Paper Reviews

As mentioned in the syllabus, each lecture will be accompanied by a short student-led presentation and discussion of an assigned paper. Another student will be required to take notes during the discussion and write up a summary of what was discussed on the HowToHack wiki. All students are expected to read the paper before coming to class that week. In order to explain how these presentations will be graded, I'll be using guidelines posted by Michael Hicks for his Software Security class at UMD.

Presentations: Students making presentations will be graded on the following criteria:

  • understanding: does the presenter understand the material?
  • thoughtfulness: does the presenter have insights and opinions beyond what was in the paper?
  • clarity: can the audience understand the presentation? is the "big picture" clear? are there useful examples?
  • materials: do the slides or use of blackboard illustrate and support the talk? are there diagrams to help convey the technicalities? (when your talk gets into deep territory, a diagram is worth 10K words)
  • delivery: has the presenter practiced?
  • non-regurgitation: did the presenter do something beyond simply typing sections of the paper as bullet points? did the presenter motivate the ideas in their own words or just state ideas from the paper verbatim?
  • answering questions: can the presenter handle questions from the audience?

Remember that you will likely be able to explain more detail than you can hope to cover in a single lecture. This is one reason that it's hard work to prepare a good presentation: not only do you need to understand the paper, but you need to filter out the irrelevant details and amplify the key arguments. You'll probably have to omit entire sections of the paper from your talk -- don't worry about it. Simply mimicking the structure of the paper ("regurgitating it") tends to produce a disconnected sequence of boring facts. A good talk should tell a story; every idea should be motivated, and all facts should fit together in a coherent picture. Telling such a story in a short time often requires creating your own explanations, motivation, and examples. I would recommend reading some advice by Simon Peyton Jones on giving good presentations.

Required Readings

The application security class will be reviewing the following papers in the Spring 2012 semester, broken down into several broad categories and arranged roughly in the order they should be presented in the class. Students should choose which papers they want to present via the Google Form posted on Blackboard.

Threat Modeling and Secure Design

Vulnerability Analysis

Exploit Mitigations
Web Security