CAP6135: Malware and Software
Vulnerability Analysis
(Spring
2013)
Home
Schedule notes
Assignment
Class 1 (01/07): Course
introduction, Software
security introduction
Class 2 (01/09): Software
security intro (continue); Basic
network security introduction
Class 3 (01/16): basic
network security (continue)
after class reading materials: "Smashing The Stack
For Fun And Profit", Alpha
One
"Buffer
Overflows: Attacks and Defenses for the Vulnerability of the
Decade," Crispin Cowan, et al.
Class 4 (01/23): basic
network security (continue) (written notes)
Class 5 (01/28): term project description
(possible term project
topic) ; Stack Overflow I: Attack
Introduction
Class 6 (01/30): Stack overflow I
(continue)
Class 7 (02/04): Stack Overflow
example using GDB, Project 1 is
assigned and due Feb. 17th midnight via Canvas (written notes)
Class 8 (02/06): Stack Overflow II: Defense
Class 9 (02/11):
Find Software Bugs
Class 10 (02/13): Find software bugs (continue); Introduce instructor's ACSAC'07 best student award paper on
fuzzing (written notes)
Class 11 (02/18): Example
of man-made vulnerable code (fuzzTest-target.c, fuzzTest100.c ) and
explanation slides; Programming project 2 is
assigned and due Mar. 17th midnight; Term project proposal
slides are due Feb. 26th midnight
Class 12 (02/20): Explanation
of program project 2;
Class 13 (02/25): Program
Verification & Other Types of Vulnerabilities
Class 14 (02/27): Term project proposal presentation
Class 15 (03/11): Paper presentation and
summary; Email Spam
Class 16 (03/13): Email spam (continue); Homework 1
(email spam) is assigned and due Mar. 24th
(03/18): Class cancelled due to
school closing
Class 17 (03/20):
Network
Traffic Monitoring Using Wireshark; Programming
project 3 is assigned and due Apr. 6th midnight
Class 18 (03/25): Wireshark
(continue);
Cody McMahon: "Protecting
Browsers from Extension Vulnerabilities"
Omar Hachum: "Dude, where’s
that IP? Circumventing measurement-based IP geolocation"
Class 19 (03/27):
Jose Sanchez: "IntScope:
Automatically Detecting Integer Overflow Vulnerability in X86
Binary Using Symbolic Execution"
Swati Tripathi: "TaintScope:
A Checksum-Aware Directed Fuzzing Tool for Automatic Software
Vulnerability Detection"
Class 20 (04/01): Diego
Velasquez: "Automated
Whitebox Fuzz Testing"
Carlos.LeonTovar: "Vanish:
Increasing Data Privacy with Self-Destructing Data"
Class 21 (04/03):
Ahmed Alyammahi: "Detecting
Spammers on Social Networks"
Fawaz Al Fahmi: "Click
Trajectories: End-to-End Analysis of the Spam Value Chain"
Class 22 (04/08): Ruaa
Abdulrahman: "Countering
Kernel Rootkits with Lightweight Hook Protection"
Chris Zorn: "CryptDB:
Protecting Confidentiality with Encrypted Query Processing"
Class 23 (04/10): Kai
Li: "I
can be you: Questioning the use of Keystroke Dynamics as
Biometrics"
John Cain: "Hey,
You, Get Off of My Cloud: Exploring Information Leakage in
Third-Party Compute Clouds"
Class 24 (04/15): Toby Tobkin: "TaintDroid:
An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphone"
Siddarth Asokan: "On
Limitations of Designing Leakage-Resilient Password Systems:
Attacks, Principles and Usability"
Class 25 (04/17):
Sanketh Beerabbi: "Social
Networking with Frientegrity: Privacy and Integrity with an
Untrusted Provider"
Sheetal Mutati: "The
Postman Always Rings Twice: Attacking and Defending postMessage in
HTML5 Websites"
Class 26 (04/22): Last regular
class
Term project presentation: Diego Velasquez
Carlos Leon
Fawaz Fahmi
Class 27 (04/29): 10am-12:50pm: Face-to-face session Term
Project Presentation
1. (Diego Velasquez) "Automated
Whitebox Fuzz Testing", P. Godefroid, M.Y. Levin, D. Molnar, Annual Network
& Distributed System Security Symposium (NDSS) 2008.
2. (Toby Tobkin) "TaintDroid: An Information-Flow
Tracking System for Realtime Privacy Monitoring on Smartphone", William Enck, Peter Gilbert, Byung-gon Chun, Landon P.
Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth, USENIX
Symposium on Operating Systems Design and Implementation (OSDI),
2010.
3. (Cody McMahon) "Protecting
Browsers from Extension Vulnerabilities", Adam Barth, Adrienne
Porter Felt, Prateek Saxena, and Aaron Boodman. 17th Network and
Distributed System Security Symposium (NDSS), 2010.
4. (John Cain) "Hey,
You, Get Off of My Cloud: Exploring Information Leakage in
Third-Party Compute Clouds", Thomas Ristenpart, Eran Tromer, Hovav Shacham, and
Stefan Savage, Proceedings of the ACM Conference on Computer and
Communications Security, Chicago, IL, November 2009.
5. (Ruaa Abdulrahman) "Countering
Kernel Rootkits with Lightweight Hook Protection," Zhi Wang, Xuxian Jiang, Weidong Cui, Peng Ning,
Proceedings of the 16th ACM Conference on Computer and
Communications Security (CCS 2009), Chicago, IL, November 2009.
6. "VEX:
Vetting Browser Extensions for Security Vulnerabilities", Sruthi Bandhakavi, Samuel T. King, P. Madhusudan, and
Marianne Winslett, USENIX Security Symposium (Usenix), 2010 (best
paper award).
7. (Carlos.LeonTovar) "Vanish:
Increasing Data Privacy with Self-Destructing Data", Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and
Henry M. Levy, USENIX Security Symposium (Usenix), 2009 (best
student paper award).
8. (Swati Tripathi) "TaintScope:
A Checksum-Aware Directed Fuzzing Tool for Automatic Software
Vulnerability Detection", Tielei Wang, Tao Wei, Guofei Gu, Wei Zou, 31st IEEE
Symposium on Security & Privacy (Oakland), Oakland, CA, May
2010. (Best Student Paper Award).
9. (Ahmed Alyammahi) "Detecting
Spammers on Social Networks", Gianluca Stringhini, Christopher Kruegel, Giovanni
Vigna, Annual Computer Security Applications Conference (ACSAC),
2010. (Best student paper award).
10. (Omar Hachum) "Dude,
where’s that IP? Circumventing measurement-based IP geolocation", Phillipa Gill, Yashar Ganjali, David Lie, Bernard Wong.
Proceedings of the 19th USENIX Symposium on Security, 2010.
11. (Chris Zorn) "CryptDB:
Protecting Confidentiality with Encrypted Query Processing", Raluca Ada Popa, Catherine M. S. Redfield, Nickolai
Zeldovich, Hari Balakrishnan, 23rd ACM Symposium on Operating
Systems Principles (SOSP), 2011.
12. "HomeAlone:
Co-Residency Detection in the Cloud via Side-Channel Analysis", Yinqian Zhang, Ari Juels, Alina Oprea, Michael K. Reite,
IEEE Symposium on Security and Privacy 2011.
13. (Fawaz Al Fahmi) "Click
Trajectories: End-to-End Analysis of the Spam Value Chain", Kirill Levchenko, Andreas Pitsillidis, Neha Chachra,
Brandon Enright, Mark Felegyhazi, Chris Grier, Tristan Halvorson,
Chris Kanich, Christian Kreibich, He Liu, Damon McCoy, Nicholas
Weaver, Vern Paxson, Geoffrey M. Voelker, Stefan Savage. IEEE
Symposium on Security and Privacy 2011,
14. (Siddarth Asokan) "On
Limitations of Designing Leakage-Resilient Password Systems:
Attacks, Principles and Usability", Qiang Yan, Jin Han,
Yingjiu Li and Robert H. Deng,NDSS 2012 (Distinguished Paper Award).
15. (Sanketh Beerabbi) "Social
Networking with Frientegrity: Privacy and Integrity with an
Untrusted Provider", Ariel J. Feldman, Aaron Blankstein,
Michael J. Freedman, and Edward W. Felten, Usenix Security
Symposium, 2012. (Best Student Paper)
16. "Memento:
Learning Secrets from Process Footprints", Suman Jana and
Vitaly Shmatikov, IEEE Symposium on Security and
Privacy, 2012. (Best Student Paper)
17. "User-Driven
Access Control: Rethinking Permission Granting in Modern
Operating Systems", Franziska Roesner, Tadayoshi
Kohno, Alexander Moshchuk, Bryan Parno, Helen J. Wang, and
Crispin Cowan, IEEE Symposium on Security and Privacy,
2012. (Best Practical Paper)
18. (Kai Li) "I
can be you: Questioning the use of Keystroke Dynamics as
Biometrics", Tey Chee Meng, Payas Gupta and Debin Gao,
NDSS 2013. (Best Paper Award)
19. (Sheetal Mutati) "The
Postman Always Rings Twice: Attacking and Defending postMessage
in HTML5 Websites", Sooel Son and Vitaly Shmatikov, NDSS
2013. (Best Student Paper)
20. ( ) "Routing
Around Decoys" Max Schuchard, John Geddes, Christopher
Thompson, Nicholas Hopper. CCS 2012. (Best Student Paper
Award)
21. (Jose Sanchez) "IntScope:
Automatically Detecting Integer Overflow Vulnerability in X86
Binary Using Symbolic Execution", Tielei Wang , Zhiqiang
Lin, NDSS 2009.