Exploiting Software Vulnerabilities
This is the official website for maintaining the materials of the course titled “Exploiting Software Vulnerabilities” (course code 62240), an optional course in the Master’s Degree in Informatics Engineering of the School of Engineering and Architecture, University of Zaragoza (Spain).
Lecture planning (course 2022/2023)
- Sep 15:
  - Course introduction and motivation (slides)
  - Vulnerability management and assessment (slides). Recommended readings:
    - A. Avizienis et al., “Basic concepts and taxonomy of dependable and secure computing,” in IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, Jan.-March 2004, doi: 10.1109/TDSC.2004.2
    - P. Marks, “Bounties Mount for Bugs,” Communications of the ACM, Aug 2018 [Online]
    - A.K. Sood, R. Bansal and R. J. Enbody, “Cybercrime: Dissecting the State of Underground Enterprise,” in IEEE Internet Computing, vol. 17, no. 1, pp. 60-68, Jan.-Feb. 2013, doi: 10.1109/MIC.2012.61
    - J. Spring et al., “Towards Improving CVSS,” white paper, SEI CMU, December 2018
    - Sandia’s IDART red team
    - S. Stolfo, A. Keromytis, A. Cui and A. Matwyshyn, “Ethics in Security Vulnerability Research,” in IEEE Security & Privacy, vol. 8, no. 02, pp. 67-72, 2010, doi: 10.1109/MSP.2010.67
- Sep 22: Program Binary Analysis (slides). Recommended readings:
  - A. Bessey et al., “A few billion lines of code later: using static analysis to find bugs in the real world,” in Communications of the ACM, vol. 53, iss. 2, pp. 66-75, Feb 2010, doi: 10.1145/1646353.1646374
  - E. J. Schwartz et al., “All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask),” 2010 IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, 2010, pp. 317-331, doi: 10.1109/SP.2010.26
  - R. Baldoni et al., “A Survey of Symbolic Execution Techniques,” in ACM Comput. Surv. 51, 3, Article 50 (July 2018), 39 pages, doi: 10.1145/3182657
  - V. J. M. Manès et al., “The Art, Science, and Engineering of Fuzzing: A Survey,” in IEEE Transactions on Software Engineering, doi: 10.1109/TSE.2019.2946563
  - D. Cono D’Elia et al., “SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed),” in Asia CCS ’19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, July 2019, pp. 15-27, doi: 10.1145/3321705.3329819
- Sep 29: no lecture
- Oct 06: Laboratory session 1: Process memory maps (lab workbook, auxiliary files)
- Oct 13: no school
- Oct 20: Software Vulnerabilities: Integer Overflows and Format String Bugs (slides). Recommended readings:
  - W. Dietz et al., “Understanding Integer Overflow in C/C++,” in ACM Transactions on Software Engineering and Methodology, 25(1), 2015, pp. 1-29, doi: 10.1145/2743019
  - Team Teso, “Exploiting Format String Vulnerabilities”
  - F. Kilic, T. Kittel, C. Eckert, “Blind Format String Attacks,” in International Conference on Security and Privacy in Communication Networks (SecureComm 2014), Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 153, Springer, Cham, doi: 10.1007/978-3-319-23802-9_23
  - riq & gera, “Advances in format string exploitation,” in Phrack 59, vol. 11, July 2002
  - K.-S. Lhee and S.J. Chapin, “Buffer overflow and format string overflow vulnerabilities,” Softw: Pract. Exper., 33: 423-460, 2003, John Wiley & Sons, Inc., doi: 10.1002/spe.515
- Oct 27: Software Vulnerabilities: Control-Flow Hijacking (slides). Recommended readings:
  - E. H. Spafford, “The internet worm program: an analysis,” in SIGCOMM Comput. Commun. Rev. 19, 1 (Jan. 1989), 17-57, doi: 10.1145/66093.66095
  - E. Bendersky, “Stack frame layout on x86-64,” September 2011
  - Aleph One, “Smashing The Stack For Fun And Profit,” in Phrack 49, vol. 7, November 1996
  - L. Szekeres, M. Payer, T. Wei and D. Song, “SoK: Eternal War in Memory,” 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, 2013, pp. 48-62, doi: 10.1109/SP.2013.13
  - V. van der Veen et al., “Memory Errors: The Past, the Present, and the Future,” in Research in Attacks, Intrusions, and Defenses, RAID 2012, Lecture Notes in Computer Science, vol. 7462, Springer, Berlin, Heidelberg, doi: 10.1007/978-3-642-33338-5_5
- Nov 03: Laboratory session 2: Integer Overflows and Format String Bugs (lab workbook, auxiliary files)
- Nov 10: Software Defenses: Exploitation Mitigation Techniques in the Windows OS (slides). Recommended readings:
  - skape, “Preventing the Exploitation of SEH Overwrites,” Sept. 2006
  - A. Sotirov, M. Dowd, “Bypassing Browser Memory Protections: Setting back browser security by 10 years,” BlackHat USA 2008
  - J.M. Hart, “Windows System Programming,” Addison-Wesley, 4th ed., 2010, ISBN 978-0321657749
  - B. Merino, “Software Exploitation,” tech. report, Spanish Institute of Cybersecurity (formerly Instituto Nacional de Tecnologías de la Comunicación), 2012
  - A. Ionescu, “Windows 8 Security and ARM,” BreakPoint 2012
  - B. Krebs, “Windows Security 101: EMET 4.0,” 2013
  - CCN-CERT, “Guía de Seguridad de las TIC CCN-STIC 950: Recomendaciones de empleo de la herramienta EMET,” Apr. 2017
- Nov 17: Laboratory session 3: Stack-based and Heap-based Overflows (lab workbook, auxiliary files)
- Nov 24: Advanced Exploitation Techniques: Exploit Payloads (slides). Recommended readings:
- Dec 01: Laboratory session 4: Exploitation in Windows (lab workbook, auxiliary files)
- Dec 08: no school
- Dec 15: Advanced Exploitation Techniques: Windows Shellcoding and ROP (slides). Recommended readings:
  - H. Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86),” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), ACM, 2007, pp. 552-561, doi: 10.1145/1315245.1315313
  - Phrack staff, “Prophile on horizon,” in Phrack 60, vol. 11, Dec. 2002
  - D. Uroz, R. J. Rodríguez, “Evaluation of the Executional Power in Windows using Return Oriented Programming,” in Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT), IEEE, 2021, pp. 361-372, doi: 10.1109/SPW53761.2021.00056
- Dec 22: Laboratory session 5: Code-Reuse Attacks in Windows (lab workbook, auxiliary files)
- Jan 12: EXAMINATION. Presentations of the assignments will take place at Seminar A.22, Ada Byron Building, starting at 16:00. List of students and submitted assignments (in alphabetical order):
  - Daniel Huici Meseguer and Christian Omar Pillajo Sánchez, “CVE-2020-8597”
  - Freddy Martínez, CVE-2021-21148 [undisclosed]
  - Raúl Herguido Sevil, “CVE-2021-31870”
License
All the material provided on this webpage is under the CC BY-NC-SA 4.0 license.
Author
Ricardo J. Rodríguez
Previous courses
LAST UPDATE
- January 21, 2022: Added final student assignments
- December 15, 2022: Material addition for EXAMINATION
- December 1, 2022: Material addition for Dec 15, 22
- November 23, 2022: Material addition for Nov 24, Dec 1
- November 9, 2022: Material addition for Nov 10
- October 27, 2022: Material addition for Nov 03
- October 20, 2022: Material addition for Oct 20, Oct 27
- September 27, 2022: Material addition for Oct 06
- September 16, 2022: Material addition for Sep 22
- September 14, 2022: Material addition for Sep 15
- September 01, 2022: Website initial creation