ECS 235A. Computer Security

Fall 2012, CRN: 20910
Lectures: Monday, Wednesday, and Friday, 1000-1050, 1070 Bainer.
Office hours: Wednesday 1400-1600, 2211 Watershed.
Instructor: Hao Chen
Communications: SmartSite (for discussions)


This class introduces modern topics in computer systems security, and prepares students to do research on these topics. It plans to cover the following topics:

Requirements and Grading


Note: reading is subject to change.

1 September 28 Introduction
2 October 01 Principles Basic principles of information protection. Saltzer and Schroeder.
(Only read Section A: Considerations Surrounding the Study of Protection)
Brandon Hee
October 03 Ross Gegan
October 05 Software vulnerabilities Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns. Pincus and Baker.
Optional (no review necessary): Smashing The Stack For Fun And Profit. Aleph One.
Bogdan Copos
3 October 08 Static analysis EXE: Automatically Generating Inputs of Death. Cadar, Ganesh, Pawlowski, Dill, Engler. Michael Bierma
October 10 Carlos Rojas
October 12 Runtime analysis Dynamic Taint Analysis: Automatic Detection, Analysis, and Signature Generation of Exploit Attacks on Commodity Software. Newsome and Song. Stewart He
4 October 15 Application of static analysis Intrusion Detection via Static Analysis. Wagner, Dean. Julia Matsieva
October 17 Sandbox A secure environment for untrusted helper applications: confining the wily hacker. Goldberg, Wagner, Thomas, and Brewer. Iuri Prilepov
October 19 Sandbox in Mobile OS Android Permissions Demystified. Felt, Chin, Hanna, Song, and Wagner.
Background: Android Security and Permissions.
Teng Wang
5 October 22 Java Security Extensible security architectures for Java. Wallach, Balfanz, Dean, Felten. Jiaqi Zhao
October 24 Privilege separation The Security Architecture of the Chromium Browser, Barth, Jackson, Reis, Google Chrome Team. Georgia Koutsandria
October 26 Preventing Privilege Escalation. Provos, Friedl, Honeyman.
Dara Hazeghi
6 October 29 Web security Robust Defenses for Cross-Site Request Forgery. Barth, Jackson, and Mitchell.
Background: (No review necessary) Cross-Site Request Forgeries: Exploitation and Prevention. Zeller and Felten.
Arun Raghuramu
October 31 Capabilities The Confused Deputy. Hardy.
Access Control (v0.1), Laurie.
Kristen Kennedy
November 02 Permission Re-Delegation: Attacks and Defenses. Felt, Wang, Moshchuk, Hanna, and Chin. Thomas Brounstein
7 November 05 Introduction to Cryptography Background (No review necessary): Symmetric key, Public key, Message authentication. Arthur Arlt
November 07 Alex Kennedy
November 09 Kerberos Designing an Authentication System: a Dialogue in Four Scenes, Bryant. Irene Spanou
8 November 12 Veterans Day
November 14 Cryptographical protocols Prudent engineering practice for cryptographic protocols, Abadi and Needham.
November 16
9 November 19
November 21 Virtual machines A Virtual Machine Introspection Based Architecture for Intrusion Detection. Garfinkel and Rosenblum.
When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments. Garfinkel and Rosenblum.
November 23 Thanksgiving
10 November 26 Guest lecture by Professor Karl Levitt No reading
November 28 No class
November 30 Underground economy Click Trajectories: End-to-End Analysis of the Spam Value Chain.
Optional (but highly recommended): Interview with Stefan Savage: On the Spam Payment Trail.
Timothy Carver, Eric Gustafson, Ke Wang
11 December 03 Project presentation Timothy Carver; Ross Gegan, Jia Qi Zhao; Brandon Hee; Iuri Prilepov; Arun Raghuramu
December 05 Arthur Arlt, Bogdan Alexandrescu, Ke Wang; Fernando Fuentes, Conghao Jiang, Teng Wang; Dara Hazeghi; Stewart He, Carlos Rojas; Georgia Koutsandria, Irene Spanou
December 07 Michael Bierma; Bogdan Copos, Tom Brounstein, Alex Kennedy; Eric Gustafson, Kristen Kennedy, Thomas Provan; Julia Matsieva


From time to time, we may discuss vulnerabilities in widely-deployed computer systems. This is not intended as an invitation to go exploit those vulnerabilities. It is important that we be able to discuss real-world experience candidly; students are expected to behave responsibly.

The campus's policy (and my policy) on this should be clear: you may not break into machines that are not your own; you may not attempt to attack or subvert system security. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.


I always welcome any feedback on what I could be doing better. You are also welcome to send me feedback anonymously.

Hao Chen
Last modified September 29, 2012.