Sep 15: Course introduction and motivation (slides)
Sep 22: Vulnerability management and assessment (slides). Recommended readings:
- A. Avizienis et al., “Basic concepts and taxonomy of dependable and secure computing,” in IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, Jan.-March 2004, doi: 10.1109/TDSC.2004.2
- P. Marks, “Bounties Mount for Bugs,” Communications of the ACM, Aug 2018 [Online]
- A.K. Sood, R. Bansal and R. J. Enbody, “Cybercrime: Dissecting the State of Underground Enterprise,” in IEEE Internet Computing, vol. 17, no. 1, pp. 60-68, Jan.-Feb. 2013, doi: 10.1109/MIC.2012.61
- J. Spring et al., “Towards Improving CVSS,” white paper, SEI CMU, December 2018
- Sandia’s IDART red team
Sep 29: Program Binary Analysis (slides). Recommended readings:
- A. Bessey et al., “A few billion lines of code later: using static analysis to find bugs in the real world,” in Communications of the ACM, vol. 53, iss. 2, pp. 66-75, Feb 2010, doi: 10.1145/1646353.1646374
- E. J. Schwartz et al., “All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask),” 2010 IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, 2010, pp. 317-331, doi: 10.1109/SP.2010.26
- R. Baldoni et al., “A Survey of Symbolic Execution Techniques,” in ACM Comput. Surv. 51, 3, Article 50 (July 2018), 39 pages, doi 10.1145/3182657
- V. J. M. Manès et al., “The Art, Science, and Engineering of Fuzzing: A Survey,” in IEEE Transactions on Software Engineering, doi: 10.1109/TSE.2019.2946563
- D. Cono D’Elia et al., “SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed),” in Asia CCS ’19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, July 2019, pp. 15-27, doi: 10.1145/3321705.3329819
Oct 06: Laboratory session 1: Process memory maps (lab workbook, auxiliary files)
Oct 13: no school
Oct 20: Software Vulnerabilities: Buffer and Integer Overflows (slides). Recommended readings:
- E. H. Spafford, “The internet worm program: an analysis,” in SIGCOMM Comput. Commun. Rev. 19, 1 (Jan. 1989), 17-57, doi: 10.1145/66093.66095
- E. Bendersky, “Stack frame layout on x86-64,” September 2011
- Aleph One, “Smashing The Stack For Fun And Profit,” in Phrack 49, vol. 7, November 1996
- L. Szekeres, M. Payer, T. Wei and D. Song, “SoK: Eternal War in Memory,” 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, 2013, pp. 48-62, doi: 10.1109/SP.2013.13
- V. van der Veen et al., “Memory Errors: The Past, the Present, and the Future,” in Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg, doi: 10.1007/978-3-642-33338-5_5
- W. Dietz et al., “Understanding Integer Overflow in C/C++,” in ACM Transactions on Software Engineering and Methodology, 25(1), 2015, pp. 1-29, doi: 10.1145/2743019
Oct 27: Laboratory session 2: Buffer and Integer Overflows (lab workbook, auxiliary files)
Nov 03: Laboratory session 2: Buffer and Integer Overflows (cont.)
Nov 10: Software Vulnerabilities: Format String and Race Conditions (slides). Recommended readings:
- Team Teso, “Exploiting Format String Vulnerabilities”
- riq & gera, “Advances in format string exploitation” in Phrack 59, vol. 11, July 2002
- K.-S. Lhee and S.J. Chapin, “Buffer overflow and format string overflow vulnerabilities,” Softw: Pract. Exper., 33: 423-460, 2003, John Wiley & Sons, Inc., doi: 10.1002/spe.515
- F. Kilic, T. Kittel, C. Eckert, “Blind Format String Attacks,” in International Conference on Security and Privacy in Communication Networks (SecureComm 2014), Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 153. Springer, Cham. doi: 10.1007/978-3-319-23802-9_23
- M. Bishop and M. Dilger, “Checking for Race Conditions in File Accesses,” in Computing Systems, vol. 9, no. 2, pp. 131-152, 1996, USENIX Association.
- J. Wei and C. Pu, “TOCTTOU vulnerabilities in UNIX-style file systems: an anatomical study,” in Proceedings of the 4th conference on USENIX Conference on File and Storage Technologies - Volume 4 (FAST’05), 2005. USENIX Association. doi: 10.5555/1251028.1251040
- J. Yang, A. Cui, S. Stolfo, and S. Sethumadhavan, “Concurrency Attacks,” in 4th USENIX Workshop on Hot Topics in Parallelism (HotPar 12), 2012, USENIX Association.
Nov 17: Laboratory session 3: Format String and Race Conditions (lab workbook, auxiliary files)
Nov 24: Laboratory session 3: Format String and Race Conditions (cont.)
Dec 01: Exploitation Mitigation Techniques in Windows OS (slides). Recommended readings:
- skape, “Preventing the Exploitation of SEH Overwrites,” Sept. 2006
- A. Sotirov, M. Dowd, “Bypassing Browser Memory Protections: Setting back browser security by 10 years,” BlackHat USA 2008
- J.M. Hart, “Windows System Programming,” Addison-Wesley, 4th ed., 2010, ISBN 978-0321657749
- B. Merino, “Software Exploitation,” tech. report, Spanish Institute of Cybersecurity (formerly Instituto Nacional de Tecnologías de la Comunicación), 2012
- A. Ionescu, “Windows 8 Security and ARM,” BreakPoint 2012
- B. Krebs, “Windows Security 101: EMET 4.0,” 2013
- CCN-CERT, “Guía de Seguridad de las TIC CCN-STIC 950: RECOMENDACIONES DE EMPLEO DE LA HERRAMIENTA EMET,” Apr. 2017
Dec 08: no school
Dec 15: Laboratory session 4: Exploitation in Windows OS (lab workbook, auxiliary files)
Dec 22: Malware Analysis: Analysis of Malicious Software 101 (slides). Recommended readings:
- M. Hale Ligh et al., “Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code,” John Wiley & Sons, 1st ed., Nov. 2010, ISBN 978-0470613030
- M. Sikorski and A. Honig, “Practical Malware Analysis,” No Starch Press, Feb. 2012, ISBN 978-1593272906
- U. Bayer, A. Moser, C. Kruegel, and E. Kirda, “Dynamic Analysis of Malicious Code,” in J Comput Virol 2, pp. 67-77, 2006. doi: 10.1007/s11416-006-0012-2
- A. Moser, C. Kruegel and E. Kirda, “Limits of Static Analysis for Malware Detection,” in Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, 2007, pp. 421-430. doi: 10.1109/ACSAC.2007.21
- U. Bayer, I. Habibi, D. Balzarotti, E. Kirda, and C. Kruegel, “A view on current malware behaviors,” in Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more (LEET’09), USENIX Association, USA, 8
- M. Egele, T. Scholte, E. Kirda, and C. Kruegel, “A survey on automated dynamic malware-analysis techniques and tools,” in ACM Comput. Surv. 44, 2, Feb. 2012, 42 pages, doi: 10.1145/2089125.2089126
Dec 29: no school
Jan 05: no school
Jan 12: Laboratory session 5: Malware Analysis (introduction) (lab workbook, auxiliary files)