**CSE 227: Graduate Computer Security** [*Deian Stefan*](https://cseweb.ucsd.edu/~dstefan/) About ============================================================== This course focuses on computer security, exploring a range of topics – from systems security, to web security, edge security, and privacy – to illustrate some of the modern research challenges in the area and the standards for advancement. It is not designed to be a tutorial course, but rather to give students the context to understand current security research and evaluate their interest in the field. The course will examine both the defensive and offensive side of the field. At the conclusion of the course, the students will have the foundation to conduct research in computer security and to apply the latest security research to a particular area of practice. Lectures: : Monday and Wednesday, 5:00--6:20pm, on Zoom Staff: : **Instructor**: Deian Stefan : **Teaching Assistants**: John Renner and Shravan Narajay Office hours: : **Deian**: Tuesday, 3:00--4:00pm, or by appointment : **John and Shravan**: By appointment Zoom information: : See [course Canvas site](https://canvas.ucsd.edu/courses/25076). If you are not enrolled in this class but want to participate in the class remotely please email the instructor. To facilitate an open discussion, the in-class discussion will *not* be recorded. Class discussion: : We'll use Discord for all class related communication (invite link is on Canvas). Write ups: : We'll use gradescope for all (but first two) paper write ups, project updates, and final papers. : [Gradescope course](https://www.gradescope.com/courses/260678) with entry code `D58PJ3` Calendar and Readings ============================================================== Mon Mar 29 2021: Introduction - *Reading*: - [How to Read a Paper](papers/keshav:how.pdf) by S. Keshav - [Reflections on Trusting Trust](papers/thompson:reflections.pdf) by K. Thompson Wed Mar 31 2021: Low-level vulnerabilities and exploits - *Reading*: - [Hacking Blind](papers/bittau:brop.pdf) by A. Bittau et al. - [A Modern History of Offensive Security Research](https://docs.google.com/presentation/d/19HfkIojyLE8L8X8aZT-lJont96JqIg4PqEhb2juIK2c/edit#slide=id.p) by D. Dai Zovi - *Write up*: [here](https://docs.google.com/forms/d/e/1FAIpQLSf_UTkLnwlXYUATQLEgUpOupnuTspC8aaGEFhdwIn0Af_GJUg/viewform?usp=sf_link) - *Additional reading*: - [Low-Level Software Security by Example](papers/erlingsson:low.pdf) by U. Erlingsson et al. - [Return-Oriented Programming: Systems, Languages, and Applications](papers/roemer:rop.pdf) by R. Roemer et al. Mon Apr 5 2021: Finding vulnerabilities and exploits - *Reading*: - [Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code](https://cseweb.ucsd.edu/~dstefan/pubs/brown:2020:sys.pdf) by F. Brown et al. - [AEG: Automatic Exploit Generation](papers/avgerinos:aeg.pdf) by T. Avgerinos et al. - *Write up*: [here](https://docs.google.com/forms/d/e/1FAIpQLScXcPv9CHQEr8Y3_tk820WVxkRXG20-PmSTZJ_t_R9YgyN3AA/viewform?usp=sf_link) - *Additional reading*: - [EXE: Automatically Generating Inputs of Death](papers/cadar:exe.pdf) by C. Cadar et al. - [KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs](papers/cadar:klee.pdf) by C. Cadar et al. Wed Apr 7 2021: Control flow integrity - *Reading*: - [Control-Flow Integrity: Principles, Implementations, and Applications](papers/abadi:cfi.pdf) by M. Abadi et al. - [Finding Cracks in Shields: On the Security of Control Flow Integrity Mechanisms](papers/li:cracks.pdf) by Li et al. - *Additional reading*: - [Control-Flow Integrity: Precision, Security, and Performance](papers/burow:cfi.pdf) by N. Burow et al. - [Control-Flow Bending: On the Effectiveness of Control-Flow Integrity](papers/carlini:cfb.pdf) by N. Carlini et al. Mon Apr 12 2021: Software fault isolation - *Reading*: - [Retrofitting Fine Grain Isolation in the Firefox Renderer](papers/narayan:retrofitting.pdf) by S. Narayan et al. - *Additional reading*: - [Principles and Implementation Techniques of Software-Based Fault Isolation](papers/tan:sfi.pdf) by G. Tan - [The High-level Benefits of Low-level Sandboxing](papers/sammler:the-high-level.pdf) by M. Sammler et al. Wed Apr 14 2021: Privilege separation - *Reading*: - [Preventing Privilege Escalation](papers/provos:ssh.pdf) by N. Provos et al. - [Privtrans: Automatically partitioning programs for privilege separation](papers/brumley:privtrans.pdf) by D. Brumley and D. Song - *Additional reading*: - [Building Secure High-Performance Web Services with OKWS](krohn:okws.pdf) by M. Krohn - [Site Isolation: Process Separation for Web Sites within the Browser](papers/reis:site.pdf) by C. Reis et al. Fri Apr 16 2021: Project proposal - *Expectation*: At the very least, you should have a clear problem statement, brief literature survey (e.g., to understand how and if this done before), evaluation questions and approach, and brief risk analysis (e.g., to understand the best and worst case outcome of the project). Mon Apr 19 2021: Capabilities - *Reading*: - [Capsicum: Practical Capabilities for UNIX](papers/capsicum.pdf) by R. Watson et. al - *Additional reading*: - [CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization](papers/watson:cheri.pdf) by R. Watson et. al - [CloudABI](https://www.youtube.com/watch?v=3N29vrPoDv8) by E. Schouten Wed Apr 21 2021: Information flow control - *Reading*: - [Hails: Protecting Data Privacy in Untrusted Web Applications](https://cseweb.ucsd.edu/~dstefan/pubs/giffin:2012:hails.pdf) by D. Stefan et al. - *Additional reading*: - [Language-Based Information-Flow Security](papers/sabelfeld:ifc.pdf) - [Flexible Dynamic Information Flow Control in the Presence of Exceptions](https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2017:flexible.pdf) by D. Stefan et al. Mon Apr 26 2021: Verification - *Reading*: - [seL4: Formal Verificaiton of an OS Kernel](papers/sel4.pdf) by G. Klein et al. - [Modular Verification for Computer Security](papers/appel:modular.pdf) by A. Appel - *Additional reading*: - [Hyperkernel: Push-Button Verification of an OS Kernel](papers/hyperkernel.pdf) by L. Nelson et al. Wed Apr 28 2021: No class Fri Apr 30 2021: Status update Mon May 3 2021: JavaScript JIT exploitation - *Reading*: - [Compile Your Own Type Confusion: Exploiting Logic Bugs in JavaScript JIT Engines](http://phrack.org/papers/jit_exploitation.html) by saelo - [A case study of JavaScriptCore and CVE-2016-4622](http://phrack.org/papers/attacking_javascript_engines.html) by saelo - *Additional reading*: - [Finding and Preventing Bugs in JavaScript Bindings](papers/brown:finding.pdf) by F. Brown et al. - [CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines](papers/han:codealchemist.pdf) by H. Han et al. Wed May 5 2021: JavaScript JIT defenses - *Reading*: - [Towards a verified range analysis for JavaScript JITs](https://cseweb.ucsd.edu/~dstefan/pubs/brown:2021:vera.pdf) by F. Brown et al. - *Additional reading*: - [NoJITsu: Locking Down JavaScript Engines](papers/park:nojitsu.pdf) by T. Park et al. Mon May 10 2021: eBPF exploitation - *Reading*: - [Simple and Precise Static Analysis of Untrusted Linux Kernel Extensions](papers/gershuni:prevail.pdf) by E. Gershuni et al. - *Additional reading*: - [CVE-2021-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification](https://www.zerodayinitiative.com/blog/2021/4/8/cve-2021-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) by M. Paul Wed May 12 2021: eBPF defenses - *Reading*: - [Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel](papers/nelson:jitterbug.pdf) by L. Nelson et al. - *Additional reading*: - [Jitk: A Trustworthy In-Kernel Interpreter Infrastructure](papers/wang:jitk.pdf) by X. Wang et al. Fri May 14 2021: Status update Mon May 17 2021: Hardware exploitation - *Reading*: - [Spectre Attacks: Exploiting Speculative Execution](papers/spectre.pdf) by P. Kocher et al. - [Escaping the Chrome Sandbox with RIDL](https://googleprojectzero.blogspot.com/2021/02/escaping-chrome-sandbox-with-ridl.html) by S.Röttger - *Additional reading*: - [A Systematic Evaluation of Transient Execution Attacks and Defenses](papers/canella:systematic.pdf) by C. Canella et al. - [LVI - Hijacking Transient Execution with Load Value Injection](papers/lvi.pdf) by J. V. Bulck Wed May 19 2021: Hardware defenses - *Reading*: - [Efficiently Mitigating Transient Execution Attacks using the Unmapped Speculation Contract](papers/behrens:ward.pdf) by J. Behrens et al. - [Swivel: Hardening WebAssembly against Spectre](https://cseweb.ucsd.edu/~dstefan/pubs/narayan:2021:swivel.pdf) by S. Narayan et al. - *Additional reading*: - [Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity](papers/shanbhogue:cet.pdf) by V. Shanbhogue et al. Mon May 24 2021: Crypto attacks - *Reading*: - [The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software](papers/georgiev:the-most.pdf) by M. Georgiev et al. - [TPM-FAIL: TPM meets Timing and Lattice Attacks](https://arxiv.org/abs/1911.05673) by D. Moghimi et al. - *Additional reading*: - [A Messy State of the Union: Taming the Composite State Machines of TLS](papers/beurdouche:a-messy.pdf) by M. Beurdouche et al. Wed May 26 2021: Crypto defenses - *Reading*: - [Jasmin: High-Assurance and High-Speed Cryptography](papers/almeida:jasmin.pdf) by J. B. Almeida et al. - [HACL*: A verified modern cryptographic library](https://eprint.iacr.org/2017/536) by Zinzindohoué et al. - *Additional reading:* - [SoK: Computer-Aided Cryptography](papers/barbosa:sok.pdf) by M. Barbosa et al. - [FaCT: A DSL for timing-sensitive computation](papers/cauligi:fact.pdf) by S. Cauligi et al. Fri May 28 2021: Status update Mon May 31 2021: No class Wed Jun 2 2021: Final presentations Evaluation ============================================================== Since the primary goal of this course is to prepare to you to do research, the evaluation for this course is simple: (1) class participation and (2) research project. Participation (35%) -------------------------------------------------------------- You are expected to read the assigned paper(s) before each meeting. In class we will discuss the interesting parts of the paper(s). You are expected to do any background reading on your own and come prepared with questions and an evaluation of the paper. To make this easy: For each paper you will turn in a short write-up morning of lecture (11am pacific). Research project (65%) -------------------------------------------------------------- You will work on projects in groups of 3-5. The goal of the project is to conduct original research in security. You are encouraged to come up with your own project idea, but we have a few ideas that are well-scoped for a quarter project. At the end of the quarter, you are expected to turn in a short research paper (6-10 pages) and give a 10 minute talk. We will have periodic status updates to help you stay on track.