading Summary

Your final grade will be computed from the following categories; this is, however, subject to radical change.

Policies

Following grading of homeworks, midterm and final, you have three weeks to challenge your grade.

Warning

In this class we discuss vulnerabilities in widely-deployed computer systems. This is not intended as an invitation to exploit those vulnerabilities. It is important that we be able to discuss real-world experience candidly; students are expected to behave responsibly.

You may not break into machines that are not your own; you may not attempt to attack or subvert system security. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.

Unethical or inappropriate actions may result in failing the course and being referred for further discipline.


Collaboration and Academic Integrity Policy

Homeworks are to be done individually, on your own (not in groups).

For homeworks, you must always write up the solutions on your own. Similarly, you may use references to help solve homework problems, but you must write up the solution on your own and cite your sources. You may not share written work or programs with anyone else.


Code of Academic Integrity

http://www.fiu.edu/~oabp/misconductweb/2codeofacainteg.htm
