Network and Computer Forensics (Spring 07)

Meeting Times

Thursdays & Fridays, 1 - 2:15 pm, Wyman Park Conference Room.

Description

This course focuses on selected topics in computer and network forensics. Particular attention is given to new techniques for recovering information from anonymized sources, file system recovery techniques, malware propagation analysis, secure remote logging, and traffic classification, among others. We also examine virtualization techniques for process isolation, kernel-level rootkit detection (and subversion), and network traceback and its limitations. The course is structured as a research seminar in which students present research papers to their peers.

600.424 (or equivalent) and Operating Systems are strongly advised as prerequisites. In addition, familiarity with basic cryptographic primitives will be necessary to understand the details of some of the assigned papers. Familiarity with C is highly recommended.

Course Project

Your course project will entail submitting (to me) a workshop-quality research paper outlining novel ideas. This project can involve application of concepts learned from other research papers, but MUST present original ideas. As this is an "Applications" course, the project can entail a critical comparison of techniques (some of which may be off-the-shelf), but the analysis must be original. There will be several checkpoints throughout the semester, including a survey paper on work related to your topic. The course project constitutes 50% of your final grade. Although I will provide a few suggestions on projects, students are encouraged to come up with ideas on their own. Students are also strongly encouraged to use LaTeX when preparing material for this course, including critiques of assigned papers.

Readings and Presentations

Students are required to read all papers assigned during the semester and be able to competently discuss the material in class. Each student will be responsible for presenting one lecture (depending on the class size); that lecture will be based on the assigned paper for the week and should include as much relevant related work as necessary to distill the work presented in the paper. The speaker should try to present a comprehensive view of the topic suitable for a 1 hour talk. Additionally, each student is responsible for submitting a summary of the paper, which includes (1) contributions, strengths and weaknesses, (2) at least two thought-provoking questions on the assigned paper, and (3) two possible directions for extensions of the ideas / topic presented in the paper. Your questions should critically evaluate the paper (e.g., questioning the assumptions, questioning whether the experiments are lacking (and why), flaws in the analysis, etc.). Examples will be provided. This summary will be turned in to the moderator (and me) at the Thursday session.

The moderator is responsible for recapping the ideas from the previous day (15 mins max) and presenting any supplementary material not covered by the presenter. The moderator will lead the general discussion on Friday. Notes on the week's discussion must also be compiled by the moderator and submitted to me no later than 1 week after the lecture. These notes will be made publicly available (via the website) to the rest of the class.

Office Hours

Tuesday 1 - 3 pm or by appointment.

Mailing List

Send email to majordomo (at) cs dot jhu dot edu with "subscribe cs624" in the message body (it's okay that you subscribe to 624, even if this is 625).

Grading

This is intended to be an interactive class, and as such, class participation will play a significant role in my grading criteria. Students will be graded on the presentation of their assigned papers, their participation in discussions and questions, and their course project. Weights are as follows:

Deliverable           Grade
Presentations         30%
Project               50%
Class participation   20%

Reading List (Subject to change!)

Each entry lists the date, the topic (assigned paper(s) and related readings), the presenter (Thursday) and the moderator (Friday).

Jan. 25th
  Topic: Course introduction, selection of presenters, project discussion.

Feb 1,2
  Paper: Speculative Execution in a Distributed File System. E. Nightingale, P. Chen, J. Flinn. ACM Transactions on Computer Systems (TOCS), 2006.
  Related readings:
    • Crandall et al. Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines. In 12th Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XII), 2006.
  Presenter (Thursday): Jay
  Moderator (Friday): Fabian

Feb 8,9
  Papers:
    • File System Design with Assured Delete. R. Perlman. Proceedings of ISOC NDSS, 2007.
    • Secure File Deletion in a Versioning File System. Z. Peterson et al. Proceedings of USENIX FAST, 2005.
  Related readings:
    • P. Gutmann. Secure Deletion of Data from Magnetic and Solid-State Memory.
    • Ephemerizer: Making Data Disappear.
  Presenter (Thursday): Kevin
  Moderator (Friday): Fabian

Feb. 15,16
  Paper: ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. G. Dunlap, S. King, S. Cinar, A. Basrai, and P. Chen. Proceedings of OSDI, 2005.
  Related readings:
    • S. King and P. Chen. Backtracking Intrusions. In Proceedings of ACM SOSP, 2003.
    • P. Barham et al. Xen and the Art of Virtualization. In Proceedings of ACM SOSP, 2003.
    • (A must see) A. Joshi, S. King, G. Dunlap and P. Chen. Detecting Past and Present Intrusions Through Vulnerability-Specific Predicates. In Proceedings of SOSP'05.
  Presenter (Thursday): Kristine
  Moderator (Friday): Fabian

Feb 22,23
  Paper: An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data. N. Petroni, T. Fraser, A. Walters, W. Arbaugh. USENIX Security, 2006.
  Related readings:
    • Chen et al. Log-based Architectures for General-Purpose Monitoring of Deployed Code. In ASID, 2006.
    • Copilot: A Coprocessor-based Kernel Runtime Integrity Monitor. USENIX Security, 2003.
  Presenter (Thursday): Chuck
  Moderator (Friday): Fabian

March 1/2
  NO CLASS (I'm away at a conference)

March 8,9
  Paper: Behavior-based Spyware Detection. E. Kirda, C. Kruegel, G. Banks, G. Vigna, R. Kemmerer. Proceedings of the 15th USENIX Security Symposium, 2006.
  Related readings:
    • Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of NDSS, 2005.
    • Borders, Zhao and Prakash. Siren: Catching Evasive Malware (short paper). In Proceedings of IEEE Security and Privacy, 2006.
  Presenter (Thursday): Dan
  Moderator (Friday): Fabian

March 15,16
  SPRING BREAK

March 22,23
  Paper: Understanding Data Lifetime via Whole System Simulation.
  Related readings:
    • J. Chow et al. Shredding Your Garbage: Reducing Data Lifetime. USENIX Security, 2005.
    • P. Broadwell et al. Scrash: A System for Generating Secure Crash Information.
  Presenter (Thursday): Ryan

March 29,30
  Paper: Prefix-preserving IP Address Anonymization: Measurement-based Security Analysis and a New Cryptography-based Scheme. J. Fan, J. Xu, Mostafa H., S. Moon. International Journal of Computer Networks, 2004.
  Related readings:
    • W. Chen et al. Anonymization of IP Traffic Monitoring Data: Attacks on Two Prefix-preserving Anonymization Schemes and Some Proposed Remedies. In Passive and Active Measurement Workshop, 2005.
  Presenter (Thursday): Scott
  Moderator (Friday): Charles

April 5,6
  Paper: Cryptographic Support for Secure Logs on Untrusted Machines. B. Schneier and J. Kelsey. Proceedings of USENIX Security, 1998.
  Related readings:
    • J. Kelsey and B. Schneier. Minimizing Bandwidth for Remote Access to Cryptographically Protected Audit Logs. RAID, 1999.
    • B. Waters, D. Balfanz, G. Durfee and D. Smetters. Building an Encrypted and Searchable Audit Log. In NDSS, 2004.
  Presenter (Thursday): Jay
  Moderator (Friday): Kevin
  Survey paper due.

April 12,13
  Paper: Outwitting the Witty Worm: Exploiting Underlying Structure for Detailed Reconstruction of an Internet-wide Event. A. Kumar, V. Paxson, and N. Weaver. Proceedings of USENIX/ACM Internet Measurement Conference, 2005.
  Related readings:
    • Rajab et al. Worm Evolution Tracking via Timing Analysis.
  Presenter (Thursday): Kristine
  Moderator (Friday): Fabian

April 19,20
  Papers:
    • Pioneer: Verifying Integrity and Guaranteeing Execution of Code on Legacy Platforms. A. Seshadri et al. Proceedings of SOSP, 2005.
    • Protecting Software Codes by Guards. H. Chang and J. Atallah. ACM CCS Workshop on Security and Privacy in Digital Rights Management, 2002.
  Related readings:
    • Wurster et al. A Generic Attack on Checksumming-Based Software Tamper Resistance. IEEE Security and Privacy, 2005.
  Presenter (Thursday): Chuck
  Moderator (Friday): Fabian

April 26,27
  Project meetings

May 3,4th
  In-class presentations.
  May 4th: Final projects due by 10pm. NO EXCEPTIONS.


Other possibilities include: