CS 7301--003: Recent Advances in Computing - OPERATING SYSTEMS SECURITY
Friday: 1:00pm-3:45pm ECSN 2.112
$Id: fall2013b.t2t, v1.0, last updated %%mtime(%c) Exp $
%! Target:
%! Options: --toc --css-sugar --encoding=iso-8859-1
%! Style: tech.css
%! PreProc:
%! PostProc:

---------------------------------------------------------------------------

=== Course Overview ===

CS 7301 is a graduate level (PhD in particular), research oriented, systems and security seminar class. The goal of this course is to read, understand, and present the recent advances in operating systems security (which have not yet been systematized into textbooks). We will select the most recent papers from both operating systems venues, including SOSP, OSDI, USENIX ATC, EuroSys, and ASPLOS, and security venues, including IEEE S&P, ACM CCS, USENIX Security, and NDSS. In particular, we will cover

- **Why kernel level attacks**. What's the advantage of kernel level attacks? What are the attack vectors? How are they launched? How can we defend against them?
- **Out-of-the-box techniques**. How to design layer-below systems to secure the OS kernel. What are the challenges? What is the state-of-the-art?
- **In-box techniques**. Why do we want to design in-box monitoring? What are the advantages and disadvantages? What's the state-of-the-art?
- **Emerging Systems Security**. Android and iOS security.


The learning outcome is that students will be able to understand the recent advances in operating systems security, the relevant security problems, and how these approaches/solutions are proposed.

---------------------------------------------------------------------------

=== Tentative Schedule ===

Please log in to your eLearning website and download the lecture notes.

|| Week | Topic To Be Covered |
| 0 | Course Overview |
| 1 | Overview of the landscape of modern computing, and OS Kernel Key Components |
|| Understanding Kernel Level Attacks ||||
| 2 | Kernel level attack vectors: memory exploits, code based attacks |
| 3 | Kernel level attack vectors: rootkits, data-based, DKOM |
|| Out-of-VM Techniques ||||
| 4 | Virtual Machine Introspection |
| 5 | Bridging the Semantic-Gap: SBCFI, VMwatcher, Virtuoso, VMST |
| 6 | Hardware-based monitoring: Copilot, Vigilare, mGuard, KI-Mon |
| 7 | Overshadow, CloudVisor |
| 8 | VM Management, forking, replication, deduplication |
|| In-VM Techniques ||||
| 9 | In-VM monitoring, Access Control |
| 10 | Control Flow Integrity (for COTS Binaries), CCFIR, STIR |
| 11 | Binary Rewriting, In-lined Reference Monitors |
| 12 | Vulnerability Analysis: KINT, KGuard |
|| Potpourri ||||
| 13 | Kernel Data Structure Analysis: KOP, MAS, SigGraph, Value Invariant |
| 14 | Kernel ASLR, ROP |
| 15 | The papers of our interest |
| 16 | The papers of our interest |

---------------------------------------------------------------------------

=== Reading List ===

We do not have a textbook, but we have the following reading list. Students are required to read and present one or two of the following papers. Note that the order of these papers has no particular meaning; the numbers are just for you to track which paper you will be presenting.

- [1] [Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization http://cs.unc.edu/~fabian/papers/oakland2013.pdf] [Oakland'13]
- [2] [Practical Control Flow Integrity & Randomization for Binary Executables http://www.cs.berkeley.edu/~dawnsong/papers/Oakland2013-CCFIR-CR.pdf] [Oakland'13]
- [3] [Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework https://sparrow.ece.cmu.edu/group/pub/paper-xmhf-IEEESP-2013.pdf] [Oakland'13]
- [4] [PrivExec: Private Execution as an Operating System Service http://seclab.ccs.neu.edu/publications/sp2013privexec.pdf] [Oakland'13]
- [5] [Practical Timing Side Channel Attacks Against Kernel Space ASLR http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf] [Oakland'13]
- [6] [Control Flow Integrity for COTS Binaries https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_zhang.pdf] [USENIX-Security'13]
- [7] [KI-Mon: A Hardware-assisted Event-triggered Monitoring Platform for Mutable Kernel Object https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_lee.pdf] [USENIX-Security'13]
- [8] [Jekyll on iOS: When Benign Apps Become Evil https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_2.pdf] [USENIX-Security'13]
- [9] [Steal This Movie: Automatically Bypassing DRM Protection in Streaming Media Services https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_3.pdf] [USENIX-Security'13]
- [10] [Safe Loading - A Foundation for Secure Execution of Untrusted Programs http://www.ieee-security.org/TC/SP2012/papers/4681a018.pdf] [Oakland'12]
- [11] [Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection http://www.utdallas.edu/~zhiqiang.lin/file/SP12.pdf] [Oakland'12]
- [12] [Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection http://www.poly.edu/sites/polyproto.poly.edu/files/csaw2011_submission_35.pdf] [Oakland'11]
- [13] [PRISM: Program Replication and Integration for Seamless MILS http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper018.pdf] [Oakland'11]
- [14] [Improving Integer Security for Systems with KINT https://www.usenix.org/system/files/conference/osdi12/osdi12-final-88.pdf] [OSDI'12]
- [15] [FlexSC: Flexible System Call Scheduling with Exception-Less System Calls https://www.usenix.org/legacy/events/osdi10/tech/full_papers/Soares.pdf] [OSDI'10]
- [16] [Accountable Virtual Machine https://www.usenix.org/legacy/events/osdi10/tech/full_papers/Haeberlen.pdf] [OSDI'10]
- [17] [Enabling Configuration-Independent Automation by Non-Expert Users https://www.usenix.org/legacy/events/osdi10/tech/full_papers/Kushman.pdf] [OSDI'10]
- [18] [Automating Configuration Troubleshooting with Dynamic Information Flow Analysis https://www.usenix.org/legacy/events/osdi10/tech/full_papers/Attariyan.pdf] [OSDI'10]
- [19] [The Turtles Project: Design and Implementation of Nested Virtualization https://www.usenix.org/legacy/events/osdi10/tech/full_papers/Ben-Yehuda.pdf] [OSDI'10]
- [20] [MiG: Efficient Migration of Desktop VMs Using Semantic Compression http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/11716-atc13-rai.pdf] [USENIX-ATC'13]
- [21] [Practical and Effective Sandboxing for Non-root Users http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/11745-atc13-kim.pdf] [USENIX-ATC'13]
- [22] [A Compiler-level Intermediate Representation based Binary Analysis and Rewriting System http://eurosys2013.tudos.org/wp-content/uploads/2013/paper/Anand.pdf] [EuroSys'13]
- [23] [Isolating Commodity Hosted Hypervisors with HyperLock http://www4.ncsu.edu/~zwang15/files/EuroSys12.pdf] [EuroSys'12]
- [24] [kGuard: Lightweight Kernel Protection against Return-to-User Attacks https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final143.pdf] [USENIX-Security'12]
- [25] [Tracking Rootkit Footprints with a Practical Memory Analysis System https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final196.pdf] [USENIX-Security'12]
- [26] [DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf] [USENIX-Security'12]
- [27] [CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization http://sigops.org/sosp/sosp11/current/2011-Cascais/printable/15-zhang.pdf] [SOSP'11]
- [28] [Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems http://drkp.net/papers/overshadow-asplos08.pdf] [ASPLOS'08]
- [29] [Stealthy Malware Detection Through VMM-Based Out-of-the-Box Semantic View Reconstruction http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.80.1954&rep=rep1&type=pdf] [CCS'07]
- [30] [Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor https://www.usenix.org/legacy/event/sec04/tech/full_papers/petroni/petroni.pdf] [USENIX-Security'04]
- [31] [Vigilare: Toward Snoop-based Kernel Integrity Monitor http://www.cse.psu.edu/~tjaeger/cse597-s13/docs/vigilare_monitor_ccs_12.pdf] [CCS'12]
- [32] [Combining Control-Flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing http://www.cse.lehigh.edu/~gtan/paper/cfiDataSandboxing.pdf] [CCS'12]
- [33] [Process Out-Grafting: An Efficient Out-of-VM Approach for Fine-Grained Process Execution Monitoring http://friends.cs.purdue.edu/pubs/CCS11.pdf] [CCS'11]
- [34] [Secure In-VM Monitoring Using Hardware Virtualization http://research.microsoft.com/pubs/153179/sim-ccs09.pdf] [CCS'09]
- [35] [Taming Hosted Hypervisors with (Mostly) Deprivileged Execution http://www4.ncsu.edu/~cwu10/files/NDSS13_DEHYPE.pdf] [NDSS'13]
- [36] [Kruiser: Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring http://www.internetsociety.org/sites/default/files/10_4.pdf] [NDSS'12]
- [37] [SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures http://www.utdallas.edu/~zxl111930/file/SigGraph_NDSS11.pdf] [NDSS'11]
- [38] [A Virtual Machine Introspection Based Architecture for Intrusion Detection http://suif.stanford.edu/papers/vmi-ndss03.pdf] [NDSS'03]


---------------------------------------------------------------------------

=== Office Hours ===

Wednesday, Friday 4PM-6PM

---------------------------------------------------------------------------

=== Prerequisites ===

Solid programming/development skills (Assembly, C, C++, Unix) are required for this class. "Operating System", "Compilers", and "Computer Security" are the minimum prerequisites for this class. In particular, for UTD students:

- CS 3340 Computer Architecture
- CS 3376 C/C++ Programming in a UNIX Environment
- CS 4348 Operating Systems Concepts
- CS 4393 Computer and Network Security
- CS 4394 Implementation of Modern Operating Systems


Note for undergraduate students who may be interested in taking this class: please be aware that the class is designed for graduate students. You are encouraged to attend the first lecture and then talk to the instructor.

---------------------------------------------------------------------------

=== Course Projects ===

- Design and Implement a Virtual Machine Introspection tool
- ...


---------------------------------------------------------------------------

=== Course Policy ===

==== Grading Policy ====

- 10% Class Participation
- 40% Class Presentation
- 50% Course Project
- Exceptional work will be rewarded appropriately


==== Late Policy ====

No late submission.

==== Collaboration Policy ====

Students are encouraged to collaborate, particularly on the course project. However, each team is limited to at most two students.

==== Cheating Policy ====

We will strictly follow the university policy on cheating and plagiarism, which is available [here http://www.utdallas.edu/judicialaffairs/UTDJudicialAffairs-policies.html]. Please [avoid http://www.utdallas.edu/judicialaffairs/UTDJudicialAffairs-AvoidDishonesty.html]. There are also several examples of [Scholastic Dishonesty http://www.utdallas.edu/judicialaffairs/UTDJudicialAffairs-Basicexamples.html]. If you have any questions regarding this issue, please contact the instructor.

%!include: ''sp12.js''

---------------------------------------------------------------------------

[HOME index.html] [SOURCE %%infile]