CSCI 4900/6900 - Program Analysis for Software Reliability and Security


Instructor: Kyu Hyung Lee (kyuhlee@cs.uga.edu), BYOD 638B
Times: TR 15:30 ~ 16:45; W 15:35 ~ 16:25
Location: Building 1040, Room 0306
Office Hours: TBA
Course Webpage: http://cs.uga.edu/~kyuhlee/fall2014
Piazza: https://piazza.com/uga/fall2014/csci49006900

Course Overview

Software problems are the root causes of many system failures and cyber attacks. However, most software developers still rely on manual processes to generate tests, identify bugs and vulnerabilities, or correct misbehaving programs. Program analysis techniques allow developers to analyze the behavior of programs automatically, making software both easier to test and more reliable.

This is primarily a research-oriented, seminar-type course that explores both foundational and recent advances in program analysis, software reliability and software security. The goal of this course is to introduce students to the techniques currently used in both research and practice. In the first few lectures, the instructor will introduce the foundations and applications of program analysis. After that, the instructor will introduce the fundamental concepts and principles of each course topic, and the students in turn will present recent research papers from the reading list.

In addition, each student will address a relevant research problem in an area covered by the course: students will choose a research problem, propose a solution and present results by the end of the semester.

Textbooks: No textbook is required. We will read and discuss academic research papers; all papers for the class will be available online.


Prerequisites

Solid programming and debugging skills (C, C++, Linux) and a good understanding of operating systems concepts are required for this class. Prior knowledge of compilers and computer security is a plus.


Grading (Tentative)


Course Schedule (Tentative)

Date | Topic | Presenter | Slides
8/19 | Course Overview | Instructor |

Program Analysis
8/20 | Program Representation | Instructor |
8/21 | Program Slicing | Instructor |
8/26 | Program Instrumentation | Instructor |
8/27 | Program Analysis | Instructor |
8/28 | Program Analysis | Instructor |
9/2 | All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask) [S&P 2010] | Kevin Warrick |
9/3 | Buffer Overflow Detection and Prevention | Instructor |
9/4 | Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation [PLDI 2005] | Phani Vadrevu |

Program Testing
9/9 | Program Testing | Instructor |
9/10 | Program Testing | Instructor |
9/11 | Program Testing | Instructor |
9/16 | Symbolic Execution for Software Testing: Three Decades Later [Comm of ACM 2013] | Guodong Zhu |
9/17 | Project proposal presentation | |
9/18 | Project proposal presentation | |
9/23 | Project proposal presentation | |
9/24 | | |
9/25 | Race Detection for Android Applications [PLDI 2014] | E Brad Fuster |

Program Debugging
9/30 | Program Debugging | Instructor |
10/1 | Program Debugging | Instructor |
10/2 | CLAP: Recording Local Executions to Reproduce Concurrency Failures [PLDI 2013] | Logan Henry |
10/7 | | |
10/8 | | |

Software and System Security
10/9 | Security | Instructor |
10/14 | Security | Instructor |
10/15 | Framing Signals — A Return to Portable Shellcode [S&P 2014] | Kevin Warrick |
10/16 | Hacking Blind [S&P 2014] | Phani Vadrevu |
10/21 | Power Attack: An Increasing Threat to Data Centers [NDSS 2014] | E Brad Fuster |
10/22 | Project status presentation | |
10/23 | Project status presentation | |
10/28 | Enhancing Symbolic Execution with Veritesting [ICSE 2014] | Guodong Zhu |
10/29 | From Zygote to Morula: Fortifying Weakened ASLR on Android [S&P 2014] | Instructor |

Software and System Defense
10/30 | Defense | Instructor |
11/4 | Defense | Instructor |
11/5 | Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code [CCS 2012] | Phani Vadrevu |
11/6 | Defense | Instructor |
11/11 | Cyber Crime Investigation | Instructor |
11/12 | Cyber Crime Investigation | Instructor |
11/13 | Backtracking Intrusions [SOSP 2003] | Logan Henry |
11/18 | Control Flow Integrity [CCS 2005] | Kevin Warrick |
11/19 | BareCloud: Bare-metal Analysis-based Evasive Malware Detection [USENIX Security 2014] | Guodong Zhu |
11/20 | | |
11/25 | Thanksgiving break | |
12/2 | Project final presentation | |
12/3 | Project final presentation | |
12/4 | Project final presentation | |

Reading List (Tentative)

Program Analysis

  1. All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask) [S&P 2010]
  2. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software [NDSS 2005]
  3. A Study of Effectiveness of Dynamic Slicing in Locating Real Faults [ESE 2007]
  4. Simplifying and Isolating Failure-Inducing Input [TSE 2002]
  5. Empirical Evaluation of the Tarantula Automatic Fault-localization Technique [ASE 2005]
  6. Framework for Instruction-level Tracing and Analysis of Programs [VEE 2006]
  7. ShadowReplica: Efficient Parallelization of Dynamic Data Flow Tracking [CCS 2013]
  8. Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation [PLDI 2005]
  9. QEMU - A Fast and Portable Dynamic Translator [USENIX ATC 2005]
  10. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation [CGO 2004]


Software Testing

  1. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs [OSDI 2008]
  2. CUTE: A Concolic Unit Testing Engine for C [ESEC-FSE 2005]
  3. PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection [MICRO 2006]
  4. AVIO: Detecting Atomicity Violations via Access Interleaving Invariants [ASPLOS 2006]
  5. Locating Faults Through Automated Predicate Switching [ICSE 2006]
  6. Symbolic Execution for Software Testing: Three Decades Later [Comm of ACM 2013]
  7. Finding Latent Performance Bugs in Systems Implementations [FSE 2010]
  8. Race Detection for Android Applications [PLDI 2014]
  9. MUVI: Automatically Inferring Multi-Variable Access Correlations and Detecting Related Semantic and Concurrency Bugs [SOSP 2007]


Software Debugging

  1. CP-Miner: A Tool for Finding Copy-paste and Related Bugs in Operating System Code [OSDI 2004]
  2. Toward Generating Reducible Replay Logs [PLDI 2011]
  3. PRES: Probabilistic Replay with Execution Sketching on Multiprocessors [SOSP 2009]
  4. CLAP: Recording Local Executions to Reproduce Concurrency Failures [PLDI 2013]
  5. ROOT: Replaying Multithreaded Traces with Resource-Oriented Ordering [SOSP 2013]
  6. Unified Debugging of Distributed Systems with Recon [DSN 2011]
  7. Automated Concurrency-Bug Fixing [OSDI 2012]
  8. Rx: Treating Bugs as Allergies - A Safe Method to Survive Software Failures [SOSP 2005]
  9. Automatic Runtime Error Repair and Containment via Recovery Shepherding [PLDI 2014]


Software and System Security

  1. Finding Security Vulnerabilities in Java Applications with Static Analysis [SSYM 2005]
  2. On Deriving Unknown Vulnerabilities from Zero-day Polymorphic and Metamorphic Worm Exploits [CCS 2005]
  3. How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores [S&P 2011]
  4. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) [CCS 2007]
  5. Gatling: Automatic Attack Discovery in Large-Scale Distributed Systems [NDSS 2012]
  6. Differential Slicing: Identifying Causal Execution Differences for Security Applications [S&P 2011]
  7. Hacking Blind [S&P 2014]
  8. From Zygote to Morula: Fortifying Weakened ASLR on Android [S&P 2014]
  9. Framing Signals — A Return to Portable Shellcode [S&P 2014]
  10. Power Attack: An Increasing Threat to Data Centers [NDSS 2014]
  11. Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs [CCS 2014]
  12. BareCloud: Bare-metal Analysis-based Evasive Malware Detection [USENIX Security 2014]


Software and System Defenses

  1. LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks [MICRO 2006]
  2. Control Flow Integrity [CCS 2005]
  3. A Virtual Machine Introspection Based Architecture for Intrusion Detection [NDSS 2003]
  4. Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization [S&P 2013]
  5. V2E: Combining Hardware Virtualization and Software Emulation for Transparent and Extensible Malware Analysis [VEE 2012]
  6. Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory [RAID 2010]
  7. Practical Control Flow Integrity & Randomization for Binary Executables [S&P 2013]
  8. Practical and Effective Sandboxing for Non-root Users [USENIX ATC 2013]
  9. Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code [CCS 2012]
  10. Secure Execution Via Program Shepherding [USENIX Security 2002]
  11. Digital Forensics Research: The Next 10 Years [DFRWS 2010]
  12. Backtracking Intrusions [SOSP 2003]
  13. High Accuracy Attack Provenance via Binary-based Execution Partition [NDSS 2013]
  14. LogGC: Garbage Collecting Audit Log [CCS 2013]
  15. Android Forensics: Automated Data Collection and Reporting From a Mobile Device [DFRWS 2013]
  16. Automatic Reverse Engineering of Data Structures from Binary Execution [NDSS 2010]
  17. Intrusion Recovery Using Selective Re-execution [OSDI 2010]
  18. Intrusion Recovery for Database-backed Web Applications [SOSP 2011]