CS 8803 SS: Software Security
Spring 2007
Instructor
Dr. Jon Giffin
Email: giffin@cc
Phone: 4/385-1060
Office: Klaus 3140
Office hours: Mon & Wed 2:00–3:00
Meetings
Cherry Emerson 320
1:05–1:55 MWF
Grading
Daily discussion participation: 25%
Exercise 1: 10%
Exercise 2: 10%
Project proposal: 10%
Project report: 25%
Project presentation: 20%
Absences
This is a topics class where we discuss research papers as a small group in each session, and it works most effectively when you attend and actively participate in the discussions. A significant portion of the grade in the course is hence dependent upon daily participation. You can only participate if you attend, so a failure to show up will hurt your participation grade. Excused absences include travel to conferences if you are traveling on one or more class days. Upcoming paper deadlines are not excused absences: please plan your schedule to fit both class and paper writing. (Also unexcused: in-laws in town, cooking peas, washing socks, ...)
Homeworks
- Homework 1 [pdf] [Supplementary hw1.tgz]
- Homework 2 [pdf] [Supplementary hw2.tgz]
- Project [pdf]
Schedule
| Date | Topic | Reading | Link |
|---|---|---|---|
| Jan 8 | Course introduction | ||
| Jan 10 | Attacks | [Spa89] | [pdf] |
| Jan 12 | Attacks | [Tho84] | [pdf] |
| Jan 17 | Attacks; Attack exercise 1 assigned | [GSJ+05] | [pdf] |
| Jan 19 | Attacks | [MCI+01] | [pdf] |
| Jan 22 | Reverse engineering and tamper resistance | [LD03] | [pdf] |
| Jan 24 | Reverse engineering and tamper resistance | [SLS+05] | [pdf] |
| Jan 26 | Reverse engineering and tamper resistance | [WOS05] | [pdf] |
| Jan 29 | Foundations of intrusion detection | [Den86] | [pdf] |
| Jan 31 | Foundations of intrusion detection | [Sch00] | [pdf] |
| Feb 2 | Foundations of intrusion detection; Exercise 1 due | ||
| Feb 5 | Behavior-based intrusion detection; Exercise 2 assigned | [IKP95] | [pdf] |
| Feb 7 | Behavior-based intrusion detection | [FHS+96] | [pdf] |
| Feb 9 | Behavior-based intrusion detection | ||
| Feb 12 | Behavior-based intrusion detection | [WD01] | [pdf] |
| Feb 14 | Behavior-based intrusion detection | [ABE+05] | [pdf] |
| Feb 16 | Behavior-based intrusion detection; Exercise 2 due | ||
| Feb 19 | Behavior-based intrusion detection; Project assigned | [WS02] | [pdf] |
| Feb 21 | Behavior-based intrusion detection | [GJM06] | [pdf] |
| Feb 23 | Behavior-based intrusion detection | ||
| Feb 26 | Exploit-based intrusion detection | [BSD05] | [pdf] |
| Feb 28 | Exploit-based intrusion detection | [NS05] | [pdf] |
| Mar 2 | Exploit-based intrusion detection; Project proposals due | ||
| Mar 5 | Exploit-based intrusion detection | [WK03] | [pdf] |
| Mar 7 | Self-healing software | [XNK+05] | [pdf] |
| Mar 9 | Self-healing software | [SK05] | [pdf] |
| Mar 12 | Self-healing software | [LS05] | [pdf] |
| Mar 14 | Self-healing software | ||
| Mar 16 | Virtual machine based security | [GR03] | [pdf] |
| Mar 26 | Virtual machine based security | [BCI06] | [pdf] |
| Mar 28 | Virtual machine based security | [GPC+03] | [pdf] |
| Mar 30 | Virtual machine based security | ||
| Apr 2 | Virtual machine based security | [KCW+06] | [pdf] |
| Apr 4 | Program redesign | [BS04] | [pdf] |
| Apr 6 | Program redesign | ||
| Apr 9 | Programming language based security | [NMW02] | [pdf] |
| Apr 11 | Programming language based security | [SW06] | [pdf] |
| Apr 13 | Programming language based security | ||
| Apr 16 | Software verification | [KR02] | [pdf] |
| Apr 18 | Software verification | [WKP80] | [pdf] |
| Apr 20 | Software verification | ||
| Apr 23 | Analysis of real-world software | [MCM06] | [pdf] |
| Apr 25 | Analysis of real-world software | [KSR+04] | [pdf] |
| Apr 27 | Analysis of real-world software | ||
| May 3 | Project reports due | ||
Reading list
Attacks
- [Spa89] E.H. Spafford. Crisis and aftermath. Communications of the ACM, 32(2), June 1989.
- [Tho84] K. Thompson. Reflections on trusting trust. Communications of the ACM, 27(8), August 1984.
- [GSJ+05] V. Ganapathy, S.A. Seshia, S. Jha, T.W. Reps, and R.E. Bryant. Automatic discovery of API-level exploits. 27th International Conference on Software Engineering. St. Louis, Missouri, May 2005.
- [MCI+01] B.P. Miller, M. Christodorescu, R. Iverson, T. Kosar, A. Mirgorodskii, and F. Popovici. Playing inside the black box: Using dynamic instrumentation to create security holes. Parallel Processing Letters, 11(2/3), 2001.
Reverse engineering and tamper resistance
- [LD03] C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. 10th ACM Conference on Computer and Communications Security. Washington, DC, October 2003.
- [SLS+05] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla. Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems. 20th ACM Symposium on Operating System Principles. Brighton, United Kingdom, October 2005.
- [WOS05] G. Wurster, P.C. van Oorschot, and A. Somayaji. A generic attack on checksumming-based software tamper resistance. IEEE Symposium on Security and Privacy. Oakland, California, May 2005.
Foundations of intrusion detection
- [Den86] D.E. Denning. An intrusion-detection model. IEEE Symposium on Security and Privacy. Oakland, California, April 1986.
- [Sch00] F.B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1), February 2000.
Behavior-based intrusion detection
- [IKP95] K. Ilgun, R.A. Kemmerer, and P.A. Porras. State transition analysis: A rule-based intrusion detection approach. IEEE Transactions on Software Engineering, 21(3), March 1995.
- [FHS+96] S. Forrest, S.A. Hofmeyr, A. Somayaji, and T.A. Longstaff. A sense of self for UNIX processes. IEEE Symposium on Security and Privacy. Oakland, California, May 1996.
- [WD01] D. Wagner and D. Dean. Intrusion detection via static analysis. IEEE Symposium on Security and Privacy. Oakland, California, May 2001.
- [ABE+05] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. 12th ACM Conference on Computer and Communications Security. Alexandria, Virginia, November 2005.
- [WS02] D. Wagner and P. Soto. Mimicry attacks on host based intrusion detection systems. 9th ACM Conference on Computer and Communications Security. Washington, DC, November 2002.
- [GJM06] J.T. Giffin, S. Jha, and B.P. Miller. Automated discovery of mimicry attacks. 9th International Symposium on Recent Advances in Intrusion Detection. Hamburg, Germany, September 2006.
Exploit-based intrusion detection
- [BSD05] S. Bhatkar, R. Sekar, and D. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. 14th USENIX Security Symposium. Baltimore, Maryland, August 2005.
- [NS05] J. Newsome and D.X. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. 12th Network and Distributed System Security Symposium. San Diego, California, February 2005.
- [WK03] J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. 10th Network and Distributed System Security Symposium. San Diego, California, February 2003.
Self-healing software
- [XNK+05] J. Xu, P. Ning, C. Kil, Y. Zhai, and C. Bookholt. Automatic diagnosis and response to memory corruption vulnerabilities. ACM Symposium on Computer and Communications Security. Alexandria, Virginia, November 2005.
- [SK05] S. Sidiroglou and A.D. Keromytis. Countering network worms through automatic patch generation. IEEE Security and Privacy, 3(6), November 2005.
- [LS05] Z. Liang and R. Sekar. Fast and automated generation of attack signatures: A basis for building self-protecting servers. 12th ACM Conference on Computer and Communications Security. Alexandria, Virginia, November 2005.
Virtual machine based security
- [GR03] T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. Network and Distributed System Security Symposium. San Diego, California, February 2003.
- [BCI06] A. Baliga, X. Chen, and L. Iftode. Paladin: Automated detection and containment of rootkit attacks. Rutgers University Department of Computer Science Technical Report #DCS-TR-593, January 2006.
- [GPC+03] T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. Symposium on Operating System Principles. Bolton Landing, New York, October 2003.
- [KCW+06] S.T. King, P.M. Chen, Y.-M. Wang, C. Verbowski, H.J. Wang, and J.R. Lorch. SubVirt: Implementing malware with virtual machines. IEEE Symposium on Security and Privacy. Oakland, California, May 2006.
Program redesign
- [BS04] D. Brumley and D. Song. Privtrans: Automatically partitioning programs for privilege separation. 13th USENIX Security Symposium. San Diego, California, August 2004.
Programming language based security
- [NMW02] G.C. Necula, S. McPeak, and W. Weimer. CCured: type-safe retrofitting of legacy code. 29th Symposium on Principles of Programming Languages. Portland, Oregon, 2002.
- [SW06] Z. Su and G. Wassermann. The essence of command injection attacks in web applications. 33rd Symposium on Principles of Programming Languages. Charleston, South Carolina, January 2006.
Software verification
- [KR02] C. Ko and T. Redmond. Noninterference and intrusion detection. IEEE Symposium on Security and Privacy. Oakland, California, May 2002.
- [WKP80] B.J. Walker, R.A. Kemmerer, and G.J. Popek. Specification and verification of the UCLA Unix security kernel. Communications of the ACM, 23(2), February 1980.
Analysis of real-world software
- [MCM06] B.P. Miller, G. Cooksey, and F. Moore. An empirical study of the robustness of MacOS applications using random testing. First International Workshop on Random Testing. Portland, Maine, July 2006.
- [KSR+04] T. Kohno, A. Stubblefield, A.D. Rubin, and D.S. Wallach. Analysis of an electronic voting system. IEEE Symposium on Security and Privacy. Oakland, California, May 2004.

