CS-510 Topics in Software Security

Taught by Mathias Payer. Fall semester 2024, 3 credit course.

News

Course overview

Unsafe languages like C/C++ are widely used for their great promise of performance. Unfortunately, these languages are prone to a large set of different types of memory and type errors that allow the exploitation of several attack vectors such as code reuse, privilege escalation, or information leaks. On a high level memory and type safety would solve all these problems. Safe languages can (somewhat) cheaply enforce these properties. Unfortunately, these guarantees come at a high cost if retrofitted onto existing languages.

When working with unsafe languages, three fundamental approaches exist to protect against software flaws: formal verification (proving the absence of bugs), software testing (finding bugs), and mitigation (protecting against the exploitation of bugs). In this seminar, we will primarily focus on recent advances in system security by looking at papers from recent top tier conferences.

This seminar explores three areas: the understanding of attack vectors, approaches to software testing, and mitigation strategies. First you need to understand what kind of software flaws exist in low level software and how those flaws can be exploited.

Each student will pick one topic from the list of topics below. Alternatively, the student may suggest a paper from a top tier venue of the last year in security (NDSS, Oakland, SEC, or CCS). The student is expected to organize the material and prepare a presentation of the topic for the other students. The main goals of this seminar are:

  1. understanding and defining the security policy and corresponding guarantees/trade-offs implemented by given work;
  2. reasoning about the power and effectiveness (completeness in regard to attack vectors covered, strength of the guarantees, and effectiveness) of different security policies (and being able to compare between them);
  3. reasoning on the computational and resource cost of mechanisms and possible downsides;
  4. alternative implementations of the policy at other levels of abstraction.
  5. developing skills to present a technical topic in computer science to an audience of peers;
  6. learning how to identify possible research topics and articulating differences to existing related work.

Your grade is based on:

  1. technical presentation of your topic (60%);
  2. writing a two page summary of a colleague's presentation and paper (30%); the suggested layout is to use the first page for the summary of the paper, one column as a summary of the class discussion and the final column with your own reflections; use the Usenix template for the summary;
  3. active participation in class which includes reading the assigned papers and asking questions/participating in the discussions (10%).

Submit your slides until Friday before your presentation so that you can incorporate some feedback for your presentation on Tuesday. For the summary, submit it until Monday night after the presentation, i.e., you have one week for the summary.

Schedule

The seminar meets Tuesdays from 10:15 to 12:00 in INM203. A draft of the schedule looks as follows but remember that no plan survives contact with reality!

Date Paper Presenter Scribe
10/09 Introduction Mathias
17/09 QUACK: Hindering Deserialization Attacks via Static Duck Typing (NDSS'24) Luca Carroz Daniel Bucher
17/09 Invited talk by Chao Zhang (Research Faculty at Tsinghua)
24/09 Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables (Oakland'24) Johanna Nuding Paul Tissot-Daguette
24/09 Predictive Context-sensitive Fuzzing (NDSS'24) Paul Tissot-Daguette Johanna Nuding
24/09 Rise of Inspectron: Automated Black-box Auditing of Cross-platform Electron Apps (SEC'24) Houhou Thomas Xavier Marchon
1/10 CAMP: Compiler and Allocator-based Heap Memory Protection (SEC'24) Jonas Sulzer Julian Levkov
1/10 Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference (Oakland'24) Julian Levkov Jonas Sulzer
1/10 Vulnerability-oriented Testing for RESTful APIs (USENIX '24) Rafaila Galanopoulou Daniel López
8/10 The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web (Oakland'24*) Siim Markus Marvet Maitri Dedhia
8/10 LMSanitator: Defending Prompt-Tuning Against Task-Agnostic Backdoors (NDSS'24) Xavier Marchon Yago Pérez
8/10 Eavesdropping on Controller Acoustic Emanation for Keystroke Inference Attack in Virtual Reality (NDSS'24*) Yago Pérez Diogo Cardoso
15/10 Spill the TeA: An Empirical Study of Trusted Application Rollback Prevention on Android Dominique Huang Shunchang Liu
15/10 LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and Benchmarks (Oakland'24) Daniel López Thomas Houhou
15/10 From Virtual Touch to Tesla Command: Unlocking Unauthenticated Control Chains From Smart Glasses for Vehicle Takeover (Oakland'24*) Oscar de Francesca Alexander Procelewski
22/10 Holidays
29/10 ShapFuzz: Efficient Fuzzing via Shapley-Guided Byte Selection (NDSS'24) Alexander Procelewski Oscar de Francesca
29/10 PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound (NDSS'24) Maitri Dedhia Jonas Scholz
29/10 DarthShader: Fuzzing WebGPU Shader Translators & Compilers Solène Husseini Eugen Bosnjak
5/11 MetaSafe: Compiling for Protecting Smart Pointer Metadata to Ensure Safe Rust Integrity (SEC'24) Daniel Bucher Luca Carroz
5/11 Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities (Oakland'24*) Samuel Tepoorten Raymond Nasr
5/11 GPU Memory Exploitation for Fun and Profit (SEC'24) Flavien Jaquerod Solène Husseini
12/11 UntrustIDE: Exploiting Weaknesses in VS Code Extensions (NDSS'24*) Eugen Bosnjak Flavien Jaquerod
12/11 Why Aren’t We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication Raymond Nasr Samuel Tepoorten
12/11 EL3XIR: Fuzzing COTS Secure Monitors (SEC'24) Nadine Al Fadel Raad Rafaila Galanopoulou
19/11 No class
26/11 From Chatbots to Phishbots?: Phishing Scam Generation in Commercial Large Language Models (Oakland'24*) Shunchang Liu Dominique Huang
26/11 CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation (CCS'23) Ahyoung Seo Siim Markus Marvet
26/11 K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel (NDSS'24) Ethan Bai Sahil Singhvi
3/12 RustSan: Retrofitting AddressSanitizer for Efficient Sanitization of Rust (SEC'24) Khalil M'hirsi Ahyoung Seo
3/12 File Hijacking Vulnerability: The Elephant in the Room (NDSS'24) Diogo Cardoso Iman Attia
3/12 Go Go Gadget Hammer: Flipping Nested Pointers for Arbitrary Data Leakage (SEC'24) Rasmus Makiniemi Ethan Bai
10/12 Like, Comment, Get Scammed: Characterizing Comment Scams on Media Platforms (NDSS'24*) Sahil Singhvi Nadine Al Fadel Raad
10/12 HYPERPILL: Fuzzing for Hypervisor-bugs by Leveraging the Hardware Virtualization Interface (SEC'24*) Jonas Scholz Khalil M'hirsi
10/12 "False negative - that one is going to kill you." - Understanding Industry Perspectives of Static Analysis based Security Testing (Oakland'24*) Iman Attia Rasmus Makiniemi
17/12 Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials (Oakland'24) Olena Zavertiaieva

Topic presentations

The length of presentations for research papers should be between around 25 minutes, followed by 10 minutes of discussion (i.e., 35min per slot followed by 5min of feedback/setup). You can structure the presentation as follows:

  1. Motivation of the paper (1-2 slides, ~5 minutes)
  2. Key research questions (1-2 slides, ~5 minutes)
  3. Presentation of the core design and implementation of the research paper (4-8 slides, ~10 minutes)
  4. Evaluation of the security policy (2-3 slides, ~5 minutes)
  5. Material for discussion: advantages, disadvantages, limitations of the approach (2-3 slides, ~5 minutes)
  6. Summary slide of the paper: policy, defense property (at which point in memory model), implementation (language, compiler, or runtime)

When preparing the presentation, send a PDF version of your slides to Mathias before your talk to get feedback and submit the final slides right before your talk.

Topics

This list is non-exhaustive and the list may be adapted during class and students may suggest other recent software security papers they are interested in. The open book Software Security: Principles, Policies, and Protection1 provides an overview of many topics but does not go into depth for each policy. Similarly, the Eternal War in Memory2 presents an overview of the software security landscape. Crossed out topics have already been selected.

Fuzzing everywhere

Sanitization is king

Languages and interactions

Exploits and attacks

You can find the papers through DBLP or the corresponding websites:

References


  1. Software Security: Principles, Policies, and Protection. Mathias Payer↩︎

  2. SoK: Eternal War in Memory. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. In Oakland'13: Proc. Int'l Symp. on Security and Privacy, 2013.↩︎