Taught by Mathias Payer. Fall semester 2024, 3 credit course.
Unsafe languages like C/C++ are widely used for their great promise of performance. Unfortunately, these languages are prone to a large set of different types of memory and type errors that allow the exploitation of several attack vectors such as code reuse, privilege escalation, or information leaks. On a high level memory and type safety would solve all these problems. Safe languages can (somewhat) cheaply enforce these properties. Unfortunately, these guarantees come at a high cost if retrofitted onto existing languages.
When working with unsafe languages, three fundamental approaches exist to protect against software flaws: formal verification (proving the absence of bugs), software testing (finding bugs), and mitigation (protecting against the exploitation of bugs). In this seminar, we will primarily focus on recent advances in system security by looking at papers from recent top tier conferences.
This seminar explores three areas: the understanding of attack vectors, approaches to software testing, and mitigation strategies. First you need to understand what kind of software flaws exist in low level software and how those flaws can be exploited.
Each student will pick one topic from the list of topics below. Alternatively, the student may suggest a paper from a top tier venue of the last year in security (NDSS, Oakland, SEC, or CCS). The student is expected to organize the material and prepare a presentation of the topic for the other students. The main goals of this seminar are:
Your grade is based on:
Submit your slides until Friday before your presentation so that you can incorporate some feedback for your presentation on Tuesday. For the summary, submit it until Monday night after the presentation, i.e., you have one week for the summary.
The seminar meets Tuesdays from 10:15 to 12:00 in INM203. A draft of the schedule looks as follows but remember that no plan survives contact with reality!
| Date | Paper | Presenter | Scribe |
|---|---|---|---|
| 10/09 | Introduction | Mathias | |
| 17/09 | QUACK: Hindering Deserialization Attacks via Static Duck Typing (NDSS'24) | Luca Carroz | Daniel Bucher |
| 17/09 | Invited talk by Chao Zhang (Research Faculty at Tsinghua) | ||
| 24/09 | Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables (Oakland'24) | Johanna Nuding | Paul Tissot-Daguette |
| 24/09 | Predictive Context-sensitive Fuzzing (NDSS'24) | Paul Tissot-Daguette | Johanna Nuding |
| 24/09 | Rise of Inspectron: Automated Black-box Auditing of Cross-platform Electron Apps (SEC'24) | Houhou Thomas | Xavier Marchon |
| 1/10 | CAMP: Compiler and Allocator-based Heap Memory Protection (SEC'24) | Jonas Sulzer | Julian Levkov |
| 1/10 | Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference (Oakland'24) | Julian Levkov | Jonas Sulzer |
| 1/10 | Vulnerability-oriented Testing for RESTful APIs (USENIX '24) | Rafaila Galanopoulou | Daniel López |
| 8/10 | The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web (Oakland'24*) | Siim Markus Marvet | Maitri Dedhia |
| 8/10 | LMSanitator: Defending Prompt-Tuning Against Task-Agnostic Backdoors (NDSS'24) | Xavier Marchon | Yago Pérez |
| 8/10 | Eavesdropping on Controller Acoustic Emanation for Keystroke Inference Attack in Virtual Reality (NDSS'24*) | Yago Pérez | Diogo Cardoso |
| 15/10 | Spill the TeA: An Empirical Study of Trusted Application Rollback Prevention on Android | Dominique Huang | Shunchang Liu |
| 15/10 | LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and Benchmarks (Oakland'24) | Daniel López | Thomas Houhou |
| 15/10 | From Virtual Touch to Tesla Command: Unlocking Unauthenticated Control Chains From Smart Glasses for Vehicle Takeover (Oakland'24*) | Oscar de Francesca | Alexander Procelewski |
| 22/10 | Holidays | ||
| 29/10 | ShapFuzz: Efficient Fuzzing via Shapley-Guided Byte Selection (NDSS'24) | Alexander Procelewski | Oscar de Francesca |
| 29/10 | PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound (NDSS'24) | Maitri Dedhia | Jonas Scholz |
| 29/10 | DarthShader: Fuzzing WebGPU Shader Translators & Compilers | Solène Husseini | Eugen Bosnjak |
| 5/11 | MetaSafe: Compiling for Protecting Smart Pointer Metadata to Ensure Safe Rust Integrity (SEC'24) | Daniel Bucher | Luca Carroz |
| 5/11 | Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities (Oakland'24*) | Samuel Tepoorten | Raymond Nasr |
| 5/11 | GPU Memory Exploitation for Fun and Profit (SEC'24) | Flavien Jaquerod | Solène Husseini |
| 12/11 | UntrustIDE: Exploiting Weaknesses in VS Code Extensions (NDSS'24*) | Eugen Bosnjak | Flavien Jaquerod |
| 12/11 | Why Aren’t We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication | Raymond Nasr | Samuel Tepoorten |
| 12/11 | EL3XIR: Fuzzing COTS Secure Monitors (SEC'24) | Nadine Al Fadel Raad | Rafaila Galanopoulou |
| 19/11 | No class | ||
| 26/11 | From Chatbots to Phishbots?: Phishing Scam Generation in Commercial Large Language Models (Oakland'24*) | Shunchang Liu | Dominique Huang |
| 26/11 | CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation (CCS'23) | Ahyoung Seo | Siim Markus Marvet |
| 26/11 | K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel (NDSS'24) | Ethan Bai | Sahil Singhvi |
| 3/12 | RustSan: Retrofitting AddressSanitizer for Efficient Sanitization of Rust (SEC'24) | Khalil M'hirsi | Ahyoung Seo |
| 3/12 | File Hijacking Vulnerability: The Elephant in the Room (NDSS'24) | Diogo Cardoso | Iman Attia |
| 3/12 | Go Go Gadget Hammer: Flipping Nested Pointers for Arbitrary Data Leakage (SEC'24) | Rasmus Makiniemi | Ethan Bai |
| 10/12 | Like, Comment, Get Scammed: Characterizing Comment Scams on Media Platforms (NDSS'24*) | Sahil Singhvi | Nadine Al Fadel Raad |
| 10/12 | HYPERPILL: Fuzzing for Hypervisor-bugs by Leveraging the Hardware Virtualization Interface (SEC'24*) | Jonas Scholz | Khalil M'hirsi |
| 10/12 | "False negative - that one is going to kill you." - Understanding Industry Perspectives of Static Analysis based Security Testing (Oakland'24*) | Iman Attia | Rasmus Makiniemi |
| 17/12 | No class |
The length of presentations for research papers should be between around 25 minutes, followed by 10 minutes of discussion (i.e., 35min per slot followed by 5min of feedback/setup). You can structure the presentation as follows:
When preparing the presentation, send a PDF version of your slides to Mathias before your talk to get feedback and submit the final slides right before your talk.
This list is non-exhaustive and the list may be adapted during class and students may suggest other recent software security papers they are interested in. The open book Software Security: Principles, Policies, and Protection1 provides an overview of many topics but does not go into depth for each policy. Similarly, the Eternal War in Memory2 presents an overview of the software security landscape. Crossed out topics have already been selected.
Fuzzing everywhere
ShapFuzz: Efficient Fuzzing via Shapley-Guided Byte Selection (NDSS'24)Predictive Context-sensitive Fuzzing (NDSS'24)Everything is Good for Something: Counterexample-Guided Directed Fuzzing via Likely Invariant Inference (Oakland'24)HyperPill: Fuzzing for Hypervisor-bugs by leveraging the Hardware Virtualization Interface (SEC'24\*)EL3XIR: Fuzzing COTS Secure Monitors (SEC'24)Sanitization is king
CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation (CCS'23)QUACK: Hindering Deserialization Attacks via Static Duck Typing (NDSS'24)LMSanitator: Defending Prompt-Tuning Against Task-Agnostic Backdoors (NDSS'24)RustSan: Retrofitting AddressSanitizer for Efficient Sanitization of Rust (SEC'24)CAMP: Compiler and Allocator-based Heap Memory Protection (SEC'24)DMAAUTH: A Lightweight Pointer Integrity-based Secure Architecture to Defeat DMA Attacks (SEC'24)Languages and interactions
Eavesdropping on Controller Acoustic Emanation for Keystroke Inference Attack in Virtual Reality (NDSS'24\*)UntrustIDE: Exploiting Weaknesses in VS Code Extensions (NDSS'24\*)Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities (Oakland'24\*)LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and Benchmarks (Oakland'24)Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables (Oakland'24)From Chatbots to Phishbots?: Phishing Scam Generation in Commercial Large Language Models (Oakland'24\*)MetaSafe: Compiling for Protecting Smart Pointer Metadata to Ensure Safe Rust Integrity (SEC'24)Spill the TeA: An Empirical Study of Trusted Application Rollback Prevention on Android (SEC'24)Exploits and attacks
File Hijacking Vulnerability: The Elephant in the Room (NDSS'24)Like, Comment, Get Scammed: Characterizing Comment Scams on Media Platforms (NDSS'24\*)K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel (NDSS'24)The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web (Oakland'24\*)Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials (Oakland'24)From Virtual Touch to Tesla Command: Unlocking Unauthenticated Control Chains From Smart Glasses for Vehicle Takeover (Oakland'24\*)Go Go Gadget Hammer: Flipping Nested Pointers for Arbitrary Data Leakage (SEC'24)GPU Memory Exploitation for Fun and Profit (SEC'24)You can find the papers through DBLP or the corresponding websites: