CSE 659 Seminar in Computer Security
Fall 2009
Announcements
- 9/17/09 We will meet in Rm 2311 from Monday, 9/21/09.
- 9/11/09 It turns out that due to some administrative mixup,
CSE 659 is not formally offered this semester. So, no one can register
for it, and you can ignore any earlier statements on my expectations
that students will formally enroll in CSE 659. (We will likely
continue the seminar in Spring, and you can enroll then if you
continue to participate in Spring.)
Overview
Computer and network security has become one of the most important areas
of computer science. Security vulnerabilities make front-page news, while
cyber crime has matured to the point of supporting an active black market
for the development and trading of malicious software and infrastructures
for supporting spam, phishing and cyber-extortion. These factors have
accelerated research interest in cyber security.
This seminar will expose students to some of the latest research in
security through lectures and paper presentations. Our focus will be on
emerging areas such as software vulnerability analysis and mitigation,
malware defense, automated generation of network-layer filters for
blocking attacks, and high-speed network intrusion detection. Our paper
selection will reflect a bias for practical, systems-oriented research.
This course is a must for anyone interested in doing research in the Secure
Systems Lab. The lectures will provide the basic background that is
necessary for the kinds of projects being undertaken in the lab, as well
as providing the foundations for the research papers that will be read in
the second half of the course.
Course Organization
The first half of the course will provide the background required for
the papers covered in the second half of the course. This background
material is targeted at the focus areas of research in the Secure Systems
Laboratory, and is organized into three main areas, as described below.
- Software vulnerability detection and defense.
Software vulnerabilities are behind most security problems today. Some
researchers have been developing techniques to identify vulnerabilities
using static analysis of source code or binary code. Others have focused
on detecting exploitations of these vulnerabilities using runtime
monitoring techniques. The most general and powerful of these techniques
have relied on program transformation of source or binary code, or on
runtime instruction-level emulation. We will discuss a representative
sampling of these techniques, and explore some new directions. Of particular
interest are binary analysis and transformation, memory errors in C/C++,
and information-flow tracking. This line of research builds on techniques
from languages, compilers and runtime systems.
- Intrusion detection and automated signature generation.
The program transformation techniques mentioned above derive their power
from their ability to insert active probes into the execution stream of
programs. In practical deployments, such active probes may not be
desired, since they can impact performance and reliability. This has led
to continued research on more transparent attack detection techniques
that are decoupled from applications, e.g., deployed on network-level
intrusion prevention systems (IPS). Of particular interest are high-speed
signature matching, deep packet inspection, and vulnerability-oriented
signatures. This research builds on foundations from networks, operating
systems, algorithms, and machine learning.
- Malware defense.
Experience shows that even the best defenses are fallible, allowing
attacks to get through, either as a result of the limitations of the
prevention technique, or due to the actions of an unwitting user. In
today's environment, such attacks are typically used to install
back-doors that allow a victim system to be used as a base for future
attacks, including those aimed at identity theft, distributed denial of
service, and spam distribution. The rise of cyber crime has led to an
explosion in stealthy malware that evades the best malware defenses
available today, which mainly rely on manually constructed signatures
that characterize previously known, widespread malware. We will
therefore discuss emerging research directions on proactive defenses
that aim to guarantee protection from malware, even malware that
has not been encountered before, and that enable systems to tolerate
attacks and maintain the trustworthiness of their most critical
components. Some of the main research themes in this context include
information flow containment, virtualization, intrusion tolerance
and recovery.
Note that this material overlaps with CSE 509, which I taught in
Spring 2008. Students should refer to the lecture notes available on the
CSE 509 Spring 08 web site for more details on the material covered in
this course.
The second half of the course will consist of student presentations
of recent papers in security research. The list of papers and the
presentation schedule will be made available by the end of September.
Time: Monday 11:30am to 12:45pm
Place: CS Building, Rm 2311
Instructor: R. Sekar
Office: 2313E Computer Science
Presentation Topics and Schedule
Reading List:
TBD