Course Description

This course covers a wide range of advanced topics in the area of Systems Security. A computer system is composed of software, hardware, policies, and practices. Systems security involves both designing and building secure systems, as well as improving and evaluating the security of existing systems. During this course, students will study and present in the classroom recent papers in the area of systems security, write a literature survey on a particular topic, and work on a semester-long project, which will involve designing, implementing, and evaluating a system. Those who take the class should be skilled programmers and should already have some knowledge in the area of systems security.

Detailed information about the course can be found in the syllabus.

Prerequisites

CS-576 Systems Security

Course Material

Grading

Your final grade will be determined by your performance in the following:

Project software and report 45%
Project presentation 5%
Project proposal and literature survey 15%
Proposal presentation 5%
Presentations 20%
Reviews 5%
Attendance 5%

Announcements

1/28/19 If you are taking this course, but do not have access to its Canvas page, please e-mail me immediately.

Course Schedule

1 Monday, January 28, 2019

2 Monday, February 4, 2019

  • Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
  • Practical Control Flow Integrity & Randomization for Binary Executables
  • ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks

3 Monday, February 11, 2019

  • CCured: Type-Safe Retrofitting of Legacy Code
  • Fast Byte-Granularity Software Fault Isolation
  • Code-Pointer Integrity

4 Tuesday, February 19, 2019

  • ShadowReplica: Efficient Parallelization of Dynamic Data Flow Tracking
  • Preventing memory error exploits with WIT
  • Readactor: Practical Code Randomization Resilient to Memory Disclosure

5 Monday, February 25, 2019

  • Architecture-Independent Dynamic Information Flow Tracking
  • GRIFFIN: Guarding Control Flows Using Intel Processor Trace
  • SoftBound: Highly Compatible and Complete Spatial Memory Safety for C

6 Monday, March 4, 2019

  • Shuffler: Fast and Deployable Continuous Code Re-Randomization
  • Untrusted Hosts and Confidentiality: Secure Program Partitioning
  • Adapting Software Fault Isolation to Contemporary CPU Architectures

7 Monday, March 11, 2019

  • Proposal presentations

Monday, March 18, 2019

  • Spring break

8 Monday, March 25, 2019

  • Low-Fat Pointers: Compact Encoding and Efficient Gate-Level Implementation of Fat Pointers for Spatial Safety and Capability-based Security
  • Compiler-assisted Code Randomization
  • MCFI: Modular Control-Flow Integrity

9 Monday, April 1, 2019

  • Control-Flow Bending: On the Effectiveness of Control-Flow Integrity
  • PtrSplit: Supporting General Pointers in Automatic Program Partitioning
  • Cling: A Memory Allocator to Mitigate Dangling Pointers

10 Monday, April 8, 2019

  • Last-Level Cache Side-Channel Attacks are Practical
  • No Need to Hide: Protecting Safe Regions on Commodity Hardware
  • A Software-Hardware Architecture for Self-Protecting Data

11 Monday, April 15, 2019

  • Flip Feng Shui: Hammering a Needle in the Software Stack
  • Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications
  • Fides: Selectively Hardening Software Application Components against Kernel-level or Process-level Malware

12 Monday, April 22, 2019

  • Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks
  • Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads
  • TaintDroid: An Information-Flow Tracking System for Realtime Privacy

13 Monday, April 29, 2019

  • Meltdown: Reading Kernel Memory from User Space
  • The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later
  • Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks

14 Monday, May 6, 2019

  • Project presentations

Optional Reading Material

Isolation

  • How to Run POSIX Apps in a Minimal Picoprocess
  • Practical and Effective Sandboxing for Non-root Users

Information flow

  • HDFI: Hardware-Assisted Data-flow Isolation
  • Enabling Refinable Cross-Host Attack Investigation with Efficient Data Flow Tagging and Tracking

Control-flow Integrity

  • Control-Flow Integrity - Principles, Implementations, and Applications
  • Practical Context-Sensitive CFI
  • Per-Input Control-Flow Integrity
  • CCFI: Cryptographically Enforced Control Flow Integrity
  • Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM
  • A Tough Call: Mitigating Advanced Code-Reuse Attacks at the Binary Level

Memory & type safety

  • HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security
  • Stack Bounds Protection with Low Fat Pointers
  • Delta Pointers: Buffer Overflow Checks Without the Checks

Attacks

  • Q: Exploit Hardening Made Easy
  • Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization
  • Out Of Control: Overcoming Control-Flow Integrity
  • Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection
  • Framing Signals - A Return to Portable Shellcode
  • Position-independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure
  • Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector
  • Undermining Information Hiding (and What to Do about It)
  • Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Moving target defenses

  • Countering code-injection attacks with instruction-set randomization
  • kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
  • On the Effectiveness of Address-Space Randomization

Architectural-level attacks

  • Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing
  • Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

Other defenses

  • CAn’t Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory