Course Goals
The course teaches state-of-the-art language-based techniques for increasing the security and reliability of software systems. Complementing other courses on cryptography and security, this course has a strong "systems / programming language / compiler / OS" flavor and covers both static techniques (such as bytecode verification and proof-carrying code) and dynamic techniques (such as inlined reference monitors and stack inspection). The goal is to bring students up to speed
Logistics
Class meets for one hour on Wednesday and for up to three hours on Friday. This is more than normal for a 4-unit class, to account for the professor's conference travel schedule. The normal complement of class time will be distributed over a slightly unusual schedule for this class. All students are expected to attend all lectures (attendance will be taken). Every student is expected to give at least one presentation in class. Students will be graded on (a) their presentation in class and (b) their participation in class discussions.
Preliminary Schedule (will be updated as the quarter proceeds)
Each entry lists Week/Day, Date, Topic (Presenter), and Materials to Read (incomplete list; more papers will be added).

Week 1, Wed, January 7th: Introduction 1 (Michael Franz)

Week 1, Fri, January 9th: Introduction 2 (Michael Franz)

Week 2, Wed, January 14th: Overview

Week 2, Fri, January 16th: no class
Materials to read:
Philip Wadler. Proofs are Programs: 19th Century Logic and 21st Century Computing. (A variant of "New Languages, Old Logic", which appeared in Dr. Dobb's Journal, special supplement on Software in the 21st Century, December 2000.)
Fred B. Schneider, Greg Morrisett, and Robert Harper. A Language-Based Approach to Security. In Informatics: 10 Years Back, 10 Years Ahead, Lecture Notes in Computer Science, Springer-Verlag, Heidelberg, 2001.
David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. Inside the Slammer Worm. IEEE Security & Privacy, Volume 1, Issue 4, 2003.

Week 3, Wed, January 21st: Static Analysis for Security (Mason Chang)
Presented in class:
David A. Wagner. Static Analysis and Computer Security: New Techniques for Software Assurance. Doctoral thesis, UC Berkeley, 2000.
David Wagner and Drew Dean. Intrusion Detection via Static Analysis. In Proceedings of the IEEE Symposium on Security and Privacy, 2001.
D. Larochelle and D. Evans. Statically Detecting Likely Buffer Overflow Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, 2001.
V. Benjamin Livshits and Monica S. Lam. Finding Security Vulnerabilities in Java Applications Using Static Analysis. In Proceedings of the 14th USENIX Security Symposium, 2005.
Additional reading:
Rob Johnson and David Wagner. Finding User/Kernel Pointer Bugs with Type Inference. In Proceedings of the 13th USENIX Security Symposium, 2004.

Week 3, Fri (session a), January 23rd: Buffer Overflow Prevention (Babak Salamat)
Overview:
J. Pincus and B. Baker. Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns. IEEE Security & Privacy, Volume 2, Issue 4, 2004.
"Attack" papers:
Aleph One. Smashing The Stack For Fun And Profit. Phrack, Volume 7, Issue 49.
Úlfar Erlingsson. Low-Level Software Security: Attacks and Defenses. Microsoft Research Technical Report 07-153, 2007.
Hovav Shacham. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2007.
"Defense" papers:
Crispin Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the 7th USENIX Security Symposium, 1998.
Tzi-Cker Chiueh and Fu-Hau Hsu. RAD: A Compile-Time Solution to Buffer Overflow Attacks. In Proceedings of the International Conference on Distributed Computing Systems (ICDCS), 2001.
Sandeep Bhatkar, R. Sekar, and Daniel C. DuVarney. Efficient Techniques for Comprehensive Protection from Memory Error Exploits. In Proceedings of the 14th USENIX Security Symposium, 2005.

Week 3, Fri (session b), January 23rd: Safe Programming Languages (Nityananda Jayadevaprakash)
George C. Necula, Jeremy Condit, Matthew Harren, Scott McPeak, and Westley Weimer. CCured: Type-Safe Retrofitting of Legacy Software. ACM Transactions on Programming Languages and Systems, 27(3), 2005.
Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang. Cyclone: A Safe Dialect of C. In Proceedings of the 2002 USENIX Annual Technical Conference.
Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney. Region-Based Memory Management in Cyclone. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2002.

Week 4, Wed, January 28th: Introduction to Type Theory, Type Inference, and Type Checking (Michael Franz)

Week 4, Fri (session a), January 30th: Typed Assembly Language (Michael Bebenita)
Greg Morrisett, David Walker, Karl Crary, and Neal Glew. From System F to Typed Assembly Language. ACM Transactions on Programming Languages and Systems, 21(3), 1999.
Zhichen Xu, Barton P. Miller, and Thomas Reps. Safety Checking of Machine Code. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2000.
Greg Morrisett, Karl Crary, Neal Glew, Dan Grossman, Richard Samuels, Frederick Smith, David Walker, Stephanie Weirich, and Steve Zdancewic. TALx86: A Realistic Typed Assembly Language. In Proceedings of the ACM SIGPLAN Workshop on Compiler Support for System Software, 1999.

Week 4, Fri (session b), January 30th: Proof Carrying Code (Ryan Johnson)
George C. Necula and Peter Lee. Safe Kernel Extensions Without Run-Time Checking. In Proceedings of the Second USENIX Symposium on Operating Systems Design and Implementation (OSDI), 1996.
George C. Necula. Proof-Carrying Code. In Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 1997.
George C. Necula and Peter Lee. The Design and Implementation of a Certifying Compiler. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 1998.

Week 5: no classes

Week 6, Wed, February 11th: Foundational PCC (Eric Hennigan)
Andrew W. Appel and Amy P. Felty. A Semantic Model of Types and Machine Instructions for Proof-Carrying Code. In Proceedings of the 27th ACM Symposium on Principles of Programming Languages (POPL), 2000.
Karl Crary. Toward a Foundational Typed Assembly Language. In Proceedings of the 30th ACM Symposium on Principles of Programming Languages (POPL), 2003.

Week 6, Fri (session a), February 13th: SQL Injection and Cross-Site Scripting (Alex Yermolovich)
"Attack" papers:
Zhendong Su and Gary Wassermann. The Essence of Command Injection Attacks in Web Applications. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), 2006.
"Defense" papers:
V. Benjamin Livshits and Monica S. Lam. Finding Security Vulnerabilities in Java Applications Using Static Analysis. In Proceedings of the 14th USENIX Security Symposium, 2005.
Øystein Hallaraker and Giovanni Vigna. Detecting Malicious JavaScript Code in Mozilla. In Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems (ICECCS), 2005.
Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2007.
Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In Proceedings of the 16th International Conference on World Wide Web (WWW), 2007.

Week 6, Fri (session b), February 13th: Tainting (Karthik Manivannan)
Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, and Mendel Rosenblum. Understanding Data Lifetime via Whole System Simulation. In Proceedings of the 13th USENIX Security Symposium, 2004.
Jedidiah R. Crandall and Frederic T. Chong. Minos: Control Data Attack Prevention Orthogonal to Memory Model. In Proceedings of the 37th International Symposium on Microarchitecture (MICRO), 2004.
James Newsome and Dawn Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2005.

Week 7, Wed, February 18th: Format String Vulnerabilities (Todd Jackson)
"Attack" papers:
scut / team teso. Exploiting Format String Vulnerabilities.
"Defense" papers:
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. FormatGuard: Automatic Protection from printf Format String Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, 2001.
Pankaj Kohli and Bezawada Bruhadeshwar. FormatShield: A Binary Rewriting Defense Against Format String Attacks. In Proceedings of the 13th Australasian Conference on Information Security and Privacy (ACISP), 2008.
Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner. Detecting Format String Vulnerabilities with Type Qualifiers. In Proceedings of the 10th USENIX Security Symposium, 2001.

Week 7, Fri, February 20th: Large Scale Checking (Hsuan Yang)
The Coverity approach:
Yichen Xie, Andy Chou, and Dawson Engler. ARCHER: Using Symbolic, Path-Sensitive Analysis to Detect Memory Access Errors. In Proceedings of the Symposium on the Foundations of Software Engineering (FSE), 2003.
Junfeng Yang, Ted Kremenek, Yichen Xie, and Dawson Engler. MECA: An Extensible, Expressive System and Language for Statically Checking Security Properties. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), 2003.
Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, and Dawson R. Engler. EXE: Automatically Generating Inputs of Death. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS), 2006.
Other large-scale static analyses:
Benjamin Schwarz, Hao Chen, David Wagner, Geoff Morrison, Jacob West, Jeremy Lin, and Wei Tu. Model Checking an Entire Linux Distribution for Security Violations. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC), 2005.
Brian Hackett, Manuvir Das, Daniel Wang, and Zhe Yang. Modular Checking for Buffer Overflows in the Large. In Proceedings of the 28th International Conference on Software Engineering (ICSE), 2006.

Week 8, Wed, February 25th: Reference Monitors and Software Fault Isolation (Marcelo Cintra)
Fred B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 3(1), February 2000.
Úlfar Erlingsson and Fred B. Schneider. SASI Enforcement of Security Policies: A Retrospective. In Proceedings of the New Security Paradigms Workshop (NSPW), 1999.
Úlfar Erlingsson. The Inlined Reference Monitor Approach to Security Policy Enforcement. Ph.D. thesis, Department of Computer Science, Cornell University, Ithaca, NY. Also Technical Report 2003-1916, Department of Computer Science, Cornell University, 2003.
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-Flow Integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS), 2005.
Stephen McCamant and Greg Morrisett. Evaluating SFI for a CISC Architecture. In Proceedings of the 15th USENIX Security Symposium, 2006.

Week 8, Fri (session a), February 27th: Information Flow (Maxim Lazarov)
Theory:
Dorothy E. Denning. A Lattice Model of Secure Information Flow. Communications of the ACM, May 1976.
Dorothy E. Denning and Peter J. Denning. Certification of Programs for Secure Information Flow. Communications of the ACM, July 1977.
Nevin Heintze and Jon G. Riecke. The SLam Calculus: Programming with Secrecy and Integrity. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), 1998.
Dennis Volpano, Geoffrey Smith, and Cynthia Irvine. A Sound Type System for Secure Flow Analysis. Journal of Computer Security, 4(3), 1996.
Solutions:
Andrew C. Myers and Barbara Liskov. Protecting Privacy Using the Decentralized Label Model. ACM Transactions on Software Engineering and Methodology, 9(4), October 2000.
Andrew C. Myers. JFlow: Practical Mostly-Static Information Flow Control. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL), 1999.
Andrei Sabelfeld and Andrew C. Myers. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communications, 21(1), 2003.

Week 8, Fri (session b), February 27th: End-to-End Information Flow (Gregor Wagner)
Lantian Zheng, Stephen Chong, Andrew C. Myers, and Steve Zdancewic. Using Replication and Partitioning to Build Secure Distributed Systems. In Proceedings of the IEEE Symposium on Security and Privacy, 2003.
Heng Yin, Dawn Song, Manuel Egele, Engin Kirda, and Christopher Kruegel. Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2007.

Week 9, Wed, March 4th: Intrinsically Safe Code (Michael Franz)
Wolfram Amme, Niall Dalton, Jeffery von Ronne, and Michael Franz. SafeTSA: A Type Safe and Referentially Secure Mobile-Code Representation Based on Static Single Assignment Form. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2001.
Wolfram Amme, Jeffery von Ronne, and Michael Franz. SSA-Based Mobile Code: Implementation and Empirical Evaluation. ACM Transactions on Architecture and Code Optimization (TACO), 4(2), Article 13, June 2007.

Week 9, Fri: no class

Week 10: no classes