| 08/17 |
Introduction (slides) |
|
| 08/22 |
Shellcode (slides) |
x86 Assembly Guide (link) |
| 08/24 |
Control-flow hijack attacks (slides) |
Smashing The Stack For Fun And Profit (link) and Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns (link) [S&P’04] |
| 08/29 |
Stack Canaries & ASLR (slides) |
StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks (link) [USENIX Sec’98] and NOEXEC |
| 08/31 |
Return-into-libc & ROP (slides) |
The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) (link) [CCS’07] |
| 09/05 |
Control-flow integrity (slides) |
Control-flow integrity (link) [CCS’05] |
| 09/07 |
Linux Security (slides) |
Setuid Demystified (link) [USENIX Sec’02] |
| 09/12 |
Reverse Engineering 1/2 (slides) |
Automatic Reverse Engineering of Malware Emulators (link) [S&P’09] |
| 09/14 |
Reverse Engineering 2/2 |
Native x86 Decompilation using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring (link) [USENIX Sec’13] |
| 09/19 |
Symbolic Execution (slides) |
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs (link) [OSDI’08] |
| 09/21 |
Fuzzing (slides) |
Automated Whitebox Fuzz Testing (link) [NDSS’08] |
| 09/26 |
Malicious Code (slides) |
Static Analysis of Executables to Detect Malicious Patterns (link) [USENIX Security’03] |
| 09/28 |
Sandboxing Applications (slides) |
Native Client: A Sandbox for Portable, Untrusted x86 Native Code (link) [S&P’09] |
| 10/03 |
Botnets and Cybercrime (slides) |
Your botnet is my botnet: analysis of a botnet takeover (link) [CCS’09] |
| 10/05 |
Fall Break - No class |
|
| 10/10 |
Midterm |
|
| 10/12 |
Web Security |
Intro |
| 10/17 |
Web Security |
Secure web browsing with the OP web browser (link) [SP’08] |
| 10/19 |
Web Security |
Noxes: a client-side solution for mitigating cross-site scripting attacks (link) [SAC’06] |
| 10/24 |
Web Security |
SQLrand: Preventing SQL injection attacks (link) [ACNS’04] |
| 10/26 |
Web Security (slides) |
Fear the EAR: discovering and mitigating execution after redirect vulnerabilities (link) [CCS’11] |
| 10/31 |
CCS Conference - No class |
CCS’17 accepted papers |
| 11/02 |
CCS Conference - No class |
CCS’17 accepted papers |
| 11/07 |
Web Security |
setup Burp Suite (link) and learn how to use it (link) |
| 11/09 |
Web Security |
Clickjacking: Attacks and Defenses (link) [USENIX Sec’12] |
| 11/14 |
Web Security (slides) |
SQL Injection Attacks by Example and XSS Prevention Cheat Sheet |
| 11/16 |
Browser Extensions (slides) |
Hulk: Eliciting Malicious Behavior in Browser Extensions (link) [USENIX Sec’14] |
| 11/21 |
Evasive Web-based Malware (slides) |
Revolver: An Automated Approach to the Detection of Evasive Web-based Malware (link) [USENIX Sec’13] |
| 11/23 |
Thanksgiving - No class |
|
| 11/28 |
TBD |
|
| 11/30 |
Final exam |
|