Lecture topics and readings are subject to change as the semester evolves.

Reading Types

  • [BG]: Background reading for lecture content
  • [DISC]: Reading for in-class and online forum discussion
  • [OPT]: Optional reading on related topics, often seminal papers for an area

Note: You should never need to pay to download an article from the reading list (e.g., from the ACM Digital Library). If you are on campus, you won’t be prompted to purchase articles. If you are off campus, you can go through the University Library. Alternatively, you can use the library’s EZproxy. You can even define a Chrome bookmark in your bookmark bar to automatically redirect the current page through the EZproxy.



Date Topic Readings Assignments
Mon 1/18 No Class
  • MLK Jr. Day
Wed 1/20 Course Introduction / Research Methods I
(Lecture 1)
  • Ken Thompson, Reflections on Trusting Trust. Turing Award Lecture, 1983. (link)
  • Michael J. Hanson, Efficient Reading of Papers in Science and Technology. University of Washington, 1989. (link)
  • [OPT] SUNSPOT: An Implant in the Build Process (link)
  • Intro and Ethics Quiz (Moodle): Due Mon 1/25 11:59pm ET
Mon 1/25 Security Fundamentals
(Lecture 2)
  • [BG] Tools and Jewels, Ch 1

Topic: Crypto and Crypto Protocols

Date Topic Readings Assignments
Wed 1/27 Secret Key Crypto
(Lecture 3)
  • [BG] Tools and Jewels, Ch 2.1-2.2
  • [DISC] Egele et al., An Empirical Study of Cryptographic Misuse in Android Applications, ACM CCS, 2013. (link)
  • [OPT] Anderson, Why cryptosystems fail. In Proc. of ACM CCS, 1993. (link)
Mon 2/1 Hashes and Message Authentication
(Lecture 4)
  • [BG] Tools and Jewels, Ch 2.5-2.7
  • [DISC] Namprempre et al., Reconsidering Generic Composition, EuroCrypt, 2014. (link)
Wed 2/3 Asymmetric Cryptography
(Lecture 5)
  • [BG] Tools and Jewels, Ch 2.3-2.4
  • [OPT] Boneh. Twenty years of attacks on the RSA cryptosystem, Notices of AMS, 46(2), 1999. (link)
Mon 2/8 Key Management
(Lecture 6)
  • [BG] Tools and Jewels, Ch 4.3, Ch 8
  • [DISC] Adrian et al., Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In Proc. of ACM CCS, 2015. (link)
  • [OPT] Stark et al., Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate. In Proc. of IEEE S&P, 2019. (link)
Tue 2/9
  • University Wellness Day
Wed 2/10 User Authentication
(Lecture 7)
  • [BG] Tools and Jewels, Ch 3
  • [DISC] Li et al., The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers. In Proc. of USENIX Security, 2014. (link)
Mon 2/15 Authentication Protocols
(Lecture 8)
  • [BG] Tools and Jewels, Ch 4
  • [BG] Designing an Authentication System: A Dialogue in Four Scenes (link)
  • [DISC] Fett et al., A Comprehensive Formal Security Analysis of OAuth 2.0. In Proc. ACM CCS, 2016. (link)
  • MP1: Due Mon 2/15 11:59pm ET
  • RM1: Due Mon 2/15 11:59pm ET

Topic: Network Security

Date Topic Readings Assignments
Wed 2/17 Transport Layer Security
(Lecture 9)
  • [BG] Tools and Jewels, Ch 9.2
  • [DISC] Cremers et al., A Comprehensive Symbolic Analysis of TLS 1.3. In Proc. ACM CCS 2017. (link)
  • [OPT] The Illustrated TLS Connection (link)
Mon 2/22 TCP Attacks
(Lecture 10)
  • [BG] Tools and Jewels, Ch 11.3-11.7
  • [DISC] Jero et al., Identifier Binding Attacks and Defenses in Software-Defined Networks. In Proc of USENIX Security, 2017. (link)
  • [OPT] Saltzer et al. End-to-end arguments in system design. ACM ToCS. 2(4). 1984. (link)
Wed 2/24 Firewalls and Tunnels
(Lecture 11)
  • [BG] Tools and Jewels, Ch 10
  • [DISC] Wool. A quantitative study of firewall configuration errors. IEEE Computer, 37(6), 2005. (link)
Mon 3/1 Intrusion Detection Systems
(Lecture 12)
  • [BG] Tools and Jewels, Ch 11.1-11.2
  • [DISC] The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection (link)
Wed 3/3 Routing Security
(Lecture 13)
  • [DISC] Goldberg. Why is it Taking so Long to Secure Internet Routing?. Communications of the ACM. 57(10). 2014 (link)
Fri 3/5
  • University Wellness Day
Mon 3/8 DNS Security
(Lecture 14)
  • [BG] An Illustrated Guide to the Kaminsky DNS Vulnerability (link)
  • [DISC] Chung et al., A Longitudinal, End-to-End View of the DNSSEC Ecosystem. In Proc. of USENIX Security, 2017. (link)
  • RM2: Due Mon 3/8 11:59pm ET

Midterm and Research Methods

Date Topic Readings Assignments
Wed 3/10 Midterm Exam
  • Course Intro and Threat Models
  • Crypto and Crypto Protocols
  • Network Security
Mon 3/15 Research Methods II / Exam Debrief
(Lecture 15)
  • MP2: Due Mon 3/15 11:59pm ET

Topic: Systems Security

Date Topic Readings Assignments
Wed 3/17 Vulnerabilities
(Lecture 16)
  • [BG] Tools and Jewels, Ch 6
  • [BG] Chapter 2, 3.6: Younan et al., Code Injection in C and C++: A Survey of Vulnerabilities and Countermeasures (link)
  • [OPT] NSF SEED Labs - Software Security Labs (link)
Mon 3/22 Access Control
(Lecture 17)
  • [BG] Operating System Security, Chapters 1, 2, and 5. (link)
  • [BG] [Part 1.A Only] Saltzer and Schroeder, The Protection of Information in Computer Systems. Proc. of the IEEE 63(9). 1975. (link)
  • [DISC] Krohn et al., Information Flow Control for Standard OS Abstractions. In Proc. SOSP, 2007. (link)
  • RM3: Due Mon 3/22 11:59pm ET
Wed 3/24 No Class
  • University Wellness Day
Mon 3/29 Operating System Security
(Lecture 18)
  • [BG] Tools and Jewels, Ch 5
  • [BG] Operating System Security, Chapters 3, 4, and 10. (link)
  • [DISC] Sun et al., Security Namespace: Making Linux Security Frameworks Available to Containers. In Proc. USENIX Security, 2018. (link)
  • [OPT] Karger and Schell. Thirty Years Later: Lessons from the Multics Security Evaluation. In Proc. of ACSAC. 2002. (link)
Wed 3/31 Web Security
(Lecture 19)
  • [BG] Tools and Jewels, Ch 9
  • [DISC] Azad et al. Less is More: Quantifying the Security Benefits of Debloating Web Applications. In Proc. USENIX Security, 2019. (link)
Mon 4/5 Mobile Security
(Lecture 20)
  • [DISC] Deshotels et al., SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles, In Proc. of ACM CCS 2016. (link)
  • [OPT] Mayrhofer et al., The Android Platform Security Model, 2019, arXiv:1904.05572 (link)
Wed 4/7 Cloud Security
(Lecture 21)
  • [BG] Operating System Security, Chapter 11 (link)
  • [DISC] Arnautov et al., SCONE: Secure Linux Containers with Intel SGX, In Proc. of USENIX OSDI 2016. (link)
  • RM4: Due Wed 4/7 11:59pm ET

Topic: Privacy

Date Topic Readings Assignments
Mon 4/12 Inference Attacks and Defenses
(Lecture 22)
  • [DISC] Calandrino et al., “You Might Also Like:” Privacy Risks of Collaborative Filtering, In Proc. IEEE S&P, 2011. (link)
  • MP3: Due Mon 4/12 11:59pm ET
Wed 4/14 Web Privacy
(Lecture 23)
  • [BG] Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance (Only Part 1 is required) (link)
  • [DISC] Li, Shim Shimmeny: Evaluating the Security and Privacy Contributions of Link Shimming in the Modern Web. In Proc. USENIX Security, 2020. (link)
Thu 4/15
  • University Wellness Day
Mon 4/19 Mobile Privacy
(Lecture 24)
  • [BG] Twelve Million Phones, One Dataset, Zero Privacy (link)
  • [DISC] Reardon et al., 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System, In Proc. of USENIX Security, 2019. (link)
  • [OPT] Enck et al., TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, In Proc. of OSDI, 2010. (link)
Wed 4/21 IoT Privacy
(Lecture 25)
  • [DISC] OConnor et al., HomeSnitch: Behavior Transparency and Control for Smart Home IoT Devices, In Proc. of WiSec 2019. (link)
Mon 4/26 Anonymous Communication
(Lecture 26)
  • [DISC] Perta et al., A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients. In Proc. of PETS, 2015. (link)
  • [OPT] Dingledine et al., Tor: The second-generation onion router. In Proc. of USENIX Security, 2004. (link)


Date Topic Readings Assignments
Wed 4/28 Research Project Presentations
  • MP4: Due Fri 4/30 11:59pm ET
  • RM5: Due Wed 4/28 in class
Mon 5/3 Final Exam
  • Final exam is cumulative
  • 12n-2:30pm
  • RM6: Due Fri 5/7 11:59pm ET