We will read the following papers. The topics are listed in the order in which they will be taken up for class discussion. Papers marked with a (*) can be chosen for presentation; I will present the ones that are not chosen. More papers will be added to the schedule.
The dates posted here are only a rough guide; they are not definitive.
- Web Privacy
- (1/21) [Timing] Timing Attacks on Web Privacy by Felten and Schneider. ACM CCS 2000.
- (1/26) [Browser-State] Protecting Browser State from Web Privacy Attacks by Jackson, Bortz, Boneh and Mitchell. WWW 2006.
- (1/28) [Doppelganger] Doppelganger: Better Browser Privacy Without the Bother by Shankar and Karlof. ACM CCS 2006. Presenter: Wiktor Lukasik.
- Web-based Attacks
- (2/2) [iFRAMEs] All Your iFRAMEs Point to Us by Provos, Mavrommatis, Abu Rajab and Monrose. USENIX Security 2008. (*) Presenter: Ameet Kotian
- (2/4) [HoneyMonkeys] Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities by Wang, Beck, Jiang, Roussev, Verbowski, Chen and King. Network and Distributed System Security Symposium (NDSS) 2006. (*) Presenter: Harjinder Dhadda
- (2/9) [DNS-Rebinding] Protecting Browsers from DNS Rebinding Attacks by Jackson, Barth, Bortz, Shao and Boneh. ACM CCS 2007. (*) Presenter: Wenyuan Fei
- (2/11) [XSRF] Robust Defenses for Cross-Site Request Forgery by Barth, Jackson and Mitchell. ACM CCS 2008. (*) Presenter: O. Rick Fonorow
- Browser Environment Design
- (2/16) [OP] Secure Web Browsing with the OP Web Browser by Grier, Tang and King. IEEE S&P 2008. (*) Presenter: Nimit Shah
- (2/18) [Chrome] The Security Architecture of the Chromium Browser by Barth, Jackson, Reis and the Google Chrome Team. (*) Presenter: Kalpana Gondi
- (2/23) [Tahoma] A Safety-Oriented Platform for Web Applications by Cox, Hansen, Gribble and Levy. IEEE S&P 2006. (*) Presenter: Gurumurthy Athisenbagam
- (2/25) [SpyProxy] SpyProxy: Execution-based Detection of Malicious Web Content by Moshchuk, Bragin, Deville, Gribble and Levy. USENIX Security 2007. (*) Presenter: Karthik Thotta Ganesh
- Misc. Web Security Papers
- (2/4) [Web-Tripwire] Detecting In-Flight Page Changes with Web Tripwires by Reis, Gribble, Kohno and Weaver. NSDI 2008. (*) Presenter: Himanshu Sharma
- (3/4) [Design-flaws] Analyzing Websites for User-Visible Security Design Flaws by Falk, Prakash and Borders. SOUPS 2008. (*) Presenter: Prithvi Bisht
- (3/9) [Gazelle] The Multi-Principal OS Construction of the Gazelle Web Browser by Wang, Grier, Moshchuk, King, Choudhury and Venter. Presenter: Sunil Shivanand.
- XSS, JavaScript, Mashups
- Mashups
- (3/11) [MashupOS] MashupOS: Operating System Abstractions for Client Mashups by Howell, Jackson, Wang and Fan. HotOS 2007. (*) Presenter: Mike Ter Louw
- (3/16) [Subspace] Subspace: Secure Cross-Domain Communication for Web Browsers by Jackson and Wang. WWW 2007. (*) Presenter: Rohini Krishnamurthi
- (3/18) [SMash] SMash: Secure Cross-Domain Mashups on Unmodified Browsers by De Keukelaere, Bhola, Steiner, Chari and Yoshihama. WWW 2008. (*) Presenter: Brian Beirne
- (3/23, 3/25) Spring Break
- (3/30, 4/1) Classes rescheduled for later.
- (4/6) Dagstuhl trip summary
- (4/8) [OMash] OMash: Enabling Secure Web Mashups via Object Abstractions by Crites, Hsu and Chen. ACM CCS 2008. (*) Presenter: Sujatha Nagarajan.
- Electronic Voting Security
- (4/13) [Diebold-Analysis] Analysis of an Electronic Voting System by Kohno, Stubblefield, Rubin and Wallach. IEEE S&P 2004.
- (4/20) [Voting-Design] Designing Voting Machines for Verification by Sastry, Kohno and Wagner. USENIX Security 2006. (*) Presenter: Katya Kisyova
- (4/20) [Helios] Helios: Web-based Open-Audit Voting by Adida. USENIX Security 2008. (*) Presenter: Balamurgan Prabhakaran
- (4/22) [Pvote] Prerendered User Interfaces for Higher-Assurance Electronic Voting by Yee, Wagner, Hearst and Bellovin. USENIX/ACCURATE Electronic Voting Technology Workshop (EVT) 2006. (*) Presenter: Rahul Kognati
- (4/22) [Stop-Gap] You Go to Elections with the Voting System You Have: Stop-Gap Mitigations for Deployed Voting Systems by Halderman, Rescorla, Shacham and Wagner. USENIX/ACCURATE Electronic Voting Technology Workshop (EVT) 2008. Presenter: Praveen Venkatachari
- Project Presentations start on 4/27. Plan for 20 minutes per project.