Information Systems Security Analysis

A graduate seminar on systems security.

Logistics

The course is held once per week from 2pm to 4:45pm at a place TBD.

Policies

This is a graduate seminar. Your grade is based on your ability to critically assess and present research work in the field of systems security.

• Summary of 5 readings
• Brief critical essay
• Reproduce an experiment

Session List and Schedule

NB: this section is out of date and needs to be revised for the F2015 semester --MEL

This is the schedule of papers to read and presentations. Everyone is responsible for reading the "primary reading" each week (1 or 2 papers). Presenters are responsible for reading both the background readings and the primary readings.

High--Level Syllabus / Topics

• Ethics
• Code Injection (Attacks and Countermeasures)
  • stack
  • heap
  • return-to-libc, ROP
  • countermeasures
    • Artificial Diversity
    • Defensive Weird Machines
• Isolation, Approaches to System Instrumentation
• Virtualization and Security
• IDS
  • Confusion, Parsing
  • Filtering and Reverse Engineering Network Protocols and File Formats

Papers (Primary Readings)

1. (TOPIC: Sandboxing) "Improving Host Security with System Call Policies" by Niels Provos, 12th USENIX Security Symposium, Washington, DC, August 2003. PDF
2. (TOPIC: Sandboxing/Policy Enforcement) Watson, R. N. M., Anderson, J., Laurie, B., and Kennaway, K. Capsicum: practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium, Washington, DC, August 2010
3. (TOPIC: Virtualization) SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes (SOSP 2007)
4. (TOPIC: NIDS/LangSec) Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Mark Handley and Vern Paxson and Christian Kreibich USENIX paper [http://www.icir.org/vern/papers/norm-usenix-sec-01-html/ html
5. (TOPIC: NIDS/LangSec) Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H Ptacek and Timothy M. Newsham
6. Automatic Network Protocol Analysis by Wondracek et al. (NDSS 2008)
7. Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution by Lin et al., NDSS 2008
8. Tupni: Automatic Reverse Engineering of Input Formats by Cui et al. in CCS 2008
9. Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis. Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song. CCS'07
10. Control Flow Integrity for COTS Binaries by Mingwei Zhang and R. Sekar (USENIX Security 2013 Best Paper) https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/Zhang
11. Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization by Giuffrida et al. (USENIX Security 2012) [1]
12. TIE: Principled Reverse Engineering of Types in Binary Programs, JongHyup Lee, Thanassis Avgerinos, and David Brumley (NDSS 2011)
13. SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures (NDSS 2011)
14. Discovering Semantic Data of Interest from Un-mappable Memory with Confidence by Zhiqiang Lin, Junghwan Rhee, Chao Wu, Xiangyu Zhang and Dongyan Xu (NDSS 2012)
15. (TOPIC: Virtualization) "A Virtual Machine Introspection Architecture for Intrusion Detection" (NDSS 2003)
16. (TOPIC: Virtualization) Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection. Brendan Dolan-­‐Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. In Proceedings of The 2011 IEEE Symposium on Security and Privacy. Oakland, CA, May 2011.
17. (TOPIC: Practical Provable Protection) seL4: http://www.ssrg.nicta.com.au/publications/papers/Klein_EHACDEEKNSTW_09.pdf
18. "Return Oriented Rootkits" by Hund, Holz, and Freiling
19. PrivExec: Private Execution as an Operating System Service by Kaan Onarlioglu (Northeastern University), Collin Mulliner (Northeastern University), William Robertson (Northeastern University), Engin Kirda (Northeastern University) (Oakland 2013)
20. Tachyon: Tandem Execution for Efficient Live Patch Testing by Maurer and Brumley (USENIX Security 2012) https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final227.pdf
21. Jedidiah R. Crandall, Zhendong Su, S. Felix Wu, and Frederic T. Chong. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In the proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005). Alexandria, Virginia. November 2005 http://www.cs.unm.edu/~crandall/ccsdacoda.pdf

Supplemental Papers

1. "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman (ACM Digital Library, available via U of C with appropriate network address)
2. "The (Almost) Complete History of Memory Corruption Attacks" http://prezi.com/iemlmzvpnk_d/the-almost-complete-history-of-memory-corruption-attacks/
3. Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp 18-24 PDF
4. "Protection in an information processing utility" http://www.multicians.org/graham-pipu.pdf
5. "A hardware architecture for implementing protection rings" http://www.multicians.org/protection.html
6. "The Protection of Information in Computer Systems" by Jerome H. Saltzer and Michael D. Schroeder
7. http://nob.cs.ucdavis.edu/history/papers/bell76.pdf (Sections 1 and 2)
8. http://nob.cs.ucdavis.edu/history/CD/biba75.pdf (Abstract, Section 1 and 2)
9. XFI: Software Guards for System Address Spaces
10. "Vx32: Lightweight User-level Sandboxing on the x86" (USENIX ATC 2008)
11. "Native Client: A Sandbox for Portable, Untrusted x86 Native Code" (Oakland 2009)
12. "Hardware Enforcement of Application Security Policies Using Tagged Memory" (OSDI 2008)
13. "Make Least Privilege a Right (Not a Privilege)" (HotOS 2005)
14. F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.
15. "Transparent Runtime Defense Against Stack Smashing Attacks"
16. "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks"
17. PointGuard(TM): Protecting Pointers From Buffer Overflow Vulnerabilities
18. "Building Diverse Computer Systems"
19. "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks"
20. "Countering Code-Injection Attacks with Instruction-Set Randomization"
21. "Mystifying the debugger for ultimate stealthiness" http://www.phrack.org/issues.html?issue=65&id=8&mode=txt
22. Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. html
23. VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA. PDF
24. Efficient Monitoring of Untrusted Kernel-Mode Execution (NDSS 2011)
25. traditional return-to-libc: "Getting around non-executable stack (and fix)" Solar Designer http://www.clip.dia.fi.upm.es/~alopez/bugs/bugtraq2/0287.html
26. return-to-libc: Nergal, "Advanced return-into-lib(c) Exploits: PaX Case Study," Phrack 58:4
27. Return-oriented programming: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham. In Proceedings of CCS 2007, pages 552–561. ACM Press, Oct. 2007. http://cseweb.ucsd.edu/~hovav/papers/s07.html
28. http://pages.cpsc.ucalgary.ca/~locasto/papers/model-polymorphic-decoders.pdf On the Infeasibility of Modeling Polymorphic Shellcode. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Angelos D. Keromytis, and Salvatore J. Stolfo. In the Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007). pp. 541--551. October 2007, Alexandria, VA.
29. English Shellcode Mason, Small, Monrose, MacManus. CCS 2009.
30. "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention"
31. RIPE:Runtime Intrusion Prevention Evaluator
32. "On the Effectiveness of Address Space Randomization"
33. http://research.microsoft.com/apps/pubs/default.aspx?id=66830
34. "Secure open source collaboration: an empirical study of Linus' law" http://dl.acm.org/citation.cfm?doid=1653662.1653717
35. http://www.hpl.hp.com/techreports/2012/HPL-2012-63R1.html
36. Familiarity Breeds Contempt: The Honeymoon Effect and The Role of Legacy Code in Zero-Day Vulnerabilities
37. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=205 Lines of Malicious Code: Insights Into the Malicious Software Industry
38. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=155 Efficient Protection of Kernel Data Structures via Object Partitioning
39. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=229 Distributed Application Tamper Detection Via Continuous Software Updates
40. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=118 Code Shredding: Byte-Granular Randomization of Program Layout for Detecting Code-Reuse Attacks
41. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=223 Securing Untrusted Code via Compiler-Agnostic Binary Rewriting
42. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=57 Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis
43. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=72 Generalized Vulnerability Extrapolation using Abstract Syntax Trees
44. http://acsac.org/2011/openconf/modules/request.php?module=oc_program&action=summary.php&id=178 BareBox: Efficient Malware Analysis on Bare-Metal
45. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=109 Down to the Bare Metal: Using Processor Features for Binary Analysis
46. http://acsac.org/2011/openconf/modules/request.php?module=oc_program&action=summary.php&id=57 deRop: Removing Return-Oriented Programming from Malware
47. http://acsac.org/2011/openconf/modules/request.php?module=oc_program&action=summary.php&id=129 Mitigating Code-Reuse Attacks with Control-Flow Locking
48. Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=31
49. http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=185 Comprehensive Shellcode Detection using Runtime Heuristics
50. http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=119 Analyzing and Improving Linux Kernel Memory Protection: A Model Checking Approach
51. G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=121
52. Fast and Practical Instruction-Set Randomization for Commodity Systems http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=86
53. Hardware Assistance for Trustworthy Systems through 3-D Integration http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=182
54. https://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=summary.php&id=200 Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity

Supplemental Papers (Categorized)

Classic Protection Papers

1. "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman (ACM Digital Library, available via U of C with appropriate network address)
2. "The (Almost) Complete History of Memory Corruption Attacks" http://prezi.com/iemlmzvpnk_d/the-almost-complete-history-of-memory-corruption-attacks/
3. Protection. Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, 1971. Reprinted in ACM Operating Systems Rev. 8, 1 (Jan. 1974), pp 18-24 PDF
4. "Protection in an information processing utility" http://www.multicians.org/graham-pipu.pdf
5. "A hardware architecture for implementing protection rings" http://www.multicians.org/protection.html
6. "The Protection of Information in Computer Systems" by Jerome H. Saltzer and Michael D. Schroeder
7. http://nob.cs.ucdavis.edu/history/papers/bell76.pdf (Sections 1 and 2)
8. http://nob.cs.ucdavis.edu/history/CD/biba75.pdf (Abstract, Section 1 and 2)

Sandboxing / Policy Enforcement

1. XFI: Software Guards for System Address Spaces
2. "Vx32: Lightweight User-level Sandboxing on the x86" (USENIX ATC 2008)
3. "Native Client: A Sandbox for Portable, Untrusted x86 Native Code" (Oakland 2009)
4. "Hardware Enforcement of Application Security Policies Using Tagged Memory" (OSDI 2008)
5. "Make Least Privilege a Right (Not a Privilege)" (HotOS 2005)
6. F. B. Schneider. Enforceable Security Policies. ACM Transactions on Information and System Security, 2(4), Mar. 2000.

Exploits and Weird Machines

Defensive Weird Machines (i.e., Countermeasures)

1. "Transparent Runtime Defense Against Stack Smashing Attacks"
2. "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks"
3. PointGuard(TM): Protecting Pointers From Buffer Overflow Vulnerabilities
4. "Building Diverse Computer Systems"
5. "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks"
6. "Countering Code-Injection Attacks with Instruction-Set Randomization"

Virtualization, Monitoring, Inspection

1. "Mystifying the debugger for ultimate stealthiness" http://www.phrack.org/issues.html?issue=65&id=8&mode=txt
2. Steven M. Bellovin. Virtual machines, virtual security. Communications of the ACM, 49(10), October 2006. “Inside RISKS” column. html
3. VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA. PDF
4. Efficient Monitoring of Untrusted Kernel-Mode Execution (NDSS 2011)

ROP, anti-ROP

1. traditional return-to-libc: "Getting around non-executable stack (and fix)" Solar Designer http://www.clip.dia.fi.upm.es/~alopez/bugs/bugtraq2/0287.html
2. return-to-libc: Nergal, "Advanced return-into-lib(c) Exploits: PaX Case Study," Phrack 58:4
3. Return-oriented programming: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham. In Proceedings of CCS 2007, pages 552–561. ACM Press, Oct. 2007. http://cseweb.ucsd.edu/~hovav/papers/s07.html

LangSec

1. http://pages.cpsc.ucalgary.ca/~locasto/papers/model-polymorphic-decoders.pdf On the Infeasibility of Modeling Polymorphic Shellcode. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Angelos D. Keromytis, and Salvatore J. Stolfo. In the Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007). pp. 541--551. October 2007, Alexandria, VA.
2. English Shellcode Mason, Small, Monrose, MacManus. CCS 2009.

Security Measurement, Benchmarking

1. "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention"
2. RIPE:Runtime Intrusion Prevention Evaluator
3. "On the Effectiveness of Address Space Randomization"
4. http://research.microsoft.com/apps/pubs/default.aspx?id=66830
5. "Secure open source collaboration: an empirical study of Linus' law" http://dl.acm.org/citation.cfm?doid=1653662.1653717
6. http://www.hpl.hp.com/techreports/2012/HPL-2012-63R1.html
7. Familiarity Breeds Contempt: The Honeymoon Effect and The Role of Legacy Code in Zero-Day Vulnerabilities

Miscellaneous Links

• https://www.usenix.org/students
• http://nob.cs.ucdavis.edu/history/seminal.html
• Hacking the Abacus (private release - contact the instructor for a copy)
• Phrack
• Uninformed.org
• IJ of PoC or GTFO http://pocorgtfo.freshdefense.net/
• Locasto's CPSC 525 http://wiki.ucalgary.ca/page/Courses/Computer_Science/CPSC_525.W2013
• http://geer.tinho.net/geer.nro.6xi13.txt
• A Language-Based Approach to Security. Fred B. Schneider, Greg Morrisett, and Robert Harper2
• LKM signing by bx: http://cs.dartmouth.edu/~bx/code-signing/talks/shmoocon-2014.pdf
• Smashing The Kernel Stack For Fun And Profit http://www.phrack.org/issues.html?issue=60&id=6&mode=txt

Ethics and OPSEC

1. http://www.cs.dartmouth.edu/~sws/pubs/pretending.pdf
2. http://www.prisonexp.org/
3. http://sunnyday.mit.edu/papers/therac.pdf
4. http://www.acm.org/about/code-of-ethics
5. http://stallman.org/articles/on-hacking.html
6. http://www.theatlantic.com/technology/archive/12/07/if-hackers-didnt-exist-governments-would-have-to-invent-them/259463/
7. http://www.phrack.org/issues.html?issue=68&id=16&mode=txt Lines in the Sand: Which Side Are You On in the Hacker Class War
8. Mindset: http://www.nukees.com/d/20070328.html
9. It's OK to let students hack: http://geekout.blogs.cnn.com/2012/04/23/students-chow-down-on-cyber-security-weaknesses/?hpt=hp_bn10
10. On "The Research Value of Publishing Attacks" http://cacm.acm.org/magazines/2012/11/156578-the-research-value-of-publishing-attacks/abstract
11. ethics of error prevention: http://www.infoq.com/presentations/error-prevention-ethics
12. http://cacm.acm.org/magazines/2013/7/165490-plenty-more-hacker-motivations/fulltext
13. http://www.slideshare.net/grugq/opsec-for-hackers

News

1. http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/