Class Schedule
Here is a tentative schedule for the semester. You are expected to read the papers assigned for each class before you come to class. You may not understand everything in a paper when you first read it. That is okay; the class discussion will fill gaps in your understanding.
There will be no postponements of the exam dates. Please do not ask. These dates have been announced at the beginning of the semester. Plan your semester accordingly
Many links on this page (papers, homeworks, slides, etc.) will be accessible only from within the IISc network. Please log in via VPN and access the papers.
- Topic
- Readings
- Slides
- YouTube
- Logistics, Introduction
- -
- Slides
- video-link
- Stack smashing attacks
- [AlephOne]
Link to VM to try examples in slides - Slides
Do-it-yourself: Buffer overflows - video-link
video link
- Code-reuse attacks
- [ROP]
- (contd.)
- video link
- Design space of defenses
- (contd.)
- video link
- Memory-bounds Checking
- [SoftBound]
- Slides
- video link
- Control-flow Integrity
- [CFI]
- Slides
- video link
video link
- System Call Sandboxes
- [Dyck]
- Intel MPK
- [MPK]
- Slides
- video link
- Sep 19, 2024
- Mid-term exam
- Mid-term
- Mid-term
- Mid-term
- Authentication and Protocols
- [Authentication]
[Crypto-1]
[Crypto-2] [Crypto-3] - Slides
Slides
Slides - video link (Pt-1)
video link (Pt-2)
video link
- Capabilities and Access Control
- [ConfDep], [AccessControl], [MLS]
- Slides
- video link
- Web Apps: SOP, CSP, Cookies, XSS, XSRF, SQL Injection
- [SOP]
- Slides
Video - video link
video link
- Injection Attacks and Defenses
- [XSSDefenses] [XSRFDefenses]
- Slides
- video link
- Trusted Computing
- [Attestation]
- Slides
Do-it-yourself: TPM-JS - video link
- Intel SGX
- [SGX], [SCONE]
- Slides
- video link
- Side-channel attacks
- [Meltdown]
- Slides
- video link
- Unmapped speculation contract
- [USC/Ward]
- Slides
- ARM TrustZone
- [TrustZone]
- Slides
- video link
- Mobile Apps Security
- [TaintDroid]
- Slides
- video link
- Virtualization: VMI and Applications
- [VMI1] [VMI2] [VMI3]
- Slides
- video link
- Containers
- [Containers]
- Slides-1
Slides-2 - video link (Pt-1)
video link (Pt-2)
Syllabus and Readings
The syllabus is as follows. We will cover a broad spectrum of topics, ranging from attacks to defenses. The readings assigned for each topic appear below, and are also referenced in the schedule. I might occassionally use slides for class presentations, and will post those slides to Sakai. Many of the links to readings below point to files that sit behind a paywall. IISc has subscriptions to these paid sites. To access such readings for free, please click on the links from a machine on the iisc.ac.in domain or, if you're outside campus, using IISc VPN. Many authors also post their papers to their Web pages. Just Google the title of the paper and you will likely find a free copy.
- Topic
- Required Readings
- Memory-error Attacks
-
- [AlephOne] Smashing the Stack for Fun and Profit, Aleph One, Phrack 1996.
- [ROP] The Geometry of Innocent Flesh on the Bone: Return-to-LibC without Function Calls
- Sandboxing Mechanisms
-
- [SoftBound] SoftBound: Highly compatible and complete spatial memory safety for C
- [CFI] Control-flow Integrity
- [Dyck] Efficient Context-sensitive Intrusion Detection
- [MPK] Secure, Efficient In-process Isolation with Protection Keys
- [Taint] Dynamic Taint Analysis
- [PrivSep] Building Secure High-performance Web Services with OKWS
- [VMI1] A Virtual Machine Introspection-based Architecture for Intrusion Detection
- [VMI2] A comparison of software and hardware techniques for x86 virtualization
- [VMI3] Ensuring operating system kernel integrity with OSck
- Classic Topics
-
- [ConfDep] The Confused Deputy Problem
- [AccessControl] Access Control (till 4.2.10)
- [MLS] Multi-level Security
- [Authentication] Authentication Protocols
- [Crypto-1] Basics and historical context of crypto
- [Crypto-2] Symmetric key crypto
- [Crypto-3] Number theory and RSA
- Web Security
-
- [SOP] Beware of finer-grained origins
- [XSRFDefenses] Robust Defenses for XSRF
- [XSSDefenses] Robust Defenses for XSS
- Cloud Platforms and Hardware Support
-
- [Attestation] TCG based Integrity Measurement (Also, Anderson book 4.2.11 onwards)
- [SGX] Innovative Instructions and Software Model for Isolated Execution
- [SCONE] SCONE: Secure Linux Containers with Intel SGX
- [Containers] Introduction to Docker
- [Meltdown] Meltdown
- [USC] USC/Ward
- Mobile Apps and Devices