CSC 495/583 Topics of Software Security

2019-Fall Course Website

Advisor: Si Chen

Course Overview

  • The legal aspects of reverse engineering.
  • Assembly language for IA-32 compatible processors and how to read compiler-generated assembly language code.
  • The general principles behind malicious software and how reverse engineering is applied to study such programs.

Expected Background

  • Basic programming concepts (e.g., completion of Java I and II)
  • Knowledge of the C programming language, including pointers, arrays, loops, function calls, etc.
  • Familiarity with Unix/Linux, including the command-line shell and gdb
  • Familiarity with Intel x86 assembly language and architecture
  • Familiarity with web programming concepts (HTML, HTTP, TCP, network communications)

Textbook

No Textbook

Reference books:

  1. Randal E. Bryant, David Richard O'Hallaron, Computer Systems: A Programmer's Perspective, 3rd Edition, ISBN 978-0134092669
  2. Kris Kaspersky, Hacker Disassembling Uncovered, 2nd Edition, ISBN 978-1931769648
  3. Eldad Eilam, Reversing: Secrets of Reverse Engineering, 1st Edition, ISBN 978-0764574818

Course Content

Class 1 (Aug 26, 2019): Introduction
  • Slides: ch01.pptx

Class 2 (Aug 28, 2019): IA-32 Register, Byte Ordering, x86 ASM
  • Slides: ch02.pptx
  • Materials: abexcm1-voiees.exe, LittleEndian.exe, LittleEndian.cpp, HelloWorld.exe

Class 3 (Sep 3, 2019): x86 ASM, Stack
  • Slides: ch03.pptx
  • Materials: Stack.exe, stack.py

Lab 0 (Sep 3, 2019, 6 points): Lab: Hello World
  • Task: Change the text in the pop-up window from "Hello World!" to "Hello Reversing", take a screenshot, and upload the image to D2L.
  • Materials: HelloWorld.exe, Windows XP Environment, Disclaimer

Class 4 (Sep 5, 2019): Stack Frame
  • Slides: ch04.pptx
  • Materials: StackFrame.exe, StackFrame.cpp

Class 5 (Sep 10, 2019): Calling Convention, System Call, Introduction to PEDA and Pwntools
  • Slides: ch05.pptx
  • Materials: cdecl.c, stdcall.c, cdecl.exe, stdcall.exe, helloworld.asm, shell.asm, code.zip, 1_sample.c, 2_interactive.c, 3_reversing.c

Lab 1 (Sep 10, 2019, 6 points): Lab: Stack and Stack Frame in Linux
  • Handout: lab1.pdf
  • Materials: lab1.c
  • Environment: Manjaro Linux (ArchLinux); username: csc495, password: csc495

Class 6 (Sep 12, 2019): Stack Overflow (1)
  • Slides: ch06.pptx
  • Materials: buffer.c, buffer2.c, overflow.c

Class 7 (Sep 17, 2019): Stack Overflow (2)
  • Slides: ch07.pptx
  • Materials: hello.asm, test.c, Shellcode, overflow2.c

Class 8 (Sep 23, 2019): Stack Overflow Review: Classic Exploitation Technique (with PEDA, Pwntools) & Linux Binary Protections (ASLR, DEP, Stack Canaries)
  • Slides: ch08.pptx
  • Materials: overflow2.c, overflow3.c, template.py, exploit.py, exploit2.py, exploit3.py

Lab 2 (Sep 23, 2019, 6 points): Lab: Stack Overflow
  • Handout: lab2.pdf
  • Materials: lab2.c, exploit.py
  • Environment: Manjaro Linux (ArchLinux); username: csc495, password: csc495

Class 9 (Sep 25, 2019): Return-oriented programming (ROP)
  • Slides: ch09.pptx
  • Materials: rop.c, exploitROP.py, exploitROP_template.py

Class 10 (Sep 30, 2019): Return-oriented programming (ROP) (2)
  • Slides: ch10.pptx
  • Materials: rop.c, exploitROP.py, rop2.c, exploit_ROP2.py

Class 11 (Oct 2, 2019): Return-oriented programming (ROP) (3) & Dynamic Linking & Return-to-libc Attack & ASLR
  • Slides: ch11.pptx
  • Materials: reveal_address.c, ret2lib.c, ret2lib_Exploit.py, niklasb/libc-database

Class 12 (Oct 8, 2019): Web Security (1)
  • Slides: ch12.pptx

Class 13 (Oct 10, 2019): Web Security (2)
  • Slides: ch13.pptx

Lab 3 (Oct 10, 2019, 6 points): Lab3: Return-oriented programming (ROP)
  • Handout: lab3.pdf [Hint]
  • Materials: lab3.c, lab3_exp.py
  • Environment: Manjaro (Arch Linux) 64; username: csc495, password: csc495

Class 14 (Oct 15, 2019): PLT, GOT & Return-to-plt Attack (Bypassing ASLR/NX)
  • Slides: ch14.pptx
  • Materials: ret2plt.c, ret2plt_Exp.py

Class 15 (Oct 17, 2019): GOT Overwrite Attack (1)
  • Slides: ch15.pptx
  • Materials: bypassGOT.c, exp_GOT.py

Reading 1 (Oct 17, 2019, 10 points): Reading Question 1: Hacking Blind
  • Materials: ReadingQuestion.pdf, Hacking Blind paper, Project Website

Class 16 (Oct 22, 2019): Multi-Stage Exploits
  • Slides: ch16.pptx
  • Materials: multi_stage.c, exp_multi_stage.py

Class 17 (Oct 24, 2019): Stack Guard & Format String Bug
  • Slides: ch17.pptx
  • Materials: easy_canary_32.c, easy_canary_exp_32.py, easy_canary_64.c, easy_canary_exp_64.py, fmt_write.c, fmt_wrong.c, fmtstr.c, fmtstr_exp.py

Lab 4 (Oct 28, 2019, 6 points): Lab: Multi-Stage Exploits
  • Target IP: 35.184.67.227
  • Target port: 8888
  • Vulnerable program: lab4 (lab4.c)
  • Target file (flag): flag.txt
  • Protections: ASLR/NX on; StackGuard and PIE off
  • Hint: Libc version libc6-i386_2.27-3ubuntu1_amd64 [Link]
  • Materials: lab4.c, lab4_exp.py
  • Environment: Ubuntu 18.04 LTS; username: csc495, password: csc495

Class 18 (Oct 29, 2019): Format String Bug (2) & Heap
  • Slides: ch18.pptx
  • Materials: fmt_write2.c, fmt_test.c, dump_bin.py, fmt_test2.c, fmt_test2_exp.py, fmt_offset.py, heap1.c

Class 19 (Oct 31, 2019): Heap Exploitation (1)
  • Slides: ch19.pptx
  • Materials: use_heap.c, heap0.c, exploit_heap0.py, "Pwndbg + GEF + Peda — One for all, and all for one"

Reading 2 (Oct 31, 2019, 10 points): Reading Question 2: BlueBorne
  • Materials: Reading Question2.pdf, BlueBorne technical paper, Video (smartwatch takeover)

Class 20 (Nov 6, 2019): Heap Exploitation (2): Unlink Attack
  • Slides: ch20.pptx
  • Materials: babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c, exp_babyfirst.py

Class 21 (Nov 6, 2019): Heap Exploitation (3): Unlink Attack, glibc
  • Slides: ch21.pptx
  • Materials: babyfirst-heap_33ecf0ad56efc1b322088f95dd98827c, exp_babyfirst.py

Class 22 (Nov 13, 2019): Heap Exploitation (4): glibc, House of Force
  • Slides: ch22.pptx
  • Materials: hof.c, bamboobox, bamboobox_exp.py, bamboobox.c

Class 23 (Nov 18, 2019): Heap Exploitation (5): Use After Free, Double Free & Kernel Exploitation
  • Slides: ch23.pptx
  • Materials: uaf.c, doublefree.c, babydriver.tar

Final Project (Nov 18, 2019, 30 points): Final: House of Force & ROP
  • Target IP: 35.223.19.224
  • Target port: 8888
  • Vulnerable program: final (final.c)
  • Target file (flag): flag.txt
  • Protections: 64-bit (not 32-bit); ASLR/NX and StackGuard on; PIE off
  • Hint: Libc version libc6_2.23-0ubuntu11_amd64 [Link]
  • Hint: ROP gadget information [Link] [Hint]
  • Materials: final (binary, downloaded from the remote server), final.c, attack.py
  • Environment: Ubuntu 16.04 LTS with Pwndbg; username: csc497, password: csc497

Class 24 (Dec 2, 2019): Kernel Exploitation
  • Slides: ch24.pptx
  • Materials: uaf.c, babydriver.tar

Reading 3 (Dec 2, 2019, 10 points): Reading Question 3: Kernel Exploit and the Future of Software Security
  • Materials: ReadingQuestion3.pdf, "Over-the-Air: How We Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars"

Tutorials and Supporting Materials