CS 595C
Automated Worst Case and Side Channel Analysis for Software
Fall 2015
Description:
As bug detection techniques become more effective at eliminating flaws in
software systems, attacks that rely on the inherent space-time complexity of
algorithms used for building software systems are gaining prominence. If
an adversary can generate arbitrary inputs that induce behaviors with
expensive space-time resource utilization at the defender's end, in
addition to mounting denial-of-service attacks, the adversary can also use
the same inputs to facilitate side-channel attacks in order to infer some
secret from the observed system behavior. In this seminar we will review
recent research results on automated worst-case analysis and quantitative
information flow analysis for software systems, which can be used to identify
vulnerabilities to such attacks.
Instructor:
Tevfik Bultan
Meeting time:
Wednesdays, 10:00AM-10:50AM
Location: HFH 1152
Enrollment Code: 62422
Units: This will be a 2-unit seminar
Schedule and Presentations
Course Work
- Each student has to read all the papers that are presented every week and participate in the discussion.
- Each student will be asked to present one week:
- Please prepare slides for presenting the high-level ideas.
Use the whiteboard for detailed discussions and examples.
Reading List
- Symbolic Execution
- Corina S. Pasareanu, Willem Visser, David H. Bushnell, Jaco
Geldenhuys, Peter C. Mehlitz, Neha Rungta.
Symbolic PathFinder:
integrating symbolic execution with model checking for Java bytecode
analysis.
Autom. Softw. Eng. 20(3): 391-425 (2013)
- Antonio Filieri, Corina S. Pasareanu, Willem Visser.
Reliability analysis in symbolic pathfinder.
ICSE 2013: 622-631
- Mateus Borges, Antonio Filieri, Marcelo d'Amorim, Corina S. Pasareanu,
Willem Visser.
Compositional solution space quantification for probabilistic
software analysis.
PLDI 2014: 15
- Worst Case Analysis
- Jacob Burnim, Sudeep Juvekar, Koushik Sen.
WISE: Automated test
generation for worst-case complexity.
ICSE 2009: 463-473
- Sumit Gulwani, Krishna K. Mehra, Trishul M. Chilimbi.
SPEED: precise and efficient static estimation of program computational
complexity.
POPL 2009: 127-139
- Bhargav S. Gulavani, Sumit Gulwani.
A Numerical Abstract Domain Based on Expression Abstraction and Max Operator with Application in Timing Analysis.
CAV 2008: 370-384
- Sumit Gulwani, Sagar Jain, Eric Koskinen.
Control-flow refinement and progress invariants for bound analysis.
PLDI 2009: 375-385
- Sumit Gulwani, Florian Zuleger.
The reachability-bound problem.
PLDI 2010: 292-304
- ThanhVu Nguyen, Deepak Kapur, Westley Weimer, Stephanie Forrest.
Using dynamic analysis to generate disjunctive invariants.
ICSE 2014: 608-619
- Richard M. Chang, Guofei Jiang, Franjo Ivancic, Sriram Sankaranarayanan, Vitaly Shmatikov.
Inputs of Coma: Static Detection of Denial-of-Service Vulnerabilities.
CSF 2009: 186-199
- Scott A. Crosby, Dan S. Wallach.
Denial of Service via Algorithmic Complexity Attacks.
USENIX Security 2003
- James Kirrage, Asiri Rathnayake, Hayo Thielecke.
Static Analysis for Regular Expression Denial-of-Service Attacks.
NSS 2013: 135-148
- Implicit Path Enumeration
- Yau-Tsun Steven Li, Sharad Malik.
Performance analysis of embedded software using implicit path enumeration.
IEEE Trans. on CAD of Integrated Circuits and Systems 16(12): 1477-1487 (1997)
- Thomas Lundqvist, Per Stenström.
An Integrated Path and Timing Analysis Method based on Cycle-Level Symbolic Execution.
Real-Time Systems 17(2-3): 183-207 (1999)
- Martin Schoeberl, Wolfgang Puffitsch, Rasmus Ulslev Pedersen, Benedikt Huber.
Worst-case execution time analysis for a Java processor.
Softw., Pract. Exper. 40(6): 507-542 (2010)
- Jens Knoop, Laura Kovács, Jakob Zwirchmayr.
r-TuBound: Loop Bounds for WCET Analysis (Tool Paper).
LPAR 2012: 435-444
- Jens Knoop, Laura Kovács, Jakob Zwirchmayr.
WCET squeezing: on-demand feasibility refinement for proven precise WCET-bounds.
RTNS 2013: 161-170
- Stefan Bygde, Andreas Ermedahl, Björn Lisper.
An Efficient Algorithm for Parametric WCET Calculation.
RTCSA 2009: 13-21
- Elvira Albert, Puri Arenas, Samir Genaim, Germán Puebla.
Closed-Form Upper Bounds in Static Cost Analysis.
J. Autom. Reasoning 46(2): 161-203 (2011)
- Quantitative Information Flow Analysis
- Geoffrey Smith.
On the Foundations of Quantitative Information Flow.
FOSSACS 2009: 288-302
- Pasquale Malacaria.
Assessing security threats of looping constructs.
POPL 2007: 225-235
- David Clark, Sebastian Hunt, Pasquale Malacaria.
A static analysis for quantifying information flow in a simple imperative language.
Journal of Computer Security 15(3): 321-371 (2007)
- Jonathan Heusser, Pasquale Malacaria.
Quantifying information leaks in software.
ACSAC 2010: 261-269
- Quoc-Sang Phan, Pasquale Malacaria, Oksana Tkachuk, Corina S. Pasareanu.
Symbolic quantitative information flow.
ACM SIGSOFT Software Engineering Notes 37(6): 1-5 (2012)
- Quoc-Sang Phan, Pasquale Malacaria, Corina S. Pasareanu, Marcelo d'Amorim.
Quantifying information leaks using reliability analysis.
SPIN 2014: 105-108
- Stephen McCamant, Michael D. Ernst.
Quantitative information flow as network flow capacity.
PLDI 2008: 193-205
- Stephen McCamant, Michael D. Ernst.
Quantitative information flow tracking for C and related languages.
MIT-CSAIL-TR-2006-076
- Michael Backes, Boris Köpf, Andrey Rybalchenko.
Automatic Discovery and Quantification of Information Leaks.
IEEE Symposium on Security and Privacy 2009: 141-153
- Shuo Chen, Rui Wang, XiaoFeng Wang, Kehuan Zhang.
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow.
IEEE Symposium on Security and Privacy 2010: 191-206
- Goran Doychev, Dominik Feld, Boris Köpf, Laurent Mauborgne, Jan Reineke.
CacheAudit: A Tool for the Static Analysis of Cache Side Channels.
USENIX Security 2013: 431-446