CS 7934 — Computer Systems Seminar, Spring 2011

Fridays, 2:00–3:00 PM, 3485 MEB

Organizer: Eric Eide


The spring 2011 offering of CS 7934 will cover a variety of systems topics, but with an eye toward three goals.

The first is to increase participants' understanding of malicious software, commonly known as malware. Computer-based systems are increasingly at risk from many forms of malware including viruses, worms, trojan horses, spyware, rootkits, and botnets. In addition, modern malware is increasingly sophisticated. Malware may attempt to exploit multiple vulnerabilities to infect a computer host; use active countermeasures to avoid detection, examination, and/or removal; and may be remotely controlled and even dynamically updatable. Malware is increasingly designed for activities such as computer crime, industrial espionage, and even cyberwarfare. Our goal in this seminar is to “know our enemy” by studying recent research publications that detail modern malware techniques and case studies. Only by understanding malware can we hope to engineer future computer-based systems that are immune to, or at least resilient to, the threats of the modern computing landscape.

The second is to be a venue for student presentations. Every student participating in the seminar will be required to give at least one “formal” research presentation during the semester. Ideally these will be presentations of students' current work, but other topics are also possible.

The third is to stay abreast of papers from recent and imminent top-tier systems and security conferences: e.g., SOSP, OSDI, NSDI, SIGCOMM, IEEE S&P, CCS, USENIX Security, RAID, and so on. Papers will be selected for their relevance to participants' research or upcoming Utah visitors.

CS 7934 is often called “the CSL seminar.” The name CSL is historic.

Mailing list

To get on the class mailing list, use Mailman to subscribe to csl-sem.


Although the course is listed as “variable credit,” the course is only available for one (1) credit in most circumstances. If you want to take the course for more than one credit, you will need to get approval from the instructor.

Those taking the course for credit must read all of the papers, submit a short summary of each paper prior to class (PDF, Postscript, LaTeX), participate in each discussion, and make at least one research presentation. We urge students to sign up for one credit if you're going to be attending anyway.


(You can check out what we did last semester here.)

Week Date Topic(s) Facilitator Paper(s)
1 1/14 Eide no meeting — organizational email
2 1/21 botnets Eide Your Botnet is My Botnet: Analysis of a Botnet Takeover. Brett Stone-Gross et al. In CCS '09, Nov. 2009.

The “Kneber” Botnet: A ZeuS Discovery and Analysis. Alex Cox and Gary Golomb. Whitepaper, NetWitness Corporation, Feb. 2010.

Supplementary: Return from the Dead: Waledac/Storm Botnet Back on the Rise. Andrea Lelli. Symantec Security Response Blog post, Jan. 2011.
3 1/28 VM-based malware analysis Burtsev Ether: Malware Analysis via Hardware Virtualization Extensions. Artem Dinaburg et al. In CCS '08, Oct. 2008. (author copy) (Ether Web site)

Emulating Emulation-Resistant Malware. Min Gyung Kang et al. In VMSec '09, Nov. 2009. (author copy)
4 2/4 Web-based malware Pullakandam An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications. Dongseok Jang et al. In CCS '10, Oct. 2010.

The Ghost In The Browser: Analysis of Web-based Malware. Niels Provos et al. In HotBots '07, Apr. 2007.

Supplementary: Exploration of a JavaScript Malware Delivery Vehicle. Danny Goodman. Unpublished, Jul. 2008.
5 2/11 network architecture Ricci Concast: Design and Implementation of an Active Network Service. Kenneth L. Calvert et al. IEEE JSAC, 19(3):426–437, Mar. 2001.

Deconstructing the Network Layer. Onur Ascigil et al. In ICCCN '08, Aug. 2008.

Supplementary: Reflections on Network Architecture: An Active Networking Perspective. Ken Calvert. ACM SIGCOMM CCR, 36(2):27–30, Apr. 2006.
6 2/18 malware in P2P networks Gowda A Study of Malware in Peer-to-peer Networks. Andrew Kalafut et al. In IMC '06, Oct. 2006.

Malware Prevalence in the KaZaA File-Sharing Network. Seungwon Shin et al. In IMC '06, Oct. 2006.

Supplementary: Decline in Web, Increase in P2P Attacks Predicted for 2010. Jacqui Cheng. Ars Tecnica blog post, Dec. 2009.
7 2/25 behavior-based malware detection Thulasinathan Effective and Efficient Malware Detection at the End Host. Clemens Kolbitsch et al. In USENIX Security '09, Aug. 2009.

AccessMiner: Using System-Centric Models for Malware Protection. Andrea Lanzi et al. In CCS '10, Oct. 2010. (author copy)
8 3/4 no meeting — student research posters
9 3/11 drive-by downloads Mishrikoti Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. Marco Cova et al. In WWW '10, Apr. 2010. (author copy)

Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks. Konrad Rieck et al. In ACSAC '10, Dec. 2010. (author copy)

Supplementary: The BlackHole Fever Continues. Hardik Surl. Symantec Security Response Blog post, Mar. 2011.
10 3/18 Android malware Manikarnike Privilege Escalation Attacks on Android. Lucas Davi et al. In ISC '10, Oct. 2010.

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. William Enck et al. In OSDI '10, Oct. 2010.

Supplementary: Understanding Android Security. William Enck et al. IEEE Security & Privacy, 7(1):50–57, Jan./Feb. 2009.

Supplementary: Android.Bgserv Found on Fake Google Security Patch – Part II. Mario Ballano. Symantec Security Response Blog post, Mar. 2011.
11 3/25 no meeting — University spring break
12 4/1 Waledac Chikkulapelly Malware Authors Don't Learn, and That's Good! Joan Calvet et al. In MALWARE '09, Oct. 2009.

Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure. Chris Nunnery et al. In LEET '10, Apr. 2010.

Supplementary: The Waledac Protocol: The How and Why. Greg Sinclair et al. In MALWARE '09, Oct. 2009.
13 4/8 SCADA malware Lehmann An Experimental Investigation of Malware Attacks on SCADA Systems. Igor Nai Fovino et al. International Journal of Critical Infrastructure Protection, 2(4):139–145, Dec. 2009.

Cybersecurity Myths on Power Control Systems: 21 Misconceptions and False Beliefs. Ludovic Piètre-Cambacédès et al. IEEE Transactions on Power Delivery, 26(1):161–172, Jan. 2011.

Supplementary: Attack Code for SCADA Vulnerabilities Released Online. Kim Zetter. Threat Level Blog post, Mar. 2011.
14 4/15 VMI-based malware detection Kim Stealthy Malware Detection and Monitoring through VMM-Based “Out-of-the-Box” Semantic View Reconstruction. Xuxian Jiang et al. ACM Transactions on Information and System Security, 13(2), Feb. 2010.

Detecting Past and Present Intrusions through Vulnerability-Specific Predicates. Ashlesha Joshi et al. In SOSP '05, Oct. 2005.
15 4/22 rootkits Sharma Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. Ralf Hund et al. In USENIX Security '09, Aug. 2009.

Implementing and Detecting a PCI Rootkit. John Heasman. Technical report, Next Generation Security Software Ltd., Nov. 2006.

Supplementary: Hosting backdoors in hardware. Reid Barton. Ksplice Blog post, Oct. 2010.
16 4/29 the underground economy Eide At 12:00 PM:
The Underground Economy: Priceless. Rob Thomas and Jerry Martin. ;login, 31(6):7–16, Dec. 2006.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Jason Franklin et al. In CCS '07, Oct.–Nov. 2007. (author copy)

Supplementary: Symantec Report on the Underground Economy: July 07–June 08. Marc Fossi et al. Technical report, Symantec Corporation, Nov. 2008.

Reference Materials

Potential Papers

Upcoming and recent conference proceedings are good sources of papers for discussion. Below are links to some relevant conference series.