Teaching

Current teaching

COMPGA11: Research in Information Security

The aims of this course are for students to develop an understanding of what research in information security is about, how to identify a contribution, what the quality standards in scientific publications are, and to study selected technical sub-topics in depth. Students will read original scientific literature, present the key contributions of the work (in both written form and as a presentation), and discuss the works’ ethical implications and suitability of the methodology used.

  • Syllabus
  • Moodle page (UCL students only)
  • Office hours will be held on Thursdays at 11:45–12:45 in 5.03 MPEB in Term 1 (2017/18 academic year). Before coming, please visit this webpage to check if there are any alterations.
    • No office hours on 7 December. Please email if you would like to make an alternative appointment.

Slides (2016/17)

Taught postgraduate course at University College London (core module of the MSc Information Security (ISec))

Computer Security: Current Applications and Research

In this seminar course we turn our attention to active research topics in computer security at the Computer Laboratory. One unifying theme is how to build secure systems at scale that contain more secure and less secure components. Building on the lessons from multilevel secure systems and security protocols discussed in the first course, we will explore infrastructure versus applications; services versus clients; the use of smartcards and other cryptographic processors; API security; and failure modes from covert channels to concurrency vulnerabilities.

Guest lecturer in R210 – Computer Security: Current Applications and Research, Computer Laboratory, University of Cambridge (2012/13–).

Banking Security: Attacks & Defences

This lecture provides an introduction to payment card and online banking security mechanisms and the fraud techniques which are designed to break or bypass these measures. An overview of the EMV protocol is given, along with an illustration of how skimming attacks and the no-PIN attack exploit protocol weaknesses. The man-in-the-browser attack is outlined, along with how transaction authentication is intended to defend against it.

Guest lecturer in COMPGA03 – Introduction to Cryptography, University College London: slides (2014/15)

Also presented as an invited lecture as part of 3F6: Software Engineering, Department of Engineering, University of Cambridge: slides (2014/15)

Anonymous Communications and Tor

The history of anonymous communications on the Internet dates back to the early 1980s, but since then there have been dramatic changes in how anonymous communication systems have been built and how they have been used. In this lecture I will describe some of these key changes, and what has motivated them. These include the web taking over from email as the major means of communications, and users of anonymous communication systems prioritising censorship-resistance over privacy. The growing popularity of anonymous communication systems has also led to commercial and political realities affecting how projects are run and software is designed. In particular, I will discuss how the Tor software has changed, and the Tor project evolved in this environment. I will conclude by summarising what might be the future for anonymous communication systems and how they may have to adapt themselves to changing circumstances.

Invited lecturer in Security II, Computer Laboratory, University of Cambridge: slides (2014/15)

Previous teaching

Introduction to Trusted Execution Environments (TEE) (2013/14)

Learning objectives for this lecture are for students to:

  • understand what a TEE is and why it is of interest;
  • appreciate the range of standards and products that offer TEE capability;
  • be able to describe the basic building blocks of a typical TEE;
  • compare the attack resistance of a TEE product w.r.t. security evaluated smart cards;
  • contrast ownership and management issues w.r.t. a traditional smart card/SIM model.

Invited lecturer in IY5606: Smart Cards/Token Security and Applications, Royal Holloway, University of London: slides (2013/14)

Online Payment Methods (2013/14)

This lecture discusses online payment methods, including payment schemes such as Visa and MasterCard, contrasting card-present and card-not-present transactions. Attacks against online banking systems are described, along with the techniques used to defend against them. The EMV-CAP authentication scheme is outlined, along with the potential weaknesses it introduces. Typical methods for integrating online payments into a website are described, including how 3D-Secure attempts to reduce card-not-present fraud. Other innovative payment techniques are introduced, including SOFORT Überweisung and mobile payments.

Invited lecturer in COMPM041: Web Economics, University College London: slides (2013/14)

Principles and Foundations of Computer Security (2012/13)

This seminar course aims to provide students with an introduction to the history and central themes of computer security, from its 1970s foundations to some current research topics, with a theme of how to defend cloud-based systems against capable motivated opponents. The course considers first local computer systems and then distributed systems; however, we will rapidly discover that this is an artificial distinction that only becomes more awkward as we enter the current period. Throughout the course, we will consider proposed systems along with the adversarial research intended to identify gaps and vulnerabilities.

Part III/ACS (taught postgraduate) course in the Computer Laboratory, University of Cambridge.

Security II (2011/12)

This course aims to give students a thorough understanding of computer security technology. This includes high-level issues such as security policy (modelling what ought to be protected) and engineering (how we can obtain assurance that the protection provided is adequate). It also involves the protection mechanisms supported by modern processors and operating systems; cryptography and its underlying mathematics; electrical engineering issues such as emission security and tamper resistance; and a wide variety of attacks ranging from network exploits through malicious code to protocol failure. At the end of the course students should be able to tackle an information protection problem by drawing up a threat model, formulating a security policy, and designing specific protection mechanisms to implement the policy.

Part II (3rd year undergraduate) course in the Computer Laboratory, University of Cambridge.

Slides (2011/12)

Operating and Distributed System Security (2011/12)

This seminar course aims to provide students with an introduction to the history and central themes of operating system and distributed system security, from its 1970s foundations to current research into how to defend cloud-based systems against capable motivated opponents. The course considers first local computer systems and then distributed systems; however, we will rapidly discover that this is an artificial distinction that only becomes more awkward as we enter the current period. Throughout the course, we will consider proposed systems along with the adversarial research intended to identify gaps and vulnerabilities.

Part III/ACS (taught postgraduate) course in the Computer Laboratory, University of Cambridge.

Introduction to Security (2009/10)

This course is a broad introduction to both computer security and cryptography. It covers important basic concepts and techniques. By the end of the course students should:

  • be familiar with some common security terms and concepts
  • have a basic understanding of some commonly used attack techniques and protection mechanisms
  • have gained basic insight into aspects of modern cryptography and its applications
  • appreciate the range of meanings that “security” has across different applications

Part 1B (2nd year undergraduate) course in the Computer Laboratory, University of Cambridge: slides (2009/10)