Syllabus

In this class we consider how programming language techniques can be used to fill the security gap.  In particular, we will consider novel programming languages, programming language analyses (both on the source code, and as instrumentation on the running program), and programming tools that can be used to address security issues. As possible examples (which we may or may not go over, depending on time constraints, class interests, etc.), we might study various instantiations of the Jif programming language, the ProVerif verification tool, the Fine programming language, the Rubyx security-oriented symbolic executor, to name a few.

Grading: Most of the class will consist of reading and discussing papers in the research literature. Graded work will make up the final grade as follows:

• Class Participation (35%), four parts: (1) written reviews of the papers we read; (2) short homework or programming projects; (3) discussion during class; and (4) presentations on topics to be chosen during the semester. Grading for presentations is elaborated on below.
• Project (40%). Students will propose projects approximately one month into the semester, to be completed by the end of the semester. Projects, done individually or in groups, will attempt a non-trivial study or implementation of a programming language, analysis, or tool. In the best case, these projects will be a prelude to published papers. More details on the project will be made available during the semester.
• Final Exam (25%). There will be a comprehensive final exam, which will count for comp credit.

Prerequisite: We will be reading technical papers in the programming language research literature, so CMSC 631 or CMSC 630 are expected prerequisites, or equivalent. An undergraduate programming languages class (like a compilers class or semantics class) may suffice; contact the instructor.

Presentations: Students making presentations will be graded on the following criteria:

• understanding: does the presenter understand the material?
• thoughtfulness: does the presenter have insights and opinions beyond what was in the paper?
• background/perspective: did the presenter read background papers?
• clarity: can the audience understand the presentation? is the "big picture" clear? are there useful examples?
• materials: do the slides or use of blackboard illustrate and support the talk? are there diagrams to help convey the technicalities? (when your talk gets into deep territory, a diagram is worth 10K words)
• delivery: has the the presenter practiced?
• non-regurgitation: did the presenter do something beyond simply typing sections of the paper as bullet points? did the presenter motivate the ideas in their own words or just state ideas from the paper verbatim?
• answering questions: can the presenter handle questions from the audience?

Academic Dishonesty: The university policy on academic dishonesty is strictly followed. All graded materials (whether exams, summaries, presentations, or projects) must be strictly individual efforts. In the case of a group project or assignment, only collaborations within the group are permitted.

Schedule

• Introduction
  • Jan 25, slides
  • Jan 27, class cancelled due to snow
• Web applications
  • Feb 1, slides
  • Feb 1, Cross-Site Request Forgeries: Exploitation and Prevention, Zeller and Felten (2008)
  • Feb 1, Defeating Script Injection Attacks with Browser Enforced Embedded Policies, Jim, Swamy, and Hicks (2007)
  • Feb 21, Perils of session hijacking (and software to do it!)
• Low-level attacks against the heap and stack
  • Feb 3, Low-level software security, attacks and defenses (Sections 1-2), Erlingsson (2007)
  • Feb 3, DieHarder: Securing the Heap, Novark and Berger (2010)
• Malicious computation without code injection
  • Feb 8, The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86), Shacham (2007)
  • Feb 8, When good instructions go bad: generalizing return-oriented programming to RISC, Buchanan, Roemer, Shacham, Savage (2008)
  • Feb 8, (optional) Return-Oriented Programming without Returns, S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy (2010)
• Control flow integrity
  • Feb 10 Control flow integrity, Abadi, Budiu, Erlingsson, Ligatti (2005)
  • Feb 10, Automated Detection of Persistent Kernel Control-Flow Attacks, Petroni and Hicks (2007) (slides)
  • Feb 10, (optional) Control-flow integrity principles, implementations, and applications, Abadi, Budiu, Erlingsson, Ligatti (2009, longer version of 2005 paper)
• Applying randomization as a (non)defense
  • Feb 15 (Amanda Crowell presented these slides), On the Effectiveness of Address-Space Randomization, Shacham, Page, Pfaff, Goh, Modadugu, and Boneh (2004)
  • Feb 15, An Analysis of Address Space Layout Randomization on Windows Vista, Whitehouse (2007)
  • Feb 17 (Bryan Ta presented these slides), Where's the FEEB? Effectiveness of Instruction Set Randomization, Sovarel, Evans, Paul (2005)
  • Feb 17, N-variant systems: A secretless framework for security through diversity, Cox, Evans, Filipi, Rowanhill, Hu, Davidson, Knight, Nguyen-Tuong, and Hiser (2006) (we went over these slides)
• Isolating the effects of untrusted executable content
  • Feb 22 (Jinseong Jeon, presented these slides), Efficient, Software-based Fault Isolation, Wahbe, Lucco, Anderson, and Graham (1993)
  • Feb 22, Evaluating SFI for a CISC Architecture, McCamant and Morrisett (2006)
  • Feb 24 (Kapil Anand, presented these slides), Native Client: A Sandbox for Portable, Untrusted x86 Native Code, Yee, Sehr, Dardyk, Chen, Muth, Ormandy, Okasaka, Narula, and Fullagar (2009). (You might find this information on Intel x86 segmentation from CS 412 or this wikipedia article to be useful background reading.)
  • Feb 24, Fast Byte-Granularity Software Fault Isolation, Castro, Costa, Martin, Peinado, Akritidis, Donnelly, Barham, and Black (2009)
  • Feb 24, (optional) Preventing memory error exploits with WIT, Akritidis, Cadar, Raiciu, Costa, and Castro (2008)
• Carrying on despite attack (or fault)
  • Mar 1 (Jeff Stuckman, presented these slides), ASSURE: Automatic Software Self-healing Using REscue points, Sidiroglou, Laadan, Perez, Viennot, Keromytis, and Nieh (2009)
  • Mar 1, Automatically Patching Errors in Deployed Software, many authors! (2009)
• Language-based, information flow security
  • Mar 3 (Matt McCutcheon, presented these slides) Language-based Information Flow Security, Sabelfeld and Myers (2003)
  • Mar 8, Project proposal due
  • Mar 8, A Decentralized Model for Information Flow Control, Myers, Liskov (1997)
  • Mar 8, Fabric: A Platform for Secure Distributed Computation and Storage, Liu, George, Vikram, Qi, Waye, Myers (2009)
  • Mar 10, Gradual Release: Unifying Declassification, Encryption, and Key Release Policies, Askarov, Sabelfeld (2007)
• Electronic Voting
  • Mar 15, Guest lecture, Michael Clarkson, on E-voting (used these slides and gave this talk (accessible from UMd only))
    Background reading: Civitas: Toward a Secure Voting System, Clarkson, Chong, Myers (2008)
  • (Optional) Helios: Web-based Open-Audit Voting, Adida (2008). See also Helios voting system, and notice of its use for the IACR
  • (Optional) Analysis of an electronic voting system, Kohno, Stubblefield, Rubin, Wallach (2004)
  • (Optional) Report on the California top-to-bottom review (slides), Wagner (2007). Public materials here
• Formal properties of security
  • Mar 17, Hyperproperties, Clarkson, Schneider (2008)
• Spring Break
  • Mar 22, no class
  • Mar 24, no class
• Quantitative information flow analysis
  • Mar 29, Quantifying Information Flow with Beliefs, Clarkson, Myers, Schneider; in lecture we used Clarkson's slides
  • Mar 31, Quantification of Integrity, Clarkson, Schneider. There is a extended version (optional); in lecture we used a reorganized set of Clarkson's slides
• Dynamic taint analysis
  • Apr 5, Jinseong Jeon presented these slides, Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, Newsome, Song
  • Apr 5 (Jinseong again), Effective Memory Protection Using Dynamic Tainting, Clause, Doudalis, Orso, Prvulovic
• Dynamic information flow analysis
  • Apr 7, Bryan Ta presented these slides, Quantitative information flow as network flow capacity, McCamant, Ernst (2008)
  • Apr 7, (Bryan again) Measuring Channel Capacity to Distinguish Undue Influence, Newsome, McCamant, Song (2009)
  • Apr 12, Stephen Magill presenting, Dynamic vs. Static Flow-Sensitive Security Analysis, Russo, Sabelfeld (2010)
  • Apr 14, Stephen Magill presenting (with these slides in part), Dynamic Enforcement of Knowledge-based Security Policies, Mardziel, Magill, Hicks, Srivatsa (2011).
• Project status report (1 page) due, Apr 15
• Timing Channels
  • Apr 19, Matt McCutcheon presenting (with these slides) Remote Timing Attacks are Practical, Brumley, Boneh (2005)
  • Apr 19, (Matt again) Exposing Private Inforamtion by Timing Web Applications, Bortz, Boneh, Nandy (2007)
  • Apr 21, Predictive Black Box Mitigation of Timing Channels, Askarov, Zhang, Myers (2010); we presented these slides
• Software obfuscation
  • Apr 26, Jeff Stuckman presented these slides on Watermarking,Tamper-Proofing, and Obfuscation Tools for Software Protection, Collberg, Thomborson (2002)
  • Apr 26, (Jeff, again) Dynamic, path-based software watermarking, Collberg et al. (2004)
  • (Optional), An abstract interpretation-based framework for software watermarking, Cousot and Cousot (2004)
  • (Optional) On the (im)possibility of Obfuscating Programs, Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, and Yang (2001)
  • (OptionaL) Positive Results and Techniques for Obfuscation, Lynn, Prabhakaran and Sahai (2004)
• Differential privacy
  • Apr 28, A Firm Foundation for Private Data Analysis, Dwork (2010)
  • Apr 28, Distance makes the types grow stronger (a calculus for differential privacy), Reed, Pierce (2010); we used Jason's presentation
  • May 3, Amanda Crowell presented these slides on Airavat: Security and Privacy for MapReduce, Roy, Setty, Kilzer, Shmatikov, Witchell (2010)
  • May 3 (Amanda again), Privacy Integrated Queries, McSherry (2010)
• Project presentations
  • May 5
    • Amanda Crowell, Consolidating and organizing the MITRE CWE tree on access control
    • Matt McCutcheon, Using SIF to write a secure wiki
  • May 10 (last day of class)
    • Bryan Ta, Preventing Buffer Overflow Attack by Enforcing Control Flow Integrity
    • Jinseong Jeon, Dynamic Enforcement of Security Policies on Android Applications: A Case Study
    • Jeffrey Stuckman, A benchmarking framework for vulnerability remediation assessment and education
• May 12-14 Starting time for final exam
• May 18 Project writeup due