- Due 11/17
- Hybrid race detector. Construct an example that can bypass the hybrid race detector. It must not be one of the cases described in Section 6.7. Explain why your example can bypass the detection algorithm.
- Parrot. Parrot doesn't have wrappers for pthread spin lock operations. Please follow the algorithm format in Figure 6 and write your wrappers for the three pthread spin lock operations: pthread_spin_lock/trylock/unlock.
- Due 11/10
- Android Race Detection. List three possible reasons for false positives.
- Appdoctor. 1. Does AppDoctor handle all the possible input events? If not, can you discover all of them automatically? 2. Can AppDoctor find the crash bugs caused by data races?
- Due 10/27
- Virtual address spaces are a standard OS abstraction for isolating processes, that is, for ensuring that a process cannot interfere with the memory contents of another process or of the OS kernel. However, commodity OSes oftentimes trade stronger memory isolation for performance. A common (kernel) design pattern is to use shared, split kernel/user address space layouts. In such schemes, the kernel is mapped inside the same address space of every process to facilitate fast kernel/user interactions. What are the security implications of this design choice? Does it affect how kernel bugs are exploited? Does it provide a vantage point to attackers? Does it affect the effectiveness of standard protections, like non-executable memory?
- Assuming that performance is not an issue, can we achieve strong kernel isolation? How hard is it to truly isolate kernel space from userland, given that our OSes have been evolving based on that premise?
- Due 10/20
- XSS Attacks. Finish all six levels of XSS attacks, and write down the process.
- CORS. Construct a JavaScript program communicating with another PHP program through CORS.
- Due 10/13
- VMVM. Construct an attack to bypass state isolation in VMVM.
- Phosphor. Can you strip the taint tag off of data with Phosphor? How?
- Due 10/6
- Delta debugging. Outline how you would apply delta debugging on data races (concurrent accesses to the same shared memory location with at least one write) to isolate the thread schedules that trigger the races. Assume you have full control over the thread scheduler and can generate whatever thread schedules you want.
- Rx. Explain how you would apply the Rx idea to recover from stack buffer overflows.
- Patch-based auditing. Describe the challenges to apply the idea in the paper to websites written in Java.
- Due 9/29
- CleanOS. Please elaborate at least two scenarios where a thief may be able to get sensitive data from the device. In each scenario, would the cloud auditing service find it out?
- Pebbles. In the following code snippet, will d and e have the same or related taint tags in Pebbles? In TaintDroid?

  ```java
  int taint1 = 64;
  int taint2 = 128;
  int a = 1;
  int b = 2;
  a = Taint.setTaintInt(a, taint1);   // tag a with taint1
  b = Taint.setTaintInt(b, taint2);   // tag b with taint2
  int[] c = new int[2];
  c[0] = a;                           // tagged values stored into one array
  c[1] = b;
  int d = c[0];                       // read back through the array
  int e = c[1];
  ```
- Due 9/22
- EXE. What's a reasonable strategy to handle malloc() with a symbolic size, as in the code snippet below?

  ```c
  size_t sz;
  make_symbolic(&sz);      /* sz is unconstrained symbolic input */
  char *p = malloc(sz);    /* allocation whose size is symbolic */
  p[2] = 0;                /* write at a concrete index */
  p[i] = p[3];             /* i is left undeclared in the prompt; treat it as an index */
  ```

  Describe the paths your strategy will explore for this code snippet.
- Baggy bounds check. Suppose slot_size is set to 16 bytes. Consider the following code snippet:

  ```c
  char *p = malloc(256);   /* 256-byte object */
  char *q = p + 256;       /* pointer one past the end of the object */
  char ch = *q;            /* dereference of q */
  ```

  Explain whether or not baggy bounds checking will raise an exception at the dereference of q.
- Due 9/15
- Pin. Write a Pin module that replaces malloc() calls with my_malloc() calls. You can get Pin from here.
- Memcheck. Would valgrind detect the buffer overrun in the following code? Why or why not?
  ```c
  int foo(void)
  {
      int a[2] = {0};
      a[2] = 10;   /* off by 1: writes one element past the end of a */
      return 0;
  }
  ```
- Due 9/8
- Meta-compilation. Based on your understanding of the paper, write a checker that finds memory leaks.
- Kint. Construct a C example that contains a harmful integer overflow that can't be detected by Kint. Your example must be fewer than 50 lines.