CSC-591 Systems Attacks and Defenses


| Date | Topic | Discussions (do readings before class) |
|---|---|---|
| 01/09 | Introduction (slides, hackpack) | |
| 01/16 | Shellcode (slides) | x86 Assembly Guide (link); Emulation-based Detection of Non-self-contained Polymorphic Shellcode (link) [RAID’07] |
| 01/23 | Linux Security (slides) | Setuid Demystified (link) [USENIX Sec’02]; Address Space Layout Permutation (ASLP) (link) [ACSAC’06] |
| 01/30 | Reverse Engineering (slides) | Automatic Reverse Engineering of Malware Emulators (link) [S&P’09]; Native x86 Decompilation using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring (link) [USENIX Sec’13]; Reassembleable Disassembling (link) [USENIX Sec’15] |
| 02/06 | Control-flow hijack attacks (slides) | Smashing The Stack For Fun And Profit (link) and Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns (link) [S&P’04] |
| 02/13 | Stack Canaries & ASLR (slides) | StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks (link) [USENIX Sec’98] and NOEXEC |
| 02/20 | Return-into-libc & ROP (slides) | The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) (link) [CCS’07] |
| 02/27 | Symbolic Execution & Fuzzing (slides) | KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs (link) [OSDI’08]; The Art, Science, and Engineering of Fuzzing: A Survey (link) [IEEE TSE’19] |
| 03/05 | Midterm Exam | |
| 03/12 | Spring Break - No class | |
| 03/17 | COVID-19 madness | class becomes online-only from this point on |
| online | Web Security (slides) | Intro |
| online | Web Security (slides) | More intro |
| online | Web Security (slides) | SQL Injections |
| online | Web Security (slides) | HTML+JavaScript |
| online | Web Security (slides) | AJAX & web frameworks |
| online | Web Security (slides) | Client-side Attacks & Isolation |
| online | Web Security (slides) | Session Fixation and other attacks |
| online | Web Security (slides) | XSS Attacks |
| 04/17 | HackPack CTF | Capture the Flag event for the class that is open to the public, join here |
| 04/27 | Final Exam | online web security assignment |