Paper list
Note
Particularly for systems security papers:
(1) Read Abstract → Introduction → Conclusion.
(2) Find and read a motivation (representative) example or case studies. They include a complete (and often realistic) story and how the proposed idea solves the problem with newly proposed methods.
Memory Corruption and Control Flow Hijacking
- SoK: Eternal War in Memory
- Smashing the Stack: Read the following two articles
- On the effectiveness of Address-Space Randomization [CCS 04]
ROP Attacks
- Return-Oriented Programming: Systems, Languages, and Applications [TISSEC 12]
- Return-oriented programming without returns [CCS 12]
- You Can Run but You Can’t Read: Preventing Disclosure Exploits in Executable Code [CCS 14]
- Readactor: Practical Code Randomization Resilient to Memory Disclosure [SP 15]
Control Flow and Code Pointer Integrity
- Control-Flow Integrity [CCS 05]
- Control Flow Integrity for COTS Binaries [SEC 13]
- Code-Pointer Integrity [OSDI 2014]
More Binary Attack and Defenses
Advanced Attacks
- Framing Signals—A Return to Portable Shellcode
- APISAn: Sanitizing API Usages through Semantic Cross-Checking
- (State of) The Art of War: Offensive Techniques in Binary Analysis
Integer Vulnerabilities and Defenses
- Understanding Integer Overflow in C/C++ [ICSE 2012]
- Improving Integer Security for Systems with KINT [OSDI 12]
Dynamic/Static Analysis Frameworks
- Pin: building customized program analysis tools with dynamic instrumentation [PLDI 05]
- Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation [PLDI 07]
- LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation [CGO‘04]
- DynInst Anywhere, any-time binary instrumentation [PASTE 11]
- AddressSanitizer: A Fast Address Sanity Checker [ATC 12]
Dynamic Analysis
- libdft: Practical Dynamic Data Flow Tracking for Commodity Systems [VEE 12]
- A General Approach for Efficiently Accelerating Software-based Dynamic Data Flow Tracking on Commodity Hardware [NDSS 12]
- FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps [PLDI 14]
- LDX: Causality Inference by Lightweight Dual Execution [ASPLOS 16]
Static Analysis
Symbolic Execution
- KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs [OSDI 08]
- (State of) The Art of War: Offensive Techniques in Binary Analysis [SP 16]
Virtualization and Security
- When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments [HotOS 05]
- Virtualization: Issues, Security Threats, and Solutions
- CloudVisor: Retrofitting Protection of Virtual Machines in Multi-tenant Cloud with Nested Virtualization [SOSP 11]
- Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds [CCS 09]
Kernel security
- Linux kernel vulnerabilities: State-of-the-art defenses and open problems short paper
- ret2dir: Rethinking Kernel Isolation [SEC 14]
- Breaking Kernel Address Space Layout Randomization with Intel TSX [CCS 16]
Sandboxing: Isolation, and Fault localization
- The Security Architecture of the Chromium Browser
- Native Client: A Sandbox for Portable, Untrusted x86 Native Code [S&P 09]
- Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts [SP 17]
IoT and CPS Security
- GUITAR: Piecing Together Android App GUIs from Memory Images [CCS 15]
- Fear and Logging in the Internet of Things [NDSS 18]
- IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing [NDSS 18]
Threat Intelligence Computing
- Threat Intelligence Computing [CCS 18]
- Reading the Tea leaves: A Comparative Analysis of Threat Intelligence [SEC 19]
- Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis [SEC 19]
- ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks [SEC 19]
Audit-logging and Provenance Analysis
- Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools [NDSS 03]
- LogGC: Garbage Collecting Audit Log [CCS 13]
- Towards a Timely Causality Analysis for Enterprise Security [NDSS 18]
Code obfuscation/de-obfuscation
- SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers [SP 15]
- Deobfuscation of virtualization-obfuscated software: a semantics-based approach [CCS‘11]
- LOOP: Logic-Oriented Opaque Predicate Detection in Obfuscated Binary Code [CCS‘15]
- Code obfuscation against symbolic execution attacks [ACSAC‘16]
Hardwares
Hardware Vulnerabilities - Cases for Meltdown / Spectre Attacks
- Meltdown: Reading Kernel Memory from User Space[Sec 18]
- Spectre Attacks: Exploiting Speculative Execution[S&P 19]
Hardware and Enclave (SGX) Security
- Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing [SEC 17]
- High-Resolution Side Channels for Untrusted Operating Systems[ATC 17]
- Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX [ATC 17]
Page last revised on: 2019-09-23