CS 708 - Fall 2013 - Advanced Data Security and Privacy


Class schedule: Thursday 6:00 - 9:05pm, room: GITC 4415

Instructor: Reza Curtmola ; Email: ; Office: GITC 4301
Office hours (GITC 4301): M 1-2pm, Wed 4-5pm, and also by appointment (email me if you cannot come during office hours).

This course addresses the ever-growing security and privacy concerns associated with the massive amount of data that is collected, stored, shared, and distributed in today's society. New paradigms are needed to address the security/privacy challenges when data is outsourced at untrusted servers (such as in cloud computing) or when data is anonymized in order to be shared among untrusted parties. The course involves a substantial amount of reading, critically analyzing, and presenting research papers, participation in class discussions, and a semester-long project.

The goals of the course are to familiarize students with the main security and privacy challenges associated with managing data throughout its lifecycle (collection, storage, distribution), and to examine how to address these challenges.

A tentative list of topics includes:

Course format
The course will involve a substantial amount of reading, participation in class discussions, and a semester-long research project. Each lecture will focus on a specific topic and will be based on presentations and class discussions. Each student is responsible for preparing at least one presentation (based on research papers) and leading the discussion on the respective topic. The students are required to read the assigned papers for each week. In addition, each student is responsible for submitting weekly a report for one of the papers assigned for that week, which must include: (1) strengths/weaknesses (2) two possible extensions. This report has to be turned in at the beginning of class each week.

Course project: Students will work on the course project in teams. There is flexibility on the nature of the project: Both theoretical and system contributions will be appreciated, although projects with theoretical contribution should have a clear practical significance. Potential topics for system-oriented projects include addressing security aspects of cloud services such as the Amazon Web Services or Windows Azure Platform. The outcome of the project will be in the form of a final report, describing the design/implementation efforts. Students will present their results to the class.

Due to the dynamic nature of this field, there is no one textbook required for this course. Each selected topic will be based on handouts and research papers from recent top conferences and journals.

Who should take this course
Graduate students (PhD and MS) interested in having a deeper understanding of the ever-growing security and privacy concerns associated with the massive amount of data that is collected, stored and distributed in today's society.
The course is also an excellent opportunity to conduct research on the security/privacy of cloud services and find research topics for Ph.D. and M.S. theses.

Students should have taken an introductory course related to information security prior to this course.
For example, any of the following will satisfy this prerequisite:
CS 608/408 OR CS 645 OR CS 696/ECE 683 OR instructor permission.
If in doubt about the prerequisites, please consult with the instructor for permission to take the class. Familiarity with basic security and cryptographic primitives, or storage and database systems will be required to understand the details of the assigned papers. The instructor will review in the first lecture the building blocks that will be used throughout the course.

Grading policy
course assignment 15%
course project 30%
paper presentations + weekly reports
+ participation in class discussion
final exam 20%

Weekly schedule
Date Topic Discussion
09/05/13 Class overview + Building blocks Reza
  • lecture 1
  • 09/12/13 Database as a Service Reza Hacigumus et al. Providing Database as a Service. IEEE ICDE 2002.
    Reza Mykletun et al. Authentication and Integrity in Outsourced Databases. ISOC NDSS 2004.
  • lecture 2, presentation 1, presentation 2
  • 09/19/13 Remote Data Integrity Checking Reza Ateniese et al. Provable Data Possession at Untrusted Stores. ACM CCS 2007.
    Bo Bowers et al. HAIL: A High-Availability and Integrity Layer for Cloud Storage. ACM CCS 2009.
  • lecture 3, presentation 1
  • 09/26/13 Working over Encrypted Data Reza Curtmola et al. Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions. ACM CCS 2006.
    Arwa + Kirtan Popa et al. CryptDB: Protecting Confidentiality with Encrypted Query Processing. ACM SOSP 2011.
  • lecture 4, presentation 1, presentation 2
  • 10/03/13 Security of Outsourced Databases +
    Anonymity and Privacy
    Wadood Bajaj and Sion. CorrectDB: SQL Engine with Practical Query Authentication. VLDB 2013.
    Nafi Hsiao et al. LAP: Lightweight Anonymity and Privacy. IEEE S&P 2012.
  • lecture 5, presentation 1, presentation 2
  • 10/10/13 Privacy in Mobile and Vehicular Systems Jigang Popa et al. VPriv: Protecting Privacy in Location-Based Vehicular Services. USENIX Security 2009.
    Susan Popa et al.Privacy and Accountability for Location-Based Aggregate Statistics. ACM CCS 2011.
  • lecture 6, presentation 1, presentation 2
  • 10/17/13 (De)Anonymization Nafize Srivatsa and Hicks. Deanonymizing Mobility Traces: Using Social Networks as a Side-Channel. ACM CCS 2012.
    Tarik Narayanan et al. On the Feasibility of Internet-Scale Author Identification. IEEE S&P 2012.
  • lecture 7, presentation 1, presentation 2
  • 10/24/13 Attacks against Cloud Storage Wadood Mulazzani et al. Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. USENIX Security 2011.
    Anil Halevi et al. Proofs of Ownership in Remote Storage Systems. ACM CCS 2011.
  • lecture 8, presentation 1, presentation 2
  • 10/31/13 Security of Search Engines Vishal + Arwa John et al. deSEO: Combating Search-Result Poisoning. USENIX Security 2011.
    Jigang Lu et al. SURF: detecting and measuring search poisoning. ACM CCS 2011.
  • lecture 9, presentation 1, presentation 2
  • 11/07/13 Oblivious RAM +
    Intermediate Project Presentations
  • Intermediate project presentations: team 1, team 2, team 3, team 4
  • Reza Goldreich and Ostrovsky. Software Protection and Simulation on Oblivious RAMs. JACM 1996.
    Anil + Nafize Stefanov and Shi. ObliviStore: High Performance Oblivious Cloud Storage. IEEE S&P 2013.
  • presentation 1, presentation 2
  • 11/14/13 Secure Deletion Vishal + Tarik Wolchok et al. Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. ISOC NDSS 2010.
    Kirtan Skillen and Mannan. On Implementing Deniable Storage Encryption for Mobile Devices. ISOC NDSS 2013.
  • lecture 11, presentation 1, presentation 2
  • 11/21/13 Digital Rights Management Stephen Halderman and Felten. Lessons from the Sony CD DRM Episode. USENIX Security 2006.
  • AACS - DVD Protection, AACS specifications.
  • Reza related readings: Naor, Naor, and Lotspiech. Revocation and Tracing Schemes for Stateless Receivers. IACR CRYPTO 2001.
  • lecture 12, presentation 1, presentation 2
  • 11/26/13 Security of Online Advertising Nafi Toubiana et al. Adnostic: Privacy Preserving Targeted Advertising. ISOC NDSS 2010.
    Stephen Hardt and Nath. Privacy-Aware Personalization for Mobile Advertising. ACM CCS 2012.
  • lecture 13, presentation 1, presentation 2
  • 12/05/13 Final Project Presentations
  • Final project presentations: team 1, team 2, team 3, team 4
  • Academic integrity

    Modifications to syllabus