Reading Samples
Introduction
- Thompson, K. 1984. Reflections on Trusting Trust. Commun. ACM 27, 8, 761–763.
- Anderson, R.J. 2001. Why Information Security Is Hard — An Economic Perspective. In Proc. ACSAC.
- Dauterman, E., Corrigan-Gibbs, H., and Mazières, D. 2022. Reflections on Trusting Distributed Trust. In Proc. ACM HotNets.
- Oosthoek, K., Cable, J., and Smaragdakis, G. 2023. A Tale of Two Markets: Investigating the Ransomware Payments Economy. Commun. ACM 66, 8.
Cryptography
- Sotirov, A. et al. 2009. MD5 Considered Harmful Today: Creating a Rogue CA Certificate. 25th Chaos Communication Congress (25C3).
- Perrig, A., Canetti, R., Tygar, J.D., and Song, D. 2005. The TESLA Broadcast Authentication Protocol. RSA CryptoBytes 5, 2.
- Eschenauer, L. and Gligor, V.D. 2002. A Key-Management Scheme for Distributed Sensor Networks. In Proc. ACM CCS.
- Egele, M., Brumley, D., Fratantonio, Y., and Kruegel, C. 2013. An Empirical Study of Cryptographic Misuse in Android Applications. In Proc. ACM CCS.
- Meli, M., McNiece, M.R., and Reaves, B. 2019. How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories. In Proc. NDSS.
- Krawczyk, H. 2001. The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). In Proc. CRYPTO.
- Boneh, D., Bonneau, J., Bünz, B., and Fisch, B. 2018. Verifiable Delay Functions. In Proc. CRYPTO.
- Heninger, N., Durumeric, Z., Wustrow, E., and Halderman, J.A. 2012. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In Proc. USENIX Security.
- Davis, H., Green, M., Heninger, N., Ryan, K., and Suhl, A. 2023. On the Possibility of a Backdoor in the Micali-Schnorr Generator. In Proc. ACM CCS.
Public Key Infrastructure (PKI)
- Huang, L., Rice, A., Ellingsen, E., and Jackson, C. 2014. Analyzing Forged SSL Certificates in the Wild. In Proc. IEEE S&P.
- Aas, J. et al. 2019. Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web. In Proc. ACM CCS.
Authentication and Passwords
- Bonneau, J., Herley, C., van Oorschot, P.C., and Stajano, F. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proc. IEEE S&P.
- Juels, A. and Rivest, R.L. 2013. Honeywords: Making Password-Cracking Detectable. In Proc. ACM CCS.
- Das, A., Bonneau, J., Caesar, M., Borisov, N., and Wang, X. 2014. The Tangled Web of Password Reuse. In Proc. NDSS.
- Wang, K.C. and Reiter, M.K. 2019. How to End Password Reuse on the Web. In Proc. NDSS.
- Silver, D., Jana, S., Chen, E., Jackson, C., and Boneh, D. 2014. Password Managers: Attacks and Defenses. In Proc. USENIX Security.
- Gelernter, N., Kalma, S., Magnezi, B., and Porcilan, H. 2017. The Password Reset MitM Attack. In Proc. IEEE S&P.
- Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., and Yung, M. 2006. Fourth-Factor Authentication: Somebody You Know. In Proc. ACM CCS.
- Goldberg, S., Haller, M., Heninger, N., Milano, M., Shumow, D., Stevens, M., and Suhl, A. 2024. RADIUS/UDP Considered Harmful. In Proc. USENIX Security.
Anonymity and Privacy
- Dingledine, R., Mathewson, N., and Syverson, P. 2004. Tor: The Second-Generation Onion Router. In Proc. USENIX Security.
- Fifield, D., Lan, C., Hynes, R., Wegmann, P., and Paxson, V. 2015. Blocking-Resistant Communication Through Domain Fronting. Proc. Privacy Enhancing Technologies (PoPETs).
- Tschantz, M.C., Afroz, S., and Paxson, V. 2016. SoK: Towards Grounding Censorship Circumvention in Empiricism. In Proc. IEEE S&P.
- Narayanan, A. and Shmatikov, V. 2008. Robust De-anonymization of Large Sparse Datasets. In Proc. IEEE S&P.
- Das, D., Meiser, S., Mohammadi, E., and Kate, A. 2018. Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency — Choose Two. In Proc. IEEE S&P.
- Karlin, J. et al. 2011. Decoy Routing: Toward Unblockable Internet Communication. In Proc. USENIX FOCI.
- Narayanan, A. et al. 2011. Location Privacy via Private Proximity Testing. In Proc. NDSS.
- Englehardt, S. and Narayanan, A. 2016. Online Tracking: A 1-Million-Site Measurement and Analysis. In Proc. ACM CCS.
- Iqbal, U. et al. 2023. Tracking, Profiling, and Ad Targeting in the Alexa Echo Smart Speaker Ecosystem. In Proc. ACM IMC.
- Calderonio, A. et al. 2024. Fledging Will Continue Until Privacy Improves: Improving the Privacy Guarantees of Google Privacy Sandbox. In Proc. USENIX Security.
TCP/IP and Internet Infrastructure
- Savage, S., Wetherall, D., Karlin, A., and Anderson, T. 2000. Practical Network Support for IP Traceback. In Proc. ACM SIGCOMM.
- Bellovin, S.M. 2004. A Look Back at "Security Problems in the TCP/IP Protocol Suite." In Proc. ACSAC.
- Abdu Jyothi, S. 2021. Solar Superstorms: Planning for an Internet Apocalypse. In Proc. ACM SIGCOMM.
Border Gateway Protocol (BGP)
- Apostolaki, M., Zohar, A., and Vanbever, L. 2017. Hijacking Bitcoin: Routing Attacks on Cryptocurrencies. In Proc. IEEE S&P.
- Lychev, R., Goldberg, S., and Schapira, M. 2013. BGP Security in Partial Deployment: Is the Juice Worth the Squeeze? In Proc. ACM SIGCOMM.
- Butler, K., Farley, T.R., McDaniel, P., and Rexford, J. 2010. A Survey of BGP Security Issues and Solutions. Proc. IEEE 98, 1.
- Nordström, O. and Dovrolis, C. 2004. Beware of BGP Attacks. ACM SIGCOMM Comput. Commun. Rev. 34, 2.
- Li, W. et al. 2023. RoVista: Measuring and Analyzing the Route Origin Validation (ROV) in RPKI. In Proc. ACM IMC.
Transport Layer Security and Secure Messaging
- Clark, J. and van Oorschot, P.C. 2013. SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. In Proc. IEEE S&P.
- Adrian, D. et al. 2015. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In Proc. ACM CCS.
- Cremers, C., Horvat, M., Hoyland, J., Scott, S., and van der Merwe, T. 2017. A Comprehensive Symbolic Analysis of TLS 1.3. In Proc. ACM CCS.
- Al Fardan, N.J. and Paterson, K.G. 2013. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. In Proc. IEEE S&P.
- Böck, H., Zauner, A., Devlin, S., Somorovsky, J., and Jovanovic, P. 2016. Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. In Proc. USENIX WOOT.
- Böck, H., Somorovsky, J., and Young, C. 2018. Return of Bleichenbacher's Oracle Threat (ROBOT). In Proc. USENIX Security.
- Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., and Stebila, D. 2017. A Formal Security Analysis of the Signal Messaging Protocol. In Proc. IEEE S&P.
- Paterson, K.G., Scarlata, M., and Truong, K.T. 2023. Three Lessons From Threema: Analysis of a Secure Messenger. In Proc. USENIX Security.
Email Security
- Hu, H. and Wang, G. 2018. End-to-End Measurements of Email Spoofing Attacks. In Proc. USENIX Security.
DNS Security
- Bau, J. and Mitchell, J.C. 2010. A Security Evaluation of DNSSEC with NSEC3. In Proc. NDSS.
- Kaminsky, D. 2008. An Illustrated Guide to the Kaminsky DNS Vulnerability. [Web article]
- Klein, A. and Pinkas, B. 2019. DNS Cache-Based User Tracking. In Proc. NDSS.
- Csikor, L., Singh, H., Kang, M.S., and Divakaran, D.M. 2021. Privacy of DNS-over-HTTPS: Requiem for a Dream? In Proc. IEEE EuroS&P.
Wireless Security
Web Security
- Barth, A., Jackson, C., and Mitchell, J.C. 2008. Robust Defenses for Cross-Site Request Forgery. In Proc. ACM CCS.
Firewall, IDS, and IPS
- Paxson, V. 1999. Bro: A System for Detecting Network Intruders in Real-Time. Comput. Networks 31, 23.
- Ioannidis, S., Keromytis, A.D., Bellovin, S.M., and Smith, J.M. 2000. Implementing a Distributed Firewall. In Proc. ACM CCS.
- Axelsson, S. 1999. The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. In Proc. ACM CCS.
DDoS Attack and Defense
- Moore, D., Voelker, G.M., and Savage, S. 2001. Inferring Internet Denial-of-Service Activity. In Proc. USENIX Security.
- Juels, A. and Brainard, J. 1999. Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks. In Proc. NDSS.
- Yaar, A., Perrig, A., and Song, D. 2004. SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. In Proc. IEEE S&P.
- Kang, M.S., Lee, S.B., and Gligor, V.D. 2013. The Crossfire Attack. In Proc. IEEE S&P.
- Rossow, C. 2014. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In Proc. NDSS.
- Rasti, R., Murthy, M., and Paxson, V. 2015. Temporal Lensing and Its Application in Pulsing Denial of Service Attacks. In Proc. IEEE S&P.
- Crosby, S.A. and Wallach, D.S. 2003. Denial of Service via Algorithmic Complexity Attacks. In Proc. USENIX Security.
- Ounifi, S. et al. 2020. Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack. In Proc. ACM CCS.
Software Security
- Cowan, C. et al. 1998. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proc. USENIX Security.
- Shacham, H., Page, M., Pfaff, B., Goh, E., Modadugu, N., and Boneh, D. 2004. On the Effectiveness of Address-Space Randomization. In Proc. ACM CCS.
- One, A. 1996. Smashing the Stack for Fun and Profit. Phrack 7, 49. [2011 update]
- Miller, B.P., Fredriksen, L., and So, B. 1990. An Empirical Study of the Reliability of UNIX Utilities. Commun. ACM 33, 12.
- Sayeed, S., Marco-Gisbert, H., and Caira, T. 2020. Smart Contract: Attacks and Protections. IEEE Access 8.
- Aghakhani, H. et al. 2024. TrojanPuzzle: Covertly Poisoning Code-Suggestion Models. In Proc. IEEE S&P.
- Ohm, M., Plate, H., Sykosch, A., and Meier, M. 2020. Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Proc. DIMVA.
IoT Security
- Surbatovich, M., Aljuraidan, J., Bauer, L., Das, A., and Jia, L. 2017. Some Recipes Can Do More Than Spoil Your Appetite: Analyzing the Security and Privacy Risks of IFTTT Recipes. In Proc. WWW.
- Fernandes, E., Jung, J., and Prakash, A. 2016. Security Analysis of Emerging Smart Home Applications. In Proc. IEEE S&P.
- Antonakakis, M. et al. 2017. Understanding the Mirai Botnet. In Proc. USENIX Security.
- Kumar, D. et al. 2019. All Things Considered: An Analysis of IoT Devices on Home Networks. In Proc. USENIX Security.
Cloud Security
- Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. 2009. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. In Proc. ACM CCS.
- Vissers, T., Van Goethem, T., Joosen, W., and Nikiforakis, N. 2015. Maneuvering Around Clouds: Bypassing Cloud-Based Security Providers. In Proc. ACM CCS.
System Security
- Chen, H., Wagner, D., and Dean, D. 2002. Setuid Demystified. In Proc. USENIX Security.
- Yarom, Y. and Falkner, K. 2014. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack. In Proc. USENIX Security.
- Kocher, P. et al. 2019. Spectre Attacks: Exploiting Speculative Execution. In Proc. IEEE S&P.
- Provos, N., Friedl, M., and Honeyman, P. 2003. Preventing Privilege Escalation. In Proc. USENIX Security.
Machine Learning and Security
- Sommer, R. and Paxson, V. 2010. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection. In Proc. IEEE S&P.
- Sharif, M., Bhagavatula, S., Bauer, L., and Reiter, M.K. 2016. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition. In Proc. ACM CCS.
- Carlini, N. and Wagner, D. 2017. Towards Evaluating the Robustness of Neural Networks. In Proc. IEEE S&P.
- Choi, M. et al. 2023. BotScreen: Trust Everybody, but Cut the Aimbots Yourself. In Proc. USENIX Security.
Usability and Security
- Whitten, A. and Tygar, J.D. 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proc. USENIX Security.
- Wurster, G. and van Oorschot, P.C. 2008. The Developer Is the Enemy. In Proc. NSPW.
- Green, M. and Smith, M. 2016. Developers Are Not the Enemy! The Need for Usable Security APIs. IEEE Security & Privacy 14, 5.
- Anderson, R.J. 1994. Why Cryptosystems Fail. Commun. ACM 37, 11.
- Cranor, L.F. 2008. A Framework for Reasoning About the Human in the Loop. In Proc. UPSEC.
- Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and Cranor, L.F. 2009. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proc. USENIX Security.
- Lain, D., Kostiainen, K., and Čapkun, S. 2022. Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. In Proc. IEEE S&P.
- Wermke, D., Wöhler, N., Klemmer, J.H., Serwa, M., Acar, Y., and Fahl, S. 2022. Committed to Trust: A Qualitative Study of Security and Privacy in Open Source Software. In Proc. IEEE S&P.
Cryptocurrencies
- Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J.A., and Felten, E.W. 2015. SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies. In Proc. IEEE S&P.
- Narayanan, A. et al. 2016. Bitcoin and Cryptocurrency Technologies. Princeton University Press.
Secure Voting
- Clarkson, M.R., Chong, S., and Myers, A.C. 2008. Civitas: Toward a Secure Voting System. In Proc. IEEE S&P.
Science of Security
- Herley, C. and van Oorschot, P.C. 2017. SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit. In Proc. IEEE S&P.
- Herley, C. and van Oorschot, P.C. 2018. Science of Security: Combining Theory and Measurement to Reflect the Observable. IEEE Security & Privacy 16, 1.
- Stolfo, S.J., Bellovin, S.M., and Evans, D. 2011. Measuring Security. IEEE Security & Privacy 9, 3.
Ethics
IEEE S&P: Test of Time Award (First Fifteen Years, 1980–1994)
- Merkle, R. 1980. Protocols for Public Key Cryptosystems. In Proc. IEEE S&P.
- Kemmerer, R. 1982. A Practical Approach to Identifying Storage and Timing Channels. In Proc. IEEE S&P.
- Goguen, J. and Meseguer, J. 1982. Security Policies and Security Models. In Proc. IEEE S&P.
- Simmons, G.J. 1983. Verification of Treaty Compliance Revisited. In Proc. IEEE S&P.
- Millen, J.K. 1984. The Interrogator: A Tool for Cryptographic Protocol Security. In Proc. IEEE S&P.
- Birrell, A., Lampson, B.W., Needham, R.M., and Schroeder, M.D. 1986. A Global Authentication Service without Global Trust. In Proc. IEEE S&P.
- Denning, D.E. 1987. An Intrusion-Detection Model. IEEE Trans. Softw. Eng. 13, 2. (presented at IEEE S&P 1986)
- McLean, J. 1987. Reasoning About Security Models. In Proc. IEEE S&P.
- Bellovin, S.M. and Merritt, M. 1992. Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In Proc. IEEE S&P.
- Abadi, M. and Needham, R.M. 1994. Prudent Engineering Practice for Cryptographic Protocols. In Proc. IEEE S&P.
IEEE S&P: Test of Time Award (1995–2006)
- Forrest, S., Hofmeyr, S.A., Somayaji, A., and Longstaff, T.A. 1996. A Sense of Self for Unix Processes. In Proc. IEEE S&P.
- Young, A.L. and Yung, M. 1996. Cryptovirology: Extortion-Based Security Threats and Countermeasures. In Proc. IEEE S&P.
- Blaze, M., Feigenbaum, J., and Lacy, J. 1996. Decentralized Trust Management. In Proc. IEEE S&P.
- Schuba, C.L. et al. 1997. Analysis of a Denial of Service Attack on TCP. In Proc. IEEE S&P.
- Syverson, P.F., Goldschlag, D.M., and Reed, M.G. 1997. Anonymous Connections and Onion Routing. In Proc. IEEE S&P.
- Perrig, A., Canetti, R., Tygar, J.D., and Song, D. 2000. Efficient Authentication and Signing of Multicast Streams Over Lossy Channels. In Proc. IEEE S&P.
- Song, D.X., Wagner, D., and Perrig, A. 2000. Practical Techniques for Searches on Encrypted Data. In Proc. IEEE S&P.
- Chan, H., Perrig, A., and Song, D. 2003. Random Key Predistribution Schemes for Sensor Networks. In Proc. IEEE S&P.
- Parno, B., Perrig, A., and Gligor, V.D. 2005. Distributed Detection of Node Replication Attacks in Sensor Networks. In Proc. IEEE S&P.
ACM CCS: Test of Time Award
- Camenisch, J. and Van Herreweghen, E. 2002. Design and Implementation of the idemix Anonymous Credential System. In Proc. ACM CCS.
- Wagner, D. and Soto, P. 2002. Mimicry Attacks on Host-Based Intrusion Detection Systems. In Proc. ACM CCS.
- Kc, G.S., Keromytis, A.D., and Prevelakis, V. 2003. Countering Code-Injection Attacks With Instruction-Set Randomization. In Proc. ACM CCS.
- Du, W., Han, Y.S., Deng, J., and Varshney, P.K. 2003. A Pairwise Key Pre-distribution Scheme for Wireless Sensor Networks. In Proc. ACM CCS.
- Molnar, D. and Wagner, D. 2004. Privacy and Security in Library RFID: Issues, Practices, and Architectures. In Proc. ACM CCS.
- Brickell, E.F., Camenisch, J., and Chen, L. 2004. Direct Anonymous Attestation. In Proc. ACM CCS.
- Abadi, M., Budiu, M., Erlingsson, Ú., and Ligatti, J. 2005. Control-Flow Integrity. In Proc. ACM CCS.
- Atallah, M.J., Frikken, K.B., and Blanton, M. 2005. Dynamic and Efficient Key Management for Access Hierarchies. In Proc. ACM CCS.
- Goyal, V., Pandey, O., Sahai, A., and Waters, B. 2006. Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. In Proc. ACM CCS.
- Cadar, C. et al. 2006. EXE: Automatically Generating Inputs of Death. In Proc. ACM CCS.
- Shacham, H. 2007. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In Proc. ACM CCS.
- Dinaburg, A., Royal, P., Sharif, M., and Lee, W. 2008. Ether: Malware Analysis via Hardware Virtualization Extensions. In Proc. ACM CCS.
- Liu, Y., Ning, P., and Reiter, M.K. 2009. False Data Injection Attacks Against State Estimation in Electric Power Grid. In Proc. ACM CCS.
- Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. 2009. Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. In Proc. ACM CCS.
- Balasubramaniyan, V.A. et al. 2010. PinDr0p: Using Single-Ended Audio Features to Determine Call Provenance. In Proc. ACM CCS.
NDSS: Test of Time Award
- Krawczyk, H. 1996. SKEME: A Versatile Secure Key Exchange Mechanism for Internet. In Proc. NDSS.
- Juels, A. and Brainard, J. 1999. Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks. In Proc. NDSS.
- Garfinkel, T. and Rosenblum, M. 2003. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proc. NDSS.
USENIX Security: Test of Time Award
- Cowan, C. et al. 1998. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proc. USENIX Security.
- Whitten, A. and Tygar, J.D. 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proc. USENIX Security.
- Goldberg, I., Wagner, D., Thomas, R., and Brewer, E. 1996. A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker). In Proc. USENIX Security.
- Provos, N., Friedl, M., and Honeyman, P. 2003. Preventing Privilege Escalation. In Proc. USENIX Security.
- Dingledine, R., Mathewson, N., and Syverson, P. 2004. Tor: The Second-Generation Onion Router. In Proc. USENIX Security.
- McCamant, S. and Morrisett, G. 2006. Evaluating SFI for a CISC Architecture. In Proc. USENIX Security.
- Moore, D., Voelker, G.M., and Savage, S. 2001. Inferring Internet Denial-of-Service Activity. In Proc. USENIX Security.