Overview

This class schedule is preliminary and will be altered as the semester progresses. While I will try to announce changes as they happen, it is the responsibility of the students to check this web page frequently for any changes to the schedule, readings, or assignments.

Note: The slides will be available after each lecture via a slides link below the lecture topic.

Date / Topics / Readings / Notes

01/23/2020 Course Introduction (Slides)
Readings:
1. Security Engineering, Chapter 1 (link)
2. Ken Thompson, Reflections on Trusting Trust. Turing Award Lecture, 1983. (link)
3. Building your first Android app (link)
Notes:
1. Homework 1 assigned; due January 28th at 11:59pm.
2. Project Proposal (Milestone 1) assigned; due February 4th at 11:59pm.

01/28/2020 Android and Security Fundamentals (Slides)
Readings:
1. Security Engineering, Chapter 5.1-5.5 (link)
2. Introduction to Android (link)
Notes:
1. Homework 1 Due

01/30/2020 Crypto Basics 1 (Slides)
Readings:
1. Security Engineering, Chapter 5.1-5.5 (link)
2. Anderson, R. 1993. Why cryptosystems fail. In Proceedings of the 1st ACM Conference on Computer and Communications Security (Fairfax, Virginia, United States, November 03 - 05, 1993). CCS '93. (link)
Notes:
1. Homework 2 assigned; due February 13th at 11:59pm.
2. January 31st: ADD/DROP Date

02/04/2020 Crypto Basics 2 (Slides)
Readings:
1. Security Engineering, Chapter 5.6 (link)
Notes:
1. Project Proposal Due
2. Project Application (Milestone 2) assigned; due March 5th at 11:59pm.

02/06/2020 Crypto Basics 3 (Slides)
Readings:
1. Security Engineering, Chapter 5.7 (link)
2. Creating your own Certificate Authority (link)

02/11/2020 SSL/TLS, Cryptography in Mobile Apps (Slides)
Readings:
1. SSL and TLS: A Beginners Guide (link)
2. S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (pp. 50-61). (link)

02/13/2020 Access Control Basics (Slides)
Readings:
1. Operating System Security, Chapters 1, 2, and 5 (link)
2. [Part 1 Only] J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9) (1975) pp. 1278-1308. (link)
Notes:
1. Homework 2 Due
2. Homework 3 assigned; due February 27th at 11:59pm.

02/18/2020 Secure Inter-application Communication (Slides)

02/20/2020 CLASS CANCELLED, UNIVERSITY CLOSED DUE TO ADVERSE WEATHER

02/25/2020 CLASS CANCELLED, CONFERENCE TRAVEL

02/27/2020 Managing Privilege (Slides)
Notes:
1. Homework 3 Due

03/03/2020 Storage in Mobile Apps, Security Research Methods - I (Slides)
Readings:
1. Operating System Security, Chapter 1 (link) (focus on security models)
2. J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9) (1975) pp. 1278-1308. (link)

03/05/2020 IFC Basics (Slides)
Readings:
1. Operating System Security, Chapters 1, 2, and 5 (link)
Notes:
1. Homework 4 assigned; due March 26th at 11:59pm.
2. Project Milestone 2 (Application) Due.

03/10/2020 UNIVERSITY HOLIDAY: Spring Break
03/12/2020 UNIVERSITY HOLIDAY: Spring Break
03/17/2020 UNIVERSITY HOLIDAY: Extended Spring Break (COVID-19)
03/19/2020 UNIVERSITY HOLIDAY: Extended Spring Break (COVID-19)

03/24/2020 Application Security Analysis Goals (Slides)
Readings:
1. Reaves, B., Bowers, J., Gorski III, S.A., Anise, O., Bobhate, R., Cho, R., Das, H., Hussain, S., Karachiwala, H., Scaife, N. and Wright, B., 2016. *droid: Assessment and Evaluation of Android Application Analysis Tools. ACM Computing Surveys (CSUR), 49(3), p.55. (link)
2. Heuser, S., Nadkarni, A., Enck, W., & Sadeghi, A.-R. (2014). ASM: A Programmable Interface for Extending Android Security. In Proceedings of the 23rd USENIX Security Symposium. San Diego, CA, USA. (link)
Notes:
1. Project Milestone 2 (Application) Final Deadline.
2. Analysis Plan (Milestone 3) assigned; due April 9th at 11:59pm.

03/26/2020 Evaluating Security Analysis (Slides)
Readings:
1. S. Axelsson, The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. In Proceedings of the ACM Conference on Computer and Communication Security. November, 1999. (link)
Notes:
1. March 31: Last Day to Withdraw

03/31/2020 Intro to Static Analysis (Slides)
Readings:
1. Egele, Manuel, David Brumley, Yanick Fratantonio, and Christopher Kruegel. "An empirical study of cryptographic misuse in Android applications." In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 73-84. ACM, 2013. (link)
2. Fahl, Sascha, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. "Why Eve and Mallory love Android: An analysis of Android SSL (in)security." In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 50-61. ACM, 2012. (link)

04/02/2020 Intro to Dynamic Analysis (Slides)
Readings:
1. Enck, William, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. "TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32, no. 2 (2014). (link)
2. Sounthiraraj, David, Justin Sahs, Garret Greenwood, Zhiqiang Lin, and Latifur Khan. "SMV-Hunter: Large scale, automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps." In Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS '14). (link)
3. [OPTIONAL] Onwuzurike, Lucky, and Emiliano De Cristofaro. "Danger is my middle name: Experimenting with SSL vulnerabilities in Android apps." In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, p. 15. ACM, 2015. (link)
Notes:
1. Homework 4 Due.
2. Homework 5 assigned; due April 16th at 11:59pm.

04/07/2020 Permission Analysis (Slides)
Readings:
1. Enck, William, Machigar Ongtang, and Patrick McDaniel. "On lightweight mobile phone application certification." In Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 235-245. ACM, 2009. (link)
2. Felt, Adrienne Porter, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. "Android permissions demystified." In Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627-638. ACM, 2011. (link)
Notes:
1. Project Report (Milestone 4) assigned; due April 30th at 11:59pm.

04/09/2020 Detecting Privacy Leaks
Readings:
1. Enck, William, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. "TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32, no. 2 (2014). (link)
2. Arzt, Steven, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. "FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps." ACM SIGPLAN Notices 49, no. 6 (2014): 259-269. (link)
3. [DEEP DIVE] Nadkarni, Adwait, Benjamin Andow, William Enck, and Somesh Jha. "Practical DIFC Enforcement on Android." In USENIX Security Symposium, pp. 1119-1136. 2016. (link)
Notes:
1. Analysis Plan (Milestone 3) Due, 11:59pm

04/14/2020 Inter-app Communication Analysis
Readings:
1. Chin, Erika, Adrienne Porter Felt, Kate Greenwood, and David Wagner. "Analyzing inter-application communication in Android." In Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, pp. 239-252. ACM, 2011. (link)
2. Grace, Michael C., Yajin Zhou, Zhi Wang, and Xuxian Jiang. "Systematic Detection of Capability Leaks in Stock Android Smartphones." In NDSS, vol. 14, p. 19. 2012. (link)
3. [DEEP DIVE] Felt, Adrienne Porter, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. "Permission Re-Delegation: Attacks and Defenses." In USENIX Security Symposium, vol. 30, p. 88. 2011. (link)

04/16/2020 Sound vs Sound(y) Analysis
Readings:
1. Bonett, R., Kafle, K., Moran, K., Nadkarni, A., & Poshyvanyk, D. (2018). Discovering flaws in security-focused static analysis tools for Android using systematic mutation. arXiv preprint arXiv:1806.09761. (link)
2. Livshits, Benjamin, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Møller, and Dimitrios Vardoulakis. "In defense of soundiness: A manifesto." Communications of the ACM 58, no. 2 (2015): 44-46. (link)
3. King, Dave, Boniface Hicks, Michael Hicks, and Trent Jaeger. "Implicit flows: Can't live with 'em, can't live without 'em." In International Conference on Information Systems Security, pp. 56-70. Springer, Berlin, Heidelberg, 2008. (link)
Notes:
1. Homework 5 Due

04/21/2020 Malware
Readings:
1. Zhou, Yajin, and Xuxian Jiang. "Dissecting Android malware: Characterization and evolution." In Security and Privacy (SP), 2012 IEEE Symposium on, pp. 95-109. IEEE, 2012. (link)
2. Arp, Daniel, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, Konrad Rieck, and C. E. R. T. Siemens. "DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket." In NDSS, vol. 14, pp. 23-26. 2014. (link)

04/23/2020 Malware Analysis

04/28/2020 Final Exam Review

04/30/2020 Project Presentations
Notes:
1. Final Report Due (extensions will be provided as needed)

05/05/2020 FINAL EXAM, 2PM - 5PM, in class