Overview

Security issues and privacy breaches in modern systems (blockchains, datacenters, AI, etc.) result in billions of losses due to hacks and system downtime. This course introduces the security issues in such modern systems and covers state-of-the-art automated techniques (developed in the past few years) that can are applied to build more secure and reliable systems. The course has a practical focus and covers systems build by successful ETH spin-offs (ChainSecurity and DeepCode).

Objectives

  1. Learn about security issues in modern systems -- blockchains, smart contracts, AI-based systems (e.g., autonomous cars), data centers -- and why they are challenging to address.
  2. Understand how the latest automated analysis techniques work, both discrete and probabilistic.
  3. Understand how these techniques combine with machine-learning methods, both supervised and unsupervised.
  4. Understand how to use these methods to build reliable and secure modern systems.
  5. Learn about new open problems that if solved can lead to research and commercial impact.

Part I: Security of Blockchains

  • We will cover existing blockchains (e.g., Ethereum, Bitcoin), how they work, what the core security issues are, and how these have led to massive financial losses.
  • We will show how to extract useful information about smart contracts and transactions using interactive analysis frameworks for querying blockchains (e.g. Google's Ethereum BigQuery).
  • We will discuss the state-of-the-art security tools (e.g., Securify) for ensuring that smart contracts are free of security vulnerabilities.
  • We will study the latest automated reasoning systems (e.g., Dagger) for checking custom (temporal) properties of smart contracts and illustrate their operation on real-world use cases.

Part II: Machine Learning for Security

  • We will discuss how machine learning models for structured prediction are used to address security tasks, including de-obfuscation of binaries (DeBIN), Android APKs (DeGuard) and JavaScript (JSNice).
  • We will study to leverage program abstractions in combination with clustering techniques to learn security rules for cryptography APIs from large codebases.
  • We will study how to automatically learn to identify security vulnerabilities related to the handling of untrusted inputs (cross-Site scripting, SQL injection, path traversal, remote code execution) from large codebases.

Part III: Security of Datacenters and Networks

  • We will show how to ensure that datacenters and ISPs are secured using declarative reasoning methods (e.g., Datalog). We will also see how to automatically synthesize secure configurations (e.g. using SyNET and NetComplete) which lead to desirable behaviors, thus automating the job of the network operator and avoiding critical errors.
  • We will discuss how to apply modern discrete probabilistic inference (e.g., PSI and Bayonet) so to reason about probabilistic network properties (e.g., the probability of a packet reaching a destination if links fail).

Part IV: Security of AI-based Systems

  • We will look into the security issues related to modern systems that combine machine learning models (e.g., neural networks) within traditional systems such as cars, airplanes, and medical systems.
  • We will learn state-of-the-art techniques for security testing and certifying modern AI-based systems.

Course Project

The course involve a hands-on programming project where the methods studied in the class will be applied:
  • Project description: PDF
  • Code template: Gitlab repository
  • Use the latest commit on branch master for the latest version of the template. Send us an email if you do not have access to the repository.
  • Answers to common student questions can be found here

Deadlines:
Group registrationApril 10, 2019
Project announcement11:59PM CEST, April 15, 2019
Preliminary deadline (optional)11:59PM CEST, May 22, 2019
Final deadline11:59PM CEST, May 29, 2019

You can work on the project in a group consisting of at most 2 students. You must register for the project using this Google form.

Lectures

No. DateContentSlides Exercises Solutions
1 Feb 18 Introduction PDF
2 Feb 25 Intro to blockchains PDF PDF PDF
3 Mar 4 / Mar 11 Security analysis of smart contracts PDF PDF PDF
4 Mar 11 / Mar 18 Smart contract behaviors and LTL specifications PDF PDF PDF
5 Mar 25 Safety verification of smart contracts PDF
6 Mar 25 Guest lecture by ChainSecurity PDF
7 Apr 1 Verifying network configurations PDF PDF PDF
8 Apr 14 Network-wide configurations / Input synthesis for Datalog PDF PDF PDF PDF
9 Apr 29 Sketch / CEGIS / Efficient synthesis for OSPF PDF PDF PDF
10 May 6 Probabilistic Programming and Applications PDF PDF PDF PDF PDF
11 May 13 Statistical Deobfuscation of Code PDF PDF PDF