S^^3^^ (Systems and Software Security) Lab
$Id: s3.t2t, v2.0, last updated %%mtime(%c) Exp $

%! Target:
%! Options: --toc --css-sugar --encoding=iso-8859-1
%! Style: tech.css
%! PreProc:
%! PostProc(html): \^\^(.*?)\^\^ \1

=== About ===
---------------------------------------------------------------------------

[[img/s3.jpg] img/s3.jpg]

The Systems and Software Security (S^^3^^) Lab at The University of Texas at Dallas focuses on building new systems and automated techniques to secure computer systems, including OS kernels and the software running on them. We cover a wide spectrum of technology, spanning hardware, architecture, virtualization, operating systems, and compilers. Our emphasis is on the underlying //program (including source code and binary code) analysis techniques//, as computer systems essentially run programs. The applications we are particularly interested in include the protection of hypervisors and operating system kernels; the inference of binary code for vulnerability discovery and malicious behavior analysis, as well as binary code rewriting and reuse; the investigation of cyber attacks, such as intrusion detection and digital forensics; and digital data recovery.

=== Current Interests ===
---------------------------------------------------------------------------

- **Software security (or binary code analysis)**
  We have always had a strong interest in working with native binary code, especially x86 binaries, because it is everywhere and it is the final representation of the software implementation. In the past, we have investigated the reverse engineering of binary code to discover network protocol formats and, more generally, input data formats. We have also devised techniques for automatic vulnerability discovery and automatic data structure reverse engineering. These days, we are investigating how to automatically identify critical components in software binaries and reuse them in different security contexts.
  [[ICDCS'13 file/ICDCS13.pdf], [ACSAC'12 file/ACSAC12.pdf], [CCS'12 file/CCS12.pdf], [DFRWS'12 file/DFRWS12.pdf], [NDSS'10 file/Rewards_NDSS10.pdf], [DSN'10 file/DCCS10.pdf], [NDSS'09 file/IntScope_NDSS09.pdf], [FSE'08 file/FSE08.pdf], [DSN'08 file/FSE08.pdf], [NDSS'08 file/AutoFormat_NDSS08.pdf]].

- **Systems security**
  We also have a strong interest in OS kernel and hypervisor program analysis. In fact, kernel programs are sometimes a bit easier to analyze than user-level programs. Our particular interest is in instrumenting the virtual machine monitor (much as we instrument normal user-level binary programs) to understand OS behavior, such as OS kernel control flow and OS data structures, and in proposing protection techniques for OS control and data integrity.
  [[ISCA'13 file/ISCA13.pdf], [DSN'13 file/DSN13.pdf], [VEE'13 file/VEE13.pdf], [SOCC'12 file/SOCC12.pdf], [S&P'12 file/SP12.pdf], [NDSS'11 file/SigGraph_NDSS11.pdf]]

- **Cloud computing (Virtualization, Introspection)**
  With the rapid movement towards cloud computing, cloud security and virtual machine (VM) management have gradually become a big concern. Our expertise is in memory data analysis, which becomes a virtual machine introspection (VMI) problem in the IaaS cloud, as both applications need to analyze memory data. Our main focus is to develop automatic introspection techniques for both VMI and forensics.
  [[ISCA'13 file/ISCA13.pdf], [VEE'13 file/soon.txt], [SOCC'12 file/SOCC12.pdf], [S&P'12 file/SP12.pdf], [NDSS'11 file/SigGraph_NDSS11.pdf]]

- **Memory or disk data analysis (for introspection, digital forensics, and intrusion detection)**
  Our emphasis is mainly on memory data analysis. Essentially, digital forensics aims to recover digital evidence, which is usually data and has to be interpreted based on its data structures. As we have developed data structure reverse engineering techniques, we aim to apply that data structure knowledge for better digital forensics. In the past, we focused on identifying data instances in both live and dead memory. Recently, we have focused on how to carve binary files from disk images.
  [[ISCA'13 file/ISCA13.pdf], [DSN'13 file/DSN13.pdf], [SOCC'12 file/SOCC12.pdf], [DFRWS'12 file/DFRWS12.pdf], [NDSS'12 file/DIMSUM_NDSS12.pdf], [NDSS'11 file/SigGraph_NDSS11.pdf], [NDSS'10 file/Rewards_NDSS10.pdf]]

- **Diversity/Randomization for Security**
  Monoculture is the root cause of our cyber infrastructure's vulnerability to large-scale, automated attacks. Another of our research efforts focuses on breaking the monoculture of the existing computing environment and introducing randomization (unpredictability) into systems and software. In the past, we worked on data structure layout randomization, and our ongoing efforts focus on many other aspects of randomization.
  [[CCS'12 file/CCS12.pdf], [DIMVA'09 file/DIMVA09.pdf]]


=== People ===
---------------------------------------------------------------------------

==== Faculty ====

- [Dr. Zhiqiang Lin http://www.utdallas.edu/~zhiqiang.lin/]


==== PhD Students ====

- Yangchun Fu
- Yufei Gu
- Vishwath Mohan (working closely)
- [David Urbina http://www.utdallas.edu/~david.urbina/]
- Junyuan Zeng (co-advised with [Dr. Bhavani Thuraisingham http://www.utdallas.edu/~bxt043000/])
- Husheng Zhou


==== Master Students ====

- David B Sounthiraraj
- [Scott Hand http://www.utdallas.edu/~shand/]
- Joshua Hammond
- Kenneth Miller
- Matthew Stephen


==== Undergraduate Students ====

- [UTD-CSG (Computer Security Group) http://csg.utdallas.edu]
  - Their achievements
    - CSAW CTF 2012 (37th globally, 9th in the undergraduate teams)
    - CSAW CTF 2011 (24th globally, 7th in the undergraduate teams)
    - IFSF CTF 2012 (15th globally, 2nd in the US)


==== Alumni ====

- Kevin Hulin (MS 2012, first employment Sandia National Lab)
- Camron Quituga (MS 2012, first employment DoD)
- Mitchell Adair (MS 2012, first employment Raytheon)


==== Note ====

- Our lab is always looking to hire good PhD students. If you are fascinated by operating systems/virtualization, binary code, and/or compilers, and are highly motivated, we should talk.


=== Publications ===
---------------------------------------------------------------------------

 || Conferences/Journals | Papers |
 || 2013 ||
 | **ISCA** | "CPU Transparent Protection of OS Kernel and Hypervisor Integrity with Programmable DRAM". Ziyi Liu, Jonghyuk Lee, Junyuan Zeng, Yuanfeng Wen, Zhiqiang Lin, and Weidong Shi. To appear in //Proceedings of the 40th International Symposium on Computer Architecture//, Tel-Aviv, Israel. June 2013. (56/282=19.9%) [[PDF file/soon.txt]][[Slides file/soon.txt]][[Bibtex bib/isca13.bib]] |
 | **ICDCS** | "AUTOVAC: Towards Automatically Extracting System Resource Constraints and Generating Vaccines for Malware Immunization". Zhaoyan Xu, Jialong Zhang, Guofei Gu, and Zhiqiang Lin. To appear in //Proceedings of the 33rd International Conference on Distributed Computing Systems//, Philadelphia, USA. July 2013. (61/365=16.7%) [[PDF file/soon.txt]][[Slides file/soon.txt]][[Bibtex bib/icdcs13.bib]] |
 | **DSN** | "Manipulating Semantic Values in Kernel Data Structures: Attack Assessments and Implications". Aravind Prakash, Eknath Venkataramani, Heng Yin, and Zhiqiang Lin. To appear in //Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-PDS)//, Budapest, Hungary, June 2013 [[PDF file/soon.txt]][[Slides file/soon.txt]][[Bibtex bib/dsn13.bib]] |
 | **VEE** | "Exterior: Using a Dual-VM Based External Shell for Guest-OS Introspection, Configuration, and Recovery". Yangchun Fu, and Zhiqiang Lin. To appear in //Proceedings of the 9th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments//, Houston, TX, March 2013 [[PDF file/VEE13.pdf]][[Slides file/VEE13-Slides.pdf]][[Bibtex bib/vee13.bib]] |
 || 2012 ||
 | **ACSAC** | "Securing Untrusted Code via Compiler-Agnostic Binary Rewriting". Richard Wartel, Vishwath Mohan, Kevin Hamlen, and Zhiqiang Lin. In //Proceedings of the 28th Annual Computer Security Applications Conference//, Orlando, FL, December 2012. (44/231=19%) [[PDF file/ACSAC12.pdf]][[Slides file/ACSAC12.pptx]][[Bibtex bib/acsac12.bib]] (//Outstanding Student Paper Award//) |
 | **SOCC** | "OS-Sommelier: Memory-Only Operating System Fingerprinting in the Cloud". Yufei Gu, Yangchun Fu, Aravind Prakash, Zhiqiang Lin, and Heng Yin. In //Proceedings of the 3rd ACM Symposium on Cloud Computing//, San Jose, CA, October 2012. ((21+4)/165=15.3%) [[PDF file/SOCC12.pdf]][[Slides file/socc12-slides.pdf]][[Bibtex bib/socc12.bib]] |
 | **CCS** | "Binary Stirring: Self-randomizing Instruction Addresses of Legacy x86 Binary Code". Richard Wartel, Vishwath Mohan, Kevin Hamlen, and Zhiqiang Lin. In //Proceedings of the 19th ACM Conference on Computer and Communications Security//, Raleigh, NC, October 2012. (80/423=18.9%) [[PDF file/CCS12.pdf]][[Slides file/CCS12.pptx]][[Bibtex bib/ccs12.bib]] (This paper won //2nd place in the NYU-Poly AT&T Best Applied Security Paper// of the Year [2012 http://www.poly.edu/csaw2012/csaw-research]) |
 | **DFRWS** | "Bin-Carver: Automatic Recovery of Binary Executable Files". Scott Hand, Zhiqiang Lin, Guofei Gu, and Bhavani Thuraisingham. In //Proceedings of the 12th Annual Digital Forensics Research Conference//, Washington DC, August 2012 (14/47=29.8%). [[PDF file/DFRWS12.pdf]][[Slides file/BinCarver.pdf]][[Bibtex bib/dfrws12.bib]] |
 | **S&P** | "Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection". Yangchun Fu, and Zhiqiang Lin. In //Proceedings of the 33rd IEEE Symposium on Security and Privacy//, San Francisco, CA, May 2012 (40/307=13%). [[PDF file/SP12.pdf]][[Slides file/sp12-Slides.pdf]][[Slides-Handout file/sp12-handout.pdf]][[Demo http://www.youtube.com/watch?v=RY4xGfONgYg]][[Bibtex bib/oakland12.bib]] |
 | **NDSS** | "DIMSUM: Discovering Semantic Data of Interest from Un-mappable Memory with Confidence". Zhiqiang Lin, Junghwan Rhee, Chao Wu, Xiangyu Zhang, and Dongyan Xu. In //Proceedings of the 19th ISOC Network and Distributed System Security Symposium//, San Diego, CA, February 2012 (46/258 = 17.8%). [[PDF http://www.internetsociety.org/sites/default/files/10_1.pdf]][[Slides http://www.internetsociety.org/sites/default/files/P10_1.pdf]][[Bibtex bib/ndss12.bib]] |
 || 2011 and Before ||
 | **AsiaCCS** | "Characterizing Kernel Malware Behavior with Kernel Data Access Patterns". Junghwan Rhee, Zhiqiang Lin, and Dongyan Xu. In //Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security//, Hong Kong, March 2011 (35/217 = 16.1%). [[PDF http://friends.cs.purdue.edu/pubs/ASIACCS11.pdf]] [[Bibtex bib/asiaccs11.bib]] |
 | **NDSS** | "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures". Zhiqiang Lin, Junghwan Rhee, Xiangyu Zhang, Dongyan Xu, and Xuxian Jiang. In //Proceedings of the 18th Network and Distributed System Security Symposium//, San Diego, CA, February 2011 (28/139 = 20.1%). [[Abstract ndss11.html]][[PDF file/SigGraph_NDSS11.pdf]][[Bibtex bib/ndss11.bib]][[Demo file/SigGraph.avi]][[Slides file/NDSS11.ppt]] |
 | **ISSTA** | "Strict Control Dependence and its Effect on Dynamic Information Flow Analyses". Tao Bao, Yunhui Zheng, Zhiqiang Lin, Xiangyu Zhang and Dongyan Xu. In //Proceedings of the 2010 International Symposium on Software Testing and Analysis//, Trento, Italy. July 2010 (24/105 = 23%). [[Bibtex bib/issta10.bib]][[PDF file/issta10.pdf]] |
 | **DSN** | "Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack Construction". Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. In //Proceedings of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS)//, Chicago, IL, June 2010 (39/168=23.2%). [[Abstract dsn10.html]][[PDF file/DCCS10.pdf]][[Bibtex bib/dsn10.bib]][[Slides file/DCCS10.ppt]] |
 | **NDSS** | "Automatic Reverse Engineering of Data Structures from Binary Execution". Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. In //Proceedings of the 17th Network and Distributed System Security Symposium//, San Diego, CA, February 2010 (24/156=15.4%). [[Abstract ndss10.html]][[PDF file/Rewards_NDSS10.pdf]][[Bibtex bib/ndss10.bib]][[Slides file/NDSS10.ppt]][[Demo file/rewards_demo.tar.gz]] (Note that this paper won //1st place in the Poster Competition of [2010 CERIAS Annual Information Security Symposium http://www.cerias.purdue.edu/site/symposium2010]//) |
 | **TSE** | "Reverse Engineering Input Syntactic Structure from Program Execution and Its Applications". Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. //IEEE Transactions on Software Engineering//. 36(5), 2010. [[PDF http://www.computer.org/portal/web/csdl/doi/10.1109/TSE.2009.54]][[Bibtex bib/tse10.bib]] |
 | **DIMVA** | "Polymorphing Software by Randomizing Data Structure Layout". Zhiqiang Lin, Ryan Riley, and Dongyan Xu. In //Proceedings of the 6th SIG SIDAR Conference on Detection of Intrusions and Malware and Vulnerability Assessment//. Milan, Italy, July 2009 ((10+3)/44=29.5%). [[Abstract dimva09.html]][[PDF file/DIMVA09.pdf]][[Bibtex bib/dimva09.bib]][[Code dimva09.html]] |
 | **NDSS** | "IntScope: Automatically Detecting Integer Overflow Vulnerability In X86 Binary Using Symbolic Execution". Tielei Wang, Tao Wei, Zhiqiang Lin, and Wei Zou. In //Proceedings of the 16th Network and Distributed System Security Symposium//, San Diego, CA, February 2009 (20/171=11.7%). [[Abstract ndss09.html]][[PDF file/IntScope_NDSS09.pdf]][[Bibtex bib/ndss09.bib]] |
 | **FSE** | "Deriving Input Syntactic Structure From Execution". Zhiqiang Lin, and Xiangyu Zhang. In //Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering//. Atlanta, Georgia, USA, November 2008 (31/152=20.5%). [[Abstract fse08.html]][[PDF file/FSE08.pdf]][[Bibtex bib/fse08.bib]][[Slides file/FSE08.ppt]] |
 | **DSN** | "Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach". Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. In //Proceedings of the 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-DCCS)//, Anchorage, Alaska, USA, June 2008 (34/149=23%). [[Abstract dsn08.html]][[PDF file/DSN08.pdf]][[Bibtex bib/dsn08.bib]][[Slides file/DSN08.ppt]] |
 | **NDSS** | "Automatic Protocol Format Reverse Engineering Through Context-Aware Monitored Execution". Zhiqiang Lin, Xuxian Jiang, Dongyan Xu, and Xiangyu Zhang. In //Proceedings of the 15th Network and Distributed System Security Symposium//, San Diego, CA, February 2008 (21/118=17.8%) [[Abstract ndss08.html]][[PDF file/AutoFormat_NDSS08.pdf]][[Bibtex bib/ndss08.bib]][[Slides file/NDSS08.ppt]] |
 | **AsiaCCS** | "AutoPaG: Towards Automated Software Patch Generation with Source Code Root Cause Identification and Repair". Zhiqiang Lin, Xuxian Jiang, Dongyan Xu, Bing Mao, and Li Xie. In //Proceedings of ACM Symposium on InformAtion, Computer and Communications Security//, Singapore, March 2007 (Acceptance ratio: 33/188=17.6%). [[PDF file/AutoPaG.pdf]][[Bibtex bib/autopag_asiaccs07.bib]][[Slides file/ASIACCS07_AutoPaG.ppt]] |
 | **ISC** | "Transparent Run-Time Prevention of Format-String Attacks via Dynamic Taint and Flexible Validation". Zhiqiang Lin, Nai Xia, Guole Li, Bing Mao, and Li Xie. In //Proceedings of the 9th Information Security Conference//. Greece. Sept, 2006 (Acceptance ratio: 38/188=20.2%). [[PDF file/ISC06.pdf]][[Bibtex bib/isc06.bib]][[Code file/LibFormat.tar.gz]] |
 | **ARES** | "A Practical Framework for Dynamically Immunizing Software Security Vulnerabilities". Zhiqiang Lin, Bing Mao, and Li Xie. In //Proceedings of the First International Conference on Availability, Reliability and Security//. Austria. April, 2006. [[PDF http://www.computer.org/portal/web/csdl/doi/10.1109/ARES.2006.11]][[Bibtex bib/ares06.bib]] |
 | **IAW** | "LibsafeXP: A Practical and Transparent Tool for Run-time Buffer Overflow Preventions". Zhiqiang Lin, Bing Mao, and Li Xie. In //Proceedings of the 7th Annual IEEE Information Assurance Workshop//. West Point, NY. USA. June, 2006. [[PDF file/IAW06.pdf]][[Bibtex bib/iaw06.bib]][[Slides file/LibsafeXP.pdf]][[Code file/LibsafeXP.tar.gz]] |

%!include: ''iff.js''
---------------------------------------------------------------------------
[HOME index.html] [SOURCE %%infile]