Course Description:

Cyberattacks are becoming more and more sophisticated. State-funded attackers are spending tremendous time and effort to infiltrate organizations (e.g., enterprise and government agencies) leveraging stealthy and advanced techniques (e.g., zero-day exploits).

To fight back against those attackers, there are various advanced techniques proposed by researchers and industry. As attackers break into systems in various ways, to build a fundamental protection against these attackers require techniques across various layers of software and fundamental understanding of the system as well as attackers.

• This course will cover recent advances in cyberattack prevention and analysis via program analysis and reverse-engineering. In particular, we will focus on understanding recent advances in the topics by reading, presenting, and discussing details of recent publications in top security conferences (S&P, USENIX Security, CCS, and NDSS).
• Students will learn (1) how to analyze vulnerabilities and exploits to understand root causes of the attack, and come up with fundamental solutions, (2) how to investigate sophisticated cyberattacks in order to pinpoint and discover how attackers infiltrate systems and what they did (e.g., leak secrets), and (3) how we can leverage program analysis techniques in order to automate the above tasks and make the software more secure.
• Students will (1) read recent academic papers carefully and present the essence of papers, (2) learn how to implement advanced dynamic and static analysis used in attack prevention and investigation, and (3) learn how to conduct a system security research that builds fundamental software.
• Why this course? This course is for you if you are interested in learning fundamental principles and techniques to analyze and prevent cyberattacks including malicious programs, (zero-day) exploits, and complex attacks that consist of multiple-stages. You are interested in reading and understanding cutting-edge research papers and eventually wanting to publish top-tier security papers. If we find a promising project out of the course, we can develop it into a publication and I will fund your travel for a conference presentation.
• Students may need basic knowledge or experience in system programming in C (assembly is a big plus). Experience in dynamic program analysis tools (e.g., Intel Pin, DynamoRIO), static program analysis tools (e.g., LLVM), and/or reverse-engineering tools (e.g., IDA Disassembler, OllyDbg, Immunity Debugger) is very welcomed.

Assessment:

This class has no exam. The grading is based on projects and presentations.

• Presentation: 10%
• Required Projects: 45% (3 introductory projects; each 15%)
• Individual Project: 35% (1 advanced individual project)
• Class participation: 10%

There will be opportunities for extra credits (e.g., questions/presentations/projects).

Topics:

Dynamic Program Analysis

• Data-flow tracking
• Control-flow tracking

Static Program Analysis

• Data-flow analysis
• Control-flow analysis
• Pointer/alias analysis

Reverse-engineering

• Evasive techniques
• Code obfuscation/de-obfuscation

Operating System Security

• Sandboxing/isolation, Fault localization
• Record and replay based analysis
• Audit-logging

Web Security

• Script Language Security (JS/Flash)
• Browser Security
• Malicious Advertisement

Mobile Security

• Security Issues on Android/iOS
• Program Analysis techniques for Mobile Platforms

IoT Security

• Security Issues on heterogeneous IoT platforms
• Improving IoT security via program analysis

Reading List:

This reading list includes representative publications that will be covered during this class. Papers will be added during the semester. Please use them to understand high-level themes of the class topics.

Tips: How to read academic papers

Particularly for systems security papers: (1) Read Abstract -> Introduction -> Conclusion, (2) Find and read a motivation (representative) example or case studies. They include a complete (and often realistic) story and how the proposed idea solves the problem with newly proposed methods.

Dynamic/Static Analysis Frameworks

• Pin: building customized program analysis tools with dynamic instrumentation [PLDI'05]
• Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation [PLDI'07]
• LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation [CGO'04]

Data-flow tracking and Data-flow analysis

• libdft: Practical Dynamic Data Flow Tracking for Commodity Systems [VEE'12]
• A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware [NDSS'12]
• LDX: Causality Inference by Lightweight Dual Execution [ASPLOS'16]

Control-flow tracking and Control-flow analysis

• Control-Flow Integrity [MSR-TR-05-18]
• Efficient Path Encoding [MICRO'96]
• Precise Calling Context Encoding [ICSE'10]
• LDX: Causality Inference by Lightweight Dual Execution [ASPLOS'16]

Evasive techniques

• Evading android runtime analysis via sandbox detection [ASIACCS'14]
  • Detecting Malware and Sandbox Evasion Techniques [SANS InfoSec Reading Room]
  • News Article
• X-Force: Force-Executing Binary Programs for Security Applications [USENIX'14]
• Revolver: An Automated Approach to the Detection of Evasive Web-based Malware [SP'13]

Code obfuscation/de-obfuscation

• Deobfuscation of virtualization-obfuscated software: a semantics-based approach [CCS'11]
• LOOP: Logic-Oriented Opaque Predicate Detection in Obfuscated Binary Code [CCS'15]
• Code obfuscation against symbolic execution attacks [ACSAC'16]

Record and replay / N-version systems

• Intrusion recovery using selective re-execution [OSDI'10]
• Record and transplay: partial checkpointing for replay debugging across heterogeneous systems [SIGMETRICS'11]
• Transparent Mutable Replay for Multicore Debugging and Patch Validation [ASPLOS'13]
• Varan the Unbelievable: An Efficient N-version Execution Framework [ASPLOS'15]

Audit-logging

• High Accuracy Attack Provenance via Binary-Based Execution Partition [NDSS'13]
• LogGC: Garbage Collecting Audit Log [CCS'13]
• Efficient patch-based auditing for web application vulnerabilities [OSDI'12]

Web/Browser Security

• The Security Architecture of the Chromium Browser
• UCognito: Private Browsing without Tears [CCS'15]
• WebCapsule: Towards a Lightweight Forensic Engine For Web Browsers [CCS'15]
• Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting [NDSS'18]
• FlashDetect: ActionScript 3 malware detection [RAID'12]
• The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites [NDSS'13]

Sandboxing/isolation, Fault localization

• Native Client: A Sandbox for Portable, Untrusted x86 Native Code [SP'09]

Mobile/IoT Security

• iRiS: Vetting Private API Abuse in iOS Applications [CCS'15]
• GUITAR: Piecing Together Android App GUIs from Memory Images. [CCS'15]
• Fear and Logging in the Internet of Things [NDSS'18]
• IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing [NDSS'18]
• Sensitive Information Tracking in Commodity IoT [USENIX'18]

Machine Learning (Added)

• Learning from Mutants: Using Code Mutation to Learn and Monitor Invariants of a Cyber-Physical System
• DeepXplore: Automated Whitebox Testing of Deep Learning Systems
• Towards Deep Learning Models Resistant to Adversarial Attacks