Workshop in compile-time techniques for detecting Javascript exploits Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky

Slides:

Advertisements

Similar presentations

Indistar® Leadership Team Meetings. Where can we plan a meeting? Choose ‘Plan Your Meeting’ from the main menu screen Click on Meeting Agenda Setup.

Advertisements

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.

Compilation (Semester A, 2013/14) Lecture 14: Compiling Object Oriented Programs Noam Rinetzky Slides credit: Mooly Sagiv 1.

CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.

A quasi-experimental comparison of assessment feedback mechanisms Sven Venema School of Information and Communication Technology.

DSP Implementation Lecture 3. Anatomy of a DSP Project In VDSP Linker Description File (.LDF) Source Files (.asm,.c,.h,.cpp,.dat) Object Files (.doj)

 Introduction  Related Work  Design Overview  System Implementation  Evaluation  Limitations 2011/7/19 2 A Seminar at Advanced Defense Lab.

Software Security Lecture 10 Fang Yu Dept. of MIS, National Chengchi University Spring 2011.

Software Security Lecture 0 Fang Yu Dept. of MIS National Chengchi University Spring 2011.

CS 330 Programming Languages 10 / 16 / 2008 Instructor: Michael Eckmann.

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Advanced Compilers CSE 231 Instructor: Sorin Lerner.

Run-Time Storage Organization

COMS S1007 Object-Oriented Programming and Design in Java July 24, 2008.

Chapter 9: Subprogram Control

Evaluating a Formal Methods Technique via Student Assessed Exercises Alastair Donaldson, Alice Miller University of Glasgow.

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.

Week 7 February 17, 2004 Adrienne Noble. Important Dates Due Monday, Feb 23 Homework 7 Due Wednesday, Feb 25 Project 3 Due Friday, Feb 27 Homework 8.

Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.

Business and Management Research WELCOME. Business and Management Research Instructor:Rawaa Muhandes Office Number: 624 Term/yearSemester.

1 Chapter 5: Names, Bindings and Scopes Lionel Williams Jr. and Victoria Yan CSci 210, Advanced Software Paradigms September 26, 2010.

Measurement Tools and Dataset Dimitri Papadimitriou, Davide Careglio, JosepLluis Marzo.

CAP6135: Malware and Software Vulnerability Analysis Cliff Zou Spring 2015.

Names Variables Type Checking Strong Typing Type Compatibility 1.

March 12, ICE 1341 – Programming Languages (Lecture #6) In-Young Ko Programming Languages (ICE 1341) Lecture #6 Programming Languages (ICE 1341)

Compiler Construction

The Procedure Abstraction, Part V: Support for OOLs Comp 412 Copyright 2010, Keith D. Cooper & Linda Torczon, all rights reserved. Students enrolled in.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

February 11, 2005 More Pointers Dynamic Memory Allocation.

Comp 245 Data Structures Linked Lists. An Array Based List Usually is statically allocated; may not use memory efficiently Direct access to data; faster.

Engineering Secure Software. Vulnerability of the Day  Each day, we will cover a different type of code-level vulnerability Usually a demo How to avoid,

CSE 425: Data Types I Data and Data Types Data may be more abstract than their representation –E.g., integer (unbounded) vs. 64-bit int (bounded) A language.

CMPGN3007 & CMPGN3008 BSc Project Dr T.A.Etchells BSc Project Tutor

CS 423 Compiler project notes Dept. of Comp. Sci. & Eng. Geunbae Lee.

CSC 111 COURSE ORIENTATION. Course name and Credit houres  CSC 111 – Computer Programming-I  Credit hours:  3 hours lecture  1 hour tutorial  2 hours.

By Davide Balzarotti Marco Cova Viktoria V. FelmetsgerGiovanni Vigna Presented by: Mostafa Saad.

Language Arts. Contact Info address:

Compiler Construction (CS-636)

Concepts of programming languages Chapter 5 Names, Bindings, and Scopes Lec. 12 Lecturer: Dr. Emad Nabil 1-1.

2/22/2010 TESL 3240 Curriculum Development and Materials Design Course overview.

Zozzle: Low-overhead Mostly Static JavaScript Malware Detection.

1 CS 426 / CPE 426 Senior Projects Spring 2007 Course Syllabus January 23, 2007.

Virtual Machines Noam Rinetzky Schreiber 123A Semester A. Tuesday, 14:00-16:00. Ornstein 110.

Data Structures and Algorithms in Java AlaaEddin 2012.

Lecture 1CS 380C 1 CS 380C Advanced Compiler Techniques Kathryn S McKinley The University of Texas at Austin.

Database Alerts and Persistent / Durable Links  Alerts are notifications regarding additions to the database  Persistent or Durable links are links that.

Michael J. Voss and Rudolf Eigenmann PPoPP, ‘01 (Presented by Kanad Sinha)

1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.

CPSC 252Inheritance II Page 1 Inheritance & Pointers Consider the following client code: const int MAXCLOCKS = 2; Clock* clockPtr[ MAXCLOCKS ]; clockPtr[0]

Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.

Code Generation Instruction Selection Higher level instruction -> Low level instruction Register Allocation Which register to assign to hold which items?

CSC 172 DATA STRUCTURES. MIDTERM REVIEW MIDTERM EXAM 75 min 6 – 10 questions a lot like the quiz questions.

Seminar in automatic tools for analyzing programs with dynamic memory

Review: Chapter 5: Syntax directed translation

Secure Software Development: Theory and Practice

Symbolic Execution Tools for Software Testing

BUS 519 Possible Is Everything/snaptutorial.com

and Executing Programs

پروتكل آموزش سلامت به مددجو

Detecting Targeted Attacks Using Shadow Honeypots

1 مفهوم ارتباطات ارتباطات معادل واژه communications ) ميباشد(. ارتباطات يك فرايند اجتماعي و دو طرفه است كه در آن اطلاعات مبادله شده و نوعي تفاهم بين طرفهاي.

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

Closure Representations in Higher-Order Programming Languages

Smashing the Stack for Fun and Profit

<<Project Name>>

CSE 153 Design of Operating Systems Winter 2019

point when a program element is bound to a characteristic or property

Symbolic Execution Tools for Software Testing

Symbolic Execution Tools for Software Testing

Presentation transcript:

Workshop in compile-time techniques for detecting Javascript exploits Shir Landau-Feibish, Shmulik Regev, Noam Rinetzky /workshop/workshop1314b.html Semester B. Monday, 16:00-18:00. Kaplun 319

Scope Automatic tools for analyzing Javascripts Detecting malicious code Static tools: Compile-time Dynamic tools: Run-time

Admin Projects in groups of 2-3 Talking and helping is OK – Copying is not All members should participate Hands-off guidance

Goals Learn Javascript Implement a simple analyzer (mini-project) Implement a sophisticated analyzer – Choose a vulnerability – Find tell-tale signs – Implement a detector Compile-time analysis Can have a runtime component Experimental evaluation Presentation of tools & results

Short term schedule Today: Problem description Next week: – Review of existing tools/techniques – Mini-project description

Long Term Schedule (Tentative) 17/02/2014: Problem description 24/02/2014: Mini-project description 07/04/2014: Progress report (mini project) 09/06/2014: Progress report – Mini project submission – Presenting chosen project 02/09/2014: Project submission ~15/September/2014: Project presentation

Javascript Self study Next lecture in Programming Languages – Next Monday (24/2/14), 10:00-12:00 – Dan David 001

Next week: Review of Techniques&Tools Heap feng shui Address disclosure – Pointer inference + integer sieve sections JIT spray – JIT spry Section ROP – Sections 1-2 Zozzle

Text links Heap feng shui – ot08.html ot08.html Address disclosure – – Pointer inference + integer sieve sections JIT spray – – JIT spray section ROP – – Only sections 1 & 2 Zozzle –