CSCI 445 – Mobile Application Security


This class schedule is preliminary and will be altered as the semester progresses. While I will try to announce changes as they happen, it is the students' responsibility to check this web page frequently for any changes to the schedule, readings or assignments.

Note: The slides will be available after each lecture via a slides link below the lecture topic.

Date | Topics | Readings | Notes

01/25/2024  Course Introduction
  Slides
  Readings:
    1. Ken Thompson, Reflections on Trusting Trust. Turing Award Lecture, 1983. (link)
    2. Building your first Android app (link)
  Notes:
    1. Homework 1 assigned; due January 30th at 11:59pm
    2. Project Proposal (Milestone 1) assigned; due February 8th at 11:59pm

01/30/2024  Android and Security Fundamentals
  Slides
  Readings:
    1. Security Engineering, Chapter 1 (link)
  Notes:
    1. Homework 1 due

02/01/2024  CLASS CANCELLED, CONFERENCE TRAVEL
  Notes:
    1. February 2nd: Last Day to ADD/DROP

02/06/2024  Crypto Basics 1
  Slides
  Readings:
    1. Security Engineering, Chapter 5.1-5.5 (link)

02/08/2024  Crypto Basics 2
  Slides
  Readings:
    1. Security Engineering, Chapter 5.6 (link)
  Notes:
    1. Project Proposal due
    2. Homework 2 assigned; due February 22nd at 11:59pm

02/13/2024  Crypto Basics 3
  Slides
  Readings:
    1. Security Engineering, Chapter 5.7 (link)
    2. R. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 1978. (link)
    3. Creating your own Certificate Authority (link)
  Notes:
    1. Project Application (Milestone 2) assigned; due March 7th at 11:59pm
02/15/2024  SSL/TLS, Cryptography in Mobile Apps
  Slides
  Readings:
    1. SSL and TLS: A Beginner's Guide (link)
    2. R. Anderson, Why Cryptosystems Fail. In Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), Fairfax, Virginia, USA, November 3-5, 1993. (link)

02/20/2024  Access Control Basics
  Slides
  Readings:
    1. Operating System Security, Chapters 1, 2, and 5 (link)
    2. [Part 1 Only] J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9) (1975), pp. 1278-1308. (link)

02/22/2024  Managing Privilege in Mobile Apps
  Slides
  Notes:
    1. Homework 2 due

02/27/2024  Secure Inter-application Communication
  Slides
  Readings:
    1. [Sections 1-3 only] A. Nadkarni, B. Andow, W. Enck, and S. Jha, "Practical DIFC Enforcement on Android," in Proceedings of the 25th USENIX Security Symposium (USENIX), Austin, TX, USA, 2016, pp. 1119-1136. (link)

02/29/2024  Storage in Mobile Apps
  Slides
  Readings [Read Previously]:
    1. Operating System Security, Chapters 1, 2, and 5 (focus on security models) (link)
    2. J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9) (1975), pp. 1278-1308. (link)
  Notes:
    1. Homework 3 assigned; due March 19th at 11:59pm

03/05/2024  Application Security Analysis Goals
  Slides
  Readings:
    1. Reaves, B., Bowers, J., Gorski III, S.A., Anise, O., Bobhate, R., Cho, R., Das, H., Hussain, S., Karachiwala, H., Scaife, N. and Wright, B., 2016. *droid: Assessment and Evaluation of Android Application Analysis Tools. ACM Computing Surveys (CSUR), 49(3), p. 55. (link)

03/07/2024  Evaluating Security Analysis and Research Methods 1
  Slides
  Readings:
    1. S. Axelsson, The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. In Proceedings of the ACM Conference on Computer and Communications Security, November 1999. (link)
  Notes:
    1. Project Application due
    2. Analysis Plan (Milestone 3) assigned; due April 11th at 11:59pm. EXTENDED to April 16th
    3. Project Report (Milestone 4) assigned; due May 2nd at 11:59pm
03/12/2024  SPRING BREAK

03/14/2024  SPRING BREAK

03/19/2024  Guest Lecture: Crypto-API misuse in the wild (Amit Seal Ami, Prianka Mandal)
  Notes:
    1. Homework 3 due

03/21/2024  NO CLASS, CONFERENCE TRAVEL
  Notes:
    1. March 25th: Last Day to Withdraw

03/26/2024  Intro to Static Analysis
  Slides
  Readings:
    1. Fahl, Sascha, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. "Why Eve and Mallory love Android: An analysis of Android SSL (in)security." In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 50-61. ACM, 2012. (link)
    2. [Optional] Egele, Manuel, David Brumley, Yanick Fratantonio, and Christopher Kruegel. "An empirical study of cryptographic misuse in Android applications." In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 73-84. ACM, 2013. (link)

03/28/2024  Mobile vulnerabilities in IoT, and Liability (in collaboration with Dr. Iria Guiffrida)
  Notes:
    1. Homework 4 assigned; due April 16th at 11:59pm

04/02/2024  Permission Analysis
  Slides
  Readings:
    1. Enck, William, Machigar Ongtang, and Patrick McDaniel. "On lightweight mobile phone application certification." In Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 235-245. ACM, 2009. (link)
    2. Felt, Adrienne Porter, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. "Android permissions demystified." In Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627-638. ACM, 2011. (link)

04/04/2024  Detecting Privacy Leaks
  Slides
  Readings:
    1. Enck, William, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32, no. 2 (2014). (link)
    2. Arzt, Steven, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. "FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps." ACM SIGPLAN Notices 49, no. 6 (2014): 259-269. (link)

04/09/2024  Sound vs Sound(y) analysis
  Slides
  Readings:
    1. Bonett, R., Kafle, K., Moran, K., Nadkarni, A., & Poshyvanyk, D. (2018). Discovering flaws in security-focused static analysis tools for Android using systematic mutation. Proceedings of the USENIX Security Symposium. (link)
    2. Livshits, Benjamin, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Møller, and Dimitrios Vardoulakis. "In defense of soundiness: a manifesto." Communications of the ACM 58, no. 2 (2015): 44-46. (link)

04/11/2024  Inter-app communication analysis
  Slides
  Readings:
    1. Chin, Erika, Adrienne Porter Felt, Kate Greenwood, and David Wagner. "Analyzing inter-application communication in Android." In Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services (MobiSys), pp. 239-252. ACM, 2011. (link)
    2. Grace, Michael C., Yajin Zhou, Zhi Wang, and Xuxian Jiang. "Systematic Detection of Capability Leaks in Stock Android Smartphones." In NDSS, 2012. (link)
    3. [Optional] Felt, Adrienne Porter, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. "Permission Re-Delegation: Attacks and Defenses." In Proceedings of the USENIX Security Symposium, 2011. (link)

04/16/2024  Malware Basics
  Slides
  Readings:
    1. Zhou, Yajin, and Xuxian Jiang. "Dissecting Android malware: Characterization and evolution." In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), pp. 95-109. IEEE, 2012. (link)
    2. Arp, Daniel, Michael Spreitzenbarth, Malte Hübner, Hugo Gascon, and Konrad Rieck. "DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket." In NDSS, 2014. (link)
  Notes:
    1. Analysis Plan due
    2. Homework 4 due

04/18/2024  Understanding Mutants for Security: Tutorial (w/ Amit Seal Ami)
  Readings:
    1. Ami, Amit S., Cooper, N., Kafle, K., Moran, K., Poshyvanyk, D., & Nadkarni, A. Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques. Proceedings of the IEEE Symposium on Security and Privacy, 2022. (link)
04/23/2024  Intro to Dynamic Analysis
  Slides
  Readings [Read Previously]:
    1. Enck, William, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones." ACM Transactions on Computer Systems (TOCS) 32, no. 2 (2014). (link)

04/25/2024  Malware
  Slides
  Notes:
    1. Homework 5 (extra credit) assigned; due May 3rd at 11:59pm

04/30/2024  Project Presentations
  Notes:
    1. Homework 5 (extra credit) due

05/02/2024  Finals Review (Zoom)
  Notes:
    1. Project Report due

05/14/2024  Final Exam, in class, 2 PM - 5 PM
