Selected Topics in Systems Security (Fall 2015)

Meeting Times

Days:   Weds and Fridays at 2:30 pm
Location:   FB331


This graduate-level course focuses on selected research topics in systems security covering papers from operating systems, networking, and computer security and forensics venues. The course is structured as a research seminar where students jointly present (with me) research papers to their peers. Introduction to Computer Security (COMP535) or equivalent is strongly advised as a prerequisite for this course. In addition, familiarity with low-level systems programming (e.g., C and assembly) will be necessary to understand the details of some of the assigned papers.

Course Project

The course project will entail submitting (to me) a workshop-quality research paper outlining novel ideas. This project can involve application of concepts learned from existing research papers, but MUST depict original ideas. Validation of prior work is also permitted, but in those cases, a more thorough analysis of the original work's strengths and weaknesses must be undertaken. There will be several checkpoints throughout the semester, one of which includes a short survey paper on work related to your chosen topic. The course project constitutes 60% of your final grade. Graduate students will be required to use LaTeX when preparing their interim and final reports. Several ideas for potential projects will be suggested, but students are encouraged to work on topics that they are passionate about. Depending on the size of course enrollment, students may be required to work in small groups (of max 3 persons) on the course project. Of course, the more people on a project, the higher my expectations :)

Readings and Presentations

Students are required to read the papers assigned during the semester and be able to competently discuss the material in class. Each student will be responsible for presenting one lecture (depending on the class size) -- that lecture will be based on the assigned paper(s) for the week, including as much relevant related work as necessary to distill the work presented in that paper. The presenter will provide a comprehensive overview of the topic suitable for a 1-hour talk. Additionally, each student will be responsible for submitting a constructive critique of the main paper(s) assigned each week; we may be using an online review management system (HotCRP) for submitting reviews. For each assigned paper, students must also suggest (1) at least two thought-provoking questions regarding the material covered in the paper and (2) an in-depth discussion of possible directions for future work based on the ideas / topic of the paper. These questions must critically evaluate the paper (e.g., questioning the assumptions, questioning whether the experiments were lacking (and why), discussing flaws or omissions in the analysis, areas for improvement, etc.). This summary will be turned in to the moderator (and myself) each Tuesday session.

The moderator is responsible for recapping (within 15 mins) the discussion that transpired on the Tuesday session or pertinent points raised in the reviews. Occasionally, the moderator will also be responsible for presenting any supplementary material not covered by the presenter. Hence, the expectation is that the moderator, the presenter, and myself will work closely in preparing the material for a given week. The moderator will lead the general discussions on Thursday. Notes on the week's discussion must also be compiled by the moderator and submitted to the course mailing list no later than 1 week after the Thursday lecture.

Office Hours

Thursday 1 - 3 pm or by appointment.

Mailing List

Registered students will automatically be added to the course mailing list.


This is intended to be an INTERACTIVE class, and as such, class participation will play a significant role in the course grading criteria. (If you've taken COMP535 before, then you know what I mean. And yes, like COMP535, you can also expect to be coding!) Students will be graded on the presentation of their assigned paper(s), their participation in discussions, and their course project. Tentative weights for the grading are as follows:

Deliverable Grade
Presentations 25%
Project 60%
Class participation 15%

Reading List (subject to change)

Topic Presenter
Moderator  (Thursday)

Week 1

Course Introduction, selection of presenters, project discussion

(See How To Get Your Systems Paper Accepted?, P. Pietzuch, 2011)

related readings:

  • R. Levin and D. Redell, How (and How Not) to Write a Good Systems Paper, Operating Systems Review, 1983.
  • M. Bernstein, Reviewing Conference Papers, 2008.
  • T. Roscoe, Writing Reviews for Systems Conferences, 2007.
  • (Video). Alex Reinhart. Statistics done wrong: pitfalls in experimentation, LASER Workshop, 2014.
  • V. Stodden and S. Miguez. Best practices for computational science: software infrastructure and environments for Reproducible and Extensible Research, 2014.


No Class

Week 2

You Can Run But You Can't Read: Preventing Memory Disclosure Exploits in Executable Code

M. Backes, T. Holz, B. Kollenda, P. Koppe, S. Nurnberger, J. Pewny
ACM Conference on Computer and Communications Security, 2014

related readings:

  • K. Snow et al. Just-in-time Code Reuse: On the effectiveness of fine-grained address space layout randomization. In IEEE Security and Privacy, 2013.
  • J. Gionta et al. HideM: Protecting the contents of userspace memory in the face of disclosure vulnerabilities. In CODASPY 2015.
  • S. Crane et al. Readactor: Practical Code Randomization Resilient to Memory Disclosure. In IEEE Security and Privacy, 2015.

Kevin Snow


Week 3

Non-control-data attacks are realistic threats

S. Chen, J. Xu, E. Sezer, P. Gauriar, R. Iyer
USENIX Security Symposium, 2005

related readings:
  • U. Erlingsson. XFI: Software Guards for System Address Spaces. Symposium on Operating systems design and implementation, 2006.
  • H. Hu, Z. L. Chua, S. Adrian, P. Saxena, Z. Liang. Automatic Generation of Data-Oriented Exploits. In USENIX Security Symposium, 2015.
  • M. Castro et al. Securing software by enforcing data-flow integrity. Symposium on Operating Systems Design and Implementation, 2006.

Roman Rogowski


Week 4

WebWinnow: Leveraging Exploit Kit Workflows to Detect Malicious URLs

B. Eshete and V.N. Venkatakrishnan

related readings:
  • K. Thomas et al. Ad Injection at Scale: Assessing Deceptive Advertisement Modifications. IEEE Symposium on Security and Privacy, 2015.
  • C. Grier et al. Manufacturing compromise: the emergence of exploit-as-a-service. In Proceedings of ACM Conference on Computer and Communications Security, 2012.
  • Z. Li et al. Knowing your enemy: understanding and detecting malicious web advertising. In Proceedings of ACM Conference on Computer and Communications Security, 2012.

Teryl Taylor

Nathan Otterness

Week 5

PhoneyPot: Data-driven Understanding of Telephony Threats

P. Gupta, B. Srinivasan, V. Balasubramaniyan, M. Ahamad.
ISOC Network and Distributed Systems Security, 2015

related readings:
  • R. Carmo et al. Artemisa: an Open-Source Honeypot Back-end to Support Security in VoIP Domains. In Symposium on Integrated Network Management, 2011.
  • M. Gruber et al. Voice Calls for Free: How the black market establishes free phone calls - trapped and uncovered by a VoIP Honeynet. In Conference on Privacy, Security and Trust, 2013.

Micah Morton


Week 6

DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse

B. Saltaformaggio, Z. Gu, X. Zhang, D. Xu
USENIX Security Symposium, 2014

related readings:
  • Golden G. Richard III and Andrew Case. In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux, Digital Forensics Research Conference, 2014.
  • Davide Balzarotti, Roberto Di Pietro and Antonio Villani. The Impact of GPU-Assisted Malware on Memory Forensics: A Case Study. In Proceedings of the Digital Forensics Research Conference, 2015.



Week 7

Sept 30, Oct. 2

Guest Lecturer: Michalis Polychronakis, Code Randomization for Fun and Profit.

Project Updates (Friday)

Week 8

Direct Memory Access (DMA) Attacks meet memory encryption

E. Blass and W. Robertson. TRESOR-Hunt: Attacking CPU-Bound Encryption, ACSAC, 2012.

related readings:



Week 9

On the Effectiveness of Instruction Set Randomization

N. Sovarel, D. Evans, and N. Paul
USENIX Security Symposium, 2005

related readings:
  • S. Bhatkar, R. Sekar, D. DuVarney. Efficient Techniques for Comprehensive Protection from Memory Error Exploits.
  • H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, D. Boneh. On the effectiveness of address space randomization, ACM CCS 04.



October 14

Literature Review due

Week 10

PinDrop: Using Single-ended Audio Features to Determine Call Provenance

V. Balasubramaniyan et al.
ACM CCS, 2010

related readings:
  • S. Hicsonmez et al. Audio codec identification from coded and transcoded audio. Digital Signal Processing, 2013.



Oct 28 - Nov. 6

Away for RAID Conference

Week 11

Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors

Yoongu Kim et al.
Symposium on Computer Architecture, 2014

related readings:
  • Mark Seaborn and Thomas Dullien. Exploiting the DRAM rowhammer bug to gain kernel privileges, March 2015.
  • D. Gruss, C. Maurice and S. Mangard. Rowhammer.js: A remote software-induced fault attack in JavaScript, July 2015.
  • A. Halderman et al. Lest we remember: cold-boot attacks on encryption keys. In USENIX Security Symposium, 2008.



Week 12

A Semantics-Aware Approach to Automated Reverse Engineering Unknown Protocols

Y. Wang et al.
International Conference on Network Protocols, 2012

related readings:



Remaining weeks

Remaining papers to be decided based on class makeup; finalized during the first 3 weeks of class.

XXX Final presentations and submission of course project