Paul Irofti

About me: 
 Resume (RO)
 Security Seminar


 Sisteme de Operare
 Utilizarea SO
 OS Security
 Vedere Artificială
 Static Analysis
 Prelucrarea Semnalelor
 Calcul Numeric

 [E-mail address]

Operating Systems: Design and Security

The course is based on a series of research papers and projects focused on the design and security of operating systems. Students will review the referenced papers before class such that they can be discussed and expanded upon during class. Lab work will involve applying the concepts tought at during course in order to implement various practical tasks.

Organisation, grading and curricula information can be found in the first deck of slides.





Bachelor courses:

  1. Operating Systems
  2. [1] Abraham Silberschatz, Greg Gagne, Peter B. Galvin Operating system concepts, Wiley, 2018 [ Wiley ]
  3. Systems Architecture
    [1] Bartlett, Jonathan Programming from the ground up, Broken Arrow, Oklahoma: Bartlett Publishing, 2004. [ PDF ]
    [2] Intel Corporation Intel Software Developer ManualsPDF ]

Course materials

During course we will mainly work at the whiteboard supported by the following materials and slides. The papers that need to be prepared by students in advance are marked accordingly or announced in class a week in advance.

Module 0: Operating System Design

  1. Recapitulation: processes, paging, segmentation.
  2. Virtual machines

Module I: Buffer Overflow Attacks

  1. Buffer Overflow (Module Overflow)

    [1] Aleph One (Elias Levy) Smashing the stack for fun and profit., Phrack magazine 7.49 (1996): 14-16 [ PDF ]
  2. Return-to-libc Attacks

    [1] Solar Designer (Alexander Peslyak) Getting around non-executable stack (and fix), Bugtraq, 1997 [ HTML ]
    [2] c0ntext Bypassing non-executable-stack during exploitation using return-to-libc, [ HTML ]
    [3] David Wheeler Secure programmer: Countering buffer overflows, IBM DeveloperWorks, 2004 [ HTML ]
  3. Address Space Layout Randomization

  4. Return Oriented Programming

    [1] Shacham, Hovav The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86), Proceedings of the 14th ACM conference on Computer and communications security. 2007 [ PDF ]
    [2] Mortimer, Todd Removing ROP gadgets from OpenBSD, Proc. of the AsiaBSDCon (2019): 13-21 [ PDF  | Slides ]

Module II: Hardware Speculative Attacks

  1. Timing attacks

    [1] Kocher, Paul C. Timing Attacks on Implementations of Die-Hellman, RSA, DSS, and Other Systems, Advances in Cryptology| Crypto. Vol. 96. 1996. [ PDF ]
    [2] Brumley, Billy Bob, and Nicola Tuveri Remote timing attacks are still practical, European Symposium on Research in Computer Security. Springer, Berlin, Heidelberg, 2011. [ PDF ]
    [3] Percival, Colin Cache missing for fun and profit, 1-13, 2005. [ PDF ]
  2. Cache attacks: Meltdown

    [1] Lipp, Moritz, et al Meltdown, arXiv preprint arXiv:1801.01207 (2018) [ PDF ]
    [2] Mark D. Hill On the Meltdown & Spectre Design Flaws, Presentation (2018) [ PDF ]
  3. Cache attacks: Spectre

    [1] Kocher, Paul, et al. Spectre attacks: Exploiting speculative execution., 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019 [ PDF ]
  4. Rowhammer attacks

    [1] Kim, Yoongu, et al. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors., ACM SIGARCH Computer Architecture News 42.3 (2014): 361-372. [ PDF ]
    [2] Mark Seaborn and Thomas Dullien Exploiting the DRAM rowhammer bug to gain kernel privileges. Black Hat 15 (2015): 71 [ PDF ]
    [3] Gruss, Daniel, Clementine Maurice, and Stefan Mangard. Rowhammer. js: A remote software-induced fault attack in javascript. International conference on detection of intrusions and malware, and vulnerability assessment. Springer, Cham, 2016. [ PDF ]

Module 0: Operating System Design (continuation)

  1. Statistical clock drivers

    AMD Geode CS5536 multi-function general purpose timer. [ manpage | source ]

    [1] McCanne, Steven, and Chris Torek A Randomized Sampling Clock for CPU Utilization Estimation and Code Profiling., USENIX Winter. 1993. [ PDF ]
  2. Functional Correctness and Security Proofs: seL4 and Genode

Laboratory classes

Labs 3 and 4 contain an EICAR which is why the archives are password protected with "password".

  1. Processes and threads
  2. Synchronization and communication
  3. The Linux module inotify
  4. Windows Driver -- mini-filter
  5. Buffer overflow and ASLR
  6. Return Oriented Programming
  7. Cache memory: optimizations and atacks


Subjects list for the final paper is here.

Elaboration. 4 pages double-columned paper elaborated in teams of maxium 3 students. Paper LaTeX template can be found here.

Submitting the paper. One team member is designated the corresponding author. The corresponding author will upload the paper in the Teams Assignment.