E6121 Reliable Software

Fall 2012 -- Junfeng Yang

    Due 11/18
  • no-sleep bugs. Compare iOS and Android on their sleep-related APIs.
  • Android security. The paper mentions that typical Android applications execute on top of a Java virtual machine. What is the role of Java in ensuring overall security?
  • koi. Think about other applications that you run on your mobile phone. How might you apply Koi's techniques to help ensure privacy in these other applications? What other techniques could be useful?
    Due 10/28
  • js enforce. Given
            function idx(x) {
              if (x == 'constructor') { return '__unknown__'; }
              return x;
            }
    Would it be enough to ensure that a[b] won't evaluate to a['constructor']? Explain.
  • pentest. The paper describes static methods to identify input vectors and dynamic methods to discover successful attacks. Describe three other ideas that can improve penetration testing.
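    A runnable illustration of the property-key question above, added here and not part of the course page or of the paper it refers to: idx() is reproduced as given, while splitPersonalityKey(), idxSafe() and the BLOCKED denylist are assumptions made for this illustration. It contrasts the conversion that == applies to an object operand with the conversion a[x] applies, and shows a guard that converts first and then compares.

```javascript
// Added example (not from the course page or the paper it refers to).
// idx() is the page's function; everything else is assumed for illustration.

function idx(x) {
  if (x == 'constructor') { return '__unknown__'; }
  return x;
}

// In a[x] the engine converts x to a property key with the "string" hint:
// an object's toString() is consulted before its valueOf(). In x == 'constructor'
// the "default" hint applies and valueOf() is consulted first. An object that
// answers the two differently passes the comparison in idx() and still names
// 'constructor' when used as a key.
function splitPersonalityKey() {
  return {
    valueOf() { return 'harmless'; },
    toString() { return 'constructor'; },
  };
}

// Hardened guard (assumption): convert with the same rule the property access
// will use, then compare the resulting string against a denylist rather than
// against one literal name.
const BLOCKED = new Set(['constructor', '__proto__', 'prototype']);
function idxSafe(x) {
  const key = typeof x === 'symbol' ? x : String(x);
  if (typeof key === 'string' && BLOCKED.has(key)) { return '__unknown__'; }
  return key;
}

function access(a, b, guard) {
  return a[guard(b)];
}

// Summarises the three cases on a plain object, whose inherited
// constructor property is Object.
function demo() {
  const a = {};
  return {
    literalBlocked: access(a, 'constructor', idx) === undefined,
    objectKeyBypasses: access(a, splitPersonalityKey(), idx) === Object,
    hardenedBlocks: access(a, splitPersonalityKey(), idxSafe) === undefined,
  };
}
```

    The point of idxSafe() is not the particular denylist but the order of operations: the guard must see the very string the property access will use, so the conversion has to happen inside the guard, before the comparison.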
    Due 10/21
  • Static analysis of PHP. The paper describes one false positive in the result section. Why is it a false positive? Show your reasoning by demonstrating how the proposed analysis works on the given code (i.e., show the states and block summaries at each step of the analysis).
  • Browser compatibility testing. Algorithm 4.2 computes maximal matches, not necessarily maximum matches. Construct an example state graph to illustrate this case.
    Due 10/14
  • Delta debugging. Outline how you would apply delta debugging on data races (concurrent accesses to the same shared memory location with at least one write) to isolate the thread schedules that trigger the races. Assume you have full control over the thread scheduler and can generate whatever thread schedules you want.
  • Rx. Explain how you would apply the Rx idea to recover from stack buffer overflows.
  • Patch-based auditing. Describe the challenges to apply the idea in the paper to websites written in Java.
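    As an added example for the delta debugging question above (not from the course page or from Zeller's papers), the following is a plain ddmin over a constructed list of scheduling decisions, each written "thread:op:variable". The oracle reports a race when two accesses from different threads touch the same variable and at least one is a write. One assumption is worth noting: the oracle accepts any subsequence of the recorded schedule as a valid schedule, which a real scheduler would not; re-validating feasibility of each candidate is exactly the extra work the question asks you to think about.

```javascript
// Added example (not from the course page). ddmin, the delta-debugging
// minimisation algorithm, over a constructed schedule. Assumption: every
// subsequence of SCHEDULE is itself a schedulable interleaving.

// Constructed sample: only variable x is written by one thread and touched
// by another, so exactly one racing pair exists.
const SCHEDULE = [
  't1:w:a', 't2:r:b', 't1:r:a', 't2:r:c',
  't1:w:x', 't1:r:c', 't2:r:x', 't2:w:b',
];

// Oracle: does this schedule still contain a data race?
function triggersRace(schedule) {
  const parsed = schedule.map((e) => {
    const [thread, op, variable] = e.split(':');
    return { thread, op, variable };
  });
  for (let i = 0; i < parsed.length; i++) {
    for (let j = i + 1; j < parsed.length; j++) {
      const a = parsed[i], b = parsed[j];
      if (a.thread !== b.thread && a.variable === b.variable &&
          (a.op === 'w' || b.op === 'w')) {
        return true;
      }
    }
  }
  return false;
}

// Split indices 0..len-1 into n contiguous ranges [start, end).
function ranges(len, n) {
  const out = [];
  for (let i = 0; i < n; i++) {
    const start = Math.floor((i * len) / n);
    const end = Math.floor(((i + 1) * len) / n);
    if (end > start) out.push([start, end]);
  }
  return out;
}

// ddmin: returns a 1-minimal subsequence of items for which test() holds.
function ddmin(items, test) {
  let current = items.slice();
  let n = 2;
  while (current.length >= 2) {
    const parts = ranges(current.length, n);
    let reduced = false;
    // Reduce to subset: try each part on its own.
    for (const [start, end] of parts) {
      const subset = current.slice(start, end);
      if (test(subset)) { current = subset; n = 2; reduced = true; break; }
    }
    // Reduce to complement: try dropping each part.
    if (!reduced) {
      for (const [start, end] of parts) {
        const complement = current.filter((_, k) => k < start || k >= end);
        if (complement.length && test(complement)) {
          current = complement; n = Math.max(n - 1, 2); reduced = true; break;
        }
      }
    }
    // Neither helped: refine the split, or stop once at singletons.
    if (!reduced) {
      if (n >= current.length) break;
      n = Math.min(2 * n, current.length);
    }
  }
  return current;
}

// Minimise the constructed schedule down to the events that still race.
function minimizeSchedule() {
  return ddmin(SCHEDULE, triggersRace);
}
```

    On the constructed schedule the loop first keeps the second half, then peels off the unrelated events one at a time until only the write to x by t1 and the read of x by t2 remain.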
    Due 9/30
  • EXE. What's a reasonable strategy to handle malloc() with a symbolic size like in the code snippet below?
            size_t sz;
            make_symbolic(&sz);
            char *p = malloc(sz);
            p[2] = 0;
            p[i] = p[3];
    Describe the paths your strategy will explore for this code snippet.
  • Baggy bounds check. Suppose slot_size is set to 16 bytes. Consider the following code snippet:
            char *p = malloc(256);
            char *q = p + 256;
            char ch = *q;
    Explain whether or not baggy bounds checking will raise an exception at the dereference of q.
    Due 9/23
  • Pin. Write a Pin module that replaces malloc() calls with my_malloc() calls. You can get Pin from here.
  • Memcheck. Would valgrind detect the buffer overrun in the following code? Why or why not?
            void foo(void) {
                int a[2] = {0};
                a[2] = 10; // off by 1
            }
    Due 9/16
  • Meta-compilation. Based on your understanding of the paper, write a checker that finds memory leaks.
  • Kint. Construct a C example that contains a harmful integer overflow that can't be detected by Kint. Your example must be fewer than 50 lines.