Vulnerabilities and counter-measures
- Host vulnerabilities and counter-measures
  - Stack smashing
    - Aleph One, "Smashing the Stack for Fun and Profit", link
    - C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, "StackGuard: Automatic Detection and Prevention of Buffer-Overflow Attacks", USENIX Security Symposium 1998. paper
    - Vendicator, "StackShield", link
    - H. Etoh, K. Yoda, "ProPolice: Improved Stack-Smashing Attack Detection", IPSJ SIGNotes Computer SECurity, 014(025), Oct. 2001. paper
    - Bulba, Kill3r, "Bypassing StackGuard and StackShield", Phrack Magazine, 56(5), May 2000. link
    - M. Prasad, T. Chiueh, "A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks", USENIX 2003. paper
    - Solar Designer, "Getting around non-executable stack (and fix)", Aug. 1997. link
    - Nergal, "The Advanced Return-into-lib(c) Exploits (PaX case study)", Phrack Magazine, 58(4), Dec. 2001. link
    - A. Baratloo, N. Singh, T. Tsai, "Transparent Run-time Defense Against Stack Smashing Attacks", USENIX 2000. paper
  - Format strings
    - Scut/team teso, "Exploiting Format String Vulnerabilities", 2001. link
    - C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, "FormatGuard: Automatic Protection from printf Format String Vulnerabilities", USENIX Security Symposium 2001. paper
    - U. Shankar, K. Talwar, J. Foster, D. Wagner, "Detecting Format String Vulnerabilities with Type Qualifiers", USENIX Security Symposium 2001. paper
  - Races
    - M. Bishop and M. Dilger, "Checking for Race Conditions in File Accesses", Computing Systems 9(2), pp. 131-152, Spring 1996. paper
    - SANS, "SANS Malware FAQ: How does the Ptrace exploit works (sic) on Linux?", link
    - C. Cowan, S. Beattie, C. Wright, G. Kroah-Hartman, "RaceGuard: Kernel Protection From Temporary File Race Vulnerabilities", USENIX Security Symposium 2001. paper
  - Algorithmic complexity
    - S. Crosby, D. Wallach, "Denial of Service via Algorithmic Complexity Attacks", USENIX Security Symposium 2003. paper
  - Others (please skip above three when presenting)
    - E. Chien, P. Szor, "Blended Attacks: Exploits, Vulnerabilities, and Buffer-Overflow Techniques in Computer Viruses", Virus Bulletin Conference 2002, pp. 1-35. paper
    - G. Ollmann, "URL Encoded Attacks", link
    - C. Cowan, S. Arnold, S. Beattie, C. Wright, J. Viega, "Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack", DARPA DISCEX III Conference 2003. paper
  - Generic prevention
    - H. Chen, D. Dean and D. Wagner, "Model Checking One Million Lines of C Code", NDSS 2004. paper
- Network vulnerabilities and counter-measures
  - 802.11 WEP
    - J. Walker, "IEEE 802.11 Wireless LANs Unsafe at any key size; An analysis of the WEP encapsulation", paper
    - N. Borisov, I. Goldberg, and D. Wagner, "Intercepting mobile communications: The insecurity of 802.11", in Proceedings of MOBICOM 2001. paper
    - W. Arbaugh, N. Shankar, Y. Wan, "Your 802.11 Wireless Network Has No Clothes", paper
  - 802.11 MAC
    - J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", USENIX Security Symposium 2003. paper
  - TCP CC #1
    - S. Savage, N. Cardwell, D. Wetherall, T. Anderson, "TCP Congestion Control with a Misbehaving Receiver", ACM CCR 1999. paper
  - TCP CC #2
    - A. Kuzmanovic, E. Knightly, "Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants)", ACM SIGCOMM 2003. paper
  - TCP SYN
    - C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a Denial of Service Attack on TCP", paper
    - D. Kaminsky, "scanrand: Paketto 1.0", 2002. link #1 | link #2
    - D. Bernstein, "SYN cookies", link
  - TCP SYN Sequence Numbers
    - S. Bellovin, "Security Problems in the TCP/IP Protocol Suite", paper
    - R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software", paper
    - M. Zalewski, "Strange Attractors and TCP/IP Sequence Number Analysis", link #1 | link #2
    - S. Bellovin, "Defending against sequence number attacks", RFC 1948, paper
    - P. Watson, "Slipping in the Window: TCP Reset Attacks", paper
    - A. Heffernan, "Protection of BGP Sessions via the TCP MD5 Signature Option", RFC 2385, Aug. 1998. link
  - DNS transaction numbers
    - C. Schuba, "Addressing Weaknesses in the Domain Name System Protocol", MS Thesis, Aug. 1993. paper
    - J. Stewart, "DNS Cache Poisoning - The Next Generation", SecurityFocus, Jan. 2003. paper
  - DNS
    - D. Kaminsky, "Black Ops 2004 @ LayerOne", slides
  - Reflectors
    - V. Paxson, "An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks", CCR vol. 31, no. 3, July 2001. paper
  - Authentication flaws
    - K. Fu, E. Sit, K. Smith, and N. Feamster, "Dos and don'ts of client authentication on the web", in Proceedings of the 10th USENIX Security Symposium 2001. paper
Applying Biology to Security
- Population diversity
  - Programs
    - F. Cohen, "Operating Systems Protection Through Program Evolution", IFIP-TC11 Computers and Security (1994). paper
  - Compilers
    - S. Forrest, A. Somayaji, and D. Ackley, "Building Diverse Computer Systems", HotOS (1997). paper
  - Operating systems
    - M. Chew, D. Song, "Mitigating Buffer Overflows by Operating System Randomization", CMU-CS-02-197 Technical Report. paper
    - J. Xu, Z. Kalbarczyk, R. Iyer, "Transparent Runtime Randomization for Security", SRDS 2003. paper
    - PaX Team, "Documentation for the PaX project", link
    - A. van de Ven, "New Security Enhancements in Red Hat Enterprise Linux v. 3, update 3", paper
    - S. Bhatkar, D. DuVarney, and R. Sekar, "Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits", 12th USENIX Security Symposium, pp. 105-120, August 2003. paper
    - H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu and D. Boneh, "On the Effectiveness of Address Space Randomization", ACM CCS 2004, October 2004. paper
    - C. Cowan, S. Beattie, J. Johansen, P. Wagle, "PointGuard: Protecting Pointers from Buffer Overflow Vulnerabilities", USENIX Security Symposium, Aug. 2003. paper
  - Instruction sets
    - G. Kc, A. Keromytis, and V. Prevelakis, "Countering Code-Injection Attacks With Instruction-Set Randomization", 10th ACM International Conference on Computer and Communications Security (CCS), pp. 272-280, October 2003. paper
    - E. Barrantes, D. Ackley, S. Forrest, T. Palmer, D. Stefanovic and D. Zovi, "Randomized instruction set emulation to disrupt binary code injection attacks", 10th ACM International Conference on Computer and Communications Security (CCS), pp. 272-280, October 2003. paper
  - Malware
    - P. Szor, P. Ferrie, "Hunting for Metamorphic", Virus Bulletin Conference 2001, p. 123. paper
    - P. Szor, "Attacks on Win32", Virus Bulletin Conference 1998, pp. 57-84. paper
    - P. Szor, "Attacks on Win32 II", Virus Bulletin Conference 2000, pp. 101-121. paper
  - Protocols
    - See above papers in network vulnerabilities
- Immune system responses
  - General design
    - A. Somayaji, S. Hofmeyr and S. Forrest, "Principles of a Computer Immune System", 1997 New Security Paradigms Workshop. paper
    - S. White, M. Swimmer, E. Pring, W. Arnold, D. Chess, J. Morar, "Anatomy of a Commercial-Grade Immune System", IBM Research White Paper. paper
  - System-calls
    - S. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion detection using sequences of system calls", Journal of Computer Security, 6:151-180, 1998. paper
    - A. Somayaji and S. Forrest, "Automated Response Using System-Call Delays", USENIX 2000. paper
  - Network traffic
    - J. Balthrop, S. Forrest, and M. Glickman, "Revisiting LISYS: Parameters and Normal Behavior", Proceedings of the 2002 Congress on Evolutionary Computation (in press). paper
    - D. Dasgupta, F. Gonzalez, "An Immunity-Based Technique to Characterize Intrusions in Computer Networks", IEEE Transactions on Evolutionary Computing, 2002. paper
- Epidemiology
  - Disease control viruses
    - F. Cohen, "Computer Viruses - Theory and Experiments", Computers and Security, Vol. 6, pp. 22-35, 1984. link
    - J. Kephart and S. White, "Directed-Graph Epidemiological Models of Computer Viruses", IEEE Security and Privacy, 1991. paper
    - Y. Wang and C. Wang, "Modeling the Effects of Timing Parameters on Virus Propagation", Workshop On Rapid Malcode (WORM), 2003. paper
    - S. Staniford, V. Paxson, N. Weaver, "How to 0wn the Internet on Your Spare Time", USENIX Security Symposium 2002. paper
    - D. Moore, C. Shannon, G. Voelker, S. Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code", INFOCOM 2003. paper
    - Z. Chen, L. Gao, K. Kwiat, "Modeling the Spread of Active Worms", INFOCOM 2003. paper
    - M. Garetto, W. Gong, D. Towsley, "Modeling Malware Spreading Dynamics", INFOCOM 2003. paper
    - A. Marx, "Outbreak Response Times: Putting AV To The Test", Virus Bulletin, February 2004. paper
DDoS
- DDoS prevention
  - J. Leiwo, P. Nikander, and T. Aura, "Towards network denial of service resistant protocols", IFIP/SEC 2000. paper
  - D. Dean, A. Stubblefield, "Using Client Puzzles to Protect TLS", USENIX Security Symposium 2001. paper
  - A. Back, "Hashcash - a denial of service counter-measure", 2002. paper
  - C. Dwork, A. Goldberg, M. Naor, "On memory-bound puzzles for fighting spam", CRYPTO 2003. paper
  - M. Abadi, M. Burrows, M. Manasse, T. Wobber, "Moderately Hard, Memory-bound Functions", paper
  - A. Stavrou, D. Cook, W. Morein, A. Keromytis, V. Misra, D. Rubenstein, "WebSOS: An Overlay-based System for Protecting Web Servers from Denial of Service Attacks", paper
  - S. Kandula, D. Katabi, M. Jacob, A. Berger, "Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds", paper
  - W. Feng, E. Kaiser, W. Feng, A. Luu, "The Design and Implementation of Network Puzzles", INFOCOM 2005. paper
  - B. Laurie, R. Clayton, "Proof-of-Work Proves Not to Work", Workshop on Economics and Information Security. paper
  - T. Anderson, T. Roscoe, D. Wetherall, "Preventing Internet Denial-of-Service with Capabilities", paper
  - A. Yaar, A. Perrig, D. Song, "SIFF: An Endhost Capability Mechanism to Mitigate DDoS Flooding Attacks", IEEE Symposium on Security and Privacy 2004, May 2004. paper
- Tarpits
  - T. Hunter, P. Terry, and A. Judge, "Tarzan: Distributed Tarpitting: Impeding Spam Across Multiple Servers", LISA '03. paper
  - T. Liston, "Welcome to My Tarpit: The Tactical and Strategic Use of LaBrea", paper
- Indirection
  - A. Keromytis, V. Misra, and D. Rubenstein, "SOS: Secure Overlay Services", in Proceedings of ACM SIGCOMM '02. paper
  - R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods", USENIX Security Symposium 2000. paper
  - D. Adkins, K. Lakshminarayanan, A. Perrig, I. Stoica, "Taming IP Packet Flooding Attacks", HotNets II. paper
  - S. Savage, D. Wetherall, A. Karlin, T. Anderson, "Practical Network Support for IP Traceback", SIGCOMM 2000. paper
  - A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, S. Kent, W. Strayer, "Hash-Based IP Traceback", SIGCOMM 2001. paper
  - D. Song, A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback", paper
  - A. Yaar, A. Perrig, and D. Song, "FIT: Fast Internet Traceback", INFOCOM 2005. paper
  - A. Yaar, A. Perrig, and D. Song, "Pi: A Path Identification Mechanism to Defend against DDoS Attacks", paper
  - H. Burch, B. Cheswick, "Tracing Anonymous Packets to Their Approximate Source", paper
  - S. Bellovin, M. Leech, T. Taylor, "ICMP Traceback Messages", paper
  - A. Mankin, D. Massey, C. Wu, S. Wu, L. Zhang, "On Design and Evaluation of 'Intention-Driven' ICMP Traceback", paper
- Filtering
  - H. Jamjoom, K. Shin, "Persistent Dropping: An Efficient Control of Traffic Aggregates", ACM SIGCOMM 2003. paper
  - D. Sterne, K. Djahandari, B. Wilson, B. Babson, D. Schnackenberg, H. Holliday, T. Reid, "Automatic Response to Distributed Denial of Service Attacks", paper
- Misc
  - M. Handley, A. Greenhalgh, "Steps Towards a DoS-resistant Internet Architecture", ACM SIGCOMM FDNA 2004. paper
  - A. Shieh, A. Myers, E. Sirer, "Trickles: A Stateless Network Stack for Improved Scalability, Resilience, and Flexibility", paper
- Fingerprints and signatures
  - Remote system fingerprinting
    - T. Kohno, A. Broido, k. claffy, "Remote Physical Device Fingerprinting", paper
    - Fyodor, "Remote OS detection via TCP/IP Stack Fingerprinting", Oct. 1998. link
    - M. Smart, G. Malan, F. Jahanian, "Defeating TCP/IP Stack Fingerprinting", USENIX Security 2000. paper
  - Signatures of malware
    - C. Kreibich, J. Crowcroft, "Honeycomb - Creating Intrusion Detection Signatures Using Honeypots", paper
    - V. Pai, L. Wang, K. Park, R. Pang, L. Peterson, "The Dark Side of the Web: An Open Proxy's View", paper
    - B. Madhusudan, J. Lockwood, "Design of a System for Real-Time Worm Detection", IEEE Hot Interconnects, August 2004, pp. 77-83. paper
    - M. Christodorescu, S. Jha, "Testing Malware Detectors", ISSTA 2004. paper
  - Traffic signatures
    - D. Moore, C. Shannon, k. claffy, "Code-Red: A Case Study on the Spread and Victims of an Internet Worm", IMW 2002. paper
    - V. Yegneswaran, P. Barford, J. Ullrich, "Internet Intrusions: Global Characteristics and Prevalence", ACM SIGMETRICS 2003
    - D. Moore, G. Voelker and S. Savage, "Inferring Internet Denial-of-Service Activity", USENIX Security 2001. paper
    - J. Jung, B. Krishnamurthy, and M. Rabinovich, "Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites", paper
    - P. Barford, D. Plonka, "Characteristics of Network Traffic Flow Anomalies", paper
    - N. Weaver, S. Staniford, V. Paxson, "Very Fast Containment of Scanning Worms", USENIX Security 2004. paper
    - J. Mirkovic, G. Prier and P. Reiher, "Attacking DDoS at the Source", paper
    - S. Schechter, J. Jung, A. Berger, "Fast Detection of Scanning Worm Infections", RAID 2004, September 2004. paper
    - X. Chen, J. Heidemann, "Detecting Early Worm Propagation through Packet Matching", Technical Report ISI-TR-2004-585, USC/Information Sciences Institute, February 2004. paper
    - V. Sekar, Y. Xie, D. Maltz, M. Reiter, H. Zhang, "Toward a Framework for Internet Forensic Analysis", paper