CS851: Malware Seminar
Meeting Times: 3-5pm, Olsson 228E
- 7 December: Project final report due
- Project Presentations, 30 November:
- Michael Crane and Wei Hu, Efficient Instruction Set Randomization Using Software Dynamic Translation [PPT]
- Nguyet Nguyen, Instruction Subsets in Software Diversity [PPT]
- Tony Aiello, Information Security Cases [PDF]
- Michael Spiegel, Fighting the DDoS Menace! [PPT]
- Project Presentations, 23 November:
- The readings for 16 November:
Additional recommended readings:
- F. B. Schneider, G. Morrisett, and R. Harper. A language-based approach to security. Lecture Notes in Computer Science, 2001.
- George Necula. Proof-Carrying Code. In 24th ACM Symposium on Principles of Programming Languages (POPL), January 1997.
- George C. Necula and Peter Lee. Efficient Representation and Validation of Proofs. In IEEE Symposium on Logic in Computer Science 1998 (LICS), June 1998.
- Christopher Colby, Peter Lee, George C. Necula, Fred Blau, Ken Cline, and Mark Plesko. A Certifying Compiler for Java. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2000.
- George C. Necula and Peter Lee. Safe Kernel Extensions without Run-Time Checking. OSDI'96, October 1996.
- The paper Darrell and Matt mentioned: Peter Szor, Hunting for Metamorphic. There are some other interesting papers on Peter Szor's webpage.
- The Long Arm of the Law, CSO Magazine, Sept 2004. Excerpt:A remarkable case involving computer security, Cobell v. Norton, is now working its way through the courts. Currently set for argument this month before the federal appellate court in Washington, D.C., the case raises two important issues: What are the proper remedies for privacy violations? And can the courts dictate website security standards?
Cobell v. Norton is a class-action lawsuit that was filed June 10, 1996, in the U.S. District Court in Washington, D.C., to force the federal government to account for the billions of dollars that have been held in trust since the late 19th century on behalf of approximately 500,000 Native American beneficiaries and their heirs. As trustee, the government took legal title to the land parcels and assumed full responsibility for management of the trust lands, including the obligation to collect and disburse to the beneficiaries any revenue generated by mining, oil and gas extraction, timber operations, grazing or similar activities.
In late 2001, attorneys for the plaintiffs questioned the computer security of the trust fund. Judge Royce C. Lamberth ordered an investigation. The special master running the investigation hired a computer forensics expert, who was able to break into the system with ease. On the strength of the forensic expert's report, the court determined that the trust accounts were vulnerable to hacking. He immediately took the unprecedented step of ordering the Department of the Interior to terminate all of its Internet connections on Dec. 5, 2001.
- Readings for 26 October:
Bharath Madhusudan and John Lockwood, Design of a System for Real-Time Worm Detection. 12th Annual Proceedings of IEEE Hot Interconnects (HotI-12). Stanford, CA, August, 2004, pp. 77-83.
Stuart E. Schechter, Jaeyeon Jung, and Arthur W. Berger. Fast Detection of Scanning Worm Infections. The Seventh International Symposium on Recent Advances in Intrusion Detection (RAID), September 2004.
Xuan Chen and John Heidemann. Detecting Early Worm Propagation through Packet Matching. Technical Report ISI-TR-2004-585, USC/Information Sciences Institute, February, 2004.
- Readings for 12 Octoboer:
Joshua Green, The Myth of Cyberterrorism. Washington Monthly, November 2002.
Institute for Security Technology Studies at Dartmouth College. Cyber Security of the Electric power industry. December 2002.
- Readings for 5 October:
Standler, Ronald B. "Possible Vicarious Liability for Computer Users in the USA?" 17 April 2004.
Standler, Ronald B. "Examples of Malicious Computer Programs." 2002.
Coleman, Jules. "Theories of Tort Law." Stanford Encyclopedia of Philosophy. 20 Otcober 2003.
- Readings for 28 September:
Directed-Graph Epidemiological Models of Computer Viruses. Oakland 1991.
Moore, Shannon, Voelker and Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code. INFOCOM 2003.
Weaver, Staniford and Paxson. Very Fast Containment of Scanning Worms. USENIX Security 2004.
- The Next Threat, Forbes Magazine, 20 Sept 2004.
- ClamAV vs. Mydoom, 1:0 — ClamAV, a GPL virus scanner, detected new variants of the Mydoom virus. Students looking for project ideas may want to think about doing something with ClamAV.
- Readings for 21 September:
Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles Pfleeger, John Quartererman and Bruce Schneier. CyberInsecurity: The Cost of Monopoly — How the Dominance of Microsoft's Products Poses a Risk to Security. September 2003.
Gaurav S. Kc, Angelos D. Keromytis, and Vassilis Prevelakis. Countering Code-Injection Attacks With Instruction-Set Randomization. 10th ACM International Conference on Computer and Communications Security (CCS), pp. 272 - 280. October 2003.
Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar. Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits. 12th USENIX Security Symposium, pp. 105-120, August 2003.
Additional suggested readings:H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu and D. Boneh. On the Effectiveness of Address Space Randomization. ACM CCS 2004, October 2004.
Debate: Is an Operating System Monoculture a Threat to Security?, USENIX Annual Technical Conference, 2004.
Dan Geer, Chief Scientist, Verdasys, Inc.; Scott Charney, Chief Trustworthy Computing Strategist, Microsoft Corporation
Moderated by Avi Rubin, Johns Hopkins University.
Dan Geer's opening and closing remarks
MP3 recording of debate [97MB]
- Malware Writers Using Open-Source Tactics, LinuxInsider, 9 Sept 2004.
- Readings for 14 September: [Presentation Slides]
Fred Cohen. Computer Viruses - Theory and Experiments. 1984.
Mihai Christodorescu, Somesh Jha. Testing Malware Detectors. ISTA 2004.
Christopher Kruegel, William Robertson, Fredrik Valeur and Giovanni Vigna. Static Disassembly of Obfuscated Binaries. USENIX Security 2004.
Additional suggested readings:VX Heavens has a good collection of virus papers (more targeted to virus authors than researchers: don't run code from this site!): http://vx.netlux.org/lib/?lang=EN
Andreas Marx. Outbreak Response Times: Putting AV To The Test. Virus Bulletin, February 2004.
Andreas Marx. Retrospective Testing -How Good (sic) Heuristics Really Work (PPT Presentation Slides from Virus Bulletin Conference 2002).
Steve White. Virus Bulletin 2010: A Retrospective. Virus Bulletin Conference, September 2000.
- Readings for 7 September:
Eugene Spafford. A Failure to Learn from the Past. Annual Computer Security Applications Conference, 2003.
Stuart Staniford, Vern Paxson and Nicholas Weaver. How to 0wn the Internet in Your Spare Time. USENIX Security Symposium 2002.
- The regular meeting time for the seminar will be Tuesdays, 3-5pm in Olsson 228E.
- 20,000 Zombie PCs -- $3000 (Slashdot, 9 September 2004)
- Registration Survey
- Suggested Papers
- Project Description
University of Virginia
Department of Computer Science
CS 851: Malware Seminar