Exploiting Software Vulnerabilities
This is the official website for maintaining the materials of the course titled “Exploiting Software Vulnerabilities” (course code 62240), an optional course in the Master’s Degree in Informatics Engineering of the School of Engineering and Architecture, University of Zaragoza (Spain).
Lecture planning (academic year 2021/2022)
- Sep 27:
  - Course introduction and motivation (slides)
  - Vulnerability management and assessment (slides). Recommended readings:
    - A. Avizienis et al., “Basic concepts and taxonomy of dependable and secure computing,” in IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, Jan.-March 2004, doi: 10.1109/TDSC.2004.2
    - P. Marks, “Bounties Mount for Bugs,” Communications of the ACM, Aug 2018 [Online]
    - A. K. Sood, R. Bansal and R. J. Enbody, “Cybercrime: Dissecting the State of Underground Enterprise,” in IEEE Internet Computing, vol. 17, no. 1, pp. 60-68, Jan.-Feb. 2013, doi: 10.1109/MIC.2012.61
    - J. Spring et al., “Towards Improving CVSS,” white paper, SEI CMU, December 2018
    - Sandia’s IDART red team
    - S. Stolfo, A. Keromytis, A. Cui and A. Matwyshyn, “Ethics in Security Vulnerability Research,” in IEEE Security & Privacy, vol. 8, no. 2, pp. 67-72, 2010, doi: 10.1109/MSP.2010.67
- Oct 04: Program Binary Analysis (slides). Recommended readings:
  - A. Bessey et al., “A few billion lines of code later: using static analysis to find bugs in the real world,” in Communications of the ACM, vol. 53, iss. 2, pp. 66-75, Feb 2010, doi: 10.1145/1646353.1646374
  - E. J. Schwartz et al., “All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask),” 2010 IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, 2010, pp. 317-331, doi: 10.1109/SP.2010.26
  - R. Baldoni et al., “A Survey of Symbolic Execution Techniques,” in ACM Comput. Surv. 51, 3, Article 50 (July 2018), 39 pages, doi: 10.1145/3182657
  - V. J. M. Manès et al., “The Art, Science, and Engineering of Fuzzing: A Survey,” in IEEE Transactions on Software Engineering, doi: 10.1109/TSE.2019.2946563
  - D. Cono D’Elia et al., “SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed),” in Asia CCS ’19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, July 2019, pp. 15-27, doi: 10.1145/3321705.3329819
- Oct 11: no school
- Oct 18: Laboratory session 1: Process memory maps (lab workbook, auxiliary files)
- Oct 25: Software Vulnerabilities: Integer Overflows and Format String Bugs (slides). Recommended readings:
  - W. Dietz et al., “Understanding Integer Overflow in C/C++,” in ACM Transactions on Software Engineering and Methodology, 25(1), 2015, pp. 1-29, doi: 10.1145/2743019
  - Team Teso, “Exploiting Format String Vulnerabilities”
  - F. Kilic, T. Kittel, C. Eckert, “Blind Format String Attacks,” in International Conference on Security and Privacy in Communication Networks (SecureComm 2014), Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 153, Springer, Cham, doi: 10.1007/978-3-319-23802-9_23
  - riq & gera, “Advances in format string exploitation,” in Phrack 59, vol. 11, July 2002
  - K.-S. Lhee and S. J. Chapin, “Buffer overflow and format string overflow vulnerabilities,” Softw: Pract. Exper., 33: 423-460, 2003, John Wiley & Sons, Inc., doi: 10.1002/spe.515
- Nov 01: no school
- Nov 04: Software Vulnerabilities: Control-Flow Hijacking (slides). Recommended readings:
  - E. H. Spafford, “The internet worm program: an analysis,” in SIGCOMM Comput. Commun. Rev. 19, 1 (Jan. 1989), pp. 17-57, doi: 10.1145/66093.66095
  - E. Bendersky, “Stack frame layout on x86-64,” September 2011
  - Aleph One, “Smashing The Stack For Fun And Profit,” in Phrack 49, vol. 7, November 1996
  - L. Szekeres, M. Payer, T. Wei and D. Song, “SoK: Eternal War in Memory,” 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, 2013, pp. 48-62, doi: 10.1109/SP.2013.13
  - V. van der Veen et al., “Memory Errors: The Past, the Present, and the Future,” in Research in Attacks, Intrusions, and Defenses (RAID 2012), Lecture Notes in Computer Science, vol. 7462, Springer, Berlin, Heidelberg, doi: 10.1007/978-3-642-33338-5_5
- Nov 08: Laboratory session 2: Integer Overflows and Format String Bugs (lab workbook, auxiliary files)
- Nov 15: Software Defenses: Exploitation Mitigation Techniques in the Windows OS (slides). Recommended readings:
  - skape, “Preventing the Exploitation of SEH Overwrites,” Sept. 2006
  - A. Sotirov, M. Dowd, “Bypassing Browser Memory Protections: Setting back browser security by 10 years,” BlackHat USA 2008
  - J. M. Hart, “Windows System Programming,” Addison-Wesley, 4th ed., 2010, ISBN 978-0321657749
  - B. Merino, “Software Exploitation,” tech. report, Spanish Institute of Cybersecurity (formerly Instituto Nacional de Tecnologías de la Comunicación), 2012
  - A. Ionescu, “Windows 8 Security and ARM,” BreakPoint 2012
  - B. Krebs, “Windows Security 101: EMET 4.0,” 2013
  - CCN-CERT, “Guía de Seguridad de las TIC CCN-STIC 950: Recomendaciones de empleo de la herramienta EMET” (ICT Security Guide CCN-STIC 950: Recommendations for the use of the EMET tool), Apr. 2017
- Nov 22: Laboratory session 3: Stack-based and Heap-based Overflows (lab workbook, auxiliary files)
- Nov 29: Advanced Exploitation Techniques: Exploit Payloads (slides). Recommended readings:
- Dec 06: no school
- Dec 13: Laboratory session 4: Exploitation in Windows (lab workbook, auxiliary files)
- Dec 20: Advanced Exploitation Techniques: Windows Shellcoding and ROP (slides). Recommended readings:
  - H. Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86),” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), ACM, 2007, pp. 552-561, doi: 10.1145/1315245.1315313
  - Phrack staff, “Prophile on horizon,” in Phrack 60, vol. 11, Dec. 2002
  - D. Uroz, R. J. Rodríguez, “Evaluation of the Executional Power in Windows using Return Oriented Programming,” in Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT), IEEE, 2021, pp. 361-372, doi: 10.1109/SPW53761.2021.00056
- Dec 27: no school
- Jan 03: no school
- Jan 10: Laboratory session 5: Code-Reuse Attacks in Windows (lab workbook, auxiliary files)
- Jan 11: INVITED LECTURE @ Salón de Actos, Ada Byron Building, from 12.00 to 14.00
  - Speaker: Ignacio Pérez, CISO at AST
  - Title (talk given in Spanish): “Llora como forense lo que no supiste defender en tu análisis de riesgos” (“Cry as a forensic analyst over what you failed to defend in your risk analysis”)
  - Abstract (translated from Spanish): Any environment contains multiple vulnerabilities, with different strategies for dealing with them, either before a threat materializes or in advance, by acting on the existing procedures for detecting and responding to security breaches. However, there are never enough resources to apply every possible measure. How is this done in a complex ICT environment?
- Feb 02: EXAMINATION. Presentations of the assignments will take place at Aula A.06, Ada Byron Building, from 09.00 to 11.00. List of students and submitted assignments (in alphabetical order):
License
All the material provided on this webpage is released under the CC BY-NC-SA 4.0 license.
Author
Ricardo J. Rodríguez
Previous courses
Last update
- February 2, 2022: Adding submitted assignments
- January 19, 2022: Adding exam information
- December 29, 2021: Material addition for Jan 10, Jan 11
- November 19, 2021: Material addition for Dec 13, Dec 20
- November 18, 2021: Material addition for Nov 29
- November 2, 2021: Material addition for Nov 22
- October 27, 2021: Material addition for Nov 4, 8, and 15
- October 15, 2021: Material addition for Oct 25
- September 28, 2021: Material addition for Oct 4, Oct 18
- September 20, 2021: Website creation, material addition for Sep 27