CSCI 2951U

Lectures

05/05/2025	`0xc`	`Project Presentations (cont'd)`
04/28/2025	`0xb`	`Project Presentations`
04/21/2025	`0xa`	`Special Topics (cont'd)`
RETBLEED: Arbitrary Speculative Code Execution with Return Instructions, USENIX SEC 2022. SysXCHG: Refining Privilege with Adaptive System Call Filters, ACM CCS 2023. SafeSLAB: Mitigating Use-After-Free Vulnerabilities via Memory Protection Keys, ACM CCS 2024. Flip Feng Shui: Hammering a Needle in the Software Stack, USENIX SEC 2016 (additional). Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, ACM CCS 2016 (additional). CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management, USENIX SEC 2017 (additional). Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing, USENIX SEC 2017 (additional). CAn't Touch This: Software-only Mitigation against Rowhammer Attacks targeting Kernel Memory, USENIX SEC 2017 (optional). Delta Pointers: Buffer Overflow Checks Without the Checks, EuroSys 2018 (optional). Uncontained: Uncovering Container Confusion in the Linux Kernel, USENIX SEC 2023 (optional). BeeBox: Hardening BPF against Transient Execution Attacks, USENIX SEC 2024 (optional).
04/14/2025	`NUL`	`vpk /away AFK`
04/07/2025	`0x9`	`Special Topics`
Block Oriented Programming: Automating Data-Only Attacks, ACM CCS 2018. Spectre Attacks: Exploiting Speculative Execution, IEEE S&P 2019. Eclipse: Preventing Speculative Memory-error Abuse with Artificial Data Dependencies, ACM CCS 2024. Framing Signals—A Return to Portable Shellcode, IEEE S&P 2014 (additional). Hacking Blind, IEEE S&P 2014 (additional). The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines, NDSS 2015 (additional). Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding, NDSS 2016 (additional). Position-independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure, IEEE EuroS&P 2018 (additional). Let Me Unwind That For You: Exceptions to Backward-Edge Protection, NDSS 2023 (additional). CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, IEEE S&P 2015 (optional). Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector, IEEE S&P 2016 (optional). Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks, IEEE S&P 2016 (optional). Security Risks in Asynchronous Web Servers: When Performance Optimizations Amplify the Impact of Data-Oriented Attacks, IEEE EuroS&P 2018 (optional). DynPTA: Combining Static and Dynamic Analysis for Practical Selective Data Protection, IEEE S&P 2021 (optional).
03/31/2024	`0x8`	`Kernel Security (cont'd)`
Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR, ACM CCS 2016. Meltdown: Reading Kernel Memory from User Space, USENIX SEC 2018. xMP: Selective Memory Protection for Kernel and User Space, IEEE S&P 2020. EPF: Evil Packet Filter, USENIX ATC 2023. Enforcing Kernel Security Invariants with Data Flow Integrity, NDSS 2016 (additional). Breaking Kernel Address Space Layout Randomization with Intel TSX, ACM CCS 2016 (additional). UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages, ACM CCS 2016 (additional). How Double-Fetch Situations turn into Double-Fetch Vulnerabilities: A Study of Double Fetches in the Linux Kernel, USENIX SEC 2017 (additional). KCoFI: Complete Control-Flow Integrity for Commodity Operating System Kernels, IEEE S&P 2014 (optional). Fine-Grained Control-Flow Integrity for Kernel Software, IEEE EuroS&P 2016 (optional). Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying, NDSS 2017 (optional). Secure Page Fusion with VUsion, ACM SOSP 2017 (optional). KASLR is Dead: Long Live KASLR, ESSoS 2017 (optional). KASLR: Break It, Fix It, Repeat, ACM ASIACCS 2020 (optional). A Systematic Study of Elastic Objects in Kernel Exploitation, ACM CCS 2020 (optional). PIBE: Practical Kernel Control-Flow Hardening with Profile-Guided Indirect Branch Elimination, ACM ASPLOS 2021 (optional). Preventing Kernel Hacks with HAKCs, NDSS 2022 (optional). Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages, USENIX SEC 2024 (optional).
03/24/2025	`NUL`	`Spring Recess`
No class On the Effectiveness of Address-Space Randomization, ACM CCS 2004 (optional). From Zygote to Morula: Fortifying Weakened ASLR on Android, IEEE S&P 2014 (optional). CAIN: Silently Breaking ASLR in the Cloud, USENIX WOOT 2015 (optional). Poking Holes in Information Hiding, USENIX SEC 2016 (optional). Undermining Information Hiding (and What to Do about It), USENIX SEC 2016 (optional). ASLR on the Line: Practical Cache Attacks on the MMU, NDSS 2017 (optional). No Need to Hide: Protecting Safe Regions on Commodity Hardware, EuroSys 2017 (optional). Breaking and Fixing Destructive Code Read Defenses, ACSAC 2017 (optional). Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets, NDSS 2018 (optional). ProbeGuard: Mitigating Probing Attacks through Reactive Program Transformations, ACM ASPLOS 2019 (optional). SoK: Shining Light on Shadow Stacks, IEEE S&P 2019 (optional).
03/17/2025	`0x7`	`Code-Pointer Integrity`
Code-Pointer Integrity, USENIX OSDI 2014. Missing the Point(er): On the Effectiveness of Code Pointer Integrity, IEEE S&P 2016. PAC it up: Towards Pointer Integrity using ARM Pointer Authentication, USENIX SEC 2019. CETIS: Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation, ACM CCS 2022. Stack Object Protection with Low Fat Pointers, NDSS 2017 (additional). CCFI: Cryptographically Enforced Control Flow Integrity, ACM CCS 2015 (additional). ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks, ACM CCS 2015 (additional). PointGuard^TM: Protecting Pointers from Buffer Overflow Vulnerabilities, USENIX SEC 2003 (optional). ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK), USENIX SEC 2019 (optional). μRAI: Securing Embedded Systems with Return Address Integrity, NDSS 2020 (optional). SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation, IEEE S&P 2020 (optional). PTAuth: Temporal Memory Safety via Robust Points-to Authentication, USENIX SEC 2021 (optional). Tightly Seal Your Sensitive Pointers with PACTight, USENIX SEC 2022 (optional). PACMem: Enforcing Spatial and Temporal Memory Safety via ARM Pointer Authentication, ACM CCS 2022 (optional). Memory Tagging using Cryptographic Integrity on Commodity x86 CPUs, IEEE EuroS&P 2024 (optional).
03/10/2025	`0x6`	`Live ASLR`
Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization, USENIX SEC 2012. Timely Rerandomization for Mitigating Memory Disclosures, ACM CCS 2015. Shuffler: Fast and Deployable Continuous Code Re-Randomization, USENIX OSDI 2016. SafeHidden: An Efficient and Secure Information Hiding Technique Using Re-randomization, USENIX SEC 2019. CodeArmor: Virtualizing the Code Space to Counter Disclosure Attacks, IEEE EuroS&P 2017 (additional). Remix: On-demand Live Randomization, ACM CODASPY 2015 (optional). How to Make ASLR Win the Clone Wars: Runtime Re-Randomization, NDSS 2016 (optional). Morpheus: A Vulnerability-Tolerant Secure Architecture Based on Ensembles of Moving Target Defenses with Churn, ACM ASPLOS 2019 (optional). CoDaRR: Continuous Data Space Randomization against Data-Only Attacks, ACM ASIACCS 2020 (optional). Adelie: Continuous Address Space Layout Re-randomization for Linux Drivers, ACM ASPLOS 2022 (optional). HARM: Hardware-Assisted Continuous Re-randomization for Microcontrollers, IEEE EuroS&P 2022 (optional). Randezvous: Making Randomization Effective on MCUs, ACSAC 2022 (optional).
03/03/2025	`0x5`	`Code Diversification \| JIT-ROP Protection`
Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization, IEEE S&P 2013. Readactor: Practical Code Randomization Resilient to Memory Disclosure, IEEE S&P 2015. Heisenbyte: Thwarting Memory Disclosure Attacks using Destructive Code Reads, ACM CCS 2015. Compiler-assisted Code Randomization, IEEE S&P 2018. Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization, IEEE S&P 2012 (additional). Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing, USENIX SEC 2014 (additional). You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code, ACM CCS 2014 (additional). Return to the Zombie Gadgets: Undermining Destructive Code Reads via Code Inference Attacks, IEEE S&P 2016 (additional). Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits, USENIX SEC 2003 (optional). Efficient Techniques for Comprehensive Protection from Memory Error Exploits, USENIX SEC 2005 (optional). Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software, ACSAC 2006 (optional). ILR: Where'd My Gadgets Go?, IEEE S&P 2012 (optional). Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code, ACM CCS 2012 (optional). Gadge Me If You Can: Secure and Efficient Ad-hoc Instruction-Level Randomization for x86 and ARM, ACM ASIACCS 2013 (optional). SoK: Automated Software Diversity, IEEE S&P 2014 (optional). Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming, NDSS 2015 (optional). Opaque Control-Flow Integrity, NDSS 2015 (optional). HideM: Protecting the Contents of Userspace Memory in the Face of Disclosure Vulnerabilities, ACM CODASPY 2015 (optional). Leakage-Resilient Layout Randomization for Mobile Devices, NDSS 2016. (optional) No-Execute-After-Read: Preventing Code Disclosure in Commodity Software, ACM ASIACCS 2016 (optional). Juggling the Gadgets: Binary-level Code Randomization using Instruction Displacement, ACM ASIACCS 2016 (optional). NORAX: Enabling Execute-Only Memory for COTS Binaries on AArch64, IEEE S&P 2017 (optional). Defeating Zombie Gadgets by Re-randomizing Code upon Disclosure, ESSoS 2017 (optional). Protecting COTS Binaries from Disclosure-guided Code Reuse Attacks, ACSAC 2017 (optional). A Framework for Software Diversification with ISA Heterogeneity, RAID 2020 (optional). Methodologies for Quantifying (Re-)randomization Security and Timing under JIT-ROP, ACM CCS 2020 (optional). Practical Fine-Grained Binary Code Randomization, ACSAC 2020 (optional). R2C: AOCR-Resilient Diversity with Reactive and Reflective Camouflage, EuroSys 2023 (optional).
02/24/2025	`0x4`	`Control-Flow Integrity (cont'd)`
Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection, USENIX SEC 2014. Control-Flow Bending: On the Effectiveness of Control-Flow Integrity, USENIX SEC 2015. The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later, ACM CCS 2017. CONFIRM: Evaluating Compatibility and Relevance of Control-flow Integrity Protections for Modern Software, USENIX SEC 2019. Out of Control: Overcoming Control-Flow Integrity, IEEE S&P 2014 (additional). Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity, ACM CCS 2015 (additional). On the Effectiveness of Type-based Control Flow Integrity, ACSAC 2018 (additional). SoK: On the Effectiveness of Control-Flow Integrity in Practice, USENIX WOOT 2024 (additional). ROP is Still Dangerous: Breaking Modern Defenses, USENIX SEC 2014 (optional). Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard, USENIX SEC 2014 (optional). Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks, ACM CCS 2015 (optional). WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches, IEEE S&P 2023 (optional).
02/17/2025	`NUL`	`Presidents' Day`
No class Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications, IEEE S&P 2015 (optional). Type Casting Verification: Stopping an Emerging Attack Vector, USENIX SEC 2015 (optional). It's a TRaP: Table Randomization and Protection against Function-Reuse Attacks, ACM CCS 2015 (optional). A Tough `call`: Mitigating Advanced Code-Reuse Attacks at the Binary Level, IEEE S&P 2016 (optional). TypeSan: Practical Type Confusion Detection, ACM CCS 2016 (optional). VTPin: Practical VTable Hijacking Protection for Binaries, ACSAC 2016 (optional). Control-Flow Integrity: Precision, Security, and Performance, ACM CSUR 2017 (optional). MARX: Uncovering Class Hierarchies in C++ Programs, NDSS 2017 (optional). VTrust: Regaining Trust on Virtual Calls, NDSS 2017 (optional). HexType: Efficient Detection of Type Confusion Errors for C++, ACM CCS 2017 (optional). CFIXX: Object Type Integrity for C++ Virtual Dispatch, NDSS 2018 (optional). Origin-sensitive Control Flow Integrity, USENIX SEC 2019 (optional). Sherloc: Secure and Holistic Control-Flow Violation Detection on Embedded Systems, ACM CCS 2023 (optional).
02/10/2025	`0x3`	`Control-Flow Integrity`
Control-Flow Integrity, ACM CCS 2005. Control Flow Integrity for COTS Binaries, USENIX SEC 2013. Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM, USENIX SEC 2015. Where Does It Go?: Refining Indirect-Call Targets with Multi-Layer Type Analysis, ACM CCS 2019. FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking, RAID 2023. Practical Context-Sensitive CFI, ACM CCS 2015 (additional). Per-Input Control-Flow Integrity, ACM CCS 2015 (additional). Venerable Variadic Vulnerabilities Vanquished, USENIX SEC 2017 (additional). Enforcing Unique Code Target Property for Control-Flow Integrity, ACM CCS 2018 (additional). DEEPTYPE: Refining Indirect Call Targets with Strong Multi-layer Type Analysis, USENIX SEC 2024 (additional). Practical Control Flow Integrity and Randomization for Binary Executables, IEEE S&P 2013 (optional). Monitor Integrity Protection with Space Efficiency and Separate Compilation, ACM CCS 2013 (optional). GRIFFIN: Guarding Control Flows Using Intel Processor Trace, ACM ASPLOS 2017 (optional). Efficient Protection of Path-Sensitive Control Security, USENIX SEC 2017 (optional). Object Flow Integrity, ACM CCS 2017 (optional). Binary Control-Flow Trimming, ACM CCS 2019 (optional). Refining Indirect Call Targets at the Binary Level, NDSS 2021 (optional). Let’s talk about CFI: clang edition \| Microsoft Edition, Trail of Bits (optional).
02/03/2025	`0x2`	`Kernel Security`
kGuard: Lightweight Kernel Protection against Return-to-user Attacks, USENIX SEC 2012. ret2dir: Rethinking Kernel Isolation, USENIX SEC 2014. kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse, EuroSys 2017. Practical Timing Side Channel Attacks against Kernel Space ASLR, IEEE S&P 2013 (additional). PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables, NDSS 2017 (additional). DirtyCred: Escalating Privilege in Linux Kernel, ACM CCS 2022 (additional). A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel, ACM CCS 2014 (optional). Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation, ACM ASPLOS 2016 (optional). Jump over ASLR: Attacking Branch Predictors to Bypass ASLR, IEEE MICRO 2016 (optional). RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections, ACM CCS 2023 (optional).
01/27/2025	`0x1`	`Introduction \| Basic Concepts`
Lecture slides SoK: Eternal War in Memory, IEEE S&P 2013. x86 Assembly \| x86-64 Assembly x86 Instruction Set Reference Stack frame layout: x86 \| x86-64 Position Independent Code (PIC): x86 \| x86-64 Anatomy of a Program in Memory Linux x86 Program Start Up The ELF file format

Meetings

Mondays 3PM – 5:20PM (M hour)
CIT 101 (Zoom)

Instructor

`Vasileios (Vasilis) Kemerlis`

https://cs.brown.edu/~vpk
echo @cs.brown.edu|sed 's/^/vpk/'
CIT 505 & Zoom (Mon. 6PM – 7PM)

Communication

course.csci.2951u.2025-spring.s01@lists.brown.edu

Announcements

05/05/2025	Project presentations.
04/28/2025	Project presentations.
04/14/2025	No class today.
04/07/2025	Lecture `0xa` readings posted.
03/31/2025	Lecture `0x9` readings posted.
03/24/2025	No class today.
03/17/2025	Lecture `0x8` readings posted.
03/10/2025	Lecture `0x7` readings posted.
03/03/2025	Lecture `0x6` readings posted.
02/24/2025	Lecture `0x5` readings posted.
02/17/2025	No class today.
02/10/2025	Lecture `0x4` readings posted.
02/03/2025	Lecture `0x3` readings posted.
01/27/2025	Lecture `0x2` readings posted.
01/22/2025	Lecture `0x1` readings posted.
01/22/2025	Welcome to CSCI 2951U!