Cryptography
Core concepts:
principles of block ciphers (DES, AES), CBC, RSA,
DSA/El Gamal, Diffie-Hellman, basic authentication,
Needham-Schroeder/Kerberos, digital signatures, basic
knowledge of PKI and certificates, SSL/TLS.
Potential resource for learning about these:
Mao, Modern Cryptography: Theory and Practice
Chapters 7, 8, 11, 12.4, 12.5, 13.2
Required papers:
Why Cryptosystems Fail, Ross Anderson, ACM CCS 1993.
Prudent engineering practice for cryptographic protocols,
Martin Abadi, Roger Needham, IEEE Transactions on Software
Engineering 22(1):6--15.
Web security
Core concepts:
DOM model, same-origin policy, XSS, SQL injection, CSRF,
clickjacking, browser cookies, phishing
Potential resources for learning about these:
Zalewski,
The Tangled Web: A Guide to Securing Modern Web Applications
Chapter 9
Goodrich and Tamassia, Introduction to Computer Security
Chapter 7
Access control and Memory protection
Core concepts:
ACLs and access control matrices, capabilities, reference
monitors, complete mediation, delegation, the principle
of least privilege, authentication, authorization, virtual
memory, page-table based memory protection, covert channels,
side channels, network firewalls.
Potential resources for learning about these:
Sean Smith and John Marchesini, The Craft of System Security,
Addison-Wesley, 2007.
Required paper:
A note on the confinement problem, Butler Lampson,
CACM 16(10):613--615.
Software security
Beyond stack smashing: recent advances in exploiting buffer overruns,
Jonathan Pincus, Brandon Baker, IEEE Security & Privacy 2(4):20--27,
Jul-Aug 2004.
The Security Architecture of the Chromium Browser, Adam Barth,
Collin Jackson, Charles Reis, and The Google Chrome Team.
http://www.adambarth.com/papers/2008/barth-jackson-reis.pdf
Extensible security architectures for Java, Dan Wallach, Dirk
Balfanz, Drew Dean, Edward Felten, SOSP 1997.
Evaluating SFI for a CISC Architecture, Stephen McCamant and Greg
Morrisett, USENIX Security 2006.
TaintDroid: An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphones, W. Enck et al., OSDI 2010
Security and usability
Why Johnny Can't Encrypt, Alma Whitten, J.D. Tygar, in "Security
and Usability: Designing Secure Systems that People Can Use."
You've been warned: An empirical study of the effectiveness of web
browser phishing warnings, Serge Egelman, Lorrie Faith Cranor,
and Jason Hong, SIGCHI 2008.
Privacy and anonymity
Privacy-enhancing technologies for the Internet, Ian Goldberg,
David Wagner, Eric Brewer, IEEE COMPCON 1997.
Tor: The Second-Generation Onion Router, Roger Dingledine, Nick
Mathewson, Paul Syverson, USENIX Security 2004.
Legal/policy/economic issues
Why Information Security is Hard - An Economic Perspective, Ross
Anderson, ACSAC 2001.
Conducting Cybersecurity Research Legally and Ethically, Aaron
Burstein, USENIX LEET 2008.
Measuring Pay-per-Install: The Commoditization of Malware Distribution,
J. Caballero, C. Grier, C. Kreibich and V. Paxson, USENIX Security 2011
Network security
How to 0wn the Internet in Your Spare Time, Stuart Staniford, Vern
Paxson, Nicholas Weaver, USENIX Security 2002.
Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett
Stone-Gross et al, CCS 2009
SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding
Attacks, Abraham Yaar, Adrian Perrig, Dawn Song, IEEE S&P 2004.
Ethane: Taking Control of the Enterprise, Martin Casado et al.,
SIGCOMM 2007
Intrusion detection
The Base-Rate Fallacy and its Implications for the Difficulty of
Intrusion Detection, Stefan Axelsson, RAID 1999.
Bro: A System for Detecting Network Intruders in Real-Time, Vern
Paxson, Computer Networks, 31(23-24), pp. 2435--2463, 14 Dec. 1999.
The Security of Machine Learning, Marco Barreno, Blaine Nelson,
Anthony D. Joseph, and J. D. Tygar, Machine Learning Journal,
81(2), 2010, pg. 121-148.
Case studies
Security Analysis of the Diebold AccuVote-TS Voting Machine, Ariel
J. Feldman, J. Alex Halderman, Edward W. Felten, EVT 2007.
Tamper Resistance -- A Cautionary Note, Ross Anderson, Markus Kuhn,
USENIX Workshop on Electronic Commerce 1996.
This is a mirrored post. Source: 北邮人论坛 / security / #35796, synced on 2013/3/10
Posted by the Security bot
Reference materials for the UC Berkeley Security Prelim, for interested students
wen
2013/3/10 mirror sync, 0 replies