**CSE 227: Graduate Computer Security**
[*Deian Stefan*](https://cseweb.ucsd.edu/~dstefan/)

About
==============================================================

This course focuses on computer security, exploring a range of topics – from systems security, to web security, edge security, and privacy – to illustrate some of the modern research challenges in the area and the standards for advancement. It is not designed to be a tutorial course, but rather to give students the context to understand current security research and evaluate their interest in the field. The course will examine both the defensive and offensive side of the field. At the conclusion of the course, the students will have the foundation to conduct research in computer security and to apply the latest security research to a particular area of practice.

Lectures:
: Tuesday and Thursday, 2:00--3:20pm, Pepper Canyon Hall 121

Staff:
: **Instructor**: Deian Stefan
: **Teaching Assistant**: David Thien

Office hours:
: **Deian**: Thursday, 3:30--4:00pm, or by appointment
: **David**: By appointment

Class discussion:
: We'll use the CSE Slack channel `cse227-spring22`

Write ups:
: We'll use Gradescope for all paper write ups, project updates, and final papers.
: [Gradescope course](https://www.gradescope.com/courses/382679) with entry code `WYGNPE`

Calendar and Readings
==============================================================

Tue Mar 29 2022: Introduction
- *Reading*:
  - [How to Read a Paper](papers/keshav:how.pdf) by S. Keshav
  - [The Rise of Worse is Better](https://dreamsongs.com/RiseOfWorseIsBetter.html) by R. P. Gabriel
- *Additional reading*:
  - [Reflections on Trusting Trust](papers/thompson:reflections.pdf) by K. Thompson

Thu Mar 31 2022: Low-level vulnerabilities and exploits
- *Reading*:
  - [Hacking Blind](papers/bittau:brop.pdf) by A. Bittau et al.
  - [A Modern History of Offensive Security Research](https://docs.google.com/presentation/d/19HfkIojyLE8L8X8aZT-lJont96JqIg4PqEhb2juIK2c/edit#slide=id.p) by D. Dai Zovi
- *Additional reading*:
  - [Low-Level Software Security by Example](papers/erlingsson:low.pdf) by U. Erlingsson et al.
  - [Return-Oriented Programming: Systems, Languages, and Applications](papers/roemer:rop.pdf) by R. Roemer et al.

Tue Apr 5 2022: Finding vulnerabilities and exploits
- *Reading*:
  - [AEG: Automatic Exploit Generation](papers/avgerinos:aeg.pdf) by T. Avgerinos et al.
  - [Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code](https://cseweb.ucsd.edu/~dstefan/pubs/brown:2020:sys.pdf) by F. Brown et al.
- *Additional reading*:
  - [EXE: Automatically Generating Inputs of Death](papers/cadar:exe.pdf) by C. Cadar et al.
  - [KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs](papers/cadar:klee.pdf) by C. Cadar et al.

Thu Apr 7 2022: Undefined behavior
- *Reading*:
  - [Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior](papers/wang:stack.pdf) by X. Wang et al.
  - [Taming Undefined Behavior in LLVM](papers/lee:taming.pdf) by J. Lee et al.

Tue Apr 12 2022: Supply chain attacks
- *Reading*:
  - [Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages](https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1B-1_23055_paper.pdf) by R. Duan et al.
  - [https://nikos.vasilak.is/p/harp:ccs:2021.pdf](https://nikos.vasilak.is/p/harp:ccs:2021.pdf) by N. Vasilakis
- *Additional reading*:
  - [A Look In the Mirror: Attacks on Package Managers](https://theupdateframework.io/papers/attacks-on-package-managers-ccs2008.pdf) by J. Cappos

Thu Apr 14 2022: Software fault isolation
- *Reading*:
  - [Retrofitting Fine Grain Isolation in the Firefox Renderer](papers/narayan:retrofitting.pdf) by S. Narayan et al.
  - [Evaluating SFI for a CISC Architecture](papers/pittsfield.pdf) by S. McCamant and G. Morrisett
- *Additional reading*:
  - [Principles and Implementation Techniques of Software-Based Fault Isolation](papers/tan:sfi.pdf) by G. Tan
  - [The High-level Benefits of Low-level Sandboxing](papers/sammler:the-high-level.pdf) by M. Sammler et al.

Fri Apr 15 2022: Project proposal
- *Expectation*: At the very least, you should have a clear problem statement, brief literature survey (e.g., to understand how and if this was done before), evaluation questions and approach, and brief risk analysis (e.g., to understand the best and worst case outcome of the project).

Tue Apr 19 2022: Privilege separation
- *Reading*:
  - [Preventing Privilege Escalation](papers/provos:ssh.pdf) by N. Provos et al.
  - [Privtrans: Automatically partitioning programs for privilege separation](papers/brumley:privtrans.pdf) by D. Brumley and D. Song
- *Additional reading*:
  - [Building Secure High-Performance Web Services with OKWS](krohn:okws.pdf) by M. Krohn
  - [Site Isolation: Process Separation for Web Sites within the Browser](papers/reis:site.pdf) by C. Reis et al.

Thu Apr 21 2022: Invited talk: Binary Hardening and Low Fat Pointers by [Roland Yap](https://www.comp.nus.edu.sg/~ryap/), National University of Singapore
- *Reading*:
  - [Hardening Binaries against More Memory Errors](papers/duck:hardening.pdf) by G. Duck et al.
- *Abstract*: Memory errors are often the root cause of security vulnerabilities and exploitation in low level languages. We will first overview Low-Fat pointers which give an easy and efficient way of doing out-of-bounds detection with pointers. Low Fat pointers have been used to create an efficient tool for detecting spatial memory errors for C/C++ with the LowFat sanitizer and type checking and sub-bounds error checking sanitizer with EffectiveSan. In this talk, we will focus on new work which looks at how to harden binaries against memory errors. We introduce RedFat, a binary rewriter which hardens x86_64 binaries against heap memory errors (spatial and temporal). It uses a complementary error detection methodology combining low fat pointers with red zones. RedFat makes minimal assumptions about the binary and is able to operate on stripped and non-PIC binaries. It is also language agnostic and has been evaluated on C/C++/Fortran benchmarks.

Tue Apr 26 2022: Information flow control
- *Reading*:
  - [Hails: Protecting Data Privacy in Untrusted Web Applications](https://cseweb.ucsd.edu/~dstefan/pubs/giffin:2012:hails.pdf) by D. Stefan et al.
- *Additional reading*:
  - [Flexible Dynamic Information Flow Control in the Presence of Exceptions](https://cseweb.ucsd.edu/~dstefan/pubs/stefan:2017:flexible.pdf) by D. Stefan et al.
  - [Language-Based Information-Flow Security](papers/sabelfeld:ifc.pdf)

Thu Apr 28 2022: Verification
- *Reading*:
  - [Hyperkernel: Push-Button Verification of an OS Kernel](papers/hyperkernel.pdf) by L. Nelson et al.
- *Additional reading*:
  - [seL4: Formal Verification of an OS Kernel](papers/sel4.pdf) by G. Klein et al.
  - [Modular Verification for Computer Security](papers/appel:modular.pdf) by A. Appel

Fri Apr 29 2022: Status update

Tue May 3 2022: JavaScript JIT exploitation
- *Reading*:
  - [Compile Your Own Type Confusion: Exploiting Logic Bugs in JavaScript JIT Engines](http://phrack.org/papers/jit_exploitation.html) by saelo
  - [CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines](papers/han:codealchemist.pdf) by H. Han et al.
- *Additional reading*:
  - [Finding and Preventing Bugs in JavaScript Bindings](papers/brown:finding.pdf) by F. Brown et al.
  - [A case study of JavaScriptCore and CVE-2016-4622](http://phrack.org/papers/attacking_javascript_engines.html) by saelo

Thu May 5 2022: JavaScript JIT defenses
- *Reading*:
  - [Towards a verified range analysis for JavaScript JITs](https://cseweb.ucsd.edu/~dstefan/pubs/brown:2020:vera.pdf) by F. Brown et al.
- *Additional reading*:
  - [NoJITsu: Locking Down JavaScript Engines](papers/park:nojitsu.pdf) by T. Park et al.

Tue May 10 2022: eBPF exploitation
- *Reading*:
  - [Simple and Precise Static Analysis of Untrusted Linux Kernel Extensions](papers/gershuni:prevail.pdf) by E. Gershuni et al.
- *Additional reading*:
  - [CVE-2022-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification](https://www.zerodayinitiative.com/blog/2022/4/8/cve-2022-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification) by M. Paul

Thu May 12 2022: eBPF defenses
- *Reading*:
  - [Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel](papers/nelson:jitterbug.pdf) by L. Nelson et al.
- *Additional reading*:
  - [Jitk: A Trustworthy In-Kernel Interpreter Infrastructure](papers/wang:jitk.pdf) by X. Wang et al.

Fri May 13 2022: Status update

Tue May 17 2022: Hardware exploitation
- *Reading*:
  - [Spectre Attacks: Exploiting Speculative Execution](papers/spectre.pdf) by P. Kocher et al.
  - [Escaping the Chrome Sandbox with RIDL](https://googleprojectzero.blogspot.com/2020/02/escaping-chrome-sandbox-with-ridl.html) by S. Röttger
- *Additional reading*:
  - [A Systematic Evaluation of Transient Execution Attacks and Defenses](papers/canella:systematic.pdf) by C. Canella et al.
  - [LVI - Hijacking Transient Execution with Load Value Injection](papers/lvi.pdf) by J. V. Bulck

Thu May 19 2022: Hardware defenses
- *Reading*:
  - [Swivel: Hardening WebAssembly against Spectre](https://cseweb.ucsd.edu/~dstefan/pubs/narayan:2022:swivel.pdf) by S. Narayan et al.
  - [Efficiently Mitigating Transient Execution Attacks using the Unmapped Speculation Contract](papers/behrens:ward.pdf) by J. Behrens et al.
- *Additional reading*:
  - [Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity](papers/shanbhogue:cet.pdf) by V. Shanbhogue et al.

Fri May 27 2022: Status update

Tue May 31 2022: Crypto attacks and defenses
- *Reading*:
  - [The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software](papers/georgiev:the-most.pdf) by M. Georgiev et al.
  - [Jasmin: High-Assurance and High-Speed Cryptography](papers/almeida:jasmin.pdf) by J. B. Almeida et al.
- *Additional reading*:
  - [TPM-FAIL: TPM meets Timing and Lattice Attacks](https://arxiv.org/abs/1911.05673) by D. Moghimi et al.
  - [A Messy State of the Union: Taming the Composite State Machines of TLS](papers/beurdouche:a-messy.pdf) by M. Beurdouche et al.
  - [SoK: Computer-Aided Cryptography](papers/barbosa:sok.pdf) by M. Barbosa et al.
  - [FaCT: A DSL for timing-sensitive computation](papers/cauligi:fact.pdf) by S. Cauligi et al.
  - [HACL*: A verified modern cryptographic library](https://eprint.iacr.org/2017/536) by Zinzindohoué et al.

Evaluation
==============================================================

Since the primary goal of this course is to prepare you to do research, the evaluation for this course is simple: (1) class participation and (2) research project.

Participation (35%)
--------------------------------------------------------------

You are expected to read the assigned paper(s) before each meeting. In class we will discuss the interesting parts of the paper(s). You are expected to do any background reading on your own and come prepared with questions and an evaluation of the paper. To make this easy: For each paper you will turn in a short write-up the morning of lecture (11am Pacific).

Research project (65%)
--------------------------------------------------------------

You will work on projects in groups of 3-5. The goal of the project is to conduct original research in security. You are encouraged to come up with your own project idea, but we have a few ideas that are well-scoped for a quarter project. At the end of the quarter, you are expected to turn in a short research paper (6-10 pages) and give a 10 minute talk. We will have periodic status updates to help you stay on track.

Project ideas
==============================================================

Take a look at [Stefan's list of project ideas](https://cseweb.ucsd.edu//classes/fa21/cse227-a/projects.html). Here is a list of new projects:

- Sandbox a serious third-party C library in a popular C++ program using RLBox.
- Extend Wasm with provably-safe inline assembly.
- Verify the SFI safety of binaries compiled with wasm2c (via Clang).
- Find bugs by combining source-level static checking (e.g., CodeQL) with low-level symbolic execution (a la Sys).
- Statically (or symbolically) check the IPC layer of Firefox (or Chrome).
- Design and implement an RLBox-like system for Rust.
- Extend Rust's bindgen to sandbox C code in Rust projects.
- Extend Node.js' Node-API to sandbox C code for Node.
- Sandbox CPython code.
- Analyze the implications of undefined behavior in sandboxing systems.
- Add hardware backing (e.g., ARM MTE or CHERI) to the Memory Safe Wasm (MSWasm) compiler.
- Sandbox (e.g., using containers) npm install scripts.
- Implement a transparency system for (detecting supply chain attacks on) npm.
- Implement a language-level module sandboxing system for Node.js.
- Analyze the top n Node.js modules to understand if a capability security model is practical.
- Analyze (attack) the pre-processing stage (e.g., image decoding library) of typical neural network pipelines.
- Verify/check analysis passes (e.g., effects, alias) in JITs.
- Verify peephole optimizations in the Firefox JIT.
- Verify the security of the V8 Sandbox.
- Port the V8 Sandbox to Firefox' SpiderMonkey.
- Find bugs in or verify uBPF's code generation.

Hall of fame
==============================================================

List of papers that started out as CSE 227 projects:

- CoResident Evil: Covert Communications in the Cloud with Lambdas, Anil Yelam, Ariana Mirian, Keerthana Ganesan, Shibani Subbareddy, and Stefan Savage, Proceedings of the Web Conference (WWW), Ljubljana, Slovenia, April 2021.
- Доверя́й, но проверя́й: SFI safety for native-compiled Wasm, Evan Johnson, David Thien, Yousef Alhessi, Shravan Narayan, Fraser Brown, Sorin Lerner, Tyler McMullen, Stefan Savage, and Deian Stefan, Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 2021.
- Retrofitting Fine Grain Isolation in the Firefox Renderer, Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan, Proceedings of the USENIX Security Symposium, August 2020.
- Network Reconnaissance and Vulnerability Excavation of Secure DDS Systems, Ruffin White, Gianluca Caiazza, Chenxu Jiang, Xinyue Ou, Zhiyue Yang, Agostino Cortesi, Henrik Christensen, Proceedings of Workshop on Software Security for Internet of Things (SSIoT), June 2019.
- FaCT: A Flexible, Constant-Time Programming Language, Sunjay Cauligi, Gary Soeller, Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, and Deian Stefan, Secure Development Conference (SecDev), September 2017.
- On the (In)effectiveness of Mosaicing and Blurring as Tools for Document Redaction, Steven Hill, Zhimin Zhou, Lawrence Saul, and Hovav Shacham, Privacy Enhancing Technologies Symposium, Darmstadt, Germany, July 2016.
- Fast and Vulnerable: A Story of Telematic Failures, Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage, Proceedings of the USENIX Workshop On Offensive Technologies (WOOT), Washington D.C., August 2015.
- Are AES x86 Cache Timing Attacks Still Feasible? (short paper), Keaton Mowery, Sriram Keelveedhi, and Hovav Shacham, Proceedings of the Cloud Computing Security Workshop (CCSW), October 2012.
- When Good Services Go Wild: Reassembling Web Services for Unintended Purposes, Feng Lu, Jiaqi Zhang, and Stefan Savage, Proceedings of the USENIX Workshop on Hot Topics in Security, Bellevue, WA, August 2012.
- Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, Keaton Mowery, Sarah Meiklejohn, and Stefan Savage, Proceedings of the USENIX Workshop On Offensive Technologies (WOOT), San Francisco, CA, August 2011.
- Extracting Device Fingerprints from Flash Memory by Exploiting Physical Variations, Pravin Prabhu, Ameen Akel, Laura Grupp, Wing-Key Yu, G. Edward Suh, Edwin Kan, and Steven Swanson, Proceedings of the 4th International Conference on Trust and Trustworthy Computing (TRUST), Pittsburgh, Pennsylvania, June 2011.
- Privacy-preserving Network Forensics, Mikhail Afanasyev, Tadayoshi Kohno, Justin Ma, Nick Murphy, Stefan Savage, Alex C. Snoeren, and Geoffrey M. Voelker, Communications of the Association for Computing Machinery 54(5), May 2011.
- Got Traffic? An Evaluation of Click Traffic Providers, Qing Zhang, Thomas Ristenpart, Stefan Savage, and Geoffrey M. Voelker, Proceedings of the WICOM/AIRWeb Workshop on Web Quality (WebQuality), Hyderabad, India, Mar 2011.
- Neon: System Support for Derived Data Management, Qing Zhang, John McCullough, Justin Ma, Navil Schear, Michael Vrable, Amin Vahdat, Alex C. Snoeren, and Geoffrey M. Voelker, Proceedings of the ACM International Conference on Virtual Execution Environments (VEE), Pittsburgh, PA, March 2010.
- When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC, Erik Buchanan, Ryan Roemer, Hovav Shacham, and Stefan Savage, Proceedings of the ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, October 2008, pages 27-38.
- Reconsidering Physical Key Secrecy: Teleduplication via Optical Decoding, Benjamin Laxton, Kai Wang, and Stefan Savage, Proceedings of the ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, October 2008, pages 469-77.