263-2925-00L  Program Analysis for System Security and Reliability

SemesterSpring Semester 2019
LecturersM. Vechev
Periodicityyearly recurring course
Language of instructionEnglish



Courses

NumberTitleHoursLecturers
263-2925-00 VProgram Analysis for System Security and Reliability2 hrs
Mon13:15-15:00CAB G 61 »
M. Vechev
263-2925-00 UProgram Analysis for System Security and Reliability1 hrs
Mon15:15-16:00CAB G 61 »
M. Vechev
263-2925-00 AProgram Analysis for System Security and Reliability1 hrsM. Vechev

Catalogue data

AbstractSecurity breaches in modern systems (blockchains, datacenters, AI, etc.) result in billions of losses. We will cover key security issues and how the latest automated techniques can be used to prevent these. The course has a practical focus, also covering systems built by successful ETH Spin-offs (ChainSecurity.com and DeepCode.ai).

More info: https://www.sri.inf.ethz.ch/teaching/pass2019
Learning objective* Learn about security issues in modern systems -- blockchains, smart contracts, AI-based systems (e.g., autonomous cars), data centers -- and why they are challenging to address.

* Understand how the latest automated analysis techniques work, both discrete and probabilistic.

* Understand how these techniques combine with machine-learning methods, both supervised and unsupervised.

* Understand how to use these methods to build reliable and secure modern systems.

* Learn about new open problems that if solved can lead to research and commercial impact.
ContentPart I: Security of Blockchains

- We will cover existing blockchains (e.g., Ethereum, Bitcoin), how they work, what the core security issues are, and how these have led to massive financial losses.
- We will show how to extract useful information about smart contracts and transactions using interactive analysis frameworks for querying blockchains (e.g. Google's Ethereum BigQuery).
- We will discuss the state-of-the-art security tools (e.g., https://securify.ch) for ensuring that smart contracts are free of security vulnerabilities.
- We will study the latest automated reasoning systems (e.g., Dagger) for checking custom (temporal) properties of smart contracts and illustrate their operation on real-world use cases.
- We will study the underlying methods for automated reasoning and testing (e.g., abstract interpretation, symbolic execution, fuzzing) are used to build such tools.

Part II: Machine Learning for Security

- We will discuss how machine learning models for structured prediction are used to address security tasks, including de-obfuscation of binaries (Debin: https://debin.ai), Android APKs (DeGuard: http://apk-deguard.com) and JavaScript (JSNice: http://jsnice.org).
- We will study to leverage program abstractions in combination with clustering techniques to learn security rules for cryptography APIs from large codebases.
- We will study how to automatically learn to identify security vulnerabilities related to the handling of untrusted inputs (cross-Site scripting, SQL injection, path traversal, remote code execution) from large codebases.

Part III: Security of Datacenters and Networks

- We will show how to ensure that datacenters and ISPs are secured using declarative reasoning methods (e.g., Datalog). We will also see how to automatically synthesize secure configurations (e.g. using SyNET and NetComplete) which lead to desirable behaviors, thus automating the job of the network operator and avoiding critical errors.
- We will discuss how to apply modern discrete probabilistic inference (e.g., PSI and Bayonet) so to reason about probabilistic network properties (e.g., the probability of a packet reaching a destination if links fail).

Part IV: Security of AI-based Systems

- We will look into the security issues related to modern systems that combine machine learning models (e.g., neural networks) within traditional systems such as cars, airplanes, and medical systems.
- We will learn state-of-the-art techniques for security testing and certifying entire AI-based systems, such as autonomous driving systems.

To gain a deeper understanding, the course will involve a hands-on programming project where the methods studied in the class will be applied.

Performance assessment

Performance assessment information (valid until the course unit is held again)
Performance assessment as a semester course
ECTS credits5 credits
ExaminersM. Vechev
Typesession examination
Language of examinationEnglish
RepetitionThe performance assessment is only offered in the session after the course unit. Repetition only possible after re-enrolling.
Mode of examinationwritten 120 minutes
Additional information on mode of examination50% of the grade is determined by mandatory course projects, 50% of the grade is determined by a written 2 hr exam
Written aidsNone
This information can be updated until the beginning of the semester; information on the examination timetable is binding.

Learning materials

 
Main linkInformation
Only public learning materials are listed.

Groups

No information on groups available.

Restrictions

There are no additional restrictions for the registration.

Offered in

ProgrammeSectionType
CAS in Computer ScienceFocus Courses and ElectivesWInformation
Data Science MasterCore ElectivesWInformation
Computer Science MasterFocus Core Courses Information SystemsWInformation
Computer Science MasterFocus Core Courses Software EngineeringWInformation
Computer Science MasterCore Focus Courses General StudiesWInformation
Computer Science MasterFocus Elective Courses Information SecurityWInformation