TDDC90 Software Security

Paper presentation


General information

As part of the examination for the course, students are required to read a paper on web security (in pairs) and present it at a seminar towards the end of the course. The goal of this part of the course is to give a deeper understanding of the concepts discussed in the lecture, both through reading the paper and preparing the presentation, and through listening to the other groups' presentations.

You will do this assignment together with the person you signed up with in Webreg. Note that both students in each group must be present and take an equal part in the presentation! Participation during the entire seminar is also mandatory for all students.

The final presentations will be held on December 14th (see schedule). Presentations will be roughly 10-15 minutes, plus a few minutes for questions. Exact time constraints will be posted later. (Since we typically have a few dropouts during the run of the course, we cannot precisely estimate at the start of the course how many will make it to the final presentations.)

There is also an additional milestone, to allow us to gauge your progress and steer you in the right direction if needed (see the list of milestones below).

Requirements for presentation

To ensure high-quality presentations that are informative to the audience, we have defined several requirements. Presentations should address the following topics/questions:

  • What is the goal and purpose of the work? What problem(s) does it aim to solve, or what question(s) does it seek to answer?
  • Provide sufficient background to the audience. When preparing your presentation, you should assume that the listeners have the background knowledge given in the web security lecture; any prerequisite knowledge beyond that needs to be covered in your presentation.
  • What is the practical significance of the work?
  • What were the results presented in the paper? How well did the proposed technique work, or what were the answers to the questions stated in the paper?
  • You should also critique the work. For example: Were the ideas clearly conveyed? Do the empirical results support the claims made in the paper? How big was the contribution of the work, in terms of potentially improving web security?

You can (and should) use external sources when preparing the presentation, e.g. for understanding concepts you may not already be familiar with. However, in the presentation it must be clear which statements are results from the paper, which are your own opinions or interpretations, and which are information or material taken from other sources.

Note that addressing all the above points in a 10-15 minute presentation requires careful planning and selection of topics. (It always takes more time to prepare a short presentation than a longer one.) You should therefore make sure to start early with this assignment and allot sufficient time for it!

Deadlines and milestones

In addition to the final presentation, each group must also submit a brief outline of their presentation. This is to make sure that groups are on the right track in terms of scope and depth, and to allow adjustments of the final presentation based on our feedback.
  • November 22 at 18.00: Request period for papers opens. Requests for papers should be emailed to ulf.kargen@liu.se. See below for the formatting requirements on request emails. Papers will be assigned to groups on a first-come, first-served basis. However, note that requests received before this time will be ignored! This is to give you time to carefully consider which papers to choose before sending your requests.
  • November 24 at 12.00 (noon): Deadline for paper requests.
  • November 24 afternoon: Paper assignments will be posted on this page.
  • December 4 at 18.00: Deadline to submit initial outline of the presentation. The outline should be in the form of a simple email (no slides or graphics) to ulf.kargen@liu.se.

    The email should briefly answer the question in each of the bullets under "Requirements for presentation" above. Use one paragraph (a few sentences) per bullet. The email should also contain a rough outline of the structure of the presentation, in the form of a bullet list or similar.

  • December 5-7: Groups will receive feedback on their outlines.
  • December 7: The final presentation schedule will be posted here, including the exact time constraints for presentations.
  • December 14, 13.15-17.00: Final presentations in two parallel tracks. (Since we allow up to two groups per paper, we split the class in two.)

Format for paper request email

Please use the following format when sending your paper requests to ulf.kargen@liu.se:

Subject:
TDDC90 - paper request

Body:
Group: Webreg group number

Requested paper(s):
1. Paperxxx (your first choice of paper)
2. Paperxxx (your second choice)
3. Paperxxx (your third choice)
4. Paperxxx (your fourth choice)
5. Paperxxx (your fifth choice)

where Paperxxx is the paper id from the list of papers below.

Papers

This is the list of papers you may choose from. Note that some of the papers can only be accessed for free if you are on the university network. (That is, for some papers you need to click a "View PDF" or similar link to get the full paper, and this link may only be available while you are on the university network.)

Note: Papers shown with a line through them are already taken and no longer available for selection.

Paper001: A Systematic Analysis of XSS Sanitization in Web Application Frameworks

Paper002: Towards a Formal Foundation of Web Security

Paper003: AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations

Paper004: Robust Defenses for Cross-Site Request Forgery

Paper005: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense

Paper006: mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutation

Paper007: Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites

Paper008: Privilege Separation in HTML5 Applications

Paper009: Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks

Paper010: The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives

Paper011: Regular Expressions Considered Harmful in Client-Side XSS Filters

Paper012: Reining in the Web with Content Security Policy

Paper013: The Devil is in the (Implementation) Details: an Empirical Analysis of OAuth SSO Systems

Paper014: State of the Art: Automated Black-Box Web Application Vulnerability Testing

Paper015: Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner

Paper016: Same-Origin Policy: Evaluation in Modern Browsers


Page responsible: Ulf Kargén
Last updated: 2023-10-29