Difference between revisions of "Courses/Computer Science/CPSC 601.29.ISSA.W2014"

From wiki.ucalgary.ca
m (Session List and Schedule)
m
Line 13: Line 13:
 
== Session List and Schedule ==
 
== Session List and Schedule ==
  
This is the schedule of papers to read and presentations. Everyone is responsible for reading the "primary readings" each week. Presenters are responsible for reading both the background reading and the primary reading.
+
This is the schedule of papers to read and presentations. Everyone is responsible for reading the "primary reading" each week (1 or 2 papers). Presenters are responsible for reading both the background readings and the primary readings.
  
 
{| class="wikitable" style="text-align: center; width: 920px; height: 180px;"
 
{| class="wikitable" style="text-align: center; width: 920px; height: 180px;"
Line 49: Line 49:
 
! scope="row" | 4  
 
! scope="row" | 4  
 
| 3 Feb.  
 
| 3 Feb.  
|| S1: TBD, S2: TBD
+
|| S1: Laing talk, S2: [http://www.youtube.com/watch?v=FE5CH-tm9cE Exploitation and State Machines] [http://immunityinc.com/infiltrate/archives/Fundamentals_of_exploitation_revisited.pdf PDF slides]
 
|| x  
 
|| x  
 
|| (x, x, x)  
 
|| (x, x, x)  
Line 57: Line 57:
 
! scope="row" | 5  
 
! scope="row" | 5  
 
| 10 Feb.  
 
| 10 Feb.  
|| S1: TBD, S2: TBD  
+
|| S1: Navabisohi talk, S2: TBD  
 
|| x  
 
|| x  
 
|| (x, x, x)  
 
|| (x, x, x)  
Line 73: Line 73:
 
! scope="row" | 7  
 
! scope="row" | 7  
 
| <del>24 Feb.</del> 26 Feb.  
 
| <del>24 Feb.</del> 26 Feb.  
|| S1: TBD, S2: TBD (EDUrange?)
+
|| S1: Rougeau talk, S2: (EDURange/ScapyHunt exercise?)
 
|| x  
 
|| x  
 
|| (x, x, x)  
 
|| (x, x, x)  
Line 136: Line 136:
 
|}
 
|}
  
== Topics ==
+
== High--Level Syllabus / Topics ==
  
 
* Ethics
 
* Ethics
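Review bot: The new heading "== High--Level Syllabus / Topics ==" has a doubled hyphen, which MediaWiki renders literally. Use "High-Level" so the heading and its anchor read correctly.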
Line 154: Line 154:
 
== Papers (Primary Readings) ==
 
== Papers (Primary Readings) ==
  
# "Improving Host Security with System Call Policies" by Niels Provos, 12th USENIX Security Symposium, Washington, DC, August 2003. [http://www.citi.umich.edu/u/provos/papers/systrace.pdf PDF]
+
# (TOPIC: Sandboxing) "Improving Host Security with System Call Policies" by Niels Provos, 12th USENIX Security Symposium, Washington, DC, August 2003. [http://www.citi.umich.edu/u/provos/papers/systrace.pdf PDF]
# "[http://www.stanford.edu/~talg/papers/VMI/abstract.html A Virtual Machine Introspection Architecture for Intrusion Detection]" (NDSS 2003)
+
# (TOPIC: Sandboxing/Policy Enforcement) Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. [http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf Capsicum: practical capabilities for UNIX]. In Proceedings of the 19th USENIX Security Symposium, Washington, DC, August 2010
# [http://static.usenix.org/events/osdi06/tech/full_papers/erlingsson/erlingsson.pdf XFI: Software Guards for System Address Spaces]
+
# (TOPIC: Practical Provable Protection) seL4: http://www.ssrg.nicta.com.au/publications/papers/Klein_EHACDEEKNSTW_09.pdf
# "[http://www.usenix.org/event/usenix08/tech/full_papers/ford/ford.pdf Vx32: Lightweight User-level Sandboxing on the x86]" (USENIX ATC 2008)
+
# (TOPIC: Virtualization) "[http://www.stanford.edu/~talg/papers/VMI/abstract.html A Virtual Machine Introspection Architecture for Intrusion Detection]" (NDSS 2003)
# "[http://src.chromium.org/viewvc/native_client/data/docs_tarball/nacl/googleclient/native_client/documentation/nacl_paper.pdf Native Client: A Sandbox for Portable, Untrusted x86 Native Code]" (Oakland 2009)
+
# (TOPIC: Virtualization) Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. Brendan Dolan-­‐Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. In Proceedings of The 2011 IEEE Symposium on Security and Privacy. Oakland, CA, May 2011.
# seL4: http://www.ssrg.nicta.com.au/publications/papers/Klein_EHACDEEKNSTW_09.pdf
+
# (TOPIC: NIDS/LangSec) Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Mark Handley and Vern Paxson and Christian Kreibich [http://static.usenix.org/publications/library/proceedings/sec01/handley.html USENIX paper [http://www.icir.org/vern/papers/norm-usenix-sec-01-html/ html]
# VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA. [http://pages.cpsc.ucalgary.ca/~locasto/papers/nspw1038-bratus.pdf PDF]
+
# (TOPIC: NIDS/LangSec) Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H Ptacek and Timothy M. Newsham
# Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. [http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf Capsicum: practical capabilities for UNIX]. In Proceedings of the 19th USENIX Security Symposium, Washington, DC, August 2010
+
# SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures (NDSS 2011)
# Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Mark Handley and Vern Paxson and Christian Kreibich [http://static.usenix.org/publications/library/proceedings/sec01/handley.html USENIX paper [http://www.icir.org/vern/papers/norm-usenix-sec-01-html/ html]
+
# TIE: Principled Reverse Engineering of Types in Binary Programs, JongHyup Lee, Thanassis Avgerinos, and David Brumley (NDSS 2011)
 +
# Discovering Semantic Data of Interest from Un-mappable Memory with Confidence by Zhiqiang Lin, Junghwan Rhee, Chao Wu, Xiangyu Zhang and Dongyan Xu (NDSS 2012)
 +
 
 
# Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In the proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005). Alexandria, Virginia. November 2005 http://www.cs.unm.edu/~crandall/ccsdacoda.pdf
 
# Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In the proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005). Alexandria, Virginia. November 2005 http://www.cs.unm.edu/~crandall/ccsdacoda.pdf
 
# [http://www.usenix.org/events/sec09/tech/full_papers/hund.pdf "Return Oriented Rootkits"] by Hund, Holz, and Freiling
 
# [http://www.usenix.org/events/sec09/tech/full_papers/hund.pdf "Return Oriented Rootkits"] by Hund, Holz, and Freiling
  
 
== Papers (Supplemental Readings) ==
 
== Papers (Supplemental Readings) ==
 +
 +
'''Classic Protection Papers'''
  
 
# "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman ([http://portal.acm.org/citation.cfm?id=360303.360333 ACM Digital Library], available via U of C with appropriate network address)
 
# "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman ([http://portal.acm.org/citation.cfm?id=360303.360333 ACM Digital Library], available via U of C with appropriate network address)
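Review bot: The retagged Handley/Paxson/Kreibich entry still has an unbalanced external link: "[http://static.usenix.org/... USENIX paper" is never closed before "[http://www.icir.org/... html]" opens, so the second link renders as raw markup. Close the first bracket after "USENIX paper". Also, the blank lines added ahead of the Crandall entry end the "#" list, so numbering restarts at 1 after item 10. Drop the blank lines if one continuous list is intended. The three new NDSS entries (SigGraph, TIE, Lin et al.) carry neither a TOPIC tag nor a link, unlike the entries above them.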
Line 173: Line 177:
 
# "Protection in an information processing utility" http://www.multicians.org/graham-pipu.pdf
 
# "Protection in an information processing utility" http://www.multicians.org/graham-pipu.pdf
 
# "A hardware architecture for implementing protection rings" http://www.multicians.org/protection.html
 
# "A hardware architecture for implementing protection rings" http://www.multicians.org/protection.html
 +
# "[http://www.cs.virginia.edu/~evans/cs551/saltzer/ The Protection of Information in Computer Systems]" by Jerome H. Saltzer and Michael D. Schroeder
 
# http://nob.cs.ucdavis.edu/history/papers/bell76.pdf (Sections 1 and 2)
 
# http://nob.cs.ucdavis.edu/history/papers/bell76.pdf (Sections 1 and 2)
 
# http://nob.cs.ucdavis.edu/history/CD/biba75.pdf (Abstract, Section 1 and 2)
 
# http://nob.cs.ucdavis.edu/history/CD/biba75.pdf (Abstract, Section 1 and 2)
# "[http://www.cs.virginia.edu/~evans/cs551/saltzer/ The Protection of Information in Computer Systems]" by Jerome H. Saltzer and Michael D. Schroeder
+
 
 +
'''Sandboxing / Policy Enforcement'''
 +
 
 +
# [http://static.usenix.org/events/osdi06/tech/full_papers/erlingsson/erlingsson.pdf XFI: Software Guards for System Address Spaces]
 +
# "[http://www.usenix.org/event/usenix08/tech/full_papers/ford/ford.pdf Vx32: Lightweight User-level Sandboxing on the x86]" (USENIX ATC 2008)
 +
# "[http://src.chromium.org/viewvc/native_client/data/docs_tarball/nacl/googleclient/native_client/documentation/nacl_paper.pdf Native Client: A Sandbox for Portable, Untrusted x86 Native Code]" (Oakland 2009)
 +
# "[http://static.usenix.org/events/osdi08/tech/full_papers/zeldovich/zeldovich_html/index.html Hardware Enforcement of Application Security Policies Using Tagged Memory]" (OSDI 2008)
 +
# "[http://static.usenix.org/events/hotos05/final_papers/full_papers/krohn/krohn.pdf Make Least Privilege a Right (Not a Privilege)]" (HotOS 2005)
 
# F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.
 
# F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.
# Smashing The Kernel Stack For Fun And Profit http://www.phrack.org/issues.html?issue=60&id=6&mode=txt
+
 
 +
'''Exploits and Weird Machines'''
 +
 
 +
 
 +
'''Defensive Weird Machines (i.e., Countermeasures)'''
  
 
# [http://www.usenix.org/event/usenix2000/general/baratloo.html "Transparent Runtime Defense Against Stack Smashing Attacks"]
 
# [http://www.usenix.org/event/usenix2000/general/baratloo.html "Transparent Runtime Defense Against Stack Smashing Attacks"]
 
# [http://www.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks"]
 
# [http://www.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks"]
 
# [http://www.usenix.org/events/sec03/tech/full_papers/cowan/cowan.pdf PointGuard(TM): Protecting Pointers From Buffer Overflow Vulnerabilities]
 
# [http://www.usenix.org/events/sec03/tech/full_papers/cowan/cowan.pdf PointGuard(TM): Protecting Pointers From Buffer Overflow Vulnerabilities]
 
 
 
# [http://www.cs.unm.edu/~immsec/publications/hotos-97.pdf "Building Diverse Computer Systems"]
 
# [http://www.cs.unm.edu/~immsec/publications/hotos-97.pdf "Building Diverse Computer Systems"]
 
# [http://www.cs.unm.edu/~gbarrant/p315-barrantes.pdf "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks"]
 
# [http://www.cs.unm.edu/~gbarrant/p315-barrantes.pdf "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks"]
# [http://www1.cs.columbia.edu/~angelos/Papers/instructionrandomization.pdf|"Countering Code-Injection Attacks with Instruction-Set Randomization"]]  
+
# [http://www1.cs.columbia.edu/~angelos/Papers/instructionrandomization.pdf "Countering Code-Injection Attacks with Instruction-Set Randomization"]
  
# [http://users.ece.cmu.edu/~adrian/630-f04/readings/wilander-comparison.pdf "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention"]
+
'''Virtualization, Monitoring, Inspection'''
# [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=60&type=2 RIPE:Runtime Intrusion Prevention Evaluator]
 
# [http://cseweb.ucsd.edu/~hovav/papers/sppgmb04.html "On the Effectiveness of Address Space Randomization"]
 
  
 +
# "Mystifying the debugger for ultimate stealthiness" http://www.phrack.org/issues.html?issue=65&id=8&mode=txt
 
# Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. [http://www.csl.sri.com/users/neumann/insiderisks06.html#196 html]
 
# Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. [http://www.csl.sri.com/users/neumann/insiderisks06.html#196 html]
# Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. Brendan Dolan-­‐Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. In Proceedings of The 2011 IEEE Symposium on Security and Privacy. Oakland, CA, May 2011.  
+
# VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA. [http://pages.cpsc.ucalgary.ca/~locasto/papers/nspw1038-bratus.pdf PDF]
# "Mystifying the debugger for ultimate stealthiness" http://www.phrack.org/issues.html?issue=65&id=8&mode=txt
 
# "[http://static.usenix.org/events/osdi08/tech/full_papers/zeldovich/zeldovich_html/index.html Hardware Enforcement of Application Security Policies Using Tagged Memory]" (OSDI 2008)
 
# "[http://static.usenix.org/events/hotos05/final_papers/full_papers/krohn/krohn.pdf Make Least Privilege a Right (Not a Privilege)]" (HotOS 2005)
 
 
# [http://www.cc.gatech.edu/~giffin/papers/ndss11/SG11.pdf Efficient Monitoring of Untrusted Kernel-Mode Execution] (NDSS 2011)
 
# [http://www.cc.gatech.edu/~giffin/papers/ndss11/SG11.pdf Efficient Monitoring of Untrusted Kernel-Mode Execution] (NDSS 2011)
  
 +
'''ROP, anti-ROP'''
 
   
 
   
 
# traditional return-to-libc: "Getting around non-executable stack (and fix)" Solar Designer http://www.clip.dia.fi.upm.es/~alopez/bugs/bugtraq2/0287.html
 
# traditional return-to-libc: "Getting around non-executable stack (and fix)" Solar Designer http://www.clip.dia.fi.upm.es/~alopez/bugs/bugtraq2/0287.html
 
# return-to-libc: Nergal, "[http://phrack.org/issues.html?issue=58&id=4 Advanced return-into-lib(c) Exploits: PaX Case Study]," Phrack 58:4
 
# return-to-libc: Nergal, "[http://phrack.org/issues.html?issue=58&id=4 Advanced return-into-lib(c) Exploits: PaX Case Study]," Phrack 58:4
 
# Return-oriented programming: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham. In Proceedings of CCS 2007, pages 552–561. ACM Press, Oct. 2007.  http://cseweb.ucsd.edu/~hovav/papers/s07.html
 
# Return-oriented programming: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham. In Proceedings of CCS 2007, pages 552–561. ACM Press, Oct. 2007.  http://cseweb.ucsd.edu/~hovav/papers/s07.html
# Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H Ptacek and Timothy M. Newsham
+
 
 +
'''LangSec'''
 +
 
 
# http://pages.cpsc.ucalgary.ca/~locasto/papers/model-polymorphic-decoders.pdf On the Infeasibility of Modeling Polymorphic Shellcode. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Angelos D. Keromytis, and Salvatore J. Stolfo. In the Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007). pp. 541--551. October 2007, Alexandria, VA.
 
# http://pages.cpsc.ucalgary.ca/~locasto/papers/model-polymorphic-decoders.pdf On the Infeasibility of Modeling Polymorphic Shellcode. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Angelos D. Keromytis, and Salvatore J. Stolfo. In the Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007). pp. 541--551. October 2007, Alexandria, VA.
 
# [http://www.cs.jhu.edu/~sam/ccs243-mason.pdf English Shellcode] Mason, Small, Monrose, MacManus. CCS 2009.
 
# [http://www.cs.jhu.edu/~sam/ccs243-mason.pdf English Shellcode] Mason, Small, Monrose, MacManus. CCS 2009.
  
== Videos (to watch) ==
+
'''Security Measurement, Benchmarking'''
 +
 
 +
# [http://users.ece.cmu.edu/~adrian/630-f04/readings/wilander-comparison.pdf "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention"]
 +
# [http://www.acsac.org/2011/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=60&type=2 RIPE:Runtime Intrusion Prevention Evaluator]
 +
# [http://cseweb.ucsd.edu/~hovav/papers/sppgmb04.html "On the Effectiveness of Address Space Randomization"]
 +
# http://research.microsoft.com/apps/pubs/default.aspx?id=66830
 +
# "Secure open source collaboration: an empirical study of Linus' law" http://dl.acm.org/citation.cfm?doid=1653662.1653717
 +
# http://www.hpl.hp.com/techreports/2012/HPL-2012-63R1.html
 +
# [http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=69 Familiarity Breeds Contempt: The Honeymoon Effect and The Role of Legacy Code in Zero-Day Vulnerabilities]
  
# Thomas Dullien and Halvar Flake "Exploitation and State Machines" [http://immunityinc.com/infiltrate/archives/Fundamentals_of_exploitation_revisited.pdf PDF] [http://www.youtube.com/watch?v=FE5CH-tm9cE video]
 
  
 
= Miscellaneous Links =
 
= Miscellaneous Links =
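Review bot: Removing "== Videos (to watch) ==" together with its single entry drops the speaker attribution for "Exploitation and State Machines". The schedule row for 3 Feb. now carries only the title plus the video and slide links. Consider keeping the speaker credit next to the schedule link or in a supplemental entry. Separately, the new '''Exploits and Weird Machines''' subheading is added with no entries beneath it, so it renders as an empty section.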
Line 223: Line 243:
 
* [http://www.cs.cmu.edu/~rwh/papers/langsec/dagstuhl.pdf A Language-Based Approach to Security]. Fred B. Schneider, Greg Morrisett, and Robert Harper2
 
* [http://www.cs.cmu.edu/~rwh/papers/langsec/dagstuhl.pdf A Language-Based Approach to Security]. Fred B. Schneider, Greg Morrisett, and Robert Harper2
 
* LKM signing by bx: http://cs.dartmouth.edu/~bx/code-signing/talks/shmoocon-2014.pdf
 
* LKM signing by bx: http://cs.dartmouth.edu/~bx/code-signing/talks/shmoocon-2014.pdf
* http://research.microsoft.com/apps/pubs/default.aspx?id=66830
+
* Smashing The Kernel Stack For Fun And Profit http://www.phrack.org/issues.html?issue=60&id=6&mode=txt
* "Secure open source collaboration: an empirical study of Linus' law" http://dl.acm.org/citation.cfm?doid=1653662.1653717
+
 
* http://www.hpl.hp.com/techreports/2012/HPL-2012-63R1.html
 
  
 
== Ethics and OPSEC ==
 
== Ethics and OPSEC ==
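Review bot: "Smashing The Kernel Stack For Fun And Profit" is moved out of the supplemental readings into Miscellaneous Links, while the newly added '''Exploits and Weird Machines''' subheading is left empty. If that heading is meant to collect exploitation write-ups, this entry looks like it belongs there rather than in the miscellaneous list.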

Revision as of 20:47, 27 January 2014

Information Systems Security Analysis

A graduate seminar on systems security.

Logistics

The course is held once per week from 4pm to 6:45pm in ICT 616. There will be a short break around 5:15pm.

Policies

This is a graduate seminar. Your grade is based on your ability to critically assess and present research work in the field of systems security. You will have the opportunity to make three presentations.

Session List and Schedule

This is the schedule of papers to read and presentations. Everyone is responsible for reading the "primary reading" each week (1 or 2 papers). Presenters are responsible for reading both the background readings and the primary readings.

Sessions
Session Date Topic Primary Readings Background Readings Presenter
1 13 Jan. Introduction, Overview Hacking the Abacus: Chapter 2 1 2 3 Locasto
2 20 Jan. S1: History of Memory Corruption, S2: ibid 1 2 3 4 5 slides Locasto
3 27 Jan. S1: Chukuka talk, S2: Heap Feng Shui paper1 (s1, s4, s5) Chukuka
4 3 Feb. S1: Laing talk, S2: Exploitation and State Machines PDF slides x (x, x, x) Laing
5 10 Feb. S1: Navabisohi talk, S2: TBD x (x, x, x) Navabisohi
6 17 Feb. no class: reading week no class catch up on readings (none)
7 26 Feb. (originally 24 Feb.) S1: Rougeau talk, S2: (EDURange/ScapyHunt exercise?) x (x, x, x) Rougeau
8 3 March S1: TBD, S2: TBD x (x, x, x) Chukuka
9 10 March S1: TBD, S2: TBD x (x, x, x) Laing
10 17 March S1: TBD, S2: TBD x (x, x, x) Navabisohi
11 24 March S1: TBD, S2: TBD x (x, x, x) Rougeau
12 31 March S1: TBD, S2: TBD x (x, x, x) Chukuka
13 7 April S1: TBD, S2: TBD x (x, x, x) Laing
14 14 April S1: TBD, S2: TBD x1, x2 (x, x, x) Navabisohi, Rougeau

High-Level Syllabus / Topics

  • Ethics
  • Code Injection (Attacks and Countermeasures)
    • stack
    • heap
    • return-to-libc, ROP
    • countermeasures
      • Artificial Diversity
      • Defensive Weird Machines
  • Isolation, Approaches to System Instrumentation
  • Virtualization and Security
  • IDS
    • Confusion, Parsing
    • Filtering and Reverse Engineering Network Protocols and File Formats

Papers (Primary Readings)

  1. (TOPIC: Sandboxing) "Improving Host Security with System Call Policies" by Niels Provos, 12th USENIX Security Symposium, Washington, DC, August 2003. PDF
  2. (TOPIC: Sandboxing/Policy Enforcement) Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. Capsicum: practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium, Washington, DC, August 2010
  3. (TOPIC: Practical Provable Protection) seL4: http://www.ssrg.nicta.com.au/publications/papers/Klein_EHACDEEKNSTW_09.pdf
  4. (TOPIC: Virtualization) "A Virtual Machine Introspection Architecture for Intrusion Detection" (NDSS 2003)
  5. (TOPIC: Virtualization) Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. Brendan Dolan-Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. In Proceedings of The 2011 IEEE Symposium on Security and Privacy. Oakland, CA, May 2011.
  6. (TOPIC: NIDS/LangSec) Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Mark Handley and Vern Paxson and Christian Kreibich. USENIX paper; html: http://www.icir.org/vern/papers/norm-usenix-sec-01-html/
  7. (TOPIC: NIDS/LangSec) Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H Ptacek and Timothy M. Newsham
  8. SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures (NDSS 2011)
  9. TIE: Principled Reverse Engineering of Types in Binary Programs, JongHyup Lee, Thanassis Avgerinos, and David Brumley (NDSS 2011)
  10. Discovering Semantic Data of Interest from Un-mappable Memory with Confidence by Zhiqiang Lin, Junghwan Rhee, Chao Wu, Xiangyu Zhang and Dongyan Xu (NDSS 2012)
  1. Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In the proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005). Alexandria, Virginia. November 2005 http://www.cs.unm.edu/~crandall/ccsdacoda.pdf
  2. "Return Oriented Rootkits" by Hund, Holz, and Freiling

Papers (Supplemental Readings)

Classic Protection Papers

  1. "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman (ACM Digital Library, available via U of C with appropriate network address)
  2. "The (Almost) Complete History of Memory Corruption Attacks" http://prezi.com/iemlmzvpnk_d/the-almost-complete-history-of-memory-corruption-attacks/
  3. Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp 18-24 PDF
  4. "Protection in an information processing utility" http://www.multicians.org/graham-pipu.pdf
  5. "A hardware architecture for implementing protection rings" http://www.multicians.org/protection.html
  6. "The Protection of Information in Computer Systems" by Jerome H. Saltzer and Michael D. Schroeder
  7. http://nob.cs.ucdavis.edu/history/papers/bell76.pdf (Sections 1 and 2)
  8. http://nob.cs.ucdavis.edu/history/CD/biba75.pdf (Abstract, Section 1 and 2)

Sandboxing / Policy Enforcement

  1. XFI: Software Guards for System Address Spaces
  2. "Vx32: Lightweight User-level Sandboxing on the x86" (USENIX ATC 2008)
  3. "Native Client: A Sandbox for Portable, Untrusted x86 Native Code" (Oakland 2009)
  4. "Hardware Enforcement of Application Security Policies Using Tagged Memory" (OSDI 2008)
  5. "Make Least Privilege a Right (Not a Privilege)" (HotOS 2005)
  6. F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.

Exploits and Weird Machines


Defensive Weird Machines (i.e., Countermeasures)

  1. "Transparent Runtime Defense Against Stack Smashing Attacks"
  2. "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks"
  3. PointGuard(TM): Protecting Pointers From Buffer Overflow Vulnerabilities
  4. "Building Diverse Computer Systems"
  5. "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks"
  6. "Countering Code-Injection Attacks with Instruction-Set Randomization"

Virtualization, Monitoring, Inspection

  1. "Mystifying the debugger for ultimate stealthiness" http://www.phrack.org/issues.html?issue=65&id=8&mode=txt
  2. Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. html
  3. VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA. PDF
  4. Efficient Monitoring of Untrusted Kernel-Mode Execution (NDSS 2011)

ROP, anti-ROP

  1. traditional return-to-libc: "Getting around non-executable stack (and fix)" Solar Designer http://www.clip.dia.fi.upm.es/~alopez/bugs/bugtraq2/0287.html
  2. return-to-libc: Nergal, "Advanced return-into-lib(c) Exploits: PaX Case Study," Phrack 58:4
  3. Return-oriented programming: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham. In Proceedings of CCS 2007, pages 552–561. ACM Press, Oct. 2007. http://cseweb.ucsd.edu/~hovav/papers/s07.html

LangSec

  1. http://pages.cpsc.ucalgary.ca/~locasto/papers/model-polymorphic-decoders.pdf On the Infeasibility of Modeling Polymorphic Shellcode. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Angelos D. Keromytis, and Salvatore J. Stolfo. In the Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007). pp. 541--551. October 2007, Alexandria, VA.
  2. English Shellcode Mason, Small, Monrose, MacManus. CCS 2009.

Security Measurement, Benchmarking

  1. "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention"
  2. RIPE: Runtime Intrusion Prevention Evaluator
  3. "On the Effectiveness of Address Space Randomization"
  4. http://research.microsoft.com/apps/pubs/default.aspx?id=66830
  5. "Secure open source collaboration: an empirical study of Linus' law" http://dl.acm.org/citation.cfm?doid=1653662.1653717
  6. http://www.hpl.hp.com/techreports/2012/HPL-2012-63R1.html
  7. Familiarity Breeds Contempt: The Honeymoon Effect and The Role of Legacy Code in Zero-Day Vulnerabilities


Miscellaneous Links


Ethics and OPSEC

  1. http://www.cs.dartmouth.edu/~sws/pubs/pretending.pdf
  2. http://www.prisonexp.org/
  3. http://sunnyday.mit.edu/papers/therac.pdf
  4. http://www.acm.org/about/code-of-ethics
  5. http://stallman.org/articles/on-hacking.html
  6. http://www.theatlantic.com/technology/archive/12/07/if-hackers-didnt-exist-governments-would-have-to-invent-them/259463/
  7. http://www.phrack.org/issues.html?issue=68&id=16&mode=txt Lines in the Sand: Which Side Are You On in the Hacker Class War
  8. Mindset: http://www.nukees.com/d/20070328.html
  9. It's OK to let students hack: http://geekout.blogs.cnn.com/2012/04/23/students-chow-down-on-cyber-security-weaknesses/?hpt=hp_bn10
  10. On "The Research Value of Publishing Attacks" http://cacm.acm.org/magazines/2012/11/156578-the-research-value-of-publishing-attacks/abstract
  11. ethics of error prevention: http://www.infoq.com/presentations/error-prevention-ethics
  12. http://cacm.acm.org/magazines/2013/7/165490-plenty-more-hacker-motivations/fulltext
  13. http://www.slideshare.net/grugq/opsec-for-hackers

News

  1. http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/