Schedule & Readings


You are usually only required to read one paper for each class. Any additional papers listed are optional.

Check back regularly for updates to the schedule.


unit date topic instr. reading notes
Unit 1: Introduction
1/16/17 No class, Martin Luther King Day
1/18/17 Class cancelled
1/23/17 Introduction I
1/25/17 Introduction II
Unit 2: Browser Components
1/30/17 Policies [1] [2]
2/1/17 Frames [3] [4] [5] Homework 1 out
2/6/17 Cookies [6]
Unit 3: Better browser architecture
2/8/17 Browser vulnerability mitigation I [7] [8]
2/13/17 Project proposal
2/15/17 Browser vulnerability mitigation II [9] [10] single singn on, Homework 1 due
2/20/17 Language based isolation [11] Ransomware
2/22/17 Sandboxing [12] Homework 2 out, Test 1 (45 minutes)
Unit 4: Extensions
2/27/17 Browser extension architecture [13] [14] Web cloaking
3/1/17 Extension Vulnerabilities [15] [16] [17] Spearphishing (sv)
Unit 5: Privacy
3/6/17 Tracking [18] [19] [20] [21] [22] Pentesting like a grandmaster with OWTF
3/8/17 Browser fingerprinting [23] [24]
3/13/17 No class, spring break
3/15/17 No class, spring break
3/20/17 Midterm project presentation Homework 2 due
3/22/17 Midterm project presentation FOXACID, Homework 3 out
Unit 6: Other vulnerabilities
3/27/17 Protocol attack 1 [25] [26] Test 2 (45 minutes), HW3 out
3/29/17 Protocol attack 2 [27] [28] Logjam attack
4/3/17 Heap spray attacks [29] [30]
Unit 7: Information flow browsers
4/5/17 Flowfox [31] Domain parking
4/10/17 Taint tracking [32] [33] [34] Security indicators, Private browsing mode (sv)
4/12/17 Test 3 HW3 checkpoint due
Unit 8: Advanced topics
4/17/17 COWL: A confinement system for web [35] Servo
4/19/17 Browser shim verification [36] DDos (sv)
4/24/17 Formal models [37] Browsers extension mechanisms
Unit 9: Wrapping up
4/26/17 No class, work on project HW3 due
5/1/17 Project presentation
5/3/17 Project presentation

[1]Reining in the web with content security policy.
Stamm Sid, Sterne Brandon and Markham Gervase.
In Proceedings of the 19th International Conference on World Wide Web, 2010.
[2]On the incoherencies in web browser access control policies.
Singh Kapil, Moshchuk Alexander, Wang Helen J., and Lee Wenke.
In Proceedings of the 2010 IEEE Symposium on Security and Privacy, 2010.
[3]Busting frame busting: a study of clickjacking vulnerabilities at popular sites.
Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson.
In IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010), 2010.
[4]Securing frame communication in browsers.
Barth Adam, Jackson Collin and Mitchell John C..
In Proceedings of the 17th Conference on Security Symposium, 2008.
[5]The postman always rings twice: attacking and defending postmessage.
Sooel Son and.
In 20th Annual Network and Distributed System Security Symposium, NDSS, 2013.
[6]Cookies lack integrity: real-world implications.
Zheng Xiaofeng, Jiang Jian, Liang Jinjin, Duan Haixin, Chen Shuo, Wan Tao, and Weaver Nicholas.
In Proceedings of the 24th USENIX Conference on Security Symposium, 2015.
[7]Secure web browsing with the op web browser.
Grier Chris, Tang Shuo and King Samuel T..
In Proceedings of the 2008 IEEE Symposium on Security and Privacy, 2008.
[8]A safety-oriented platform for web applications.
Cox Richard S., Gribble Steven D., Levy Henry M., and Hansen Jacob Gorm.
In Proceedings of the 2006 IEEE Symposium on Security and Privacy, 2006.
[9]The multi-principal os construction of the gazelle web browser.
Wang Helen J., Grier Chris, Moshchuk Alexander, King Samuel T., Choudhury Piali, and Venter Herman.
In Proceedings of the 18th Conference on USENIX Security Symposium, 2009.
[10]The security architecture of the chromium browser.
Adam Barth, Charles Reis, Collin Jackson, and Google Chrome Team Google Inc..
2008.
[11]Automated analysis of security-critical javascript apis.
Taly Ankur, Erlingsson \'Ulfar, Mitchell John C., Miller Mark S., and Nagra Jasvir.
In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011.
[12]Native client: a sandbox for portable, untrusted x86 native code.
Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Orm, Shiki Okasaka, Neha Narula, Nicholas Fullagar, and Google Inc.
In Proceedings of the 2009 IEEE Symposium on Security and Privacy, 2009.
[13]An evaluation of the google chrome extension security architecture.
Carlini Nicholas, Felt Adrienne Porter and Wagner David.
In Proceedings of the 21st USENIX Conference on Security Symposium, 2012. USENIX Association.
[14]Protecting browsers from extension vulnerabilities.
Adam Barth, Adrienne Porter Felt, Prateek Saxena, and Aaron Boodman.
In Proceedings of the Network and Distributed System Security Symposium, 2010.
[15]Analyzing the dangers posed by Chrome extensions.
Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, and Yuan Tian.
In Proceedings of the IEEE Conference on Communications and Network Security, 2014.
[16]Hulk: eliciting malicious behavior in browser extensions.
Kapravelos Alexandros, Grier Chris, Chachra Neha, Kruegel Christopher, Vigna Giovanni, and Paxson Vern.
In Proceedings of the 23rd USENIX Conference on Security Symposium, 2014.
[17]Crossfire: an analysis of firefox extension-reuse vulnerabilities.
Ahmet Buyukkayhan, Kaan Onarlioglu, William Robertson, and Engin Kirda.
In Proceedings of the Network and Distributed System Security Symposium, 2016.
[18]Detecting and defending against third-party tracking on the web.
Roesner Franziska, Kohno Tadayoshi and Wetherall David.
In Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation, 2012.
[19]Third-party web tracking: policy and technology.
Mayer Jonathan R. and Mitchell John C..
In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012.
[20]The web never forgets: persistent tracking mechanisms in the wild.
Acar Gunes, Eubank Christian, Englehardt Steven, Juarez Marc, Narayanan Arvind, and Diaz Claudia.
In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014.
[21]Online tracking: a 1-million-site measurement and analysis.
Englehardt Steven and Narayanan Arvind.
In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016.
[22]Cookies that give you away: the surveillance implications of web tracking.
Englehardt Steven, Reisman Dillon, Eubank Christian, Zimmerman Peter, Mayer Jonathan, Narayanan Arvind, and Felten Edward W..
In Proceedings of the 24th International Conference on World Wide Web, 2015.
[23]How unique is your web browser?
Eckersley Peter.
In Proceedings of the 10th International Conference on Privacy Enhancing Technologies, pages 1–18, 2010.
[24]Cookieless monster: exploring the ecosystem of web-based device fingerprinting.
Nikiforakis Nick, Kapravelos Alexandros, Joosen Wouter, Kruegel Christopher, Piessens Frank, and Vigna Giovanni.
In Proceedings of the 2013 IEEE Symposium on Security and Privacy,
[25]Protecting browsers from dns rebinding attacks.
Jackson Collin, Barth Adam, Bortz Andrew, Shao Weidong, and Boneh Dan.
In Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
[26]Dynamic pharming attacks and locked same-origin policies for web browsers.
Karlof Chris, Shankar Umesh, Tygar J. D., and Wagner David.
In Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
[27]Pretty-bad-proxy: an overlooked adversary in browsers' https deployments.
Chen Shuo, Mao Ziqing, Wang Yi-Min, and Zhang Ming.
In Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, 2009.
[28]Drown: breaking tls using sslv2.
Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia K\"asper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt.
In 25th USENIX Security Symposium (USENIX Security 16), 2016.
[29]Zozzle: fast and precise in-browser javascript malware detection.
Curtsinger Charlie, Livshits Benjamin, Zorn Benjamin, and Seifert Christian.
In Proceedings of the 20th USENIX Conference on Security, 2011.
[30]The devil is in the constants: bypassing defenses in browser JIT engines.
Michalis Athanasakis, Elias Athanasopoulos, Michalis Polychronakis, Georgios Portokalidis, and Sotiris Ioannidis.
In Proceedings of the Network and Distributed System Security Symposium, 2015.
[31]Flowfox: a web browser with flexible and precise information flow control.
De Groef Willem, Devriese Dominique, Nikiforakis Nick, and Piessens Frank.
In Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012.
[32]Information flow control for event handling and the dom in web browsers.
Rajani Vineet, Bichhawat Abhishek, Garg Deepak, and Hammer Christian.
In Proceedings of the 2015 IEEE 28th Computer Security Foundations Symposium, 2015.
[33]Information flow control in webkit’s javascript bytecode.
Rajani Vineet, Bichhawat Abhishek, Garg Deepak, and Hammer Christian.
In Proceedings of International Conference on Principles of Security and Trust, 2014.
[34]Run-time monitoring and formal analysis of information flows in chromium.
Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, Michael Stroucken, and Yuan Tian.
In Proceedings of the Network and Distributed System Security Symposium, 2015.
[35]Protecting users by confining javascript with cowl.
Stefan Deian, Yang Edward Z., Marchenko Petr, Russo Alejandro, Herman Dave, Karp Brad, and Mazi\'eres David.
In Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation, 2014.
[36]Establishing browser security guarantees through formal shim verification.
Jang Dongseok, Tatlock Zachary and Lerner Sorin.
In Proceedings of the 21st USENIX Conference on Security Symposium, 2012.
[37]Verified security for browser extensions.
Guha Arjun, Fredrikson Matthew, Livshits Benjamin, and Swamy Nikhil.
In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011.