CS 598

COMPUTER SECURITY IN THE PHYSICAL WORLD

Logistics

Instructor: Adam Bates (batesa@illinois.edu)
Location and Time: Siebel Center 1302, Tue/Thurs 3:30 pm - 4:45 pm
Office Hours: Siebel Center 4306, Mon 3:00 pm - 4:00 pm and by appointment
Schedule: link

Course Description

As the world becomes increasingly connected and driven by computing, failures of secure design have tremendous real-world impact. USB flash drives are secreted across physical security checkpoints in order to steal sensitive information. The Stuxnet worm, a sophisticated strain of malware, was designed to destroy centrifuges used for uranium enrichment. Preserving the integrity of software-controlled automobiles and medical devices carries life-or-death implications. Infrastructure is tied to computing, and understanding how the practices of computer security have real-life, real-world implications is important to secure software and hardware design.

From lockpicking to cyber-physical systems, from cell phones to radios, this seminar will examine recent work in security that influences a wide variety of physical world phenomena, sometimes in unexpected ways. The course readings will come from top security conferences, featuring both seminal and late-breaking papers in the field. Links to these papers will be provided on the course pages. In addition, links to critical reference materials will also be provided.

A detailed list of lecture-by-lecture contents, assignments, and due dates (subject to change as the term evolves) will be available on the course schedule.

Please contact the instructor if you have questions regarding the material or concerns about whether your background is suitable for the course.

Class Participation

The expectations for the course are that students will attend every class, do the readings assigned for class, and actively and constructively participate in class discussions. Students will be called upon to present some of the material for the class and to scribe notes.

Class participation will be a measure of contributing to the discourse both in class, through discussion and questions, and outside of class through contributing and responding to the mailing list. I have little interest in having people spam the class or the list with content-free statements in the hopes of sounding like they are participating; this will be more a measure of engagement with the material.

More information about course requirements will be made available leading up to the start of classes.

Course Project

There will also be a major research project in security, with the chief product being a conference-style paper. Project topics will be discussed in class after the introductory material is completed, and may be proposed through email or during meetings outside of class with Prof. Butler. Be realistic about what can be accomplished in a single semester; in order to be able to perform any interesting work, the sooner a topic is chosen, the better the end-result will be. However, the work should reflect real thought and effort - projects executed in the closing days of the semester are unlikely to be well received. The grade will be based on the following factors: novelty, depth, correctness, clarity of presentation, and effort.

Project teams may include groups of up to three students; however, groups of greater size will be expected to make greater progress. I will advise each team/individual independently as needed. The project grade will be a combination of grades received for a number of milestone artifacts and the final conference-quality report. Details of the milestones and content will be given in class with the other project details.

Academic Integrity Policy

Students are required to follow the university guidelines on academic conduct at all times. Students failing to meet these standards will be reported to the Dean of Students, which can result in the student receiving an 'E' grade for the course. The instructor carefully monitors for instances of offenses such as plagiarism and illegal collaboration, so it is very important that students use their best possible judgement in meeting this policy.

Ethics Statement

This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As security professionals, we rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measures for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class and possibly more severe academic and legal sanctions.

When in doubt, please contact Professor Bates for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from Professor Bates.