Lectures

[ Home ] [ Policies ] [ Lectures ] [ Homework ] [ Project ]

Lecture Schedule (Subject to Change)

Notice: Students are responsible for reading assigned materials prior to the lecture in which they will be discussed. Lecture slides are available via AFS in the /afs/cs.pitt.edu/usr0/adamlee/public/cs2530/lectures/ directory. As per the course policies, lecture slides are for your use only.

Lecture #	Date	Topics	Readings	Other
1	1/8 (Tue)	Administrivia and introduction	B 1	-
2	1/10 (Thu)	Introduction, cont.	B 13; [SS75]; [L04]; [BLR+04]	-
3	1/15 (Tue)	Why is security hard?	B 2-3.2; [HRU76]	-
4	1/17 (Thu)	The Take/Grant protection model	B 3.3	-
5	1/22 (Tue)	Policy Models I	B 4-5; [M85]	HW 1 due
6	1/24 (Thu)	Policy Models II	B 6-7	-
7	1/29 (Tue)	Access controls	B 15	HW 2 due
8	1/31 (Thu)	Advanced authorization	[BFL96]; [LMW02]	Project proposal due
9	2/5 (Tue)	RBAC (Guest lecture by Professor James Joshi)	[OSM00]	-
10	2/7 (Thu)	Formal analysis of access control schemes I	[CMD01]	-
11	2/12 (Tue)	Formal analysis of access control schemes II	[TL07]	HW 3 due
12	2/14 (Thu)	Symmetric key cryptography	B 9.1-9.2, 9.4, 11.1-11.2; PP 2.1-2.6	-
-	2/19 (Tue)	No Class	-	-
13	2/21 (Thu)	Public key cryptography and IBE	B 9.3; PP 2.7; [RSA78]; [S85]; [K07]	-
14	2/26 (Tue)	Public key cryptography and IBE		-
15	2/28 (Thu)	Threshold cryptography and secret sharing	[SZ05]; [S79]; [HJ+95]	-
16	3/05 (Tue)	Midterm (in class)	-	-
17	3/7 (Thu)	Authentication and identity	B 12, 14; [L81]	-
-	3/12 (Tue)	Spring break. No class.	-	-
-	3/14 (Thu)	Spring break. No class.	-	-
18	3/19 (Tue)	Authentication and key exchange protocols	B 10; [DH76]	Annotated reference list due
19	3/21(Thu)	Operating system security	PP 4-5; [AO96]	-
20	3/26 (Tue)	Network security	PP 7; B 26	-
21	3/28 (Thu)	Viruses and worms	B 22; [S89]; [SM+04]	-
22	4/02 (Tue)	Data privacy I: Syntactic protections	[S02]; [MG+06]	-
23	4/04 (Thu)	Data privacy II: Querier privacy	[CG+95]; [FL+11]	HW 4 due
Note: All readings beyond this point are required! Prior to class, you are expected to read each paper. Then fill out a copy of the review form for one of the papers and submit it to the instructor before class. The presentation schedule and instructions are here.
24	4/09 (Tue)	Advanced topics: Anonymity	[DMS04]: Joe, Ryan [HBS13]: Becca, Ben	-
25	4/11 (Thu)	Advanced topics: Cloud Security	[RT+09]: Ha, Yechen [BLS+12]: Stephen	-
26	4/16 (Tue)	Advanced topics: Location and Mobile Security/Privacy	[HRS+12]: Tim, Ruhsary [THS12]: Zhipeng, Mykolas	-
27	4/18 (Thu)	Advanced topics: Data(base) Security	[BDJ+11]: Dan, Di [PRZ+11]: Cory, Duncan	HW 5 due
28	4/23 (Tue)	Project presentations	-	Project reports due
29	4/25 (Thu)	Project presentations	-	-

Readings

NOTE: In the reading assignments listed above, "B" refers to the Bishop book, "PP" refers to the Pfleeger and Pfleeger book, and other references refer to the papers below. For instance, "B 2-3.2" means to read all of chapter 2 and sections 3.1 and 3.2 of Bishop.

Other Readings:

[AO96] Aleph One, Smashing the Stack for Fun and Profit, Phrack Issue 49, Nov. 1996.
[BDJ+11] Keven D. Bowers, Marten van Dijk, Ari Juels, Alina Oprea, Ronald L. Rivest: How to tell if your cloud files are vulnerable to drive crashes, CCS 2011.
[BL76] D.E. Bell and L.J. La Padula, Secure Computer System: Unified Exposition and Multics Interpretation, MITRE Technical Report ESD-TR-75-306, March 1976.
[BLR+04] Bharat Bhargava, Leszek Lilien, Arnon Rosenthal, Marianne Winslett, Morris Sloman, Tharam S. Dillon, Elizabeth Chang, Farookh Khadeer Hussain, Wolfgang Nejdl, Daniel Olmedilla, and Vipul Kashyap, The Pudding of Trust, IEEE Intelligent Systems 19(5): 74-88, Sep.-Oct. 2004.
[BLS+12] Shakeel Butt, H. Andres Lagar-Cavilla, Abhinav Srivastava, Vinod Ganapathy, Self-service Cloud Computing, CCS 2012.
[BFL96] Matt Blaze, Joan Feigenbaum, and Jack Lacy, Decentralized Trust Management, IEEE Symposium on Security and Privacy, May 1996.
[CG+95] B. Chor, O. Goldreich, E. Kushilevitz, M. Sudan, Private information retrieval, FOCS 1995.
[CMD01] Ajay Chander, John C. Mitchell, Drew Dean: A State-Transition Model of Trust Management and Access Control. CSFW 2001: 27-43.
[DH76] Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory 22(6): 644-654, Nov. 1976.
[DMS04] R. Dingledine, N. Mathewson, and P. Syverson, Tor: The Second-Generation Onion Router, USENIX Security, August 2004.
[FL+11] Nicholas L. Farnan, Adam J. Lee, Panos K. Chrysanthis, and Ting Yu, Don't Reveal My Intension: Protecting User Privacy using Declarative Preferences during Distributed Query Processing, in Proceedings of the 16th European Symposium on Research in Computer Security (ESORICS), September 2011.
[HBS13] Amir Houmansadr, Chad Brubaker, and Vitaly Shmatikov, The Parrot is Dead: Observing Unobservable Network Communications, The 34th IEEE Symposium on Security & Privacy (Oakland), May 2013.

[HJ+95] Amir Herzberg, Stanislaw Jarecki, Hugo Krawczyk, and Moti Yung, Proactive Secret Sharing or: How to Cope with Perpetual Leakage, Proceedings of CRYPTO 1995.
[HRS+12] Eiji Hayashi, Oriana Riva, Karin Strauss, A.J. Bernheim Brush, Stuart Schechter, Goldilocks and the Two Mobile Devices: Going Beyond All-Or-Nothing Access to a Device's Applications, SOUPS 2012.
[HRU76] Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman, Protection in Operating Systems, Communications of the ACM 19(8): 461-471, August 1976.
[K07] Neal Koblitz, The Uneasy Relationship Between Mathematics and Cryptography, Notices of the AMS 54(8): 972-979, Sep. 2007.
[L04] Butler Lampson, Computer Security in the Real World, IEEE Computer 37(6): 37-46, June 2004.
[L81] Leslie Lamport, Password Authentication with Insecure Communication, Communications of the ACM 24(11): 770-772, Nov. 1981.
[LMW02] Ninghui Li, John C. Mitchell, and William H. Winsborough, Design of a Role-based Trust-Management Framework, IEEE Symposium on Security and Privacy, May 2002.
[M85] John McLean, A Comment on the 'Basic Security Theorem' of Bell and LaPadula, Information Processing Letters 20(2): 67-70, Feb. 1985.
[MG+06] Ashwin Machanavajjhala, Johannes Gehrke, Daniel Kifer, Muthuramakrishnan Venkitasubramaniam, l-Diversity: Privacy Beyond k-Anonymity, ICDE 2006.
[OSM00] Sylvia Osborn, Ravi Sandhu, and Qamar Munawer, Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies, ACM TISSEC 3(2): 85-106, 2000.
[PRZ+11] Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan: CryptDB: Protecting Confidentiality with Encrypted Query Processing, SOSP 2011.
[RSA78] R.L. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM 21(2): 120-126, Feb. 1978.
[RT+09] Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage, Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, ACM Conference on Computer and Communications Security 2009: 199-212
[S02] Latanya Sweeney, k-Anonymity: A Model for Protecting Privacy, International Journal on Uncertainty, Fuzziness, and Knowledge-based Systems, 10(5):557-570, 2002.
[S79] Adi Shamir, How to Share a Secret, Communications of the ACM 22(11): 612-613, Nov. 1979.
[S85] Adi Shamir, Identity-Based Cryptosystems and Signature Schemes, Proceedings of CRYPTO 1984, pp. 47-53.
[S89] Eugene Spafford, The Internet Worm: Crisis and Aftermath, Communications of the ACM 32(6): 678-687, June 1989.
[SM+04] Stuart Staniford, David Moore, Vern Paxson, and Nicholas Weaver, The Top Speed of Flash Worms, Proceedings of the ACM Workshop on Rapid Malcode (WORM), Oct. 2004.
[SS75] Jerome H. Saltzer and Michael D. Schroeder, The Protection of Information in Computer Systems, Proceedings of the IEEE 63(9): 1278-1308, Sep. 1975.
[SZ05] Fred B. Scheider and Lidong Zhou, Implementing Trustworthy Services Using Replicated State Machines, IEEE Security and Privacy 3(5): 34-43, Sep.-Oct. 2005.
[THS12] Karen Tang, Jason Hong, and Dan Siewiorek. 2012. The implications of offering more disclosure choices for social location sharing, Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '12).
[TL07] Mahesh V. Tripunitara, Ninghui Li: A theory for comparing the expressive power of access control models. Journal of Computer Security 15(2): 231-272 (2007).