Operating Systems: Design and Security
The course is based on a series of research papers and projects
focused on the design and security of operating systems.
Students review the referenced papers before class
so that they can be discussed and expanded upon during class.
Lab work involves applying the concepts taught during the course
to implement various practical tasks.
Organisation, grading and curriculum information can be found in
the first deck of slides.
Professors
Course
Laboratory
Prerequisites
Bachelor courses:
- Operating Systems
  [1] Abraham Silberschatz, Greg Gagne, Peter B. Galvin. Operating System Concepts. Wiley, 2018. [ Wiley ]
- Systems Architecture
  [1] Jonathan Bartlett. Programming from the Ground Up. Broken Arrow, Oklahoma: Bartlett Publishing, 2004. [ PDF ]
  [2] Intel Corporation. Intel Software Developer Manuals. [ PDF ]
Course materials
During the course we will mainly work at the whiteboard, supported by
the following materials and slides.
The papers that students need to prepare in advance are marked
accordingly or announced in class a week beforehand.
Module 0: Operating System Design
- Recapitulation: processes, paging, segmentation.
- Virtual machines
Module I: Buffer Overflow Attacks
- Buffer Overflow (Module Overflow)
  [1] Aleph One (Elias Levy). Smashing the Stack for Fun and Profit. Phrack Magazine 7.49 (1996): 14-16. [ PDF ]
- Return-to-libc Attacks
  [1] Solar Designer (Alexander Peslyak). Getting Around Non-Executable Stack (and Fix). Bugtraq, 1997. [ HTML ]
  [2] c0ntext. Bypassing Non-Executable-Stack During Exploitation Using Return-to-libc. [ HTML ]
  [3] David Wheeler. Secure Programmer: Countering Buffer Overflows. IBM DeveloperWorks, 2004. [ HTML ]
- Address Space Layout Randomization
- Return Oriented Programming
  [1] Hovav Shacham. The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007. [ PDF ]
  [2] Todd Mortimer. Removing ROP Gadgets from OpenBSD. Proceedings of AsiaBSDCon (2019): 13-21. [ PDF | Slides ]
Module II: Hardware Speculative Attacks
- Timing attacks
  [1] Paul C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. Advances in Cryptology - CRYPTO '96, 1996. [ PDF ]
  [2] Billy Bob Brumley and Nicola Tuveri. Remote Timing Attacks Are Still Practical. European Symposium on Research in Computer Security. Springer, Berlin, Heidelberg, 2011. [ PDF ]
  [3] Colin Percival. Cache Missing for Fun and Profit. 2005: 1-13. [ PDF ]
- Cache attacks: Meltdown
  [1] Moritz Lipp et al. Meltdown. arXiv preprint arXiv:1801.01207, 2018. [ PDF ]
  [2] Mark D. Hill. On the Meltdown & Spectre Design Flaws. Presentation, 2018. [ PDF ]
- Cache attacks: Spectre
  [1] Paul Kocher et al. Spectre Attacks: Exploiting Speculative Execution. 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019. [ PDF ]
- Rowhammer attacks
  [1] Yoongu Kim et al. Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors. ACM SIGARCH Computer Architecture News 42.3 (2014): 361-372. [ PDF ]
  [2] Mark Seaborn and Thomas Dullien. Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges. Black Hat 15 (2015): 71. [ PDF ]
  [3] Daniel Gruss, Clementine Maurice, and Stefan Mangard. Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, Cham, 2016. [ PDF ]
Module 0: Operating System Design (continuation)
- Statistical clock drivers
  AMD Geode CS5536 multi-function general purpose timer. [ manpage | source ]
  [1] Steven McCanne and Chris Torek. A Randomized Sampling Clock for CPU Utilization Estimation and Code Profiling. USENIX Winter, 1993. [ PDF ]
- Functional Correctness and Security Proofs: seL4 and Genode
Laboratory classes
All lab materials can be found here.
Examination
The list of subjects for the final paper is here.
Elaboration.
A 4-page, double-column paper written in teams of at most 3 students.
The LaTeX template for the paper can be found here.
Submitting the paper.
One team member is designated the corresponding author.
The corresponding author uploads the paper to the Teams Assignment.