is893-2020-fall's Issues
Paper bidding
Hi all,
Please fill this time table with your choice of papers: https://docs.google.com/spreadsheets/d/1XWGdLnSZEkEaK1olUEcjb9SKhbfpW5-roQ6asPTfBhE/edit?usp=sharing
Notice homework 1 & 2 score
You can check your homework score using the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me at the email below.
Notice homework 3 Score
You can check your homework score using the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me at the email below.
Feedback & fitness functions of fuzzing
Daejin's last question reminds me of some more interesting work that uses more advanced feedback and fitness functions:
- FairFuzz: fairness of branch coverage (note that this is more than just using coverage)
- PerfFuzz: longest execution paths, to find performance bugs
I recommend that all of you read these papers. If you want, you may also present them.
Homework 7 is out
Due 11/25 23:59:59.
Merlin Error: Unbound module Llvm
Maybe it's a trivial thing to some of you, but I was annoyed by the error message saying "Unbound module Llvm".
To solve this, we need to edit the src/.merlin file and add a line
PKG llvm
right after EXCLUDE_QUERY_DIR. After editing src/.merlin like this:
EXCLUDE_QUERY_DIR
PKG llvm
blah blah ~
we can make the most of type-checking and auto-completion for the Llvm module (which is a feature of the merlin package).
The most important thing is that we're free from the error messages.
Sorry for making an issue late at night.
Basic information
Hi all,
Welcome to Advanced software security.
This course will be held fully in real time and online via Zoom. A Zoom invitation link will be sent to your email before the class. Also, this course will be highly interactive: it will include paper presentations and Q&A by students. So please prepare a camera (on by default) and a microphone (muted by default) for the class.
If you have any questions or suggestions, feel free to write a post on this board or an email to me.
I hope everybody will enjoy the course.
Thanks.
Applying C-reduce to other languages (esp., JS)
A simple optimization of the fuzzer
Hi all,
It seems that the fuzzer prints out too many output messages, which might make the Gradescope VM very slow.
I recommend silencing stderr as follows:
diff --git a/src/fuzzer.ml b/src/fuzzer.ml
index 6f3f108..908c429 100644
--- a/src/fuzzer.ml
+++ b/src/fuzzer.ml
@@ -16,7 +16,7 @@ let initialize env =
let execute exe input =
let fd_in, fd_out = Unix.pipe () in
let devnull = Unix.openfile "/dev/null" [ Unix.O_WRONLY ] 0o644 in
- match Unix.create_process exe [| exe |] fd_in devnull Unix.stderr with
+ match Unix.create_process exe [| exe |] fd_in devnull devnull with
| 0 ->
Unix.close devnull;
Unix.close fd_in;
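Review bot: routing the child's stderr to `devnull` as well also discards the crash diagnostics (abort or sanitizer messages) that a fuzzer usually wants for triage, so if anything downstream reads that text, redirect stderr to a per-run log file instead of `devnull` and keep the silencing only for the volume problem described above. Passing the same `devnull` descriptor for both the stdout and stderr arguments is fine, because `Unix.create_process` duplicates it into the child's fds 1 and 2 and the parent's single `Unix.close devnull` still releases it. One thing in the context lines: `Unix.create_process` returns the child's pid, which is never 0 in the caller, so if the `| 0 ->` arm is meant as a fork-style child branch it is unreachable.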
Homework 3 is out
Please click the link in the schedule table. Enjoy.
TA @bangin20 will give further instructions.
Due: midnight Oct 5
More details about my presentation [TypeArmor/S&P16]
Q1. Why TypeArmor can't prevent data-only attacks.
I read some papers about data-only attacks after the presentation. The essence of data-only attacks is modifying data, not control flow, so data-only attacks don't harm control-flow integrity. That means any kind of CFI (including source-level CFI and TypeArmor) cannot mitigate such attacks. To mitigate this kind of attack, we need another approach, not CFI.
Q2. Why checking return type(void or non-void) can prevent attacks(especially COOP-like)?
A COOP attack consists of an ML gadget (main loop) and other gadgets. COOP is an attack that reads/writes some data or does some arithmetic task while running the ML gadget. So, after doing something, you must get back to the main loop; the return process is very important in COOP attacks. If we can distinguish abnormal returns and prevent them, we can break some COOP exploits.
Sorry I'm late; I wasn't sure whether my answer was correct or wrong, so I read more papers and did more googling. If you're not satisfied with my answers, please comment below.
some bugs in hw5 template
tests/dune has some unused rules for "interval" domain tests, and it passes the domain type (sign/interval) to the analyzer.
binary.Table.init doesn't handle phi nodes.
Error while building
After running
cd llvm
mkdir build && cd build && cmake .. && make
when I run make at the base of the repository, I encounter the following error.
In file included from dummy_irreader_ocaml.c:15:
../llvm/include/llvm-c/IRReader.h:17:10: fatal error: llvm-c/Types.h: No such file or directory
17 | #include "llvm-c/Types.h"
| ^~~~~~~~~~~~~~~~
compilation terminated.
It seems like there's no Types.h at llvm/include/llvm-c. Am I missing something?
More details about my presentation [CFI/CCS05]
Q1. How about dynamic CFG like libraries?
In this paper, for their experiments, they focused on CFGs derived by static binary analysis, not dynamic analysis. For dynamic CFI, you can see this paper, which describes dynamic CFI that protects legacy, binary-only executables and libraries.
Q2. How the instrumented code works?
They assumed that the Code and Data sections are non-writable. Based on this, they made unique 32-bit IDs (for software of reasonable size) and assigned those IDs according to the CFG. The instrumented code, which checks whether the CFG edge is valid or not, is inserted at each ret, jmp, and indirect call instruction. If the check fails, it jumps to the error_label.
+) I couldn't remember the other questions. If you have more, please comment on this issue.
Homework 2 is out
Please click the link in the schedule table. Enjoy.
Due: midnight next Sat
Homework 4 is out
Please click the link in the schedule table.
Due: midnight Oct 15
Notice homework 6 score
You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me by below email.
More details about my presentation [ASLR/CCS04]
Q1. What is the nuance of "frequent randomizing just adds one bit of security"? (positive or negative?)
The authors say it with a negative nuance: frequent re-randomization does not give an effective solution against brute-force attacks. Here are the full sentences about that.
If we randomize the address space layout of a process more frequently, we might naively expect a significant increase in security. However, we will demonstrate that after the initial address space randomization, periodic re-randomizing adds no more than 1 bit of security against brute force attacks regardless of the frequency, providing little extra security.
Q2. How can we guarantee that ASLR is random? (which algorithm is used?)
I searched for the real implementation of ASLR and found that ASLR uses a pseudo-random number generator for randomization in Linux kernel 2.6.12. Here is the source code of the function that generates the random number for ASLR.
static struct keydata {
__u32 count; /* already shifted to the final position */
__u32 secret[12];
} ____cacheline_aligned ip_keydata[2];
...
/*
* Get a random word for internal kernel use only. Similar to urandom but
* with the goal of minimal entropy pool depletion. As a result, the random
* value is not cryptographically secure but for several uses the cost of
* depleting entropy is too high
*/
DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
unsigned int get_random_int(void)
{
struct keydata *keyptr;
__u32 *hash = get_cpu_var(get_random_int_hash);
int ret;
keyptr = get_keyptr();
hash[0] += current->pid + jiffies + get_cycles();
ret = half_md4_transform(hash, keyptr->secret);
put_cpu_var(get_random_int_hash);
return ret;
}
Here is reference for more details. https://xorl.wordpress.com/2011/01/16/linux-kernel-aslr-implementation/
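As an added illustration of the "no more than 1 bit" sentence quoted above (this is not code from the post, the paper, or the kernel): the two brute-force models behind it, with an attacker guessing one of n equally likely layouts and learning only success or failure from each probe. Without re-randomization the attacker never repeats a guess, so the expected number of probes is (n + 1) / 2; with re-randomization after every probe each attempt is an independent 1/n chance, so the expectation is n. The ratio is below 2, i.e. less than one bit, and re-randomizing less often than every probe lands in between. The attacker model, the parameters and the seeded simulation are constructed for this example.

```python
"""Brute-force cost against ASLR with and without re-randomization (added example)."""
import math
import random


def expected_probes_static(n: int) -> float:
    """Layout randomized once: the attacker never repeats a guess, so the
    correct one of n equally likely layouts is hit after (n + 1) / 2 probes on average."""
    return (n + 1) / 2


def expected_probes_rerandomized(n: int) -> float:
    """Layout re-randomized after every probe: each probe is an independent 1/n
    chance, so the number of probes is geometric with mean n."""
    return float(n)


def extra_bits(n: int) -> float:
    """Extra brute-force work bought by re-randomizing, in bits; always below 1."""
    return math.log2(expected_probes_rerandomized(n) / expected_probes_static(n))


def simulate(n: int, trials: int, rerandomize: bool, seed: int = 1) -> float:
    """Monte-Carlo estimate of the mean probe count for either model
    (constructed attacker model: one probe reveals only hit/miss)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        if rerandomize:
            probes = 1
            while rng.randrange(n) != secret:
                secret = rng.randrange(n)      # layout changes after each failed probe
                probes += 1
        else:
            order = list(range(n))             # one pass over all candidates, no repeats
            rng.shuffle(order)
            probes = order.index(secret) + 1
        total += probes
    return total / trials


if __name__ == "__main__":
    for n in (16, 256, 1 << 20):
        print(n, expected_probes_static(n), expected_probes_rerandomized(n), round(extra_bits(n), 3))
    print("simulated, n=256:", simulate(256, 2000, False), simulate(256, 2000, True))
```

The simulation only confirms the closed forms; the practical reading is that re-randomization frequency is not a substitute for entropy, since doubling the work is what one more bit of randomized address space would buy anyway.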
Pre-class notice
Hi all,
Please follow the instructions below.
- Please submit the Google form to share your GitHub ID: https://forms.gle/oKQ1kmc6k1PFW6rA6
- We matched a VM number to each student. The IP address and port number of the VM are attached in the Excel file IS893_vm.xlsx. We already have the prerequisites installed in the Docker image. So please check that your VM works well and ask the TA if there is any problem. You can change the access password freely :)
VM no. | Student name
---|---
1 | 이대진
2 | 신명근
3 | 정재황
4 | 홍재민
5 | 강우석
6 | 김현수
7 | 정승준
8 | 류혜원
[Question]Ocaml grammar recursive function usage typo(?)
Hi, while following the code in the first slide set about OCaml, I noticed this (slide 12/57):
When pow() gets defined, it takes two inputs, x and y. But when it's used in the function body (of itself), it gets a single input, y-1. Is this a typo? If so, how should it be fixed? I tried pow(x, y-1) instead, but it yields a syntax error anyway. Please help!
Additional question: how can I put a label on an issue?
Informative article about computer-aided theorem proving
In this lecture, you will see how (automated) theorem-proving tools work and implement your analyzer using Z3. The following article covers the history and progress of automated theorem proving. I strongly recommend reading it:
Notice homework 5 score
You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me by below email.
Homework 6 is out
Checkout https://classroom.github.com/a/rw7SrKBp.
Due: 23:59:59 Nov 15
hw2 build failure
The HW2 Travis build is failing with the following error message.
opt: example1.tmp.ll:43:212: error: invalid field 'nameTableKind'
!0 = distinct !DICompileUnit(language: DW_LANG_C99, file: !1, producer: "clang version 9.0.0-2~ubuntu18.04.2 (tags/RELEASE_900/final)", isOptimized: false, runtimeVersion: 0, emissionKind: FullDebug, enums: !2, nameTableKind: None)
Apparently it's caused by a wrong PATH configuration. As you can see, there is a lot of random stuff in $PATH, and its priority is higher than /usr/bin.
$ which clang
/usr/local/clang-7.0.0/bin/clang
$ which opt
/usr/local/clang-7.0.0/bin/opt
$ echo $PATH
/home/travis/.opam/is893-4.08.0/bin:/home/travis/.local/bin:/usr/local/lib/jvm/openjdk11/bin:/opt/pyenv/shims:/home/travis/.phpenv/shims:/home/travis/perl5/perlbrew/bin:/home/travis/.kiex/elixirs/elixir-1.7.4/bin:/home/travis/.kiex/bin:/home/travis/.phpenv/shims:/home/travis/gopath/bin:/home/travis/.gimme/versions/go1.11.1.linux.amd64/bin:/usr/local/maven-3.6.3/bin:/usr/local/cmake-3.12.4/bin:/home/travis/.gimme/versions/go1.11.1.linux.amd64/bin:/usr/local/maven-3.6.3/bin:/usr/local/cmake-3.12.4/bin:/usr/local/clang-7.0.0/bin:/home/travis/.rvm/gems/ruby-2.6.5/bin:/home/travis/.rvm/gems/ruby-2.6.5@global/bin:/home/travis/.rvm/rubies/ruby-2.6.5/bin:/home/travis/.rvm/bin:/home/travis/bin:/home/travis/.local/bin:/usr/local/lib/jvm/openjdk11/bin:/opt/pyenv/shims:/home/travis/.phpenv/shims:/home/travis/.nvm/versions/node/v10.16.0/bin:/home/travis/.kiex/elixirs/elixir-1.7.4/bin:/home/travis/.kiex/bin:/home/travis/gopath/bin:/home/travis/.gimme/versions/go1.11.1.linux.amd64/bin:/usr/local/maven-3.6.3/bin:/usr/local/cmake-3.12.4/bin:/usr/local/clang-7.0.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/home/travis/.phpenv/bin:/opt/pyenv/bin:/home/travis/.yarn/bin:/home/travis/.debug:/home/travis/.phpenv/bin:/opt/pyenv/bin
I think it's better to specify the clang and opt versions in test/Makefile like this:
CC=@clang-9
OPT=@opt-9
Full Score
I uploaded your total score for the lecture.
Thank you for taking this lecture.
If you have any questions, please send me an email:
[email protected] (until Dec 24)
Modified at Dec 22, 20:26
Project evaluation sheet
Hello.
I uploaded the link for the presentation peer-review sheet.
Please don't forget to fill in your form after the presentation.
Monotonicity of DD
Based on Hyunsu's last question, I elaborated that part on the slides a bit. See page 18.
- If failure is not monotone (i.e., a super-input of a failing input succeeds), a 1-minimal solution may not contain the root cause of the failure. That makes DD less useful in practice.
- "Super-input of a failing input" does not mean an arbitrary input larger than the failing input. It must also be a subset of the original failing input. I think this part was misleading, and Jaehwang pointed that out correctly.
More questions and discussions are welcome!
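As an added example (not from the slides or the post above): Zeller's ddmin run over a constructed trace for a toy single-pointer allocator, once with a coarse oracle ("any crash") and once with a precise oracle ("the double free the original trace crashed with"). The coarse oracle is not monotone on this target: ["free"] fails, while its super-input ["alloc", "free"], itself a subset of the original trace, passes. The toy allocator, the trace and both oracles are constructed for this illustration; ddmin itself follows the standard algorithm.

```python
"""Delta debugging (ddmin) on a toy allocator trace (added example, not course code)."""
from typing import Callable, List, Optional

Oracle = Callable[[List[str]], bool]


def run_allocator(ops: List[str]) -> Optional[str]:
    """Constructed toy target: one pointer driven by a list of operations.
    Returns the name of the crash it hits, or None if the trace runs cleanly."""
    state = "unallocated"
    for op in ops:
        if op == "alloc":
            state = "allocated"
        elif op == "free":
            if state == "unallocated":
                return "invalid-free"   # free() of a pointer that was never allocated
            if state == "freed":
                return "double-free"    # the bug the original trace crashed with
            state = "freed"
        # "log" and any other op is a no-op
    return None


def any_crash(ops: List[str]) -> bool:
    """Coarse oracle: 'the program crashed somehow'. Not monotone on this target."""
    return run_allocator(ops) is not None


def double_free_only(ops: List[str]) -> bool:
    """Precise oracle: the specific failure we are trying to isolate."""
    return run_allocator(ops) == "double-free"


def ddmin(fails: Oracle, inp: List[str]) -> List[str]:
    """Zeller's ddmin: a 1-minimal subsequence of inp on which fails() holds.
    Chunks are taken by position, so repeated tokens are handled correctly."""
    assert fails(inp), "ddmin needs a failing input to start from"
    c = list(inp)
    n = 2
    while len(c) >= 2:
        chunks = [c[i * len(c) // n:(i + 1) * len(c) // n] for i in range(n)]
        reduced = False
        for chunk in chunks:                       # reduce to a chunk
            if chunk and fails(chunk):
                c, n, reduced = chunk, 2, True
                break
        if reduced:
            continue
        for i in range(n):                         # reduce to a complement
            complement = [x for j, ch in enumerate(chunks) if j != i for x in ch]
            if complement and fails(complement):
                c, n, reduced = complement, max(n - 1, 2), True
                break
        if reduced:
            continue
        if n >= len(c):                            # granularity exhausted
            break
        n = min(n * 2, len(c))                     # refine
    return c


def is_one_minimal(fails: Oracle, c: List[str]) -> bool:
    """c fails, and removing any single element makes it pass."""
    return fails(c) and all(not fails(c[:i] + c[i + 1:]) for i in range(len(c)))


# Constructed failing trace: the second free is a double free.
TRACE = ["alloc", "log", "free", "log", "free"]

if __name__ == "__main__":
    print("any-crash oracle   :", ddmin(any_crash, TRACE))        # ['free']
    print("double-free oracle :", ddmin(double_free_only, TRACE)) # ['alloc', 'free', 'free']
```

With the coarse oracle ddmin stops at ["free"], which is 1-minimal but reproduces an invalid free, a different bug than the double free we started from; the root cause is gone. With the precise oracle the result is ["alloc", "free", "free"], which contains it. This is why, in practice, the test predicate should compare the crash signature (sanitizer report type, stack hash) rather than just "it crashed".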
Notice for presentation
- Please complete your bidding by today. We will assign commentators tomorrow.
- For each paper, we will have two commentators. Each commentator should have two questions or comments. Of course, anyone can ask a question.
- For each presentation, every student will submit evaluation sheets for the presenter and commentators (except for him/herself). The evaluation criteria are as follows:
Presenter
- Does the presenter understand the contents well? [0-5]
- Is the flow logical and interesting? [0-5]
- Are the speech and slides clear and readable? [0-5]
- Are questions answered clearly? [0-5]
Commentator
- Does the commentator understand the contents well? [0-5]
- Is the question or comment critical? [0-5]
TA will provide a Google form link.
VM Shutdown
FYI,
Hello. This is 이창훈, the server TA of the School of Computing.
Due to a campus-wide safety inspection of the electrical facilities at the KAIST Munji campus, a power outage is scheduled on the Munji campus on Saturday, September 19, from 08:00 to 12:00.
Accordingly, the class VMs located on the Munji campus will also be inaccessible and unusable during that time.
In addition, since all VMs must be stopped before the electrical work begins, we plan to suspend the VMs from around 06:00 to 07:00 that morning. VMs will therefore be unavailable during that period, so please pass this on to the students who are using them.
[HW7] why is `Typesystem.type_of_llvalue` necessary?
I guess Typesystem.type_of_llvalue is for getting the type variable of a variable. But what's the point of a type variable when we have access to Llvm.type_of? I believe the homework assumes that the output of Llvm.type_of is trusted, because it's necessary for passing the given test, which requires declaring the correct type of the alloca instruction using Llvm.type_of (ID 11 and ID 12 of the expected output). If Llvm.type_of can be trusted as the source of type info for variables, I think all the stuff related to type_env is unnecessary.
Homework 5 is out
Checkout https://classroom.github.com/a/Vff2oy-c.
Due: 23:59:59 Nov 4
Homework 1 is out
Please click the link in the schedule table.
Due: midnight next Wed
Notice
Hi all,
There might be some confusion about class cancellation due to undergrad interviews.
Our schedule will not change at all.
I.e.,
- We DO have a class on Mon (12/7)
- We DO NOT have a class on Wed (12/9)
The term "midnight"
Homework 4's due is 10.15 midnight. I'm curious whether "10.15 midnight" means (1) or (2):
14 | 15 | 16, with (1) the midnight between the 14th and the 15th, and (2) the midnight between the 15th and the 16th.
I think I'm not the only one who is confused by the term midnight: https://english.stackexchange.com/questions/6459/how-should-midnight-on-be-interpreted
So, how about using an explicit time visualization like https://www.timeanddate.com/countdown/generic?iso=20201016T00&p0=3999&msg=Homework+4+Due&font=cursive, which can be made here: https://www.timeanddate.com/countdown/create
Notice homework 4 score
You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me by below email.