Security and Privacy - A Beginner's Guide
Proseminar, Winter 2015/16
|Instructor||Prof. Dr. Matteo Maffei|
|Teaching Assistants||Manuel Reinert, Ilya Grishchenko, Giulio Malavolta, Niklas Grimm|
|Organizational Meeting||Monday, October 26th, 12am-1pm|
|Registration deadline||October 24th, 23:59pm|
|Place||E1.7 (MMCI), room 0.01|
|Form/Credits||Proseminar, 5 ECTS (for Bachelor students)|
|1. Presentation Session||Monday, February 29th, 2016, 9-12am|
|2. Presentation Session||Monday, February 29th, 2016, 1-4pm|
|3. Presentation Session||Tuesday, March 1st, 2016, 9-12am|
|4. Presentation Session||Tuesday, March 1st, 2016, 1-4am|
|Contact||<manuel's surname> at cs dot uni-saarland dot de, <giulio's surname> at cs dot uni-saarland dot de, <giulio's surname> at cs dot uni-saarland dot de, <niklas's surname> at cs dot uni-saarland dot de|
The permanently released news about spying on private data and personal information by the US government has received increasing attention among governments, mass media, and the scientific community. This stresses the importance of developing and deploying secure and privacy-preserving systems in our digital lives.
- How do we securely transfer messages from one party to another?
- How can we browse the Internet anonymously?
- Which attacks on prominent protocols do exist?
- And how can we prove a given protocol or system secure?
In this proseminar, we will conduct research to provide answers to these and other basic questions concerning security and privacy.
Topic I. Cryptography
- A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Ronald L. Rivest, Adi Shamir, and Leonard Adleman, in Communications of the ACM, 1978
- Secret Sharing
- How to Share a Secret. Adi Shamir, in Communications of the ACM, 1979
- Generalized Secret Sharing and Monotone Functions. Josh Cohen Benaloh and Jerry Leichter, in CRYTPO, 1988
- A Design Principle for Hash Functions. Ivan B. Damgård, in CRYPTO, 1989
- Zero-knowledge proofs
- How to Explain Zero-Knowledge Protocols to Your Children. Jean-Jacques Quisquater, Myriam Quisquater, Muriel Quisquater, Michaël Quisquater, Louis C. Guillou, Marie Annick Guillou, Gaïd Guillou, Anna Guillou, Gwenolé Guillou, Soazig Guillou, Thomas A. Berson, in CRYPTO, 1989
- The Knowledge Complexity of Interactive Proof-systems. Shafi Goldwasser, Silvio Micali, and Charles Rackoff, in STOC, 1985
Topic II. Web Security
- Robust Defenses for Cross-Site Request Forgery. Adam Barth, Collin Jackson, and John C. Mitchell, in CCS, 2008
- Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks. Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic, in SAC, 2006
- A Classification of SQL Injection Attacks and Countermeasures. William G.J. Halfond, Jeremy Viegas, and Alessandro Orso, in ISSSE, 2006
- SessionShield: Lightweight Protection against Session Hijacking. Nick Nikiforakis, Wannes Meert, Yves Younan, Martin Johns, and Wouter Joosen, in ESSoS, 2011
Topic III. Mobile Security
- Android Permissions Demystified. Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, and David Wagner, in CCS, 2011
- PiOS: Detecting Privacy Leaks in iOS Applications. Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna, in NDSS, 2011
- FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel, in PLDI, 2014
- Boxify: Full-fledged App Sandboxing for Stock Android. Michael Backes, Sven Bugiel, Christian Hammer, Oliver Schranz, and Philipp von Styp-Rekowsky, in USENIX Security, 2015
Topic IV. Privacy-Enhancing Technologies
- Path ORAM: An Extremely Simple Oblivious RAM Protocol.Emil Stefanov, Marten van Dijk, Elaine Shi, T-H. Hubert Chan, Christopher Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas, in CCS, 2013
- A Survey of Single-Database PIR: Techniques and Applications. Rafail Ostrovsky and William E. Skeith III, invited plenary talk in PKC, 2007
- How Unique Is Your Web Browser? Peter Eckersley, in PETS, 2010
- De-anonymizing Genomic Databases Using Phenotypic Traits. Mathias Humbert, Kévin Huguenin, Joachim Hugonot, Erman Ayday, and Jean-Pierre Hubaux, in PETS, 2015
You will be supervised by the TA who is responsible for the respective chosen topic. Then, you have to complete five milestones in order to pass the course. The milestones guide you towards a final talk, which you give in English, lasting for 30 minutes plus 15 minutes of questions and discussions.
- Discussion session: you meet with your advisor and discuss the paper so as to understand it in depth. You have to make sure to clarify any kind of problems in understanding the paper.
- Story discussion: you present and discuss the outline of your talk with your advisor. The outline is the slides of the presentation with titles only, i.e., no content. At this point in the preparation for the final talk, we are only interested in the story skeleton that you want to tell (see it as a summary of the talk).
- Practice talk: you meet with your advisor together with another student of that advisor no later than the end of the lecture period (February 12th, 2016) and give a practice talk each. The presenter will get feedback both from the advisor and the fellow student in order to improve the talk towards the final presentation. We focus not only on the content of the talk, meaning how the skeleton is filled and the paper is conveyed, but most importantly on the quality of the slides and the performance of the talk itself. These sessions usually take between two and three hours.
- Final talk: you present your improved talk to all of your fellow students and all advisors. In these sessions, every student is encouraged to actively participate in the question and answer session.
- Written summary: you summarize your talks in a four page survey which includes a short overview of the paper as well as your own thoughts on strengths and weaknesses thereof. Moreover, you should discuss the applications and influences that the paper had (or could have) on other works. The summary must be written in LaTeX (you can use our template with example bibliography file).
Any form of plagiarism is forbidden. In case of questions, do not hesitate to contact us.
Participation in the organizational meeting and all the presentation sessions is mandatory.
|Paper discussion with your advisor||before 28.11.2015|
|Story discussion (empty slides with titles only)||before 19.12.2015|
|Practice talk||before 12.02.2016|
|Final talk sessions||29.02.2016 and 01.03.2016|
|Written summary||13.03.2016, 23:59|
To pass the proseminar you are required to meet all
milestone deadlines (see the table above).
Your final grade is based on your preparation for the story of your talk (15%), your preparation for your practice talk (15%), the quality of your final talk (50%), and the quality of your written summary (20%). All grades must be 4.0 or higher.
We decided to hold this proseminar in English for several reasons.
- The research papers and book chapters that you will read are written in English.
- Many notions that occur in the security and privacy literature do not have a German translation, for instance, there is no distinguished word in German that captures the intended meaning of "privacy-preserving systems" or "differential privacy". So for a German talk you would necessarily have to invent new translations (unknown to everyone but you) or mostly speak in "Denglisch".
- The proseminar provides you with a safe space to practice your English. Speaking and writing in English will be required of you in most of your follow-up courses and seminars (if not all) and in your future career.
- English is fun!
Don't worry, the TAs speak both German and English and will help you in case of problems. Moreover, your grade will not be influenced by your language skills!
You should enjoy math and theoretical computer science!
We expect you to have passed at least the basic lectures "Programmierung 1" and "Mathematik für Informatiker 1 & 2" (or equivalent).
The proseminar is meant to be an introduction to cryptography, security, and privacy-oriented research and thus intended for Bachelor students who have not taken lectures related to security and privacy yet, in particular, Security, Cryptography, Grundlagen der Cybersicherheit, PETs, etc.
How to register
The registration deadline is Monday, October 19th, 2015 at
For registering, please send an e-mail as early as possible to <manuel's surname> at cs dot uni-saarland dot de, indicating your name, matriculation number, your study program, and courses related to security, privacy, and cryptography which you have already taken.
When distributing the spots in the proseminar, we use two policies: firstly, Bachelor students come before others; secondly, first-come-first-serve.
Please note that the number of participants is limited to 16!
As usual, you have to register in the LSF/HISPOS system.