Code: analysis, bugs, and security

optional course, supported by Bitdefender

Instructor: Marius Minea, marius@cs.upt.ro (Office: B531. Phone: +40-256-403284)
Lab: Andrei Ardelean, gmail: andreirardelean; Alex Petenchea, gmail: alex.petenchea
Course: Wed 8-10, ASPC
Lab: Fri 14-16, 16-18, B528

New: contest with special prizes for students participating in the course


last year's course

Course materials

  1. Introduction.
    Sample program: print addresses
  2. Assembly language.
    Sample programs: nested expression (and in three-address code), switch, array of function pointers, lists with pointers to pointers (commented .asm).
    See also: x86 Assembly Guide (David Evans, U. Virginia)
  3. Linking and loading. Scope and linkage in C
    good slides at UTexas (part1, part2)
    A very good summary (D. Beazley et al.)
    U. Drepper, How to write shared libraries (very detailed; see Sec. 1.5.5 for an explanation of the GOT and PLT)
    The example from class with PLT and relocation
  4. Obfuscation (summary). Extensive slideset (Christian Collberg, U. Arizona)
    Extra: This summer school has some more advanced talks
  5. Compilation and analysis with LLVM. Basic discussion. Intro and LLVM Passes (F. Pereira, UFMG); also the tutorial from the 2015 LLVM Dev Meeting
  6. Static analysis. A discussion on value range analysis (J. Regehr, U. Utah).
    A paper on property simulation (see example for comparing different analyses)
  7. Memory vulnerabilities
  8. Fuzzing and symbolic execution. More details: AFL, KLEE

Laboratory

  1. File formats. Write an unzip program, and check it against some test archives (with some problems)
    archive with all zip files. File zipinfo.txt describes each zip.
  2. Assembly language. Exercises from the lab + one challenge
  3. Linking and loading: lab programs for function hooking and mprotect (also updated for 64-bit).
    Useful reference: GDB command summary
  4. Obfuscation. Binary for use in the lab.
  5. Writing LLVM passes. Starting point and full code written in the lab
  6. Writing a clang checker. Tutorial. archive with code
  7. Memory corruption vulnerabilities. Test program.
  8. Fuzzing and symbolic execution. Buggy program and initial archive for AFL

Project suggestions

Resources

Other courses


Marius Minea
Last modified: Fri Nov 24 8:00:00 EET 2017