Prologue
This year, SJTU's Gossip event was held from July 24 to 28 at the School of Information Security Engineering in Shanghai (the lecture hall at Zhangjiang Science Park). For the event posts, see: Event Agenda, Attendance Guide, Event Notes.
I arrived at the hotel on Sunday, and after dinner Yifan and I went over in advance to scout the route. The buildings inside the Zhangjiang Institute for Advanced Study look quite nice, and seem to have been completed less than five years ago. Since we had registered our identity information ahead of time, we could swipe open the access gates with the Suishen QR code.

The exterior and interior decorations of the buildings look great and are very functional. My favorite part was that the buildings are connected by warm corridors, and there are plenty of sofas, chairs, and tables for discussion.

Lu Kangjie - Open-Source Software
Ancient unfixed vulnerabilities are still effective.
advanced analysis and reasoning
Indirect function calls: Linux has 127k, Firefox 241k. How to accurately resolve indirect call targets during static analysis (CCS '19 best paper, using multi-layer nested struct types to track function pointers; NDSS 2024, GNN-assisted, locating anchor functions such as open, where similar functions can be matched based on semantic information). General rule: use documentation and rules as bug oracles; use inconsistencies as bug oracles.
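To make the multi-layer idea concrete, here is an added two-layer model of it (not the CCS '19 paper's implementation). The struct, field and function names are constructed to resemble kernel code; the point is how each extra layer of struct-type context shrinks the candidate target set of an indirect call.

```python
"""Two-layer model of multi-layer type analysis for indirect-call targets.
Added example with a constructed program model; not the paper's code."""
from collections import defaultdict

# Layer 1: function signatures (constructed).
FUNC_SIG = {
    "ext4_open": "int(struct file*)",
    "nfs_open":  "int(struct file*)",
    "proc_open": "int(struct file*)",
    "log_hook":  "int(struct file*)",  # matching signature, never stored in .open
}

# Layer 2: function-pointer initialisers keyed by (struct type, field).
# Each entry is (object name, function), e.g. ext4_fops.open = ext4_open.
FIELD_FUNCS = defaultdict(set)
for obj, func in [("ext4_fops", "ext4_open"), ("nfs_fops", "nfs_open"),
                  ("proc_fops", "proc_open")]:
    FIELD_FUNCS[("file_operations", "open")].add((obj, func))
FIELD_FUNCS[("audit_hooks", "on_open")].add(("audit", "log_hook"))

# Layer 3: which struct objects are stored into an outer struct's field,
# e.g. inode->i_fop = &ext4_fops.
OBJ_STORES = defaultdict(set)
OBJ_STORES[("inode", "i_fop")] |= {"ext4_fops", "nfs_fops"}
OBJ_STORES[("proc_dir_entry", "proc_fops")].add("proc_fops")


def signature_targets(sig):
    """Layer 1 only: every function whose signature matches the call site."""
    return {f for f, s in FUNC_SIG.items() if s == sig}


def mlta_targets(sig, layers):
    """layers is the access path of the call site, outermost first, e.g.
    [("inode", "i_fop"), ("file_operations", "open")] for inode->i_fop->open().
    The innermost field gives the candidate functions; an outer layer keeps
    only functions stored into objects that actually flow into that field."""
    inner = layers[-1]
    candidates = {func for _, func in FIELD_FUNCS[inner]}
    if len(layers) > 1:
        objs = OBJ_STORES[layers[-2]]
        candidates = {func for obj, func in FIELD_FUNCS[inner] if obj in objs}
    return signature_targets(sig) & candidates
```

Signature matching alone keeps all four functions; the field layer drops log_hook; the inode layer further drops proc_open, which only reaches the call through proc_dir_entry.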
understandability - understand the program
secure-by-design defense
assurability - hardening mechanisms. Working modes of memory attacks. Modularize complex systems and isolate modules to avoid cross-module memory access; this requires dependency analysis. TyPM analyzes whether modules have a particular type-based dependency relationship (type-based analysis); the insight is that information passing between two modules happens only via global variables and function calls, so analyzing the type information at those boundaries can split the modules. Implementing isolation: use bounds checks, use overlapping methods, use 3 registers to achieve a partition into 6 regions.
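The boundary insight recorded above can be shown as a small added model (not TyPM's implementation): modules only meet at globals and function calls, so the types at those boundaries bound which modules a value of a given type can ever reach. Module names, symbols and types below are constructed.

```python
"""Type-based module dependency from boundary types only.
Added example with a constructed module set; not TyPM's code."""
from collections import defaultdict

# Constructed modules: exported globals/functions with their types, plus the
# (module, symbol) boundaries each module references (calls or global accesses).
MODULES = {
    "fs":  {"globals": {"vfs_lock": "spinlock"},
            "funcs": {"vfs_read": ["struct file*", "char*"]},
            "refs": [("mm", "alloc_page")]},
    "mm":  {"globals": {"page_pool": "struct page*"},
            "funcs": {"alloc_page": ["struct page*"]},
            "refs": []},
    "net": {"globals": {},
            "funcs": {"sock_send": ["struct sock*", "char*"]},
            "refs": [("mm", "alloc_page"), ("fs", "vfs_read"), ("fs", "vfs_lock")]},
    "crypto": {"globals": {}, "funcs": {"hash": ["char*"]}, "refs": []},
}


def boundary_types(src, sym):
    """Types that cross the boundary at symbol sym exported by module src."""
    m = MODULES[src]
    if sym in m["globals"]:
        return {m["globals"][sym]}
    return set(m["funcs"][sym])


def type_deps():
    """deps[(a, b)] = types that can cross directly from module a to b.
    A call or global access lets data move in both directions (arguments and
    writes one way, return values and reads the other)."""
    deps = defaultdict(set)
    for mod, info in MODULES.items():
        for src, sym in info["refs"]:
            ts = boundary_types(src, sym)
            deps[(mod, src)] |= ts
            deps[(src, mod)] |= ts
    return deps


def can_flow(t, a, b):
    """Transitively: can a value of type t in module a reach module b?"""
    deps, seen, stack = type_deps(), set(), [a]
    while stack:
        cur = stack.pop()
        if cur == b:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(n for (x, n), ts in deps.items() if x == cur and t in ts)
    return False
```

A module pair with no type path between them (here crypto and everything else, or struct file* values from net into mm) is a candidate for isolation with no cross-module memory access to preserve.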
affordable and continuous protection
sustainability - long-term maintenance. Open-source volunteers have no financial support, which leads to projects that cannot be maintained continuously.
The security question of open-source vs. closed-source: which is more secure? Program analysis; build systems; AI.
Some research insights
- Solve fundamental problems, solve general problems, propose new insights
- Research types: attack-study-detection-defense
- Abstract new general problems from corner cases
Research starting points: read papers; recent vulnerability and attack reports; derive new problems from previous work; communicate more; trial and error.
Some self-questions to ask:
- Where is the intuition (summarize in one sentence; is it interesting and novel?)
- Why hasn't anyone done it before (not worth doing? impossible to implement?)
- What can others learn from this work (technical contribution? real-world impact? new findings?)
- Is the research sufficiently meaningful?
Issues in system design and implementation:
- Every design choice should be explained (in the paper)
- Solve the root problem rather than surface phenomena, do not be ad hoc
- Don't get fixated on a corner, don't go down the wrong path, solve the overall problem
- Keep thinking and improving
- Stay sensitive and curious about details (new ideas)
Competitive papers:
- Tell a good story in the abstract and intro
- Technical difficulties and solutions
- Experimental results that support the claims
- Writing
Zhang Yue - IoT Bluetooth
Peripheral and central need to pair; broadcaster and observer broadcast.
Yin Tingting - From Fuzzing to Bounty

FANS
- Issues of concern: the lower layers of Android, vulnerabilities at native code interfaces, new attack surfaces
- Comprehensive automation, e.g. automated flashing and rebooting, to save time
StateFuzz
- Identify key variables
- Identify state-change features
KextFuzz
- The pointer authentication instructions on macOS can be replaced with instrumentation instructions, avoiding offset errors (the PAC mechanism on ARMv8)
- Interface information acquisition, wrapper code for the encapsulation layer
Xie Mengyao - Hardware-Assisted Memory Isolation Mechanisms
Existing memory isolation techniques: address-based isolation, with a check before memory access; domain-based isolation; dedicated memory access instructions.
Defense papers: think first, lay out the threat model in advance.
Meng Wei - Challenges and Opportunities in Web Security Research

Client-Side Security
Clickjacking: instrument the underlying C++ code to detect attribute modifications; detect element similarity and transparent overlays.
JS global identifier conflicts: use absolute addresses, check whether the identifier is defined.
Server-Side Security
Low-frequency application-layer DoS: check delay, refuse first-time connections, check whether requests are malicious.
Taint type defects: inter-procedural data flow analysis.
Ma Siqi & Li Juanru - Discovering Security Vulnerabilities in the Era of Smart Devices
Start from real-world applications around you, think about whether some security principle has been violated, then expand and induce general, common patterns.
Shen Wenbo - Evolution and Outlook of OS Kernel Attack and Defense
The dedication to research from project zero, in industry and academia.
The evolution of traditional kernel attacks and defenses, kernel security issues in container scenarios.
Issues of ethics: attack papers should also implement defenses, and discuss ethics.
To publish a paper: prove that you have advanced the SOTA.
How to do research? Read tons of papers, blogs, videos, and any kind of material.
Epilogue
In summary, I gained quite a lot from the five days of lectures. The main takeaway was a deeper understanding of how to do research, along with a reminder to myself to settle down and build a solid foundation. There was a student (or teacher) with a Beijing accent who was really interesting; he asked questions after almost every speaker's talk, and his tone was very much like a roundtable moderator's, haha.

Over these few days, the group often ate Sichuan food, like Xianqi Banbudian and Chuanyu Youhuo at Longyang Plaza. Eating Sichuan food in Shanghai really feels a bit interesting. But I have to say, Xianqi was the best of all.

ChinaJoy was being held in Shanghai on Saturday, which caused the room rates at nearby hotels to skyrocket, so I could only book through Thursday. The pictures Huazhu's app showed looked like the White House, and in reality it's actually pretty similar, but you have to wait for the right time and the right lighting to take a photo. At night it looks roughly like this:

On the last evening I went to a certain mall and ate Hunan food. Almost all of it was pre-made dishes, very unappetizing, and the portions were tiny. I guess that counts as a bad experience. But on the way out, I saw a board-game training class in the mall. I have to say, even board games have started to get competitive now... they were originally just an entertainment activity to promote communication and friendship, but now they have to rank winners and losers - isn't that sort of putting the cart before the horse?
