COMP 5407W (Winter 2017): Authentication and Software Security [A, S]

Last updated: Mar.21, 2017. Send comments to: paulv (insert @ here)

Course web site for updates:

Calendar course description: Specialized topics in security including those selected from: advanced authentication techniques, user interface aspects, electronic and digital signatures, security infrastructures and protocols, software vulnerabilities affecting security, untrusted software and hosts, protecting software and digital content.

Essential Course Details

References and Sources. Lectures will largely be drawn from research papers (generally available online), and supplementary material given in class; students are thus expected to attend all classes. For those wishing to brush up on background reading, recommendations include Stallings and Brown (2014) and Gollmann (2011) among others found on this list. No specific access to computing labs should be required, but labs in the Herzberg Building require a Carleton University Campus Card, with access based on the courses you are registered in and the School's Lab Access Schedule.

University Policies. See the bottom of this page.

Detailed Topics. Topics are updated each year. A preliminary plan for this year is below (these are representative and will be updated as the term progresses). Notation for background references: "HAC ssN" denotes section N in Handbook of Applied Cryptography, which is available free online; tbd = to be determined.

  • Class 1 (Jan.5): Security metrics for password distributions. Metrics for guessing difficulty, Bonneau (Ch.3 in: Guessing Human-chosen Secrets, PhD thesis, Cambridge, 2012). Begin Project 1 immediately. Advanced reading: The science of guessing: analyzing an anonymized corpus of 70 million passwords, Bonneau (Oakland 2012).

  • Class 2 (Jan.10): Analyzing a leaked password distribution. Testing Metrics for Password Creation Policies, Weir et al. (ACM CCS 2010 - also here).

  • Class 3 (Jan.12): Strong Password-Protocols. EKE: Password-Based Protocols Secure Against Dictionary Attack, Bellovin and Merritt (IEEE S&P 1992). Optional/supplementary (attacks on EKE; alternatives SPEKE, SRP): Number Theoretic Attacks on Secure Password Schemes, S. Patel (IEEE S&P 1997); Strong Password-Only Authenticated Key Exchange, D. Jablon (ACM Computer Communications Review, October 1996); Extended Password Key Exchange Protocols Immune to Dictionary Attack, D. Jablon (WET-ICE 1997); The Secure Remote Password Protocol, T. Wu (NDSS 1998).

  • Class 4 (Jan.17): Off-line dictionary attacks and verifiable text. Protecting Poorly Chosen Secrets from Guessing Attacks, Gong et al. (IEEE JSAC vol.11 no.5 June 1993). Background review: passwords (HAC ss10.2.1-10.2.2), time variant parameters (HAC ss10.3.1).

  • Class 5 (Jan.19): Password Aging. The Security of Modern Password Expiration, Zhang et al. (ACM CCS, 2010). Optional/supplementary: Quantifying the Security Advantage of Password Expiration Policies, Chiasson and van Oorschot (DCC 2015); see these slides with graphs not found in the paper.

  • Classes 6 & 7 (Jan.24, 26): Defending password attacks; on-line vs. offline attacks. An Administrator's Guide to Internet Password Research, Florencio et al. (USENIX LISA, 2014). Pushing on string: The don't care region of password strength, Florencio et al. (CACM Nov.2016).

  • Classes 8 & 9 (Jan.31, Feb.2): Evaluating alternatives for web user authentication. The Quest to Replace Passwords, Bonneau et al. (IEEE Oakland, 2012).

  • Classes 10-12 (Feb.7, 9, 14): Web server certificates, server authentication/browser trust model, TLS infrastructure. Project 1 is due in class Feb.9 (hard copy). The Inconvenient Truth about Web Certificates, Vratonjic et al. (WEIS 2011); and SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements (omit section III), Clark et al. (IEEE Oakland, 2013). Background review (supplementary): certificate infrastructure and trust models (HAC, pp.559-560; 572-581) and implementation issues, RSA signatures (pp.433-434).

  • Class 13 (Feb.16): Enhancements to HTTPS. Upgrading HTTPS in Mid-Air (sections I-III), Kranch & Bonneau (NDSS 2015); Certificate Transparency, Laurie (CACM Oct.2014) and IETF RFC 6962 (Certificate Transparency); see also Google's certificate transparency project site. Supplementary (issues with SSL infrastructure): 48-minute video SSL and the Future of Authenticity (Convergence Project), Marlinspike (BlackHat USA 2011).

  • Feb.20-24: No classes (winter reading week). Project 2 (see above) topic proposal due: Feb.27.

  • Classes 14-15 (Feb.28, Mar.2): HTTPS and content delivery networks (CDNs). Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem, Cangialosi et al. (ACM CCS 2016) and Bruce Maggs' related invited talk on CDNs (USENIX Security 2016); When HTTPS meets CDN: A Case of Authentication in Delegated Service, Liang et al. (IEEE Oakland 2014).

  • Class 16 (Mar.7): Test (in class).

  • Class 17 (Mar.9): Secure OSs, mandatory access control (MAC), trusted computing. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, Loscocco et al. (NISSC 1998). Supplementary: the previous paper motivates SELinux and trusted computing. Flask microkernel-based OS: The Flask Security Architecture: System Support for Diverse Security Policies, Spencer et al. (USENIX Security 1999). SELinux: Integrating Flexible Support for Security Policies into the Linux Operating System, Loscocco & Smalley (FREENIX/USENIX Annual, 2001; 62-page extended version also available). Linux Security Modules: General Security Support for the Linux Kernel, Wright et al. (USENIX Security 2002). Bootstrapping Trust in Commodity Computers, Parno et al. (IEEE Oakland 2010; optionally see also extended book version). Intel SGX (Software Guard Extensions).

  • Classes 18-23 (Mar.14-30): student presentations (Project 2, see above). Plan 30 minutes each (40 minutes max). It is strongly recommended that topics selected are based on 2014-2016 papers presented at the big-four security conferences (NDSS, IEEE Symp. Security & Privacy, USENIX Security, ACM CCS).
    Class 18 (Mar.14):
    Heng Sun Chao: password meters and the online-offline gap.
    Sophie Le Page: federated ID systems/OpenID/OAuth 2.0.
    Class 19 (Mar.16):
    Srivastav Janapalli: password managers (evolution and our trust in them).
    Michael Lutaaya: password managers (evaluation of latest proposals).
    Class 20 (Mar.21):
    Sana Maqsood: content security policy/web security and XSS/website code injection.
    Ramandeep Kaur: web security.
    Class 21 (Mar.23):
    Jennifer Ubah: secure messaging (IM)/Signal Protocol (TextSecure).
    Nelson Umunna: secure email.
    Class 22 (Mar.28):
    Janarthana Sivaraman: password mnemonics and memorability.
    Nilofar Mansourzadeh: password vaults.
    Class 23 (Mar.30):
    Venkata Brundavanan: phishing.
    Amandeep Kaur: big-data security.

  • Class 24 (Apr.4): Heartbleed TLS incident. The Matter of Heartbleed (Durumeric et al., IMC'14).

  • Class 25 (Apr.6): Device finger-printing, Internet geolocation, and authentication.

  • Supplementary background on malware: classic introductory papers. McIlroy, Virology 101 (Computing Systems, Spring 1989). Thompson, Reflections on Trusting Trust (Comm. ACM, Aug.1984). Computer Virus-Antivirus Coevolution, Nachenberg (Comm. ACM, Jan. 1997; pdf available online). The Internet Worm (Spafford, C.ACM 1989 32(6):678-687, pdf available online). With Microscope and Tweezers: The Worm from MIT's Perspective (Rochlis and Eichin, C.ACM 1989 32(6):689-698).

    Supplementary background on drive-by downloads and browser security. The Ghost in the Browser (Provos et al., USENIX HotBots'07) and All Your iFRAMEs Point to Us (Provos et al., USENIX Security 2008). Cybercrime 2.0: When the Cloud Turns Dark (Provos et al., C.ACM 52(4):42-47, 2009).

    Supplementary background on SOP (same-origin policy), XSS attacks: Cross-site Scripting Worms and Viruses, Grossman (white paper, updated June 2007); Browser security handbook, Michal Zalewski (2008, 2009 online resource); Same-Origin Mutual Approval: Mutual Approval for Included Content in Web Pages, Oda et al. (ACM CCS 2008).

    Supplementary background on malware, malware networks, rootkits. The History and Evolution of Computer Viruses (Mikko Hypponen, 49min, DEFCON 2011 talk). W32.Stuxnet Dossier (v1.4, Feb.2011, Symantec report by N. Falliere, Liam O Murchu, E. Chien). The Spread of the Sapphire/Slammer Worm (Feb.2003), Moore et al. (or version in S&P magazine).

    Supplemental background on phishing (web-spoofing) and pharming (DNS-based exploits): Client-Side Defense Against Web-Based Identity Theft, Chou et al. (NDSS'04). The Phishing Guide, Gunter Ollmann (white paper, 2007); on malicious javascript/keylogging: Stronger Password Authentication Using Browser Extensions, Ross et al. (USENIX Security 2005). The Pharming Guide, Gunter Ollmann (white paper, July 2005).

    === University Policies (start) ===
    Student Academic Integrity Policy. Every student should be familiar with the Carleton University student academic integrity policy. A student found in violation of academic integrity standards may be awarded penalties which range from a reprimand to receiving a grade of F in the course or even being expelled from the program or University. Some examples of offences are: plagiarism and unauthorized co-operation or collaboration. Information on this policy may be found in the Undergraduate Calendar.
    Plagiarism. As defined by Senate, "plagiarism is presenting, whether intentional or not, the ideas, expression of ideas or work of others as one's own". Reported offences will be reviewed by the office of the Dean of Science.
    Unauthorized Co-operation or Collaboration. Senate policy states that "to ensure fairness and equity in assessment of term work, students shall not co-operate or collaborate in the completion of an academic assignment, in whole or in part, when the instructor has indicated that the assignment is to be completed on an individual basis". Please refer to the course outline statement or the instructor concerning this issue. COMP 4108 addendum: Beyond any other standard university policies, any student submitting work including uncited portions originating from someone else, is subject to a mark of negative 100% on the entire work item. For example, if an assignment is worth 10%, the 10% is lost plus an additional 10% penalty, making the best possible course mark 80%. Both students may be penalized if the infraction involves copying from another student. Each student must write up submitted work individually unless explicitly allowed otherwise per official instructions (e.g., in group-based assignments).
    Academic Accommodations for Students with Disabilities. The Paul Menton Centre for Students with Disabilities (PMC) provides services to students with Learning Disabilities (LD), psychiatric/mental health disabilities, Attention Deficit Hyperactivity Disorder (ADHD), Autism Spectrum Disorders (ASD), chronic medical conditions, and impairments in mobility, hearing, and vision. If you have a disability requiring academic accommodations in this course, please contact PMC at 613-520-6608 or for a formal evaluation. If you are already registered with the PMC, contact your PMC coordinator to send your course instructor your Letter of Accommodation at the beginning of the term, and no later than two weeks before the first in-class scheduled test or exam requiring accommodation (if applicable). After requesting accommodation from PMC, meet with your course instructor to ensure accommodation arrangements are made. Please consult the PMC website for the deadline to request accommodations for the formally-scheduled exam (if applicable) at
    Religious Obligation: Write to the course instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to exist. For more details visit the Equity Services website:
    Pregnancy Obligation: Write to the course instructor with any requests for academic accommodation during the first two weeks of class, or as soon as possible after the need for accommodation is known to exist. For more details visit the Equity Services website:
    Medical Certificate: The official medical certificate (form) accepted by Carleton University for the deferral of final examinations or assignments in undergraduate courses can be accessed from:
    === University Policies (end) ===