IS542: Web Service Security and Privacy

The course provides in-depth studies of numerous attacks and defenses in web & mobile services. The course covers comprehensive security vulnerabilities / privacy risks in Web and Android mobile applications. We will also discuss how to detect and avoid such vulnerabilities and risks.

Basic Information

• Lecture: Tuesday/Thursday 10:30 - 12:00, Room 102 N1
• Instructor: Sooel Son
• Email: sl.son (at) kaist.ac.kr
• Homepage: https://sites.google.com/site/ssonkaist/
• Office: Room 2312 N5
• Office hours: Thursday 13:00 - 14:30, Room 2312 N5
• T.A.:
  • Hyuntae Kim, kimht_ (at) kaist.ac.kr
  • Sunnyeo Park, psnyeo88 (at) kaist.ac.kr

Evaluation

• Attendance: 5%
• Midterm exam: 20%
• Homework: 15%
• Presentation: 10%
• Project: 50%

Schedule

• 3/17 Course Introduction

• 3/19 Web programmging
  • Group project announced
• 3/24 Server-side Web attacks(1)
  • Reading materials

    N. Jovanovic et al. Pixy: a static analysis tool for detecting Web application vulnerabilities (S&P 2006)
    S. Bandhakavi et al. CANDID: preventing sql injection attacks using dynamic candidate evaluations (CCS 2007)
    Son et al. "Diglossia: Detecting Code-Injection Attacks with Precision and Efficiency" (CCS 2013)
    Ray et al. "Defining Code-injection Attacks" (POPL 2012)
    

• 3/26 Server-side Web attacks(2)
  • Team selection due 3/26 (2 persons for one team)
  • HW #1 will be posted!
• 3/31 Cross-site Scripting
  • Reading materials

    Zalewski. "Postcards from the Post-XSS World" (2011)
    S. Lekis et al. 25 million flows later: large-scale detection of DOM-based XSS (CCS 2013)
    

• 4/2 Content Security Policy
  • Reading materials

    L. Weichselbaum et al. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, (CCS 2016)
    A. Doupe et al. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation (CCS 2013)
    

  • HW #1 deadline!
• 4/7 CSRF
  • Reading materials

    A. Barth et al. Robust Defenses for Cross-Site Request Forgery, (CCS 2008)
    

  • Project proposal deadline (4/7)
  • HW #2 will be posted!
• 4/9 Clickjacking
  • Reading materials

    Huang et al. Clickjacking: Attacks and Defenses (Usenix Security 2012)
    Rydstedt et al. Busting frame busting: a study of clickjacking vulnerabilities at popular sites (W2SP 2010)
    

• 4/14 Browser extensions
  • Reading materials

    A. Kapravelos et al. Hulk: Eliciting Malicious Behavior in Browser Extensions, (USENIX 2014)
    Thomas et al. Ad Injection at Scale: Assessing Deceptive Advertisement Modifications (S&P 2015)
    Jagpal et al. Trends and Lessons from Three Years Fighting Malicious Extensions (USENIX 2015)
    

• 4/16 Phishing & Spam
  • Reading materials

    Jagatic et al. Social Phishing, (Communication of ACM, 2007)
    

• 4/21 Password & Two-factor Auth
  • Reading materials

    Bonneau et al. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes (S&P 2012).
    Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords (S&P 2012)
    Universal 2nd Factor (U2F) Overview (FIDO Alliance Proposed Standard, 2015)
    

• 4/23 HTTPS (1)
  • Reading materials

    Sotirov et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate (CRYPTO 2009)
    Lenstra et al. Ron was Wrong, Whit is Right (CRYPTO 2012).
    Adrian et al. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (CCS 2015)
    

• 4/28 HTTPS (2)

• 4/30
  • No class (Holiday)
• 5/5
  • No class (Holiday)
• 5/7
  • Midterm
• 5/12
  • Midterm

• 5/14 Midterm Presentation

• 5/19 Android Web Security (1)
  • Reading materials

    Enck et al. Understanding Android Security (S&P 2009)
    Felt et al. Android Permissions Demystified (CCS 2011)
    Enck et al. A Study of Android Application Security (Usenix 2011)
    

  • HW #2 deadline!

• 5/21 Android Web Security (2)

• 5/26 Webtracking & Fingerprinting (1)
  • Reading materials

    Mowery and Shacham. Pixel Perfect: Fingerprinting Canvas in HTML5 (W2SP 2012)
    Acar et al. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild (CCS 2014)
    

• 5/28 Webtracking & Fingerprinting (2)

• 6/2 Student Presentation / Topic: Semantic Logic Bug
  • Reading materials

    [Soyoung Lee] Wang et al. HOW TO SHOP FOR FREE ONLINE (S&P 2011)
    [Hyunsoo Shin] Brubaker et al. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations (S&P 2014)
    

• 6/4 Student Presentation / Topic: Web Security
  • Reading materials

    [Dahun Lee] William et al. Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting (NDSS 2018)
    [Daejun Kim] Lee et al. FUSE: Finding File Upload Bugs via Penetration Testing (NDSS 2020) 
    

• 6/9 Student Presentation / Topic: Side-Channel Attack
  • Reading materials

    [SongYi Hwang] Chen et al. Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow (S&P 2010)
    [Stephen Owusu-Addo] Chapman et al. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications (CCS 2011)
    

• 6/11 Student Presentation / Topic: Machine Learning in Information Security
  • Reading materials

    [YongHo Song] Schuster et al. Beauty and the Burst: Remote Identification of Encrypted Video Streams. (Usenix 2017)    
    [Sunnyeo Park] Ye et al. Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach (CCS 2018)
    

• 6/16 K-anonymity

• 6/18 Differential Privacy

• 6/23 Final Project Presentation (1)

• 6/25 Final Project Presentation (2) & Wrap-up

• 6/30
  • Final
• 7/2
  • Final
  • Deadline for your final course project report