Computer Science Workshop on Security
"We may have created the monster, they'll
say, but we didn't set it
loose"
Instructor: Mooly Sagiv
Assistant: Greta Yorsh
Class Time and Location: Monday 10-12, Dan-David 204
Prerequisites:
- Software 1 (C programming)
- Operating Systems
For further information email: gretay at tau dot ac dot il
Goals
Methodology
Schedule
Requirements
Registering
Projects
Bibliography
News
Workshop Goals
This workshop is an introduction to the security threats posed by
programming errors (bugs), such as buffer overflows.
Students will learn the internals of common attack mechanisms
and the measures that protect against these attacks.
Students will have the opportunity to implement and experiment with
security attacks, exploiting vulnerabilities
of Linux/Windows to gain access to, or privileges on, the system.
This time the focus is on the classical attacks; the following
topics are out of the scope of this workshop: cryptography,
authentication, and viruses (malicious code that multiplies and distributes itself).
What kinds of programming errors are potential security threats?
What does it take to conduct an attack?
How does one protect against an attack?
This workshop will attempt to give students a better understanding of the
issues raised by such questions.
Workshop Methodology
In the first meeting, the projects will be presented and a brief
introduction to the related topics will be given.
The students will split into groups of 2 or 3.
Each group is required to choose a project
by the end of the second week of the semester.
Please notify us
about the chosen project and the group members as soon as you can.
In the second meeting, the projects will be assigned and
an introduction to kernel programming will be given.
The first part of the workshop is devoted to collecting, reading and
understanding the material on the attack and its implications.
Also, in some projects, the students are expected to learn kernel programming utilities
in order to implement a protection mechanism.
During the following month, and no later than 08/12/03, each group has to present
its plan to the instructor in a personal meeting.
You will have to explain the implementation design in detail and show understanding
of the internals of the attack.
The instructor will set the emphasis of the implementation and the specific project goals.
In your final presentation you will have to demonstrate that the project goals are fulfilled.
You are strongly encouraged to hold this meeting as soon as possible.
The second part of the workshop is devoted to
implementing an attack and a protection mechanism against the attack. You are
expected to test the code, analyze its performance and improve the protection
mechanism, or explain why it cannot be improved. The projects must
not be tested on the university's computers,
except the designated computers in Schreiber 005.
In the last two weeks of the semester
we will have two meetings in which each group will present
its work, including the source code, the demos and the conclusions.
Each presentation will be about 25 minutes long, after which each group member will
be asked questions about the project, to evaluate her/his performance in the workshop.
Emphasis will be placed on understanding the details
of the attack, its implications (the way it can be exploited) as well as its limitations,
and the protection mechanisms.
All students are required to attend the final meetings.
Course Schedule
- 27/10/03
Overview of the projects
Brief introduction to buffer overflow attacks
[Slides]
- 10/11/03
Project assignment
Introductory lecture on "Kernel Programming" by Evgeny Lipovetsky
- 08/12/03
Deadline for presenting project plans (personal meetings of each group with the instructor)
and getting approval.
- 19/1/04
Project presentations and discussions
- 26/1/04
Project presentations and discussions
Course Requirements
- Present the project plan and get approval
- Present the project and answer questions,
following the guidelines in methodology section.
Grade
The grade will consist of the project grade and the
understanding/participation grade. The project grade will be based
solely on the quality of the implementation and the demonstration.
The understanding/participation grade will be based on the instructor's
impression of your understanding of the material in
meetings and in the project discussion in the final class meeting.
Course Policy
Needless to say, any copying or unauthorized sharing of information will
result in a grade penalty or possible disciplinary action. This includes
unauthorized (by the teacher) use of publicly available code (such as code
provided on the Internet) for some of the tasks you are required to
implement.
The use of the university's computers, except the designated computers in Schreiber 005,
for running/testing/debugging any software related to the projects and the workshop
is strictly forbidden.
Registering
Anybody taking this workshop is requested to register by
sending mail.
Projects
- Buffer overflow (Win/Linux)
- Write a service that runs on a remote computer and contains a buffer overflow bug.
- Write an exploit that calls the service, triggers the buffer overflow and gets a remote shell.
- Write a patch that fixes the service without stopping it.
- Bonus: Cooperate with project 3 (Win). Instead of getting a remote
shell, run the virus from project 3 on the remote computer. Run WatchDog
from project 3 on the remote computer, and try to "fool" it by changing the
virus. Draw conclusions about the limitations of the virus and of WatchDog.
Implementation using Hooks
Implementation using CreateRemoteThread
Slides
Read Me First File - Important to read!
(For your convenience - unzip s1, s2 to the libraries into the C:\ base directory)
- Linux buffer overflow
- There is a known buffer overflow bug in the kernel function ptrace(). Explore it to get a root shell.
- Write a source code patch for Linux that fixes the bug.
- Learn about the protection mechanisms provided by StackGuard and LibSafe.
- Apply StackGuard and LibSafe to ptrace() from Linux 2.4.
Do they protect against the buffer overflow exploit you have? Can you break the protection?
- Bonus: Apply existing
tool(s) for buffer overflow detection to the new Linux kernel 2.6. Can you
find a bug? Exploit the bugs to get a root shell (using the experience with
ptrace or other ideas).
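The following is an added example for projects 1 and 2; it is not part of the workshop material or of any project's code. It models the situation both projects revolve around: a fixed-size buffer followed in memory by a StackGuard-style canary and the saved return address. The frame is a C struct rather than a real stack, so the overrun stays inside one object and the program runs deterministically; the canary value is StackGuard's published terminator canary (0x000AFF0D, which contains a NUL byte), while the placeholder return address, the attacker payload and the helper names are constructed for this demonstration. It shows the plain overrun that clobbers the canary, the strcpy-style overrun that the terminator canary stops, the payload that reproduces a known canary through a length-driven copy (one answer to "can you break the protection?"), and the bounded copy that is the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* StackGuard's "terminator" canary, 0x000AFF0D: it contains a NUL byte, so a
 * copy that stops at NUL (strcpy, gets, scanf "%s") cannot write this value
 * and then continue on to the saved return address. */
#define CANARY       0x000AFF0Du
#define ORIGINAL_RET 0x08048ABCu   /* placeholder saved return address (assumption) */

/* Model of a stack frame protected by StackGuard: the canary sits between the
 * local buffer and the saved return address.  buf is at offset 0, so an
 * overrun flows into canary first, then into saved_ret. */
struct frame {
    char     buf[16];
    uint32_t canary;
    uint32_t saved_ret;
};
_Static_assert(sizeof(struct frame) == 24, "no padding expected in the model");

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary    = CANARY;
    f->saved_ret = ORIGINAL_RET;
}

/* The check StackGuard inserts in the function epilogue, before 'ret'. */
int canary_intact(const struct frame *f) {
    return f->canary == CANARY;
}

/* Bug 1: a length-driven copy that trusts the caller, as with read(2) or
 * memcpy() using an attacker-supplied size.  The copy targets the struct's
 * byte representation so the demo stays inside one object; the effect on
 * canary and saved_ret is the same as on a real stack. */
struct frame overflow_with_length(const unsigned char *src, size_t len) {
    struct frame f;
    frame_init(&f);
    if (len > sizeof f) len = sizeof f;      /* stay inside the model frame */
    memcpy(&f, src, len);
    return f;
}

/* Bug 2: a strcpy()-style copy that stops at the first NUL byte. */
struct frame overflow_with_strcpy(const char *src) {
    struct frame f;
    unsigned char *dst = (unsigned char *)&f;
    size_t i = 0;
    frame_init(&f);
    while (i < sizeof f - 1 && src[i] != '\0') {
        dst[i] = (unsigned char)src[i];
        i++;
    }
    dst[i] = '\0';                            /* strcpy writes the terminator too */
    return f;
}

/* The patch: a bounded copy that refuses input which does not fit.
 * Returns 0 on success, -1 if the input was rejected. */
int safe_copy(struct frame *f, const unsigned char *src, size_t len) {
    if (len >= sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Constructed attacker payload: filler up to the canary, a copy of the real
 * canary value (an attacker who has learned it), then the chosen return
 * address.  Returns the payload length, which equals sizeof(struct frame). */
size_t build_payload(unsigned char out[24], uint32_t fake_ret) {
    uint32_t canary = CANARY;
    memset(out, 'A', 16);
    memcpy(out + 16, &canary, sizeof canary);
    memcpy(out + 20, &fake_ret, sizeof fake_ret);
    return 24;
}

int main(void) {
    unsigned char payload[24], junk[24];
    struct frame a, b, c;

    memset(junk, 'A', sizeof junk);
    build_payload(payload, 0xDEADBEEFu);

    c = overflow_with_length(junk, sizeof junk);        /* plain overrun */
    a = overflow_with_length(payload, sizeof payload);  /* known canary, memcpy-style */
    b = overflow_with_strcpy((const char *)payload);    /* known canary, strcpy-style */

    printf("plain overrun:        canary %s, saved_ret=0x%08x\n",
           canary_intact(&c) ? "intact" : "CLOBBERED", (unsigned)c.saved_ret);
    printf("known canary, memcpy: canary %s, saved_ret=0x%08x\n",
           canary_intact(&a) ? "intact" : "CLOBBERED", (unsigned)a.saved_ret);
    printf("known canary, strcpy: canary %s, saved_ret=0x%08x\n",
           canary_intact(&b) ? "intact" : "CLOBBERED", (unsigned)b.saved_ret);
    return 0;
}
```

The three printed lines are the whole argument of the StackGuard part of project 2: the plain overrun is caught by the epilogue check, a copy that stops at NUL cannot get past the terminator canary even when the attacker knows its value, and a length-driven copy (the read(2)/memcpy family) walks straight through a known canary, which is why the patch, not the canary, is the real fix. Build with a plain `cc canary.c`; if your compiler adds its own stack protector the real frame gets a second canary, which does not change what the model shows.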
- WatchDog (Win)
- Write a virus that changes a process' executable code at run time:
replace the original SaveAs operation in the ".text" section of
MS Word, such that each SaveAs is recorded in a log file.
- Use 2 of the 3 ways to run the virus (see Advanced Windows / J. Richter for details):
- DLL injection via the registry
- DLL injection via a system hook
- CreateRemoteThread()
- Kernel programming task: write a driver called WatchDog
that prevents malicious changes to other processes' executable code.
- Bonus: cooperate with
project 1 to improve WatchDog.
[Project Files]
- KeyLog (Win)
- Write a program that logs all keys pressed by the user in 5 password-protected applications
of your choice and recovers the passwords.
- Extend the program to work from the logon screen.
- Kernel programming: write a driver that detects
key-logging activity.
[Project Files]
- "Good virus" (Win)
- Learn about the MSBlast worm that struck last August (August 2003):
its working principle, implications and prevention.
In your opinion, why was it so successful?
- Replace the logic bomb functionality of MSBlast (that is, the reboot)
with a patch utility that does the following:
- closes the "hole" through which MSBlast entered the current host
- replicates itself to the neighbors of the current host
- What is your opinion about a "good virus"? Write a
short note on the topic: pros and cons of a "good virus".
[Slides]
- OS Detection
- Given an IP address, try to figure out automatically the properties of the target
host: OS, service pack, etc.
For example, write a port scanner (open ports 135 and 139 indicate Win32 with high probability, etc.)
- Use SNMP to find out more about the system.
- Use existing exploits to get a remote shell and high privileges.
- Suggest protection techniques.
[Project Homepage]
- ExeMonitor
- Implement the following attack: replace the
functionality of the calculator so that it opens in the "standard" view
instead of the "scientific" view, and vice versa.
Unlike WatchDog (in which the functionality is altered in the process memory),
here you have to do it in the exe file. Run this attack.
- Implement a protection against this attack: write a
driver that maintains a database of all exe files on the computer; it
monitors any attempt to write into an exe file and prevents it.
[Project Files]
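As an added example for the ExeMonitor protection (not the project's own code, which has to be a kernel driver): the "database of all exe files" side of the driver, prototyped in user space. The idea is a baseline of digests taken when the machine is known-good; when something opens an exe for writing, the driver either blocks the write or re-hashes afterwards and compares. The digest here is CRC-32, the file paths and the bytes standing in for calc.exe are constructed for the demonstration, and the helper names are this example's own. CRC-32 detects the byte flips the attack makes but is not tamper-proof (an attacker who can rewrite the file can also pad it to the old CRC), so a deployed baseline would use a cryptographic hash instead; that choice is orthogonal to the baseline-and-compare logic shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (IEEE, reflected polynomial 0xEDB88320), streamed: start from
 * 0xFFFFFFFF, feed chunks through crc32_update, finish with ~crc. */
uint32_t crc32_update(uint32_t crc, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

uint32_t crc32_bytes(const unsigned char *p, size_t n) {
    return ~crc32_update(0xFFFFFFFFu, p, n);
}

/* The same digest over an open file, chunk by chunk (what the driver would
 * compute for each exe when building the baseline). */
uint32_t crc32_file(FILE *fp) {
    unsigned char chunk[4096];
    uint32_t crc = 0xFFFFFFFFu;
    size_t got;
    rewind(fp);
    while ((got = fread(chunk, 1, sizeof chunk, fp)) > 0)
        crc = crc32_update(crc, chunk, got);
    return ~crc;
}

/* Baseline "database": one trusted digest per executable path. */
#define MAX_ENTRIES 64
struct baseline { char path[260]; uint32_t crc; };
struct exe_db   { struct baseline entry[MAX_ENTRIES]; size_t count; };

enum verdict { EXE_OK = 0, EXE_MODIFIED = 1, EXE_UNKNOWN = -1 };

/* Records (or refreshes) the trusted digest for a path.
 * Returns 0 on success, -1 if the database is full. */
int db_record(struct exe_db *db, const char *path, uint32_t crc) {
    for (size_t i = 0; i < db->count; i++)
        if (strcmp(db->entry[i].path, path) == 0) {
            db->entry[i].crc = crc;
            return 0;
        }
    if (db->count == MAX_ENTRIES) return -1;
    strncpy(db->entry[db->count].path, path, sizeof db->entry[0].path - 1);
    db->entry[db->count].path[sizeof db->entry[0].path - 1] = '\0';
    db->entry[db->count].crc = crc;
    db->count++;
    return 0;
}

/* Compares the current digest of a path against the baseline. */
enum verdict db_check(const struct exe_db *db, const char *path, uint32_t crc) {
    for (size_t i = 0; i < db->count; i++)
        if (strcmp(db->entry[i].path, path) == 0)
            return db->entry[i].crc == crc ? EXE_OK : EXE_MODIFIED;
    return EXE_UNKNOWN;   /* not in the baseline: new or renamed executable */
}

int main(void) {
    /* Constructed stand-in for the bytes of calc.exe (assumption: a real
     * driver would read the file itself). */
    unsigned char image[] = "MZ calc: scientific view";
    const char *path = "C:\\WINDOWS\\system32\\calc.exe";
    struct exe_db db = {0};
    enum verdict v;

    db_record(&db, path, crc32_bytes(image, sizeof image));

    /* The project's attack: patch the on-disk image to switch the view. */
    memcpy(image + 9, "standard  ", 10);
    v = db_check(&db, path, crc32_bytes(image, sizeof image));

    printf("%s: %s\n", path,
           v == EXE_OK ? "unchanged" :
           v == EXE_MODIFIED ? "MODIFIED (a driver would block or report the write)" :
           "not in baseline");
    return 0;
}
```

The user-space prototype answers the "database" half of the task; the "monitor an attempt to write" half is the kernel part, where the driver sees the write before it lands and can refuse it rather than detect it afterwards.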
Bibliography and Links
Buffer Overflow
Kernel Programming
Other Links
- The VTrace Tool for Windows NT and Windows 2000,
by Jacob R. Lorch and Alan Jay Smith.
This article describes the techniques used to construct
VTrace, a system tracer for Windows NT and Windows 2000. VTrace collects data
about processes, threads, messages, disk operations, network operations, and
devices. The technique uses a DLL loaded into the address space of every process
to intercept Win32 system calls; establishes hook functions for Windows NT
kernel system calls; modifies the context switch code in memory to log context
switches; and uses device filters to log accesses to devices.
- An overview of the
buffer overrun in the Windows RPC protocol
and a more detailed
article, both
related to the MSBlast worm (project 5), by "The Last Stage of Delirium".
- Useful site for the OS detection project: insecure.org;
this article is a nice introduction.
- Up-to-date articles on hacking techniques and their prevention:
Phrack journal
- Articles, exploits and utilities (in Russian) on
void.ru
- Articles (in English) on security.nnov.ru
- BoundsChecker tool, by Matt Pietrek