Latest COVID-19 Information for Purdue University

The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

2020 ONR Software Security Summer School (SSSS20), Online, August 3-7, 2020


Questions? Please email: ssss20@cerias.purdue.edu


Agenda

 

Monday, August 3rd, 2020

Pre-Tutorial Demo-only Day


10:00AM - 10:55AM (ET)



Help Session: Using WebEx and Connecting to Tutorial Instances




10:55AM - 11:00AM (ET)

Dongyan Xu (Purdue University), SSSS’20 Introduction




11:00AM - 12:00PM (ET)

UT Dallas

Semi-automated Debloating of Binary Software



12:00PM - 1:00PM (ET)

PrivateMachines

Hands-on DECAF



1:00PM - 2:00PM (ET)

Georgia Tech

SkyWalker: Toward Automated Synthesis of Offensive Agents to Counter C&C-Driven Mobile Cyber Attacks



2:00PM - 3:00PM (ET)

Purdue University and Intelligent Automation, Inc.

RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing



3:00PM - 4:00PM (ET)

Pennsylvania State University

Flexible Process Monitoring with the Process Firewall



4:00PM - 5:00PM (ET)


Help Session: Using WebEx and Connecting to Tutorial Instances

Tuesday, August 4th, 2020

Hands-on Tutorial Day 1



Join on WebEx

9:50am - 10:00am (ET)


ONR

Ryan Craven (ONR), SSSS’20 Opening Remarks





10:00AM - 1:00PM (ET)


EPFL and Purdue University

RetroWrite: Efficient Static Binary Rewriting for Security Testing





2:30PM - 5:30PM (ET)

Georgia Tech

Adopting RAZOR for Post-deployment Software Debloating



Wednesday, August 5th, 2020

Hands-on Tutorial Day 2

9:50AM - 10:00AM (ET)

ONR and MITRE

Matt Mickelson, SSSS’20 Wednesday Kick-off





10:00AM - 1:00PM (ET)

Stony Brook University

Less is More: Introducing an Automated Debloating Pipeline based on Dynamic Web Application Usage



2:30PM - 5:30PM (ET)

UCLA

JDebloat—Synergistic Java Bytecode Customization through Static Debloating and Delayering





Thursday, August 6th, 2020

Hands-on Tutorial Day 3

9:55AM-10:00AM (ET)

ONR

Dan Koller, SSSS’20 Thursday Kick-off




10:00AM - 1:00PM (ET)

Galois, Inc.

Software Fault Encouragement



2:30PM - 5:30PM (ET)

Draper

Applying CBAT for Binary Patch Verification

Friday, August 7th, 2020

Hands-on Tutorial Day 4




9:55AM - 10:00AM (ET)

ONR

Sam Weber, SSSS’20 Friday Kick-off




10:00AM - 1:00PM (ET)

Stony Brook University

Automated System Call Policy Generation for Container Attack Surface Reduction



2:30PM - 5:30PM (ET)

George Washington University

Communication Protocol Customization and Fuzzing

 

 

 

 

 




Technical Requirements for Attendees Computers

  • A reasonably fast internet connection that can support two-way video conferencing and interactive use of a remote computer system simultaneously.
  • Webex Training is best supported on Windows and macOS.  Other operating systems (e.g. Linux, Android, iOS) are not supported and may not allow you to share your screen if you need assistance with the tutorials.
  • An RDP client (Microsoft RDP Client Mac/Windows 10) will be needed for accessing AWS instances used for lab exercises.
  • Slack (optional)


Instructions for Windows and Mac Users



Tutorial Abstracts

RetroWrite: Efficient Static Binary Rewriting for Security Testing

EPFL and Purdue University

Tues. Aug. 4th, 2020 10:00AM - 1:00PM

 

 

Adopting RAZOR for Post-deployment Software Debloating

Georgia Tech

Tue. Aug. 4th, 2020 2:30PM – 5:30PM

In this tutorial, attendees will have the opportunity to use Razor to debloat post-deployment software. We will explore dynamic tracing techniques to trace software’s execution efficiently, use different heuristics to infer non-executed code with similar functionalities, and rewrite software without source code. We will walk through widely used benchmarks and real-world programs to evaluate Razor’s code reduction and robustness.

Less is More: Introducing an Automated Debloating Pipeline ased on Dynamic Web Application Usage

Stony Brook University

Wed. Aug. 5th, 2020 10:00AM - 1:00PM

In this tutorial, attendees will have the opportunity to learn and experiment with our “Less is More” debloating pipeline for web applications. Like binary software, web applications are becoming ever more complicated and their attack surface is constantly expanding. The attendees will get a chance to use our pipeline to debloat a popular web application, experience how the debloated web application functions as expected, and observe how an exploit that worked before debloating, stops working after debloating.

JDebloat—Synergistic Java Bytecode Customization through Static Debloating and Delayering

UCLA

Wed. Aug. 5th, 2020 2:30PM – 5:30PM

In this tutorial, attendees will have the opportunity to use JDebloat, a tool that reduces Java program size by half (on average). We will cover using our tool from beginning to end on an example project. Throughout the tutorial you will learn how our tool works, and how to use it.

 

Software Fault Encouragement

Galois, Inc.

Thurs. Aug. 6th, 2020 10:00AM – 1:00PM

This tutorial covers tools for adding defense-in-depth protections against cyber vulnerabilities for legacy embedded systems.  The tools (which support x86_64, PowerPC, and ARM) create artificial binary diversity with minimal overhead to significantly increase the effort required to develop attacks.  Attendees will have the opportunity to 1) apply the tools to a demonstration system, and 2) explore an example workflow for integrating binary diversification as a defensive mechanism.

Applying CBAT for Binary Patch Verification

Draper Laboratory

Thurs. Aug. 6th, 2020 2:30PM – 5:30PM

This tutorial will introduce CBAT: a Comparative Binary Analysis Tool.  CBAT is used to analyze binary programs and automatically find bugs or prove program correctness.  It can also compare the behavior of programs to check that patches or binary transformations do not introduce unintended changes.  Attendees will have the opportunity to find bugs in real programs with CBAT, and will learn about the BAP binary analysis platform it is built on.

Automated System Call Policy Generation for Container Attack Surface Reduction

Stony Brook University

Fri. Aug. 7th, 2020 10:00:AM – 1:00PM

Container technologies rely on weaker isolation mechanisms compared to virtual machines, allowing adversaries to exploit kernel vulnerabilities to escalate their privileges and fully compromise the host (and all the other containers running on it). To reduce this risk, we have developed Confine, an automated system that generates restrictive system call policies for arbitrary Docker containers. Reducing the number of available system calls limits the exposed interface of the underlying kernel, minimizing this way its attack surface. In this tutorial, attendees will have the opportunity to use Confine for hardening publicly available Docker images of popular applications (e.g., Nginx), take an in-depth look into the filtered system calls and the respective neutralized kernel vulnerabilities, and experiment with real-world exploits that are rendered ineffective by the applied system call policies.

Communication Protocol Customization and Fuzzing

George Washington University

Fri. Aug. 7th, 2020 2:30PM – 5:30PM

This tutorial introduces tools that perform protocol binary tainting and stateful protocol fuzzing. In this tutorial, attendees will have the opportunity to trace binary instructions relevant to specific protocol packets/fields, and detect vulnerabilities in stateful protocol communications.