The course material is broken into several modules that cover both defensive and offensive materials.

• Lab 0: Turing machine to buffer overflow simulators
• Lab 1: 32-bit buffer overflow
• Lab 2: 32-bit ret2lib buffer overflow
• Lab 3: 64-bit buffer overflow
• Lab 4: Development of remote exploit for Windows web server CVE-2004-2271
• Lab 5: Source code static analysis of CVE-2004-2271 with Atlas
• Lab 6: Fuzzing with AFL
• Lab 7: Symbolic execution with Angr
• Lab 8: Obfuscating CVE-2012-4681 and CVE-2013-0422 exploits to evade antivirus on VirusTotal
• Lab 9: Human-in-the-loop analysis of large Android applications (with and without source code)

The course material is broken into several modules that cover both defensive and offensive materials.

• Lab 0: Turing machine to buffer overflow simulators
• Lab 1: 32-bit buffer overflow
• Lab 2: 32-bit ret2lib buffer overflow
• Lab 3: 64-bit buffer overflow
• Lab 4: Development of remote exploit for Windows web server CVE-2004-2271
• Lab 5: Source code static analysis of CVE-2004-2271 with Atlas
• Lab 6: Fuzzing with AFL
• Lab 7: Symbolic execution with Angr
• Lab 8: Obfuscating CVE-2012-4681 and CVE-2013-0422 exploits to evade antivirus on VirusTotal
• Lab 9: Human-in-the-loop analysis of large Android applications (with and without source code)

The course material is broken into several modules that cover both defensive and offensive materials.

• Lab 0: Turing machine to buffer overflow simulators
• Lab 1: 32-bit buffer overflow
• Lab 2: ret2lib-bit ROP buffer overflow
• Lab 3: 64-bit buffer overflow
• Lab 4: Development of remote exploit for Windows web server CVE-2004-2271
• Lab 5: Source code static analysis of CVE-2004-2271 with Atlas
• Lab 6: Fuzzing with AFL
• Lab 7: Symbolic execution with Angr
• Lab 8: Obfuscating CVE-2012-4681 and CVE-2013-0422 exploits to evade antivirus on VirusTotal
• Lab 9: Human-in-the-loop analysis of large Android applications (with and without source code)

What is dynamic analysis and when should we use it? Dynamic analysis is one tool in a software security professional's toolkit that can drastically improve their effectiveness at analyzing buggy or even malicious software, but it is not a magic bullet. Knowing when and when not to apply dynamic analysis is important. This talk builds an understanding of dynamic analysis from basic principles then examines how dynamic analysis is applied in state-of-the-art tools such as AFL and the techniques that have stemmed from DARPA's Cyber Grand Challenge. Finally, we take a look towards the future at how humans and machines could work together by leveraging each other's strengths to perform a human-in-the-loop statically-informed dynamic analysis.

Algorithmic Complexity Vulnerabilities (ACV) are a class of vulnerabilities that enable Denial of Service attacks. ACVs stem from asymmetric consumption of resources due to complex loop termination logic, recursion, and/or resource intensive library APIs. Completely automated detection of ACVs is intractable and it calls for tools that assist human analysts.

We present DISCOVER, a suite of tools that facilitates human-on- the-loop detection of ACVs. DISCOVER's workflow can be broken into three phases - (1) Automated characterization of loops, (2) Selection of suspicious loops, and (3) Interactive audit of selected loops. We demonstrate DISCOVER using a case study using a DARPA challenge app. DISCOVER supports analysis of Java source code and Java bytecode. We demonstrate it for Java bytecode.

From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Instead of simply learning how to break things, this training focuses on the challenges involved in securing software systems and developing a systematic approach to tackling ongoing software security challenges. The material is broken into 6 modules that cover both defensive and offensive aspects of security.

Exploit Development: First we will become intimately familiar with one particular type of bug, a buffer overflow. We will iteratively develop exploits for a simple Linux program with a buffer overflow before we move on to developing an exploit for a Windows webserver called MiniShare.

Fundamentals of Program Analysis: Next we will discuss program analysis and how it can be used to analyze programs to detect bugs and malware. We will also consider some fundamental challenges and even limitations of what is possible in program analysis. This module discusses relationships between bugs and malware, as well as strategies for integrating human intelligence in automatic program analysis. Later you will be presented with an enormous task of quickly locating malware in a large Android application (several thousand lines of code). Through this activity you will be challenged to develop strategies for auditing something that is too big to personally comprehend. As class we will collectively develop strategies to audit the application, we will use those strategies to develop automated techniques for detecting malware.

Bug Hunting: In this module we will examine strategies for hunting for unknown bugs in software. We will revisit our buffer overflow vulnerabilities and consider what is involved to automatically detect the vulnerability for various programs while considering the limitations of program analysis. We will develop a tool to automatically locate the line number of the code that was exploited in the Minishare webserver.

Antivirus Evasion: Since antivirus is used to actively thwart exploitation attempts, we will take a detour to examine techniques to bypass and evade antivirus. Specifically we will examine what is necessary to manually modify a 4 year old browser drive by attack to become undetectable by all modern antivirus. We will also build a tool to automatically obfuscate and pack our exploit.

Post Exploitation: In this module we will develop a Managed Code Rootkit (MCR) and deploy the rootkit on the victim machine using our previous exploit against Minishare.

Going Beyond: In this final module, we explore future directions in the field and examine some open problems in the context of what we learned in the previous modules.

It is the objective that by the end of this course participants should be able to: 1) Demonstrate basic bug hunting, exploitation, evasion, and post-exploitation skills, 2) Describe commonalities between vulnerability analysis and malware detection, 3) Describe fundamental limits in program analysis, 4) Challenge conventional viewpoints of security, 5) Confidently approach large third party software, 6) Critically evaluate software security products, and 7) Locate additional relevant resources.

The paper presents the Mockingbird framework that combines static and dynamic analyses to yield an efficient and scalable approach to analyze large Java software. The framework is an innovative integration of existing static and dynamic analysis tools and a newly developed component called the Object Mocker that enables the integration. The static analyzers are used to extract potentially vulnerable parts from large software. Targeted dynamic analysis is used to analyze just the potentially vulnerable parts to check whether the vulnerability can actually be exploited.

We present a case study to illustrate the use of the framework to analyze complex software vulnerabilities. The case study is based on a challenge application from the DARPA Space/Time Analysis for Cybersecurity (STAC) program. Interestingly, the challenge program had been hardened and was thought not to be vulnerable. Yet, using the framework we could discover an unintentional vulnerability that can be exploited for a denial of service attack. The accompanying demo video depicts the case study.

Program invariants are properties that are true at a particular program point or points. Program invariants are often undocumented assertions made by a programmer that hold the key to reasoning correctly about a software verification task. Unlike the contemporary research in which program invariants are defined to hold for all control flow paths, we propose homomorphic program invariants, which hold with respect to a relevant equivalence class of control flow paths. For a problem-specific task, homomorphic program invariants can form stricter assertions. This work demonstrates that the novelty of computing homomorphic program invariants is both useful and practical.

Towards our goal of computing homomorphic program invariants we deal with the challenge of the astronomical number of paths in programs. Since reasoning about a class of program paths must be efficient in order to scale to real world programs, we extend prior work to efficiently divide program paths into equivalence classes with respect to control flow events of interest. Our technique reasons about inter-procedural paths, which we then use to determine how to modify a program binary to abort execution at the start of an irrelevant program path. With off-the-shelf components, we employ the state-of-the-art in fuzzing and dynamic invariant detection tools to mine homomorphic program invariants.

To aid in the task of identifying likely software anomalies, we develop human-in-the-loop analysis methodologies and a toolbox of human-centric static analysis tools. We present work to perform a statically-informed dynamic analysis to efficiently transition from static analysis to dynamic analysis and leverage the strengths of each approach. To evaluate our approach, we apply our techniques to three case study audits of challenge applications from DARPA's Space/Time Analysis for Cybersecurity (STAC) program. In the final case study, we discover an unintentional vulnerability that causes a denial of service (DoS) in space and time, despite the challenge application having been hardened against static and dynamic analysis techniques.

With the advent of highly sophisticated cyber-physical malware (CPM), a cyber-attack can cripple critical services virtually paralyze the nation. In differentiating CPM from traditional malware, the difference really comes from the open-ended possibilities for malware triggers resulting from the wide spectrum of sensor inputs, and the almost limitless application-specific possibilities for designing malicious payloads.

Fundamentally, the challenges of detecting sophisticated CPM stem from the complexities inherent in the software at the heart of cyber-physical systems. We discuss three fundamental challenges: explosion of execution behaviors, computational intractability of checking feasible behaviors, and difficult-to-analyze programming constructs. For each challenge we present a systematic methodology for auditing and verifying software.

In detecting novel CPM, the tasks are: developing plausible hypotheses for malware trigger and malicious payload, analyzing software to gather evidence based on CPM hypotheses, and verifying software to prove or refute a hypothesis based on the gathered evidence. We discuss research directions for effective automation to support these tasks and with audience participating we will demonstrate visual techniques for exploring software.

Software is pervasive, and for better or worse, it now controls most of daily lives. Developing and maintaining secure software is of the upmost importance, but it seems that despite our best efforts we just haven’t gotten it right yet. More importantly we should ask ourselves why haven’t we solved this problem yet? This talk summarizes classical program analysis as well as recent program analysis techniques without all the fancy jargon. As case studies, we examine a few of DARPA’s high-profile software security programs and read between the lines to see where the field is going. Is your job in computer security going to be replaced by machines armed with theorem provers or will humans always have a role to play? Come join in the discussion.

This 2018 DOCGEN Challenge paper describes DynaDoc, an automated documentation system for on-demand context-specific documentation. A key novelty is the use of graph database technology with an eXtensible Common Software Graph Schema (XCSG). Using XCSG-based query language, DynaDoc can mine efficiently and accurately a variety of program artifacts and graph abstractions from millions of lines of code to provide semantically relevant and rich documentation. DynaDoc leverages the extensibility of XCSG to incorporate information about commits, issues, and other supplementary artifacts and links that information to program artifacts.

From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Instead of simply learning how to break things, this training focuses on the challenges involved in securing software systems and developing a systematic approach to tackling ongoing software security challenges. The material is broken into 6 modules that cover both defensive and offensive aspects of security.

Exploit Development: First we will become intimately familiar with one particular type of bug, a buffer overflow. We will iteratively develop exploits for a simple Linux program with a buffer overflow before we move on to developing an exploit for a Windows webserver called MiniShare.

Fundamentals of Program Analysis: Next we will discuss program analysis and how it can be used to analyze programs to detect bugs and malware. We will also consider some fundamental challenges and even limitations of what is possible in program analysis. This module discusses relationships between bugs and malware, as well as strategies for integrating human intelligence in automatic program analysis. Later you will be presented with an enormous task of quickly locating malware in a large Android application (several thousand lines of code). Through this activity you will be challenged to develop strategies for auditing something that is too big to personally comprehend. As class we will collectively develop strategies to audit the application, we will use those strategies to develop automated techniques for detecting malware.

Bug Hunting: In this module we will examine strategies for hunting for unknown bugs in software. We will revisit our buffer overflow vulnerabilities and consider what is involved to automatically detect the vulnerability for various programs while considering the limitations of program analysis. We will develop a tool to automatically locate the line number of the code that was exploited in the Minishare webserver.

Antivirus Evasion: Since antivirus is used to actively thwart exploitation attempts, we will take a detour to examine techniques to bypass and evade antivirus. Specifically we will examine what is necessary to manually modify a 4 year old browser drive by attack to become undetectable by all modern antivirus. We will also build a tool to automatically obfuscate and pack our exploit.

Post Exploitation: In this module we will develop a Managed Code Rootkit (MCR) and deploy the rootkit on the victim machine using our previous exploit against Minishare.

Going Beyond: In this final module, we explore future directions in the field and examine some open problems in the context of what we learned in the previous modules.

It is the objective that by the end of this course participants should be able to: 1) Demonstrate basic bug hunting, exploitation, evasion, and post-exploitation skills, 2) Describe commonalities between vulnerability analysis and malware detection, 3) Describe fundamental limits in program analysis, 4) Challenge conventional viewpoints of security, 5) Confidently approach large third party software, 6) Critically evaluate software security products, and 7) Locate additional relevant resources.

• Day 1: Binary Exploitation
• Day 2: Web Security
• Day 3: Program Analysis
• Day 2: Bug Hunting
• Day 5: Cybersecurity Competition

The paper presents COMB, a tool to improve accuracy and efficiency of software engineering tasks that hinge on computing all relevant program behaviors.

Computing all behaviors and selecting the relevant ones is computationally intractable. COMB uses Projected Control Graph (PCG) abstraction to derive the relevant behaviors directly and efficiently. The PCG is important as the number of behaviors relevant to a task is often significantly smaller than the totality of behaviors.

COMB provides extensive capabilities for program comprehension, analysis, and verification. We present a basic case study and a Linux verification study to demonstrate various capabilities of COMB and the addressed challenges. COMB is designed to support multiple programming languages. We demonstrate it for C and Java.

With the advent of highly sophisticated cyber-physical malware (CPM) such as Industroyer, a cyberattack could be as destructive as the terrorist attack on 9/11, it would virtually paralyze the nation. We discuss as the major risks the vulnerability of: telecommunication infrastructure, industrial control systems (ICS), and mission-critical software.

In differentiating CPM from traditional malware, the difference really comes from the open-ended possibilities for malware triggers resulting from the wide spectrum of sensor inputs, and the almost limitless application-specific possibilities for designing malicious payloads.

Fundamentally, the challenges of detecting sophisticated CPM stem from the complexities inherent in the software at the heart of cyber-physical systems. We discuss three fundamental challenges: explosion of execution behaviors, computational intractability of checking feasible behaviors, and difficult-to-analyze programing constructs.

In detecting novel CPM, the tasks are: developing plausible hypotheses for malware trigger and mali- cious payload, analyzing software to gather evidence based on CPM hypotheses, and verifying software to prove or refute a hypothesis based on the gathered evidence. We discuss research directions for effective automation to support these tasks.

Algorithmic complexity vulnerabilities (ACVs) can be exploited to cause denial-of-service. Detecting ACVs is hard because of the numerous kinds of loop complexities that cause ACVs. This renders automatic detection intractable for ACVs. State-of-the-art loop analyses aim to obtain precise loop iteration bounds automatically; they can do so for relatively simple loops. This research focuses on techniques to amplify intelligence so that the analyst can gain a deeper knowledge of complex loops that is necessary to discover ACVs. We describe: (a) loop abstractions and use them to define patterns and other characterizations of loop behaviors which in turn can be applied to create automated filters to isolate complex loops with high likelihood of ACVs, (b) innovative visual querying mechanisms for interactive loop analysis; they enable the analyst to hypothesize ACVs and gather the necessary evidence for targeted dynamic analysis for confirming ACVs. These capabilities are illustrated with an ACV detection case study. We present an empirical study using over 5000 loops from 4 open source libraries, and 18 DARPA challenge apps. The study evaluates the usefulness of the loop characterizations and patterns to enable the analyst to create effective filters to isolate complex loops.

Software side-channel vulnerabilities (SSCVs) allow an attacker to gather secrets by observing the differential in the time or space required for executing the program for different inputs. Detecting SSCVs is like searching for a needle in the haystack, not knowing what the needle looks like. Detecting SSCVs requires automation that supports systematic exploration to identify vulnerable code, formulation of plausible side-channel hypotheses, and gathering evidence to prove or refute each hypothesis. This paper describes human-on-the-loop automation to empower analysts to detect SSCVs. The proposed automation is founded on novel ideas for canonical side channel patterns, program artifact filters, and parameterized program graph models for efficient, accurate, and interactive program analyses. The detection process is exemplified through a case study. The paper also presents metrics that bring out the complexity of detecting SSCVs.

Massive software systems are being built the way Egyptians were building pyramids, with the sheer force of human labor. Agile development, programming languages, component libraries, and integrated development environments, help but they have not brought down the cost of developing and maintaining software. Software projects continue to run over projected budgets and schedule. The pervasive use of software has opened up dire possibilities of catastrophic accidents and attacks emanating from software vulnerabilities.

The core problem is our inability to understand, analyze, and verify large software systematically. The need for automated analysis is clear given the enormous size of modern software. Patching security holes with reactive automation is not the solution when we face zero-day software defects with deadly power for catastrophic destruction. Not only must automated software security analysis scale to large software but also be proactive and highly accurate.

This tutorial is an introduction to fundamental software analysis principles, systematic problem solving, and automated tool support to address the challenges of large software. Whether you are an educator, a researcher, a software engineer, or a manager you will learn a completely new paradigm to think about software and how to manage the complexity of analyzing and verifying large software for cybersecurity and safety.

Detecting zero-day sophisticated malware is like searching for a needle in the haystack, not knowing what the needle looks like. This paper describes Android Malicious Flow Visualization Toolbox that empowers a human analyst to detect such malware. Detecting sophisticated malware requires systematic exploration of the code to identify potentially malignant code, conceiving plausible malware hypotheses, and gathering evidence from the code to prove or refute each hypothesis. We describe interactive visualizations of program artifacts to understand and analyze complex Android semantics used by an app. The toolbox incorporates visualization capabilities that work together cohesively, and provides a mechanism to easily add new capabilities.

We present case studies of detecting Android malware with confidentiality and integrity breaches. We report the accuracy and efficiency achieved by our team of analysts by using the toolbox, while auditing 77 sophisticated Android apps provided by Defense Advanced Research Projects Agency (DARPA).

JReFrameworker is a Java bytecode manipulation tool released at DEFCON 24 that lowers the barrier to entry for developing Managed Code Rootkits in the Java Virtual Machine. Bytecode manipulations are written entirely in source code, removing the need for any pre-requisite knowledge of bytecode internals and allowing anyone with a basic working knowledge of Java to develop a sophisticated rootkit. Following the tool’s original release last year, development has continued while incorporating community feedback. Along with the improved documentation, bug fixes, and rigorous unit testing comes the ability to create multiphase manipulations, incremental compilation, an improved Metasploit post module, and integrations into the Atlas program analysis framework. By including interactive visual program analysis capabilities, JReFrameworker can automatically generate payloads for arbitrary programs at the click of a mouse (think Minority Report meets rootkit development). Finally, we explore alternate applications of the framework for reverse engineering and hardening third party applications. At the end, a special Derbycon release of the tool, which includes a little something extra, will be revealed.

From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Instead of simply learning how to break things, this training focuses on the challenges involved in securing software systems and developing a systematic approach to tackling ongoing software security challenges. The material is broken into 6 modules that cover both defensive and offensive aspects of security.

Exploit Development: First we will become intimately familiar with one particular type of bug, a buffer overflow. We will iteratively develop exploits for a simple Linux program with a buffer overflow before we move on to developing an exploit for a Windows webserver called MiniShare.

Fundamentals of Program Analysis: Next we will discuss program analysis and how it can be used to analyze programs to detect bugs and malware. We will also consider some fundamental challenges and even limitations of what is possible in program analysis. This module discusses relationships between bugs and malware, as well as strategies for integrating human intelligence in automatic program analysis. Later you will be presented with an enormous task of quickly locating malware in a large Android application (several thousand lines of code). Through this activity you will be challenged to develop strategies for auditing something that is too big to personally comprehend. As class we will collectively develop strategies to audit the application, we will use those strategies to develop automated techniques for detecting malware.

Bug Hunting: In this module we will examine strategies for hunting for unknown bugs in software. We will revisit our buffer overflow vulnerabilities and consider what is involved to automatically detect the vulnerability for various programs while considering the limitations of program analysis. We will develop a tool to automatically locate the line number of the code that was exploited in the Minishare webserver.

Antivirus Evasion: Since antivirus is used to actively thwart exploitation attempts, we will take a detour to examine techniques to bypass and evade antivirus. Specifically we will examine what is necessary to manually modify a 4 year old browser drive by attack to become undetectable by all modern antivirus. We will also build a tool to automatically obfuscate and pack our exploit.

Post Exploitation: In this module we will develop a Managed Code Rootkit (MCR) and deploy the rootkit on the victim machine using our previous exploit against Minishare.

Going Beyond: In this final module, we explore future directions in the field and examine some open problems in the context of what we learned in the previous modules.

It is the objective that by the end of this course participants should be able to: 1) Demonstrate basic bug hunting, exploitation, evasion, and post-exploitation skills, 2) Describe commonalities between vulnerability analysis and malware detection, 3) Describe fundamental limits in program analysis, 4) Challenge conventional viewpoints of security, 5) Confidently approach large third party software, 6) Critically evaluate software security products, and 7) Locate additional relevant resources.

Immutability analysis is important to software testing, verification and validation (V&V) because it can be used to identify independently testable functions without side-effects. Existing tools for immutability analysis are largely academic prototypes that have not been rigorously tested for accuracy or have not been maintained and are unable to analyze programs written in later versions of Java. In this paper, we re-implement two prominent approaches to inferring the immutability of an object: one that leverages a points-to analysis and another that uses a type-system. In addition to supporting Java 8 source programs, our re-implementations support the analysis of compiled Java bytecode. In order to evaluate the relative accuracy, we create a benchmark that rigorously tests the accuracy boundaries of the respective approaches. We report results of experiments on analyzing the benchmark with the two approaches and compare their scalability to real world applications. Our results from the benchmark reveal that points-to based approach is more accurate than the type inference based approach in certain cases. However, experiments with real world applications show that the points-to based approach does not scale well to very large applications and a type inference based approach may offer a scalable alternative.

We live in an age of software problems with catastrophic consequences. An extra goto in Apple's SSL implementation compromised certificate checks for the better part of a year. An erroneous integer conversion in the Ariane 5 launch destroyed the European Space Agency rocket and its cargo valued at 500 million dollars. Often the problem is just a few lines of code and looking for it is like searching for a needle in a haystack, but without knowing what a needle looks like. Moreover the problems are often so subtle that it is difficult to tell if the problem is intentionally malicious or an honest mistake. The traditional approach to bug and malware detection fails to detect novel attacks or discover new classes of bugs. To make matters worse, both problems can remain dormant and can easily evade testing. In this talk we critically explore the challenges involved in bug and malware detection. To explore concepts further we leverage a framework called JReFrameworker for manipulating the Java runtime environment to develop managed code rootkits.

This tutorial is about new genera of information leakage vulnerabilities, far more difficult to detect than the vulnerabilities that have previously dominated the software security landscape. We will survey attacks that have exploited information leakage vulnerabilities to steal sensitive information. We will show how to discover information leakage vulnerabilities using techniques and tools for visual modeling of software from our research on two high-profile DARPA programs, the Automated Program Analysis for Cybersecurity (APAC) and Space/Time Analysis for Cybersecurity (STAC).

The tutorial goals are:

1. Provide broad knowledge and the key concepts about information leakage threats.
2. Teach interactive tools to create visual models to analyze Java bytecode.
3. Provide hands-on experience of applying visual models with interactive visualization to audit an application for information leakage threats.

Algorithmic Complexity (AC) vulnerabilities can be exploited to cause a denial of service attack. Specifically, an adversary can design an input to trigger excessive (space/time) resource consumption. It is not possible to build a fully automated tool to detect AC vulnerabilities. Since it is an open-ended problem, a human-in-loop exploration is required to find the program loops that could have AC vulnerabilities. Ascertaining whether an arbitrary loop has an AC vulnerability is itself difficult, which is equivalent to the halting problem.

This paper is about a pragmatic engineering approach to detect AC vulnerabilities. It presents a statically-informed dynamic (SID) analysis and two tools that provide critical capabilities for detecting AC vulnerabilities. The first is a static analysis tool for exploring the software to find loops as the potential candidates for AC vulnerabilities. The second is a dynamic analysis tool that can try many different inputs to evaluate the selected loops for excessive resource consumption. The two tools are built and integrated together using the interactive software analysis, transformation, and visualization capabilities provided by the Atlas platform.

The paper describes two use cases for the tools, one to detect AC vulnerabilities in a Java bytecode and another to use the tools in an undergraduate algorithm class for students to perform experiments to learn different aspects of algorithmic complexity.

Software malfunctions can have catastrophic consequences and enormous costs. The error-prone and laborious manual practices of developing and maintaining large software must change to cope with ever increasing complexity of software, and the enormous safety and security challenges it poses. Formal verification is not a practical alternative for large software; it is riddled with problems of low accuracy and high computational complexity. The need for automation in software engineering is undoubted, however, a human is indispensable to reason about complex software. With this background, we have conducted two decades of research on human-in-loop automation (HLA) as a pragmatic alternative to manage complexity, safety, and security of large software systems in the cyber-physical world.

This course will introduce the HLA technology developed through our research, with unprecedented capabilities to model, analyze, visualize, verify, and transform large software in multiple languages. The HLA technology incorporates a graph database platform with a powerful query language to extract knowledge from software and build visual models to solve complex problems through automation guided by human reasoning. The HLA technology has been validated by applying it to: automatic parallelization of climate model software, model-based software development for critical avionics and automobile control systems, safety verifications of the Linux operating system, and cybersecurity challenges posed by Defense Advanced Research Projects Agency (DARPA) research programs. More than 300 companies including all major avionics and automobile companies use the HLA tools developed by EnSoft, the company founded on our research.

This course will provide a solid foundation on fundamentals of software that are applicable across all programming languages. With examples of real-world software problems, we will elaborate how this fundamental knowledge can be applied using HLA to cope with software complexity, safety, and security. We will present HLA as a modeling and problem-solving activity. Starting with a HLA model for systematic debugging, the course will show how to gradually advance to build HLA models for verifying complex software such as the Linux kernel. As in physics and mathematics, rigorous problem solving will be taught with models as powerful abstractions. We will use the Atlas platform from EnSoft to build visual models of software. Atlas stores program semantics in a graph database, and provides interactive and programming interfaces to query, model, and visualize software.

A strong laboratory component will include demonstrations, interactive experiments, and programming exercises. The labs will include challenging problems from real-world software in C, Java, and Java byte code. The participants will get a first-hand experience of how to implement HLA techniques through Atlas and perform analysis tasks in few minutes. These will include examples of difficult analysis tasks for which automated analysis is intractable, manual effort is prohibitively high, and thus HLA is the only practical solution.

The lecture notes, exercises, and the HLA tools for conducting the labs will be available to the participants for free academic use. The course will provide transformative ideas and introduce tools to implement them. It will enable academic participants to transform their research and education to focus on real-world problems of large software. It will impel new thinking among industry and government participants to innovate application-specific HLA practices and tools that can save significant time, money and effort with unprecedented capabilities to achieve safety and security in their software systems.

Software analysis has become complex enough to be intimidating to new students and professionals. It can be difficult to know where to start with over three decades of staggering research in data and control flow analyses and a plethora of analysis frameworks to choose from, ranging in maturity, support, and usability. While textbooks, surveys and papers help, nothing beats the personal experience of implementing and experimenting with classic algorithms.

With support from DARPA, we have developed a graph paradigm enabled with an interactive visual framework to implement and experiment with software analysis algorithms. Parsed programs along with pre-computed data and control flows are stored as a graph database so that analyzers with varying degrees of accuracy and scalability tradeoffs can be easily implemented using a high-level query language. The graphical as well as textual composition of queries, interactive visualization, and the 2-way correspondence between the code and its graph models are integrated through a platform called Atlas. With this machinery, the implementation and visualization effort is reduced as much as 10 to 50 fold, making it much easier to learn about and do research on software analysis algorithms with applications to software safety and security. The tutorial will provide the necessary background, including implementation of widely used algorithms. Participants will learn to prototype several algorithms in a short timeframe.

Managed Code Rootkits (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn't new, practical tools for developing MCRs don't currently exist. Erez Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the way for MCRs, but the tool requires the attacker to have knowledge of intermediate languages, does not support other runtimes, and is no longer maintained. Worse yet, the "write once, run anywhere" motto of managed languages is violated when dealing with runtime libraries, forcing the attacker to write new exploits for each target platform.

This talk debuts a free and open source tool called JReFrameworker aimed at solving the aforementioned challenges of developing attack code for the Java runtime while lowering the bar so that anyone with rudimentary knowledge of Java can develop a managed code rootkit. With Java being StackOverflow's most popular server side language of 2015 the Java runtime environment is a prime target for exploitation. JReFrameworker is an Eclipse plugin that allows an attacker to write simple Java source to develop, debug, and automatically modify the runtime. Best of all, working at the intended abstraction level of source code allows the attacker to "write once, exploit anywhere". When the messy details of developing attack code are removed from the picture the attacker can let his creativity flow to develop some truly evil attacks, which is just what this talk aims to explore.

After you log into a website your web browser is given a "cookie". Until you log out, your identity is your possession of that cookie. It's no wonder attackers love to steal your cookies. Let's take a look at how attackers steal from the cookie jar, what they can do with them, and how you can protect yourself.

Neither manual nor totally automated discovery of software vulnerabilities is practical. Manual discovery requires extremely laborious work by highly skilled software analysts and totally automated discovery is riddled with intractable problems.

This tutorial introduces a novel practical approach for machine-enabled human-in-the-loop discovery of software vulnerabilities, and is based on "amplifying human intelligence" rather than trying to replace human intelligence. The approach is supported by a suite of tools with unique capabilities that enable human analysts to quickly identify and understand the relevant parts of large software and perform "what-if experiments" in order to discover highly sophisticated vulnerabilities. These tools are advanced through large Defense Advanced Research Projects Agency (DARPA) projects and their effectiveness has been demonstrated for discovering sophisticated malware challenges.

Agenda:

1. DARPA Research
2. Unify cybersecurity and software reliability – how and why?
3. Solving hard problems with visual models
4. Android App Audits
5. Tool Demonstration

This tutorial is aimed at the audience interested in knowing how software reliability and cybersecurity converge in terms of intrinsic hard problems, and how that knowledge can be useful for advancing the research and practice in both fields. This tutorial is based on our research in three Defense Advanced Research Projects Agency (DARPA) projects and our practical experience of applying the research. The tutorial will provide succinct understanding of the "hardness" through representative problems and by introducing a programming language agnostic notion of an intrinsic hardness spectrum derived from fundamental impediments to detecting vulnerabilities accurately. About 60% of the tutorial will be demonstrations to elaborate on the hardness spectrum and its practical applicability. The representative problems will pertain to reliability issues for operating system kernels and malware attacks on Android apps. We will introduce the use of a powerful program comprehension tool to derive the hardness spectrum by mapping the Java, C, and Java bytecode to high-level entities that reveal the inner workings of complex software.

The growing threat of malware in embedded systems and the possibility of adversaries crafting one-of-a-kind sophisticated malware as a catastrophic cyberweapon makes malware detection a high priority topic for advanced research, college education, and professional training. There is a need for automated detection tools for commercial applications as well as a need for sophisticated apparatus to discover evasive malware targeted at defense applications. With those needs in mind, this tutorial will show the participants how to effectively deploy program analyses for cybersecurity.

The tutorial will be filled with interesting demonstrations of practical techniques, their applicability and limitations, and the underlying formal framework for future advances. We will discuss a novel and easy-to-understand graph paradigm of program analysis as the backbone of the framework. We will introduce Atlas, a platform designed to deploy the graph paradigm effectively. We will show how Atlas makes it easy to develop automated tools by taking away the burden of programming low-level program analysis constructs. We will demonstrate the Android Security Toolbox, an Atlas plug-in, as a sophisticated apparatus we developed through the DARPA APAC program.

The participants will get a hands-on experience in the powerful applicability of the graph paradigm through Atlas by observing its use to perform visual graph interactions or write small graph traversal programs to perform analyses that would otherwise take days of conventional programming. Researchers, college professors, and professional practitioners will find that they can build on the tutorial material and incorporate the graph program analysis paradigm to foster their special interests in research, teaching, or professional practice.

It has been a few years now since int eighty told us to drink all the booze and hack all the things. Well there are plenty of things left to hack, but the cost of booze is really adding up. Come learn how you can cheaply and easily brew your own booze from the many varieties of beer to a Viking mead. We will even touch a little on the legal and historical side of homebrewing. Did you know it's legal to brew your own in all 50 states as long as you don't sell it? Well you will when we give FREE BEER* to a few lucky attendees because we can't legally sell it to you! That's right FREE as in BEER. Finally we are open sourcing a markdown based homebrew log built on the Git version control system so you can publicly record your beer measurements and automatically calculate the alcohol content!

*Some molecular assembly required. Must be 21 years of age. Not enough beer for everyone.

Think twice before you optimize that code! You might just give away the farm. Side channel attacks were traditionally used to reverse engineer cryptographic hardware circuits using power analysis, but more recently timing information is being used to deduce the sensitive inner workings of software. The steady stream of side channel exploits coming out academia and the security community continue to demonstrate the seriousness of the problem and DARPA's current Space/Time Analysis for Cybersecurity (STAC) program indicates that we need a solution now. Let's take a look at a few real examples of information leakage through side channel attacks in web apps and learn to spot them together. If there's a hole in your bucket, then fix it, dear Henry.

This paper presents a demo of our Security Toolbox to detect novel malware in Android apps. This Toolbox is developed through our recent research project funded by the DARPA Automated Program Analysis for Cybersecurity (APAC) project. The adversarial challenge ("Red") teams in the DARPA APAC program are tasked with designing sophisticated malware to test the bounds of malware detection technology being developed by the research and development ("Blue") teams. Our research group, a Blue team in the DARPA APAC program, proposed a "human-in-the-loop program analysis" approach to detect malware given the source or Java bytecode for an Android app. Our malware detection apparatus consists of two components: a general-purpose program analysis platform called Atlas, and a Security Toolbox built on the Atlas platform. This paper describes the major design goals, the Toolbox components to achieve the goals, and the workflow for auditing Android apps. The accompanying video illustrates features of the Toolbox through a live audit.

This workshop was presented at multiple venues: Des Moines Area Community College's Discover Engineering Days, Iowa State University's Society of Women Engineering University, and Iowa State University's IT Olympics. The material was designed for high school level students with the goal of developing critical thinking skills and sparking an interest in engineering careers. During the IT Olympics this material was used to demonstrate to high school educators a way to challenge students to think critically.

Student Session Description: Computer hackers are a dark mysterious group both feared and revered in popular culture. What makes a hacker different? Come learn how anyone can be a hacker as we get our hands dirty attacking physical, digital, and human systems.

Educator Session Description: A workshop that discusses teaching critical thinking, curiosity, and experimentation to students through computer security. The workshop involves hands on labs for disabling tamper evident devices, voicemail hacking, and social engineering, as well as legal and ethical issues in security.

Automated static analysis tools are widely used in identifying software anomalies, such as memory leak, unsafe thread synchronization and malicious behaviors in smartphone applications. Such anomaly-prone scenarios can be bifurcated into: "ordinary" (analysis requires relatively simple automation) and "complex" (analysis poses extraordinary automation challenges). While automated static analysis tools can resolve ordinary scenarios with high accuracy, automating the analysis of complex scenarios can be very challenging and, at times, infeasible. Even when feasible the cost for full automation can be exorbitant: either in implementing the automation or in sifting through the large number of erroneous results manually. Instead, we appeal for a "Human-in-the-loop" approach called "Amplified Reasoning Technique" (ART). While some of the existing approaches do involve human in the analysis process, the roles played by man and machine are mainly segregated. Whereas, ART puts man and machine in a "loop" in an interactive and visualization-based fashion. This paper makes an attempt to convince its readers to make their analysis of software anomalies ART-based by presenting real-world case studies of complex anomalies and how an ART based approach can be very effective in resolving them. The case studies highlight the desired characteristics of an ART based tool and the type of role it plays in amplifying human intelligence.

We live in an age of software problems with catastrophic consequences. An extra goto in Apple's SSL implementation compromised certificate checks for the better part of a year. An erroneous integer conversion in the Ariane 5 launch destroyed the European Space Agency rocket and its cargo valued at 500 million dollars. Often the problem is just a few lines of code and looking for it is like searching for a needle in the haystack. Moreover the problems are often so subtle that it is difficult to tell if the problem is intentionally malicious or an honest mistake. The traditional approach to malware detection fails to detect such catastrophic problems. To make matters worse, the problem can remain dormant and can easily evade testing. The recently exposed Heartbleed problem in OpenSSL has existed since 2011. It is an open challenge to discover these subtle but catastrophic problems in software. In this talk, Iowa State University researchers involved with DARPA's Automated Program Analysis for Cybersecurity (APAC) project will discuss their approach to address this challenge. This approach enables a unique combination of automated software analysis and human intelligence. The approach will be concretely demonstrated by its use to detect subtle problems in Android applications.

With rising privacy concerns and the widespread adoption of social media platforms, it becomes necessary to examine how much information is still exposed after privacy protection mechanisms are enabled. Malicious attackers and investigators looking to utilize social media often face privacy and platform restrictions that serve both to protect the privacy of individuals and to protect the economic livelihood of the social media platform. This work focuses on revealing private social contacts as a first step to a larger reconnaissance of a target Online Social Network (OSN) profile. In many OSNs the friends that are hidden when a user enables privacy protection mechanisms may still be discovered by visiting the profiles of the target’s friends and searching for public references to the target account. For large OSNs such as Facebook it would be unfeasible to search large portions of the network to discover friends of the target. In this work, we review existing Social Network Analysis (SNA) research to examine how it can be exploited to efficiently discover a majority of private friends. As our contribution, we propose a greedy search algorithm for enabling efficient discovery of private friends on social networking sites, which has shown a 33.6% to 41.6% improvement over a standard breadth-first search on synthetically generated social networks as well as real-world social networks.

Open Source Intelligence (OSINT) has been widely acknowledged as a critical source of valuable and cost efficient intelligence that is derived from publicly available sources. With the rise of prominent social media platforms such as Facebook and Twitter that record and expose a multitude of different datasets, investigators are beginning to look at what social media has to offer the Intelligence Community (IC). Some major obstacles that OSINT analysts often face are privacy and platform restrictions that serve both to protect the privacy of individuals and to protect the economic livelihood of the social media platform. In this work we review existing social networking research to examine how it can be applied to OSINT. As our contribution, we propose a greedy search algorithm for enabling efficient discovery of private friends on social networking sites and evaluate its performance on multiple randomly generated graphs as well as a real-world social network collected by other researchers. In its breadth, this work aims to provide the reader with a broader understanding of OSINT and key concepts in social network analysis.