Code: analysis, bugs, and security
optional course, supported by Bitdefender
Instructor: Marius Minea, firstname.lastname@example.org (Office: B531. Phone: +40-256-403284)
Lab: Andrei Ardelean, gmail: andreirardelean; Alex Petenchea, gmail: alex.petenchea
Course: Wed 8-10, ASPC
Lab: Fri 14-16, 16-18, B528
New: contest with special prizes for students participating in the course
last year's course
Sample program: print addresses
- Assembly language.
Sample programs: nested expression (and in three-address code), switch, array of function pointers, lists with pointers to pointers (commented .asm).
See also: x86 Assembly Guide (David Evans, U. Virginia)
- Linking and loading. Scope and linkage in C
good slides at UTexas (part1, part2)
A very good summary (D. Beazley et al.)
U. Drepper. How to write shared libraries very detailed; check sec.1.5.5 for explanation of GOT and PLT
The example from class with PLT and relocation
- Obfuscation (summary). Extensive slideset (Christian Collberg, U. Arizona)
Extra: This summer school has some more advanced talks
- Compilation and analysis with LLVM. Basic discussion. Intro and LLVM Passes (F. Pereira, UFMG), also tutorial from 2015 LLVM Dev meeting
- Static analysis.. A discussion on value range analysis (J. Regehr, U. Utah).
A paper on property simulation (see example for comparing different analyses)
- Memory vulnerabilities
- Fuzzing and symbolic execution. More details: AFL, KLEE
- File formats. Write an unzip program, and check it against some test archives (with some problems)
archive with all zip files. File zipinfo.txt describes each zip.
- Assembly language. Exercises from the lab + one challenge
- Linking and loading: lab programs for function hooking and mprotect (also updated for 64 bits).
Useful reference: GDB command summary
- Obfuscation. binary for use in the lab.
- Writing LLVM passes. Starting point and full code written in the lab
- Writing a clang checker. Tutorial. archive with code
- Memory corruption vulnerabilities. test program.
- overwrite the return address with that of go_shell
- insert your own payload on the stack
- same as above, but with randomized stack (search for jmp esp
- with non-executable stack enabled, do a ROP attack
- Fuzzing and symbolic execution. buggy program and initial archive for AFL
Last modified: Fri Nov 24 8:00:00 EET 2017