The papers marked (♦) are highly recommended by the instructor.
1)
Techniques for Protecting Software (and Media Objects)
a)
Watermarking
¨
S Craver, N Memon, B-L
Yeo, and M Yeung, “Resolving Rightful Ownerships with Invisible Watermarking
Techniques: Limitations, Attacks, and Implications,” IEEE Journal on
Selected Areas in Communications 16(4), 573-586, May 1998.
¨
S Greenberg, “Easter
Egg Insertion, Detection and Deletion in Commercial Software”, 600.505
Independent Research Project, Department of Computer Science, Johns Hopkins
University (USA), 29 June 2000.
Available http://www.cs.jhu.edu/~kalb,
March 2002.
¨ J Palsberg, S Krishnaswamy, M Kwon, D Ma, Q Shao, and Y Zhang, Experience with software watermarking, In Proceedings of the 16th Annual Computer Security Applications Conference, ACSAC '00, IEEE, 308-316, 2000. Available: http://www.cs.purdue.edu/homes/madi/wm/, March 2002.
¨ J Stern, G Hachez, F Koeune, and J-J Quisquater, "Robust Object Watermarking: Application to Code." In LNCS 1768, Springer Verlag, 368-378, 2000.
¨ R Venkatesan, V Vazirani, S Sinha, “A Graph Theoretic Approach to Software Watermarking”. In .S. Moskowitz (ed.), Proc. 4th International Workshop on Information Hiding (IHW 2001), LNCS 2137, Springer-Verlag, 157-168, 2001.
· D Grover (ed.), “Program Identification”, Chapter 6 of The Protection of Computer Software --- Its Technology and Applications, 2nd edition, Cambridge University Press, 1992 (out of print).
· E Praun, H Hoppe, A Finkelstein, “Robust Mesh Watermarking”, Proc SIGGRAPH 1999, 69-76, 1999.
· J Rosen and B Javidi, “Hidden Images in Halftone Pictures”, Applied Optics 40(20), 3346-3353, 10 July 2001.
b)
Obfuscation
¨ B Barak, O Goldreich, R Impagliazzo, S Rudich, A Sahai, S Vadhan, and K Yang, “On the (Im)possibility of Obfuscating Programs (Extended Abstract)”. In J Kilian (ed.), Advances in Cryptology – Crypto 2001, LNCS 2139, Springer-Verlag, 2001.
¨ E Valdez, M Yung, "Software DisEngineering: Program Hiding Architecture and Experiments." In Proc IH’99, LNCS 1768, Springer Verlag, 379-394, 2000. A technical report on a related subject is available at http://cis.poly.edu/tr/tr-cis-2000-01.htm (but page 5 won't print as at 1 Aug 00).
¨ C Wang, J Hill, J Knight, J Davidson, “Software Tamper Resistance: Obstructing Static Analysis of Programs”, Technical eport CS-2000-12, Department of Computer Science, U Virginia (USA). Available: ftp://ftp.cs.virginia.edu/pub/techreports, May 2001.
c)
Tamperproofing
¨ H Chang and M Atallah, “Protecting Software Code by Guards”. In Workshop on Security and Privacy in Digital Rights Management 2001. Available: http://www.star-lab.com/sander/spdrm/papers.html, February 2002.
¨ B Horne, L Matheson, C Sheehan, and R Tarjan, “Dynamic Self-Checking Techniques for Improved Tamper Resistance”. In Workshop on Security and Privacy in Digital Rights Management 2001. Available: http://www.star-lab.com/sander/spdrm/papers.html, February 2002.
d)
Copy Detection
¨ N Shivakumar and H Garcia-Molina, “Building a Scalable and Accurate Copy Detection Mechanism”. In Proceedings of 1st ACM Conference on Digital Libraries (DL'96), Bethesda, Maryland, 160-168, March 1996.
e)
Language-Based Security
¨ D Wallach, E Felten, and A Appel, “SAFKASI: A Security Mechanism for Language-based Systems”, ACM Transactions on Software Engineering and Methodology 9(4), October 2000, pp. 341-378.
· D Volpano, G Smith, “Language Issues in Mobile Program Security”, In Mobile Agents and Security, Springer Verlag, LNCS 1419, pp. 25-43, 1998.
f)
Legal and Ethical Controls
·
R Vaughan, “Defining Terms in the Intellectual Property Protection
Debate: Are the North and South Arguing Past Each Other When We Say
“Property”? A Lockean, Confucian, and
Islamic Comparison”, ILSA Journal of International and Comparative Law 2(2),
Winter 1996. Available: http://www.nsulaw.nova.edu/student/organizations/ILSAJournal/2-2/2-2%20toc.htm,
March 2002.
g)
Attacks on Hardware and Software
¨ R Anderson and M Kuhn, “Low Cost Attacks on Tamper Resistant Devices”. In M Lomas et al. (ed.), Proc. of 5th International Workshop on Security Protocols, Paris, LNCS 1361, Springer-Verlag, 125-136, April 1997.
¨ M Bond and R Anderson, “API-Level Attacks on Embedded Systems”, IEEE Computer, 67-75, October 2001.
¨ M Kuhn and R Anderson, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations", in David Aucsmith (ed.) Information Hiding 1998, LNCS 1525, Springer-Verlag, 124-142, 1998.
¨ M Kuhn, “Optical Time-Domain Eavesdropping Risks of CRT Displays”. To appear, Proc of IEEE Symposium on Security and Privacy, May 2002. Available: http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf, March 2002.
¨ B Miller, M Christodorescu, R Iverson, T Kosar, A Mirgorodskii, F Popovici, “Playing Inside the Black Box: Using Dynamic Instrumentation to Create Security Holes”, Parallel Processing Letters (to appear, 2001). Also appears in the Second Los Alamos Computer Science Institute Symposium, Sante Fe, NM (October 2001). Available: http://www.cs.wisc.edu/paradyn/papers/index.html#dyninst-security, March 2002.
· P Gutmann, “Secure deletion of data from magnetic and solid-state memory,” Proc 6th USENIX Security Symposium, July 1996. Available: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html, March 2001.
2)
Secure Systems Design and Analysis
a)
Digital Rights Management
¨
T Budd, “Protecting and Managing Electronic Content with a Digital
Battery”, IEEE Computer, 2-8, August 2001.
¨
J Feigenbaum, M Freedman, T Sander, A Shostack, “Privacy Engineering for
Digital Rights Management Systems”. In Workshop
on Security and Privacy in Digital Rights Management 2001. Available: http://www.star-lab.com/sander/spdrm/papers.html,
February 2002.
¨
M Jakobsson, M Reiter, “Discouraging Software Piracy Using Software
Aging”. In Workshop on Security and
Privacy in Digital Rights Management 2001.
Available: http://www.star-lab.com/sander/spdrm/papers.html,
February 2002.
·
S Bechtold, “From Copyright to Information Law – Implications of Digital
Rights Management”. In Workshop on
Security and Privacy in Digital Rights Management 2001. Available: http://www.star-lab.com/sander/spdrm/papers.html,
February 2002.
·
R Merkle,
"Protected Shareware: A Solution to the Software Distribution
Problem." Online document in PDF dated "October 19, 1998" and
marked "Copyright 1993 by Xerox Corporation. All Rights Reserved. This
draft is being distributed for the purpose of feedback and commentary. As a
courtesy to the author, please limit its distribution." http://www.merkle.com/protectedShareware.pdf.
b)
Mobile Agents
¨ R Gray, D Kotz, G Cybenko, D Rus, “D’Agents: Security in a multiple-language, mobile-language system,” in Mobile Agents and Security, Lecture Notes in Computer Science 1419, ed. Giovanni Vigna, 154-187, Springer-Verlag, 1998.
¨ T Sander and Chr. Tschudin, “Towards Mobile Cryptography”. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, 215–224, May 1998.
· U Wilhelm, “A pessimistic approach to trust in mobile agent platforms,” IEEE Internet Computing, 40-48, Sept-Oct 2000.
c)
Privacy, Authentication, and Reliable Service in Messaging Systems
¨
O Berthold, M Kohntopp,
“Identity Management Based on P3P,” in H. Frederrath (Ed.), Designing
Privacy Enhancing Technologies (Proceedings of the International
Workshop on Design Issues in Anonymity and Unobservability), LNCS 2009, pp. 141-160, Springer-Verlag,
2001.
¨
D Davis, “Compliance
Defects in Public-Key Cryptography”. In
Proc 6th USENIX Security Symposium, 1996. Available: http://www.sage.usenix.org/publications/library/proceedings/sec96/davis.html,
March 2002.
¨
M Jakobsson and S
Wetzel, “Security Weaknesses in Bluetooth.”
In D Naccache (ed.), Progress in Cryptology – CT-RSA 2001 (LNCS 2020),
176-191, 2001.
¨
M Sirbu, J Chuang,
“Distributed authentication in Kerberos using public key cryptography,” Proc
Network and Dist Sys Security 1997, IEEE, 134-141, 1997.
·
T Parks, D Kassay, C Weinstein, “Vulnerabilities of Reliable Multicast
Protocols.” In Proc. 1998 IEEE
Military Communications Conference (MILCOM’98), Vol. 3, 934-938, October
1998.
d)
Hardware-Based
Security
·
P Bieber, J Cazin, P Girard, J-L Lanet, V Wiels, G Zanon, “Checking
Secure Interactions of Smart Card Applets”.
In Proc ESORICS 2000, LNCS 1895, Springer-Verlag, 2000. Extended version available http://www.cert.fr/francais/deri/bieber/papers/2000esorics_long.ps.gz,
March 2002.
·
Trusted Computer
Platform Alliance, TCPA Trusted Subsystem Specification V1.1a, 1
December 2001. Available: http://www.trustedpc.org/home/Specification.htm,
March 2002.
e)
System Vulnerabilities
¨
S Christey and C Wysopal, “Responsible Vulnerability Disclosure
Process.” Internet Engineering Task
Force, Internet Draft (valid for six months), February 2002. Available: http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt,
February 2002.
¨
F Cohen, “Computer
Viruses – Theory and Experiments.” In Proc.
DOD/NBS 7th Conf on Computer Security, 1984. Available: http://www.all.net/resume/papers, 5
September 2001.
¨
C Landwehr, A Bull, J
McDermott, W Choi, “A Taxonomy of Computer Program Security Flaws”, ACM
Computing Surveys 26(3), 211-254, September 1994.
3)
Project Ideas
a)
Experiment with, or
add functionality to, the Javascript obfuscation system developed as a class
project by Erik Walle of the University of Waterloo. Code available at http://walle.dyndns.org/morass/misc/code/obfus.pl,
and report available at http://walle.dyndns.org/morass/misc/wtr3b.doc,
March 2002. You might also take a look
at the obfuscated JavaScript spam email I received in January 2002: available
as ObfJavascriptSpam.htm in the CompSci725 Lectures directory (hyperlink is not
provided here, to minimize the risk of executing it by mistake – be careful).
b)
Perform a security
audit on some software system you have developed. Your methodology might be based on the checklist approach of G
McGraw and E Felten, “Twelve Rules for Developing More Secure Java Code”, JavaWorld,
01 December 1998. Available: http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html?,
March 2002. See also John Viega and
Gary McGraw, Building Secure Software, Addison-Wesley, 2001.
c)
Experiment with the
X.509 authentication certificates for email, perhaps along the lines of my
Assignment 2 for CompSci 725 last year.
See http://www.cs.auckland.ac.nz/compsci725fc/archive/2001/lectures/asst2.htm,
available March 2002. A simple
introduction to X.509 certificates may be found in P Tremblatt, “X.509
Certificates”, Dr Dobbs Journal, July 1999. Available: http://www.ddj.com/articles/1999/9907/,
March 2002.
d)
Try to find the watermark in http://iquest.net/~bpc/wm6.tgz,
and in other Linux Redhat binaries written by “Brad C”, a Master’s student
studying software watermarking overseas.
Write to bpc_uccs@hotmail.com
for more information.
e)
Use forensic examination software, such as ComputerCop Professional
P3 (I have a CD in my office) to make inferences about what an anonymous person
was doing on their PC on some specific dates, (say) one month and six months in
the past.
f) More project ideas may be found on Christian Collberg’s CS 620 website, in http://www.cs.arizona.edu/~collberg/Teaching/620/2002/Projects/Pro3.ps.
g)
Local software developer Ripple Effects Ltd are launching
their new anti-virus software in the US shortly, to plug a major gap in the
virus security area. Work with Dave Waterson (dave@privatebase.com, 309-2491) and your
instructor to define a project that involves testing of the pre-release version
of this software.
h)
Join the PhP audit project (http://phpaudit.42-networks.com/)
or find some other way to participate in, or report on, a security audit of
open-source software. See “Building
Trust in Open-Source Software”, CNET news.com, 20 March 2002 (available http://news.com.com/2102-1001-864236.html,
21 March 2002).
Last modified: 20 March 2002 by cdt.