Hi all,

Please fill this time table with your choice of papers: https://docs.google.com/spreadsheets/d/1XWGdLnSZEkEaK1olUEcjb9SKhbfpW5-roQ6asPTfBhE/edit?usp=sharing

You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact by the below email.

• [email protected]

IS893_homework.xlsx

You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me by below email.

• [email protected]

IS893_homework.xlsx

Daejin's last question reminds me of some more interesting work that uses more advanced feedback and fitness functions.

• FairFuzz: fairness of branch coverages (see this is more than just using coverage)
• PerfFuzz: longest execution paths to find performance bugs

I recommend all of you read the papers. If you want, it is okay to present those papers.

Due 11/25 23:59:59.

Maybe it's trivial thing to someone, but I'm annoyed with error message says "Unbound module Llvm"
To solve this, we need to edit src/.merlin file

and add a line
PKG llvm right after EXCLUDE_QUERY_DIR

After editing src/.merlin like this

EXCLUDE_QUERY_DIR
PKG llvm
blah blah ~

We can make most of some type-checking, and auto-completion feature for Llvm module. (which is a feature of merlin package)
The most important thing is that we're free from error messages.

Sorry for making an issue late at night.

Hi all,

Welcome to Advanced software security.

This course will be fully realtime and online via Zoom. A Zoom invitation link will be sent to your email before the class. Also this course will be highly interactive; it will include paper presentations and QnA by students. So please prepare a camera (turn on by default) and a microphone (mute by default) for the class.

If you have any questions or suggestions, feel free to write a post on this board or an email to me.

I hope everybody will enjoy the course.

Thanks.

Interesting articles:

• https://linki.tools/2020/02/creduce-it-s-a-kind-of-magic.html
• https://rreverser.com/reducing-test-cases-for-javascript-tooling/

Hi all,

It seems that the fuzzer prints out too many output messages, which might make the Gradescope VM very slow.

I recommend you shut off stderr as follows:

diff --git a/src/fuzzer.ml b/src/fuzzer.ml
index 6f3f108..908c429 100644
--- a/src/fuzzer.ml
+++ b/src/fuzzer.ml
@@ -16,7 +16,7 @@ let initialize env =
 let execute exe input =
   let fd_in, fd_out = Unix.pipe () in
   let devnull = Unix.openfile "/dev/null" [ Unix.O_WRONLY ] 0o644 in
-  match Unix.create_process exe [| exe |] fd_in devnull Unix.stderr with
+  match Unix.create_process exe [| exe |] fd_in devnull devnull with
   | 0 ->
       Unix.close devnull;
       Unix.close fd_in;

Please click the link in the schedule table. Enjoy.

TA @bangin20 will give further instructions.

Due: midnight Oct 5

Q1. Why TypeArmor can't prevent data-only attacks.

I read some papers about data-only attacks after presentation. So the essence of data-only attacks is about modifying data, not control flow. So data-only attacks doesn't harm control flow integrity. That means, any kind of CFI(including source-level, type-armor) cannot mitigate such attacks. To mitigate this kind of attack, we need another approach not CFI.

Q2. Why checking return type(void or non-void) can prevent attacks(especially COOP-like)?

COOP attack consists of ML gadget(main-loop) and other gadgets. COOP is a attack that read/write some data, or do some arithmetic task while running ML gadget. So, after doing something you must get back to main loop. So return process is very important in COOP attacks. If we can distinguish some abnormal returns and prevent it, we can break some COOP exploits.

Sorry I'm late, I wasn't sure if my answer was correct or wrong. So I read more papers and did more googling. If you're not satisfied with my answers, please comment down below.

• tests/dune has some unused rules for "interval" domain tests and it passes domain type (sign/interval) to analyzer binary.
• Table.init doesn't handle phi nodes.

After running

cd llvm
mkdir build && cd build && cmake .. && make

When I run make at the base of repository, I encountered such error.

In file included from dummy_irreader_ocaml.c:15:
../llvm/include/llvm-c/IRReader.h:17:10: fatal error: llvm-c/Types.h: No such file or directory
   17 | #include "llvm-c/Types.h"
      |          ^~~~~~~~~~~~~~~~
compilation terminated.

It seems like there's no Types.h at llvm/include/llvm-c, am I missing something?

Q1. How about dynamic CFG like libraries?

In this paper, for their experiments, they focused on CFGs that are derived by a static binary analysis not dynamic analysis. For dynamic CFI, you can see this paper that describes about dynamic CFI that protects legacy, binary-only executables and libraries.

Q2. How the instrumented code works?

They assumed that the Code and Data section is non-writable. Based on this, they made a unique IDs as 32-bit(for software of reasonable size) and assigned that IDs to proper CFG. The instrumented code which checks whether the CFG is valid or not will be inserted to each ret, jmp, indirect call instruction. If the check failed, it jumps to the error_label.

+) I couldn't remember the other questions. If you have more, please comment on this issue.

Please click the link in the schedule table. Enjoy.

Due: midnight next Sat

Please click the link in the schedule table.

Due: midnight Oct 15

You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me by below email.

• [email protected]

IS893_homework.xlsx

Q1. What is the nuance about frequent randomizing just adds one bit of security. (positive or negative?)

The authors say about it by negative nuance, so they say frequent randomizing doesn't give effective solution for brute force attack. Here is the whole sentences about that.

If we randomize the address space layout of a process more frequently, we might naively expect
a significant increase in security. However, we will demonstrate that after the initial address space randomization,
periodic re-randomizing adds no more than 1 bit of security against brute force attacks regardless of the frequency,
providing little extra security.

Q2. How can we guarantee that ASLR is random? (which algorithm is used?)

I searched about real implementation of ASLR, and I found that ASLR use pseudo random number generation for randomizing in linux kernel 2.6.12. Here is source code about function generating random number for ASLR.

static struct keydata {
        __u32 count; /* already shifted to the final position */
        __u32 secret[12];
} ____cacheline_aligned ip_keydata[2];
  ...
/*
 * Get a random word for internal kernel use only. Similar to urandom but
 * with the goal of minimal entropy pool depletion. As a result, the random
 * value is not cryptographically secure but for several uses the cost of
 * depleting entropy is too high
 */
DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
unsigned int get_random_int(void)
{
        struct keydata *keyptr;
        __u32 *hash = get_cpu_var(get_random_int_hash);
        int ret;
 
        keyptr = get_keyptr();
        hash[0] += current->pid + jiffies + get_cycles();
 
        ret = half_md4_transform(hash, keyptr->secret);
        put_cpu_var(get_random_int_hash);
 
        return ret;
}

Here is reference for more details. https://xorl.wordpress.com/2011/01/16/linux-kernel-aslr-implementation/

Hi all,

Please follow the instructions below.

1. Please submit the google form to share your GitHub ID.
   https://forms.gle/oKQ1kmc6k1PFW6rA6

2. We matched the VM number for each student.
   The ip address and port number of the vm are attached to the Excel file. IS893_vm.xlsx
   We already have pre-requisite installed in the docker.
   So, please check if your VM works well and ask TA if there is any problem.
   You can change the access password freely :)

Hi, while following codes in the first slide about Ocaml I noticed this(slide 12/57):

When pow() gets defined it takes two inputs, x and y. But when it's used in the function body (of itself), it gets a single input, y-1. Is this a typo? If so, how should it get fixed? I tried pow(x, y-1) instead but yields syntax error anyways. Please help!

Additional question,
how can I put a label on an issue?

In this lecture, you will see how (automated) theorem proving tools work and implement your analyzer using Z3. The following article covers the history and progress of automated theorem proving. Strongly recommend to read it:

https://www.quantamagazine.org/how-close-are-computers-to-automating-mathematical-reasoning-20200827/?fbclid=IwAR2fCPJBlPPlCUeXe2cqx3uHPamcqjMqug5XocSD1i0ZSnYYVDI-bR7lI1c

You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me by below email.

• [email protected]

IS893_homework.xlsx

Checkout https://classroom.github.com/a/rw7SrKBp.
Due: 23:59:59 Nov 15

HW2 travis build is failing with following error message.

opt: example1.tmp.ll:43:212: error: invalid field 'nameTableKind'
!0 = distinct !DICompileUnit(language: DW_LANG_C99, file: !1, producer: "clang version 9.0.0-2~ubuntu18.04.2 (tags/RELEASE_900/final)", isOptimized: false, runtimeVersion: 0, emissionKind: FullDebug, enums: !2, nameTableKind: None)

Apparently it's caused by wrong path configuration. As you can see, there are a lot of random stuff in $PATH and their priority is higher than /usr/bin.

$ which clang
/usr/local/clang-7.0.0/bin/clang
$ which opt
/usr/local/clang-7.0.0/bin/opt
$ echo $PATH
/home/travis/.opam/is893-4.08.0/bin:/home/travis/.local/bin:/usr/local/lib/jvm/openjdk11/bin:/opt/pyenv/shims:/home/travis/.phpenv/shims:/home/travis/perl5/perlbrew/bin:/home/travis/.kiex/elixirs/elixir-1.7.4/bin:/home/travis/.kiex/bin:/home/travis/.phpenv/shims:/home/travis/gopath/bin:/home/travis/.gimme/versions/go1.11.1.linux.amd64/bin:/usr/local/maven-3.6.3/bin:/usr/local/cmake-3.12.4/bin:/home/travis/.gimme/versions/go1.11.1.linux.amd64/bin:/usr/local/maven-3.6.3/bin:/usr/local/cmake-3.12.4/bin:/usr/local/clang-7.0.0/bin:/home/travis/.rvm/gems/ruby-2.6.5/bin:/home/travis/.rvm/gems/ruby-2.6.5@global/bin:/home/travis/.rvm/rubies/ruby-2.6.5/bin:/home/travis/.rvm/bin:/home/travis/bin:/home/travis/.local/bin:/usr/local/lib/jvm/openjdk11/bin:/opt/pyenv/shims:/home/travis/.phpenv/shims:/home/travis/.nvm/versions/node/v10.16.0/bin:/home/travis/.kiex/elixirs/elixir-1.7.4/bin:/home/travis/.kiex/bin:/home/travis/gopath/bin:/home/travis/.gimme/versions/go1.11.1.linux.amd64/bin:/usr/local/maven-3.6.3/bin:/usr/local/cmake-3.12.4/bin:/usr/local/clang-7.0.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/home/travis/.phpenv/bin:/opt/pyenv/bin:/home/travis/.yarn/bin:/home/travis/.debug:/home/travis/.phpenv/bin:/opt/pyenv/bin

I think it's better to specify clang version and opt version in test/Makefile like this:

CC=@clang-9
OPT=@opt-9

I uploaded your total score for the lecture

Thank you to take this lecture.

If you have any questions, please send me an email.
[email protected] (Until 24. Dec.)

is893_homework.xlsx

Modified at Dec 22. 20:26

Hello.

I uploaded link for presentation peer review sheet
Please don't forget to fill your form after presentation.

https://forms.gle/jgirmQ7tGwGoGvBi6

Based on Hyunsu's last question, I elaborated that part on the slides a bit. See page 18.

• If failure is not monotone (i.e., a super input of a failure input makes success), a 1-minimal solution may not contain the root cause of the failure. That makes DD less useful in practice.

• "super-input of a failure input" does not mean an arbitrary input larger than the failure input. That also must be a subset of the "original failure input". I think this part was misleading and Jaehwang pointed out that correctly.

More questions and discussions are welcome!

1. Please complete your bidding until today. We will assign commentators tomorrow.

2. For each paper, we will have two commentators. Each commentator should have two questions or comments. Of course, anyone can ask a question.

3. For each presentation, every student will submit evaluation sheets for the presenter and commentators (except for him/herself). The evaluation criteria are as follows:

Presenter

• Does the presenter understand the contents well? [0-5]
• Is the flow logical and interesting? [0-5]
• Are the speech and slides clear and readable? [0-5]
• Are questions answered clearly? [0-5]

Commentator

• Does the commentator understand the contents well? [0-5]
• Is the question or comment critical? [0-5]

TA will provide a Google form link.

FYI,

안녕하세요. 전산학부 서버 TA 이창훈입니다.

KAIST 문지캠퍼스 전기설비 전체 안전진단관련으로 인해 오는 9월 19일(토) 08시 ~ 12시 문지캠퍼스 정전이 진행될 예정입니다.
이에 따라 문지캠퍼스에 위치한 수업용 VM 또한 해당 시간에 접속 및 사용이 불가능 합니다.
또한, 전기작업 시작 전에 모든 VM을 사용중지 해야한다고 하여 오전 6시~7시 정도부터 VM을 일시 정지할 예정입니다.

따라서, 해당 시간동안 VM 사용이 불가능하니 사용 중이신 학생분들께 전달 부탁드립니다.

I guess Typesystem.type_of_llvalue is for getting the type variable of a variable. But what's the point of type variable when we have access to Llvm.type_of? I believe the homework assumes that the output of Llvm.type_of is trusted because
it's necessary for passing the given test which requires declaring the correct type of alloca instruction using Llvm.type_of (ID 11 and ID 12 of the expected output). If Llvm.type_of can be trusted as the source of type info of variables, I think all the stuff related to type_env is unnecessary.

Checkout https://classroom.github.com/a/Vff2oy-c.

Due: 23:59:59 Nov 4

Please click the link in the schedule table.

Due: midnight next Wed

Hi all,

There might be some confusion about class cancelation due to undergrad interviews.
Our schedule will not change at all.
I.e.,

• We DO have a class on Mon (12/7)
• We DO NOT have a class on Wed (12/9)

Homework 4's due is 10.15 midnight.
I'm curious that 10.15 midnight means 1 or 2.

   1    2
14 | 15 | 16
   ^    ^

I think I'm not the only one who is confused with term midnight https://english.stackexchange.com/questions/6459/how-should-midnight-on-be-interpreted

So, how about using explicit time visualization like https://www.timeanddate.com/countdown/generic?iso=20201016T00&p0=3999&msg=Homework+4+Due&font=cursive
which can be made here https://www.timeanddate.com/countdown/create

You can check the homework score with the hash value of your student number in the Excel file.
If you have any questions or complaints, please contact me by below email.

• [email protected]

IS893_homework.xlsx