Introduction to Research in Security & Privacy

CPSC 538P 2026

This course aims to introduce students to a broad range of topics in Security and Privacy, which inherently intersect with many computer science subdisciplines. Designed as a breadth course, it is open to all students in the department, fostering interdisciplinary engagement and diverse perspectives. The core objective is to facilitate thought-provoking discussions by bringing together varied viewpoints. While this course provides a broad overview, its project component allows students to delve deeply into a specific topic of interest. Students are encouraged to leverage their expertise in machine learning, programming languages, human-computer interaction, computer architecture, or other areas to address specific Security or Privacy challenges. The selected readings emphasize the interdisciplinary nature of Security & Privacy and celebrate the value of diverse approaches and insights.

Course Requirements

There is no specific prerequisite for this course other than an undergraduate degree in Computer Science or a closely related field. Undergraduate students interested in this course should discuss it with their advisor.

Course Objectives

  • reason about security/privacy problems;
  • learn to read, critique, and write security/privacy papers;
  • better understand the review process;
  • learn to work as part of a diverse team on a security/privacy problem.

Class format

This is a seminar-style course. In each class, we will discuss a different paper, and I have selected a mix of recent work. Each session will have one student presenter. As the presenter, your role is to briefly introduce the paper (keeping in mind that everyone should have read it, so this should not take long), connect it to other papers we have read when possible, identify its key contributions, and highlight topics or questions that can spark discussion.

You should expect to present at least 2 or 3 times during the term, depending on the number of students registered. After the presentation, we will take a 10-minute break and discuss the paper. All students should come prepared for those discussions and be ready to engage. Submissions are to be made on Canvas, unless specified otherwise.

Reading Schedule

Classes take place on Tuesday (Tu) and Thursday (Th) from 9:00am to 10:30am (check Workday for the location).

Extra Reading Material

Reading List

Date Topic Title Link
Tu 6 Jan Intro
Th 8 Jan Ethics in Security Research [NO REPORT] The Menlo Report link
Tu 13 Jan Ethical Frameworks and Computer Security Trolley Problems: Foundations for Conversations [NO REPORT] link
Th 15 Jan Research introductions
Tu 20 Jan OSS Security “Threat modeling is very formal, it’s very technical, and also very hard to do correctly”: Investigating Threat Modeling Practices in Open-Source Software Projects link
Th 22 Jan A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features link
Tu 27 Jan Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security link
Th 29 Jan An Empirical Study of Rust-for-Linux: The Success, Dissatisfaction, and Compromise link
Tu 3 Feb Proposal Presentation
Th 5 Feb ML for Security TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time link
Tu 10 Feb Dos and Don’ts of Machine Learning in Computer Security link
Th 12 Feb Chasing Shadows: Pitfalls in LLM Security Research link
Tu 17 Feb Break
Th 19 Feb Break
Tu 24 Feb LLM and Security AirGapAgent: Protecting Privacy-Conscious Conversational Agents link
Th 26 Feb Malicious LLM-Based Conversational AI Makes Users Reveal Personal Information link
Tu 3 Mar When LLMs Go Online: The Emerging Threat of Web-Enabled LLMs link
Th 5 Mar Research Progress
Tu 10 Mar Internet Privacy Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach link
Th 12 Mar CookieGuard: Characterizing and Isolating the First-Party Cookie Jar link
Tu 17 Mar Where in the World Are My Trackers? Mapping Web Tracking Flow Across Diverse Geographic Regions link
Th 19 Mar Research Progress
Tu 24 Mar Usable Security How WEIRD is Usable Privacy and Security Research? link
Th 26 Mar Improving Logging to Reduce Permission Over-Granting Mistakes link
Tu 31 Mar “I Wonder if These Warnings Are Accurate”: Security and Privacy Advice in Nine Majority World Countries link
Th 2 Apr Research Artifacts SoK: Towards a Unified Approach to Applied Replicability for Computer Security [NO REPORT] link
Tu 7 Apr TBC
Th 9 Apr TBC

Research Introduction

Your presentation should be approximately 5 minutes long and is designed to help you connect with classmates for the final project. Start by introducing yourself, including your background and current research or areas of interest. Then, either outline a specific project idea you have in mind along with the type of collaborators you are seeking, or describe the types of projects you are interested in joining. The project proposal is due during the first week of February, so forming groups promptly is essential.

Assessments

Your final grade is divided among the following assessments:

  • Paper reports 10%
  • Paper presentation(s) 20%
  • Project (group) 50%
  • Peer Review 15%
  • Participation (in-class discussion) 5%

Deadlines

You can check the deadlines on Canvas.

Project Suggestions

You should aim for your course project to be roughly the scope of a workshop paper (i.e., I have this neat idea and I did some preliminary experiments). It is important to scope your work reasonably so that you can deliver before the end of the term. If you embark on a computationally heavy project (e.g., ML-based malware detection), you need to consider computational cost/time when planning your project.

You have relative freedom on the topic as long as it relates to security and/or privacy. You are welcome and encouraged to work on a security topic related to your own area of research expertise. USENIX Security, ACM CCS, IEEE S&P and NDSS are considered top security venues. You may find research inspiration there.

If exploring a new topic seems too daunting a task, you can consider a replication or comparison study. If you embark on such a task, ensure that you have access to the relevant software and/or that the paper(s) you aim to study are sufficiently clear for you to reproduce the work.

You should interact with the teaching team before settling on a particular topic.

Paper reports

For each assigned paper you must write a report. You are to use the USENIX LaTeX template for formatting. You must submit your reports on Canvas. In your report, please follow this structure:

Paper Summary (no more than 250 words)

Provide a brief summary of the paper (3-5 sentences is usually enough). The aim is to demonstrate that you’ve read (and understood) the paper, so try to paraphrase and extract the essentials. At this stage you should aim to be objective; later sections allow for your own opinion.

Answer the following (no more than 750 words in total)

The Problem

What is the problem? Why is it important? Why is previous work insufficient (or why has the problem not been solved before, e.g., it’s a new problem the authors have identified)? This is your take on what the authors say in the paper (so again should be fairly objective). If the paper doesn’t seem to tackle a particular problem, then focus on the primary motivation for the work. 1-2 sentences for each of the three questions is probably sufficient.

The Solution (or Approach)

What is their approach/solution? How does it solve the problem? How is the solution unique and/or innovative (if it is)? What are the details? Once more you should use the paper itself as the source to help you answer these questions, but, as in previous parts, please do not just copy sections from the paper. Instead, you should focus on paraphrasing/synopsizing, and extracting the essential details. Depending on the paper, you’ll probably need 5-10 sentences here.

Evaluation

How do they evaluate their solution? What questions do they set out to answer? What does the evaluation say about the strengths and weaknesses of their system? What do you think are the strengths and weaknesses of the evaluation itself? A total of 3-4 sentences should suffice here – we’re looking for highlights, not a point-by-point reproduction of the evaluation section(s). In the rare case that there is no evaluation section, skip this part of the report.

Questions for the Authors

Imagine you’re attending a talk about this paper given by one of the authors. List at least 2 questions that you would like to ask. These should ideally be specific to the paper/research.

You should submit 16 paper reports (subject to change). The 5 worst report scores will be ignored (this gives you 5 effective jokers).

Project

The project must address a non-trivial problem relevant to systems security. The project can resolve the problem by building a system, collecting data/carrying out experiments, developing algorithms and proving them correct, etc. I strongly prefer that you do your project in a team of 2-3 people. You are encouraged to apply techniques from your main area of expertise to the topic of security (e.g., perform intrusion detection using ML techniques).

You should plan to schedule some time to chat about your project idea with me. Please do not hesitate to send me an e-mail as soon as you want to discuss it.

The required project deliverables are listed below. Written submissions will be made through HotCRP and must be formatted using the USENIX LaTeX template.

  • Project Proposal Draft: You are to submit the draft of your proposal on HotCRP. It will not be directly graded but will receive reviews from your peers.
  • Proposal Presentation: You will prepare a short presentation describing the project you intend to work on. Each presentation will be followed by a Q&A session. Presentation timing and details TBD.
  • Proposal Peer Review: Each student will review proposals from other groups and give feedback. You should take this task seriously. Please check the CCS-inspired guidelines online.
  • Project Proposal: You should incorporate feedback from the peer review process. I also strongly encourage you to schedule time to chat with me.
  • Project Report Draft: You are to submit the draft of your report on HotCRP. It will not be directly graded but will receive reviews from your peers.
  • Project Presentation: You will prepare a presentation describing your project. I encourage you to demo your project during your talk. Each presentation will be followed by a Q&A session. Presentation timing and details TBD.
  • Report Peer Review: As per the proposal stage, you will be asked to review the reports from other teams. Please check the CCS-inspired guidelines online.
  • Project Report: You should incorporate feedback from the peer review process. I also strongly encourage you to schedule time to chat with me.

Proposal Instructions

Your proposal should be short (at most 4 pages). The main objective is to assess the viability of the proposed project. You are expected to have completed a limited amount of work at this stage.

It must contain the following elements:

  • Problem statement (4 paragraphs): Paragraph 1) At a high level, what is the problem area you are working on, and why is it important? It is important to set the larger context here. Why is the problem of interest and importance to the larger community? Paragraph 2) What is the specific problem considered in this paper? This paragraph narrows down the topic area of the paper. In the first paragraph, you have established general context and importance. Here you describe a specific context and background. Paragraph 3) What general approach are you planning to take? Why do you expect significant results? You won’t have done the work at this stage, but you should think about the results you expect to obtain. Paragraph 4) At a high level, what are the differences between what you are doing and what others have done?
  • Related Work (1 page): There are two types of related work: background work and contextual work. Background work includes contributions that are required to understand your work. They must be described in sufficient detail so that any of your classmates can understand what you are doing and why. Contextual work is necessary to help the readers place your work and identify your contributions. This includes past contributions you build upon in your own solution, work that solves the same problem but in different ways, and contributions from adjacent areas (solving a similar problem in a different domain). It is important to remember that doing something differently is not a contribution. It must be clear why you are taking an alternative approach (e.g., you exercise different trade-offs, improve performance, etc.). You may have yet to perform an exhaustive literature review when submitting the proposal. Still, you need to have identified important work, know where to look for more, and clearly understand how your proposal differs from previous work. If you identify flaws in past work that you aim to address, identify and state them clearly. If you have yet to read all the papers you intend to read, you should list all those you have identified and plan to read. You should also identify areas/domains where you plan to look for relevant work. However, you should explicitly compare your proposed solution to some previous work (a few sentences per publication are enough).
  • Experimental setup (1 page): What experiments will you conduct? Why? What question is each experiment designed to answer? What do you hope to learn from each experiment? What measurement tools will you use? How will you determine if your measurements are accurate? What tests will you conduct conditionally? (For example, if we learn X from experiment 1, then we must do A else do B.) What problems do you expect? This part is essential to receive meaningful feedback and plan your research. This is where most of the proposal effort should go.
  • Resources Needed (<1 page): What equipment/software/tools will you need? Do you have access to them? How could you get access? You do not want to find out, midway through the project, that you need access to resources that are not available.
  • Schedule (<1 page): You should be as precise as you can, identify important milestones, and make sure you allocate time to write the report and incorporate peer feedback.
  • Distinction from Thesis (1-2 paragraphs): You can and you are encouraged to work on a topic related to your thesis. However, your project must be distinct from your main research. You must make this distinction explicit (in some cases, a single sentence is enough).

Proposal Presentation

The proposal presentation should last no more than 15 minutes. You should expect questions at the end of the presentation and may allow questions during the presentation. You should clearly explain what problem you are planning to explore and why it is an important problem. You should walk your audience through your research plan and how you are planning to evaluate the outcome of your project. The presentation should be accessible to a knowledgeable but non-expert audience. The presentation is graded as a group; how you want to present is the responsibility of the group members.

Audience members should read through the proposal they have been assigned to review beforehand and be ready to ask some questions. This should be non-adversarial and with the intent of helping your classmates.

Progress Presentations

The progress presentations are mid-point checks to ensure your project is heading in the right direction. They will be an opportunity to get feedback from your peers and the teaching team. You should refer back to your original proposal (and/or previous progress report), discussing how far along you are and what remains to be done. You should also discuss any unexpected deviation from your original plan (e.g., things that did not work as originally planned). The presentation should not last more than 15 minutes; be prepared to answer questions. The presentation is graded as a group; how you want to present is the responsibility of the group members.

Report Instructions

You should write your final report as you would write a research paper. Your report should be at least 6 pages and at most 8 pages, including figures and tables, but excluding references and the ethics, open science, and use of AI statements. Be sure to highlight your work’s limitations honestly and discuss when your results did not meet your expectations/hypothesis. Try to explain why this happens. I expect some of the reports you submit to be suitable to be turned into conference submissions. I am more than happy to work with you to make it happen. You MUST include a link to the software artifact(s) backing your paper.

Drawing inspiration from the USENIX Security 2026 policies, please include three statements with your submission: an Ethics statement, an Open Science statement, and a Use of AI statement. The Ethics statement should explain how you considered ethical issues throughout your research. The Open Science statement should describe the steps you took to make your work usable and reproducible by others, such as sharing code, data, or documentation when possible. The Use of AI statement should clearly describe whether and how AI tools were used during the research and writing process. These statements may be as brief or as detailed as appropriate for your project.

Final Presentation

The final presentation should not last more than 20 minutes. You should expect 5/10 minutes of questions at the end of the presentation. Your presentation must discuss the motivation behind your work, the design of your solution, the evaluation you have performed, and, explicitly, any limitations of your work. The presentation should be accessible to a knowledgeable but non-expert audience. The presentation is graded as a group; how you want to present is the responsibility of the group members.

Audience members should read through the final report they have been assigned to review beforehand and be ready to ask some questions. This should be non-adversarial and with the intent of helping your classmates.

Policies

Late Policy

You will receive a 0 for late work unless you have an approved extension.

For individual assignments, the deadline for one assignment can be extended by 24 hours with no penalty to the mark. Extension requests must be made explicitly through e-mail. Extension requests must be made no later than 24 hours past the deadline.

For group tasks, you can request an extension of 24 hours as long as someone in your group has an unused extension. You cannot receive an extension of more than 24 hours for a group deliverable.

Academic honesty and collaboration guidelines

The department has a detailed policy regarding collaboration and plagiarism. You must familiarize yourself with this policy.

Paper reports: You should write your reports individually. You are free to discuss with others, but you must write the reports on your own. You should clearly reference any resources you have used.

Projects: you are free to use any code you find in your project. However, a non-trivial fraction of functionality in your prototype must be constructed by your team. You must cite and attribute sources of the code that you borrow/utilize in your project. When writing the project reports, you should follow the same citation standard as expected from conference papers.