**CS 380s: Graduate Computer Security** *Spring 2021* Instructor: : [Hovav Shacham](/~hovav/), hovav@cs.utexas.edu Office hours: : Wednesdays, 10:00 AM--noon, on Zoom Lectures: : Tuesdays and Thursdays, 9:30--11:00 AM, on Zoom Final presentations: : Wednesday 12 May, 2:00--5:00 PM, on Zoom Online Instruction Logistics ======================================================================== We will have synchronous lectures at our registrar-assigned time. Try to attend these lectures live, if you can; that will allow you to participate in discussion. As a backup, the lectures will also be recorded, with the link available on canvas. I have created a basic Canvas site for the course. That site links to Zoom meeting codes for lectures and for instructor office hours. We'll use Canvas for assignment submission and other course management tasks, but you should check this home page for course content. Asynchronous discussion and updates will take place on a dedicated channel in the UT Security Slack instead of Piazza. Please send me (hs) an e-mail with a UT e-mail address to invite. Policies ======================================================================== Attendance ------------------------------------------------------------------------ Attending lectures and keeping up with the readings is crucial for success in CS 380S. You must not register for another class whose lecture times overlap those of CS 380S, even in part. You must not register for a class section whose time overlaps with those of CS 380S, even in part. Office Hours ------------------------------------------------------------------------ Your instructor will each hold regular office hours, listed on the course home page. Office hours are the best way to get extended help with the course material. Please come to office hours! Readings and Textbooks ------------------------------------------------------------------------ There is no textbook for this class. Instead, we will read and discuss research papers. These papers are listed in the Calendar and Readings section, below. For additional background, you may find some of the following books useful: - R. Anderson, [_Security Engineering_, 3rd ed.](https://www.cl.cam.ac.uk/~rja14/book.html), Wiley, 2021 - Jean-Philippe Aumasson, [_Serious Cryptography_](https://nostarch.com/seriouscrypto/), No Starch, 2017 - Dan Boneh and Victor Shoup, [_A Graduate Course in Applied Cryptography_](https://toc.cryptobook.us/), book draft, 2020 - Whitfield Diffie and Susan Landau, [_Privacy on the Line_](https://mitpress.mit.edu/books/privacy-line), MIT Press, 2010 - M. Dowd, J. McDonald, and J. Schuh: [_The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities_](https://www.informit.com/store/art-of-software-security-assessment-identifying-and-9780321444424), Addison-Wesley, 2006. - J. Gustedt, [_Modern C_, 2nd ed.](https://modernc.gforge.inria.fr), Manning, 2019 - P. Gutmann, [_Engineering Security_](https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf), book draft, 2014 - M. Haverbeke, [_Eloquent JavaScript_, 3rd ed.](https://nostarch.com/ejs3), No Starch, 2018 - P. Larsen and A.-R. Sadeghi, eds., [_The Continuing Arms Race: Code-Reuse Attacks and Defenses_](https://dl.acm.org/citation.cfm?id=3129743), ACM and Morgan & Claypool, 2018 - A. Miné: ["Tutorial on Static Inference of Numeric Invariants by Abstract Interpretation"](https://hal.sorbonne-universite.fr/hal-01657536), _Foundations and Trends in Programming Languages_, 2017. - A. Møller and M.I. Schwartzbach: [_Static Program Analysis_](https://cs.au.dk/~amoeller/spa/spa.pdf), manuscript, 2020. - P. van Oorschot, [_Computer Security and the Internet: Tools and Jewels_](https://people.scs.carleton.ca/~paulv/toolsjewels.html), Springer, 2019 - T. Paglen, [_Blank Spots on the Map_](https://www.amazon.com/Blank-Spots-Map-Geography-Pentagons/dp/0451229169/), NAL Trade, 2010 - E. Rescorla, [_SSL and TLS_](https://www.amazon.com/SSL-TLS-Designing-Building-Systems/dp/0201615983), Addison-Wesley, 2001 - T. Ringer, K. Palmskog, I. Sergey, M. Gligoric, and Z. Tatlock: ["QED at Large: A Survey of Engineering of Formally Verified Software"](https://arxiv.org/abs/2003.06458), _Foundations and Trends in Programming Languages_, 2019. - Ivan Ristic, [_Bulletproof SSL and TLS_](https://www.feistyduck.com/books/bulletproof-ssl-and-tls/), Feisty Duck, 2017 - [_Static Single Assignment Book_](http://ssabook.gforge.inria.fr/latest/book-full.pdf), manuscript, 2018. - M. Zalewski, [_The Tangled Web_](https://www.nostarch.com/tangledweb), No Starch, 2011 Paper discussion and presentation ------------------------------------------------------------------------ This is a graduate class, and one of its goals is to prepare you to read and evaluate recent research in computer security. We expect that you complete all assigned reading ahead of each class meeting and come prepared to discuss the reading. We will use the Perusall platform to annotate the readings ahead of each class. The deadline for completing the assigned readings on Perusall will be midnight before each class. On (most) Tuesdays, your instructor will lecture and lead the discussion. On (most) Thursdays, a group of students will lead the discussion. You may use a document camera, slides, or a screencast to present, as you prefer. If you use slides, they should be your own. Even if the authors have made their slides available online, you should not use those slides. You are presenting your own take on the reading in the context of our class. The maximum size for discussion lead groups will depend on the size of the class. All members of the discussion lead group should present part of the material and help lead discussion. Class meetings available for presentations will have a "Presenters" bulletpoint in their calendar entry. Discussion lead slots will be assigned on a first-come-first-serve basis. Send a Slack message to your instructor with the names of your group members and your preferred dates. Research project ------------------------------------------------------------------------ This is a graduate class, and one of its goals is to prepare you to undertake research in computer security. The most important graded component of the class will, accordingly, be a research project in computer security. Our expectation is that this project will produce a research paper of sufficient novelty and quality that it can be accepted at a workshop on computer security. You will work on the project in groups. The maximum size for project groups will depend on the size of the class. (Your project group need not be the same as your paper presentation group.) We will ask you to pick a project group ahead of the project proposal due date. We will post a list of proposed topics in the course Slack channel. You need not select a topic from this list. If your research specialization is in a field other than security, you may (and should!) consider a project that draws on your research specialization. The timeline for the project is: | Milestone | Due date | |----------------------|---------------------------------------------------------| | Groups formed | Tuesday 9 Feb, 11:59 PM | | Project proposal | ~~Wednesday 17 Feb~~ Monday 1 Mar, 11:59 PM | | First status update | ~~Friday 12 Mar~~ Wednesday 24 Mar, 11:59 PM | | Second status update | ~~Wednesday 14 Apr~~ Wednesday 21 Apr, 11:59 PM | | Final report due | Wednesday 12 May, 11:59 PM | Before you propose a project, we strongly encourage you to discuss it with your instructor in office hours. If you will propose a project not on the list posted in Slack, we encourage you even more strongly to discuss it with your instructor. We encourage you to use $\LaTeX$ to typeset your proposal, updates, and report. In particular, consider using the POPL/PLDI format files in [`acmart-master.zip`](https://sigplan.org/Resources/Author/) using first lines ~~~~~~~~~~~~~~~~~~~~ latex \documentclass[nonacm,sigplan,10pt,review]{acmart} \settopmatter{printfolios=true,printccs=false,printacmref=false} ~~~~~~~~~~~~~~~~~~~~ Assuming you use this format, expect the proposal to be 2 pages long; the first and second status updates 4 and 6 pages long; and the final report 8–10 pages long. The first status report can be exploratory, discussing the progress you have made so far and the next steps you plan to take. The second status report should look more like a draft of the final report, with background and related work sections largely finished. Each group will submit just one joint copy of the proposal, progress reports, and final report. At the same time that the final report is due, each group member will also individually submit a short (1-page) description of their contributions to the project. During our class on ~~18 Feb~~ 2 Mar, we will workshop your proposals. Each group will speak for 5 minutes to describe their project idea and plan of attack, and we will solicit feedback from the class. You can present visuals, but you do not need to make a formal slide deck. During our regularly scheduled final exam slot, each project group will give a 15--20 minute presentation about their project. (The presentation length will depend on the number of groups presenting; we'll announce it ahead of the presentation date.) For this final presentation, you will want to prepare a slide deck (and a live demo, if you can make one). All members of the project group should give part of the presentation. If you will not be able to attend the final exam session, you should record you part of the presentation (and confirm this accommodation with the instructor ahead of time). Exams ------------------------------------------------------------------------ Because the course this semester will be taught entirely online, we will not have written exams. On the one hand, testing in an uncontrolled environment increases the temptation to cheat, something I believe [faculty should avoid](https://communitystandards.stanford.edu/policies-and-guidance/honor-code). On the other hand, remote proctoring tools violate student privacy and may weaken the security of student devices. In place of exams, we will have a final project, described below. Grading ------------------------------------------------------------------------ The class will be scored out of 40 points. Reading on the Perusall platform will count for 6 points. Your turn leading paper presentation and discussion will count for 6 and participation during other discussions for 4. The project will count for the remaining 24, as follows: 2 points each for the proposal, workshop, and each update; 6 for the final presentation; and 10 for the final writeup. We expect to apply the following cutoffs in translating scores to letter grades: A/B cutoff at 85%; B/C cutoff at 76%; C/D cutoff at 67%; and D/F cutoff at 58%. We may adjust these cutoffs (downward) if we determine that some assignments were more difficult than intended. Plus and minus cutoffs will be determined based on score distribution. Class Recordings ------------------------------------------------------------------------ Class recordings are reserved only for students in this class for educational purposes and are protected under FERPA. The recordings should not be shared outside the class in any form. Violation of this restriction by a student could lead to Student Misconduct proceedings. Guidance on public access to class recordings can be found [here](https://covid.provost.utexas.edu/faculty/search/?query=can%2520i%2520make%2520recordings%2520public). (Text for this section comes from the Provost's [Spring 2021 syllabus guidance](https://provost.utexas.edu/finance-reporting-compliance/public-access-to-course-information-hb-2504/syllabus-guidance-spring-2021/).) Calendar and Readings ======================================================================== Tue 19 Jan 2021: Introduction - *Reading*: - S. Keshav: “[How to read a paper](http://blizzard.cs.uwaterloo.ca/keshav/home/Papers/data/07/paper-reading.pdf)” (2007) - J. Mickens: “[This world of ours](https://www.usenix.org/system/files/1401_08-12_mickens.pdf)” (2014) Thu 21 Jan 2021: Early initiatives - *Reading*: - W.H. Ware et al., _[Security Controls for Computer Systems](http://seclab.cs.ucdavis.edu/projects/history/papers/ware70.pdf)_ (1970) - P.A. Karger and R.R. Schell: “[Multics Security Evaluation: Vulnerability Analysis](https://www.acsac.org/2002/papers/classic-multics-orig.pdf)” (1974) Tue 26 Jan 2021: Offensive security - *Reading*: - D. Dai Zovi: “[A Modern History of Offensive Security Research](https://docs.google.com/presentation/d/19HfkIojyLE8L8X8aZT-lJont96JqIg4PqEhb2juIK2c/edit?usp=sharing)” (2018) - Aleph One: "Smashing the Stack for Fun and Profit" (1996), [in original formatting](http://phrack.org/archives/issues/49/14.txt) or [corrected and reformatted](https://avicoder.me/2016/02/01/smashsatck-revived/) - M. Payer: “[How Memory Safety Violations Enable Exploitation of Programs](https://www.morganclaypoolpublishers.com/catalog_Orig/samples/9781970001815_sample.pdf#page=16),” chapter 1 of [Larsen and Sadeghi](https://dl.acm.org/citation.cfm?id=3129743) (2018) Thu 28 Jan 2021: Exploitation and exploitability - *Reading*: - R. Roemer, E. Buchanan, H. Shacham and S. Savage: “[Return-Oriented Programming: Systems, Languages, and Applications](/~hovav/dist/rop.pdf)” (2012) - T. Dullien: “[Weird Machines, Exploitability, and Provable Unexploitability](http://www.dullien.net/thomas/weird-machines-exploitability.pdf)” (2017); and see also [a recent related presentation](https://docs.google.com/presentation/d/1-7XQWUHpGTrFls8M5OysefpF_HZ2YYCYW3huLPo6ArM/edit) Tue 2 Feb 2021: Control-flow integrity (I) - *Reading*: - M. Abadi, M. Budiu, Úlfar Erlingsson, and J. Ligatti: “[Control-Flow Integrity: Principles, Implementations, and Applications](https://www.cse.usf.edu/~ligatti/papers/cfi-tissec.pdf)” (2009) - Y. Li et al.: “Finding Cracks in Shields: On the Security of Control Flow Integrity Mechanisms” (2020) Thu 4 Feb 2021: Control-flow integrity (II) - *Presenters*: hs - *Reading*: - F. Schuster et al.: “[Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications](https://www.ei.rub.de/media/emma/veroeffentlichungen/2015/04/13/COOP-Oakland15_1.pdf)” (2015) - N. Carlini et al.: “[Control-Flow Bending: On the Effectiveness of Control-Flow Integrity](https://people.eecs.berkeley.edu/~daw/papers/cfi-sec15.pdf)” (2015) Tue 9 Feb 2021: Software fault isolation (I) - *Reading*: - G. Tan: “[Principles and Implementation Techniques of Software-Based Fault Isolation](http://www.cse.psu.edu/~gxt29/papers/sfi-final.pdf)” (2017) Thu 11 Feb 2021: Software fault isolation (II) - *Presenters*: jd - *Reading*: - Y. Mao et al.: “[Software Fault Isolation with API Integrity and Multi-Principal Modules](https://people.csail.mit.edu/nickolai/papers/mao-lxfi.pdf)” (2011) - S. Narayan et al.: “[Retrofitting Fine Grain Isolation in the Firefox Renderer](https://arxiv.org/abs/2003.00572)” (2020) Tue 16 Feb 2021: ~~WebAssembly~~ (weather closure, no class) - *Originally assigned reading, now optional*: - A. Jangda, B. Powers, E.D. Berger, and A. Guha: “[Not So Fast: Analyzing the Performance of WebAssembly vs. Native Code](https://www.usenix.org/conference/atc19/presentation/jangda)” (2019) - D. Lehmann, J. Kinder, and M. Pradel: “[Everything Old is New Again: Binary Security of WebAssembly](https://www.usenix.org/conference/usenixsecurity20/presentation/lehmann)” (2020) - E. Johnson et al.: “SFI safety for native-compiled Wasm” (2021) - *Optional background reading*: [the Wasm core and embedder specifications](https://webassembly.github.io/spec/); [the WASI documentation](https://wasi.dev/) Thu 18 Feb 2021: ~~Project proposal workshopping~~ (weather closure, no class) Tue 23 Feb 2021: ~~eBPF (I)~~ (weather closure, no class) - *Originally assigned reading, now optional*: - M. Paul: “[CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program Verification](https://www.zerodayinitiative.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification)” (2020) - E. Gershuni et al.: “[Simple and Precise Static Analysis of Untrusted Linux Kernel Extensions](https://vbpf.github.io/assets/prevail-paper.pdf)” (2019) Thu 25 Feb 2021: ~~eBPF (II)~~ (weather closure, additional office hours instead of class) - *Presenters*: ~~at+kp~~ - *Originally assigned reading, now optional*: - X. Wang et al.: “[Jitk: A Trustworthy In-Kernel Interpreter Infrastructure](https://pdos.csail.mit.edu/papers/jitk:osdi14.pdf)” (2014) - L. Nelson, J. Van Geffen, E. Torlak, and X. Wang: “[Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf)” (2020) Tue 2 Mar 2021: Browsers and the same-origin policy *and project proposal workshopping* - *Reading*: - C. Jackson and A. Barth: “[Beware of Finer-Grained Origins](https://seclab.stanford.edu/websec/origins/fgo.pdf)” (2008) - C. Reis, A. Moshchuk, and N. Oskov: “[Site Isolation: Process Separation for Web Sites within the Browser](https://research.google/pubs/pub48285/)” (2019) Thu 4 Mar 2021: JIT spraying - *Presenters*: op+kr - *Reading*: - D. Blazakis: “[Interpreter Exploitation](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Blazakis.pdf)” (2008) - R. Gawlik and T. Holz: [untitled JIT spray paper](https://www.usenix.org/system/files/conference/woot18/woot18-paper-gawlik.pdf) (2018) - S. Ahmed et al.: “[Methodologies for Quantifying (Re-)randomization Security and Timing under JIT-ROP](https://yaogroup.cs.vt.edu/aslr-measurement-ccs-2020.pdf)” (2020) Tue 9 Mar 2021: JavaScript engine exploitation - *Reading*: - saelo: “[The Art of Exploitation: Attacking JavaScript Engines](http://phrack.org/papers/attacking_javascript_engines.html)” (2016) - saelo: “[3 Years of Attacking JavaScript Engines](https://gist.github.com/saelo/dd598a91a27ddd7cb9e410dc92bf37a1)” (2019) - 0vercl0k: “[Introduction to SpiderMonkey Exploitation](https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/)” (2018) Thu 11 Mar 2021: JIT compiler exploitation - *Presenters*: mp - *Reading*: - saelo: “[The Art of Exploitation: Compile Your Own Type Confusion: Exploiting Logic Bugs in JavaScript JIT Engines](http://phrack.org/papers/jit_exploitation.html)” (2019) - 0vercl0k: “[A journey into IonMonkey: Root-Causing CVE-2019-9810](https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/)” (2019) Tue 23 Mar 2021: Microarchitectural attacks - *Reading*: - chapters 2 and 3 from D. Gruss: _[Transient-Execution Attacks and Defenses](https://gruss.cc/files/habil_part1_only.pdf)_ (2020) Thu 25 Mar 2021: ASLR side channels - *Presenters*: yh - *Reading*: - D. Evtyushkin, D. Ponomarev, and N. Abu-Ghazaleh: “[Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR](http://www.cs.ucr.edu/~nael/pubs/micro16.pdf)” (2016) - B. Gras et al.: “[ASLR on the Line: Practical Cache Attacks on the MMU](https://www.cs.vu.nl/~giuffrida/papers/anc-ndss-2017.pdf)” (2017) Tue 30 Mar 2021: Speculative execution (I) - *Reading*: - A. Fogh: “[Negative Result: Reading Kernel Memory From User Mode](https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/)” (2017) - J. Horn: “[Reading Privileged Memory with a Side-Channel](https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html)” (2018) - Kocher et al.: “[Spectre Attacks: Exploiting Speculative Execution](https://spectreattack.com/spectre.pdf)” (2019) - Lipp et al.: “[Meltdown: Reading Kernel Memory from User Space](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-lipp.pdf)” (2018) Thu 1 Apr 2021: Speculative execution (II) - *Presenters*: ek - *Reading*: - S. van Schaik et al.: “[RIDL: Rogue In-Flight Data Load](https://mdsattacks.com/files/ridl.pdf)” (2019) - S. Röttger: “[Escaping the Chrome Sandbox with RIDL](https://googleprojectzero.blogspot.com/2020/02/escaping-chrome-sandbox-with-ridl.html)” (2020) - J. Van Bulck et al.: “[LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection](https://lviattack.eu/lvi.pdf)” (2020) Tue 6 Apr 2021: Rowhammer (I) - *Reading*: - S. Govindavajhala and A.W. Appel: “[Using Memory Errors to Attack a Virtual Machine](https://www.cs.princeton.edu/~appel/papers/memerr.pdf)” (2003) - M. Seaborn and T. Dullien: “[Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges](https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges.pdf)” (2015) - O. Mutlu and J.S. Kim: “[RowHammer: A Retrospective](https://arxiv.org/abs/1904.09724)” (2019) Thu 8 Apr 2021: Rowhammer (II) - *Presenters*: jl - *Reading*: - A. Kwong, D. Genkin, D. Gruss, and Y. Yarom: “[RAMBleed: Reading Bits in Memory without Accessing Them](https://rambleed.com/docs/20190603-rambleed-web.pdf)” (2020) - P. Frigo, C. Giuffrida, H. Bos, and K. Razavi: “[Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU](https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf)” (2018) Tue 13 Apr 2021: Enclaves (I) - *Reading*: - D. Cerdeira, N. Santos, P. Fonseca, and S. Pinto: “[SoK: Understanding the Prevailing Security Vulnerabilities in TrustZone-assisted TEE Systems](https://www.cs.purdue.edu/homes/pfonseca/papers/sp2020-tees.pdf)” (2020) - *Optional background reading on SGX*: V. Costan, I. Lebedev, and S. Devadas: "Secure Processors" (2017), [Part I](https://people.csail.mit.edu/devadas/pubs/part_1.pdf) and [Part II](https://people.csail.mit.edu/devadas/pubs/part_2.pdf) Thu 15 Apr 2021: Enclaves (II) - *Presenters*: op+kr - *Reading*: - A. Ferraiuolo, A. Baumann, C. Hawblitzel, and B. Parno: “[Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software](https://andrew.cmu.edu/user/bparno/papers/komodo.pdf)” (2017) - D. Lee et al.: “[Keystone: An Open Framework for Architecting TEEs](https://arxiv.org/abs/1907.10119)” (2020) Tue 20 Apr 2021: Hardware accelerators - *Presenters*: at+kp - *Reading*: - L.E. Olson, S. Sethumadhavan, and M.D. Hill: “[Security Implications of Third-Party Accelerators](https://apps.dtic.mil/dtic/tr/fulltext/u2/1015558.pdf)” (2015) - R.P. Weinmann: “[Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks](https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf)” (2012) - G. Beniamini: “[Over The Air: Exploiting Broadcom’s Wi-Fi Stack, part 1](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)” (2017) - X. Gong: “[Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone](https://i.blackhat.com/USA-19/Wednesday/us-19-Gong-Bypassing-The-Maginot-Line-Remotely-Exploit-The-Hardware-Decoder-On-Smartphone.pdf)” (2019) Thu 22 Apr 2021: Hardware support for constant-time programming - *Presenters*: yw - *Reading*: - chapters 1 and 2 from I. Liu: _[Precision Timed Machines](https://www2.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-113.pdf)_ (2012) - J. Yu et al.: “[Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing](https://eprint.iacr.org/2018/808)” (2019) - A. Singh et al.: “[SPX64: A Scratchpad Memory for General-purpose Microprocessors](https://dl.acm.org/doi/pdf/10.1145/3436730)” (2020) Tue 27 Apr 2021: Hardware support for memory safety (I) - *Presenters*: TBA - *Reading*: - Qualcomm Product Security: “[Pointer Authentication on ARMv8.3](https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf)” (2017) - B. Azad: “[Examining Pointer Authentication on the iPhone XS](https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html)” (2019) - chapters 1--3 of Intel: _[Control-flow Enforcement Technology Specification](https://software.intel.com/content/dam/develop/external/us/en/documents/control-flow-enforcement-technology-preview-711069.pdf)_, revision 3.0 (2019) - V. Shanbhogue, D. Gupta, and R. Sahita: “[Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity](https://cseweb.ucsd.edu/~dstefan/cse227-spring20/papers/shanbhogue:cet.pdf)” (2019) Thu 29 Apr 2021: Hardware support for memory safety (II) - *Presenters*: mh - *Reading*: - K. Serebryany et al.: “[Memory Tagging and How It Improves C/C++ Memory Safety](https://arxiv.org/abs/1802.09517)” (2018) - J. Bialek, K. Johnson, M. Miller, and T. Chen: “[Security Analysis of Memory Tagging](https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf)” (2020) Tue 4 May 2021: Hardware support for memory safety (III) - *Presenters*: TBA - *Reading*: - M. Hedayati et al.: “[Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries](https://www.usenix.org/conference/atc19/presentation/hedayati-hodor)” (2019) - A. Vahldiek-Oberwagner et al.: “[ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)](https://www.usenix.org/conference/usenixsecurity19/presentation/vahldiek-oberwagner)” (2019) - J. Gu et al.: “[Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication](https://www.usenix.org/conference/atc20/presentation/gu)” (2020) - R.J. Connor, T. McDaniel, J.M. Smith, and M. Schuchard: “[PKU Pitfalls: Attacks on PKU-based Memory Isolation Systems](https://www.usenix.org/conference/usenixsecurity20/presentation/connor)” (2020) Thu 6 May 2021: Recent developments - *Presenters*: at+kp - *Reading*: - “[Issue 1144662: Bypassing ASLR using Oilpan's Conservative Garbage Collector](https://crbug.com/1144662)” (2020) - S. Röttger and A. Janc: “[A Spectre Proof-of-Concept for a Spectre-Proof Web](https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html)” (2021) - A. Mambretti et al.: “[Bypassing Memory Safety Mechanisms through Speculative Control Flow Hijacks](https://arxiv.org/abs/2003.05503)” (2021) - S. Narayan et al.: “[Swivel: Hardening WebAssembly against Spectre](https://arxiv.org/abs/2102.12730)” (2021) Wed 12 May 2021: Project presentations