Exploiting Software Vulnerabilities
This is the official website for maintaining the materials of the course titled “Exploiting Software Vulnerabilities” (course code 62240), an optional course in the Master’s Degree in Informatics Engineering of the School of Engineering and Architecture, University of Zaragoza (Spain).
Lecture planning (course 2023/2024)
- Sep 04:
  - Course introduction and motivation (slides)
  - Vulnerability management and assessment (slides). Recommended readings:
    - A. Avizienis et al., “Basic concepts and taxonomy of dependable and secure computing,” in IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, Jan.-March 2004, doi: 10.1109/TDSC.2004.2
    - P. Marks, “Bounties Mount for Bugs,” Communications of the ACM, Aug 2018 [Online]
    - A.K. Sood, R. Bansal and R. J. Enbody, “Cybercrime: Dissecting the State of Underground Enterprise,” in IEEE Internet Computing, vol. 17, no. 1, pp. 60-68, Jan.-Feb. 2013, doi: 10.1109/MIC.2012.61
    - J. Spring et al., “Towards Improving CVSS,” white paper, SEI CMU, December 2018
    - Sandia’s IDART red team
    - S. Stolfo, A. Keromytis, A. Cui and A. Matwyshyn, “Ethics in Security Vulnerability Research,” in IEEE Security & Privacy, vol. 8, no. 2, pp. 67-72, 2010, doi: 10.1109/MSP.2010.67
- Sep 11: Program Binary Analysis (slides). Recommended readings:
  - A. Bessey et al., “A few billion lines of code later: using static analysis to find bugs in the real world,” in Communications of the ACM, vol. 53, iss. 2, pp. 66-75, Feb 2010, doi: 10.1145/1646353.1646374
  - E. J. Schwartz et al., “All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask),” 2010 IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, 2010, pp. 317-331, doi: 10.1109/SP.2010.26
  - R. Baldoni et al., “A Survey of Symbolic Execution Techniques,” in ACM Comput. Surv. 51, 3, Article 50 (July 2018), 39 pages, doi: 10.1145/3182657
  - V. J. M. Manès et al., “The Art, Science, and Engineering of Fuzzing: A Survey,” in IEEE Transactions on Software Engineering, doi: 10.1109/TSE.2019.2946563
  - D. Cono D’Elia et al., “SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed),” in Asia CCS ’19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, July 2019, pp. 15-27, doi: 10.1145/3321705.3329819
- Sep 18: Laboratory session 1: Process memory maps (lab workbook, auxiliary files)
- Sep 25: Software Vulnerabilities: Integer Overflows and Format String Bugs (slides). Recommended readings:
  - W. Dietz et al., “Understanding Integer Overflow in C/C++,” in ACM Transactions on Software Engineering and Methodology, 25(1), 2015, pp. 1-29, doi: 10.1145/2743019
  - Team Teso, “Exploiting Format String Vulnerabilities”
  - F. Kilic, T. Kittel, C. Eckert, “Blind Format String Attacks,” in International Conference on Security and Privacy in Communication Networks (SecureComm 2014), Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 153, Springer, Cham, doi: 10.1007/978-3-319-23802-9_23
  - riq & gera, “Advances in format string exploitation,” in Phrack 59, vol. 11, July 2002
  - K.-S. Lhee and S.J. Chapin, “Buffer overflow and format string overflow vulnerabilities,” Softw: Pract. Exper., 33: 423-460, 2003, John Wiley & Sons, Inc., doi: 10.1002/spe.515
- Oct 02: Software Vulnerabilities: Control-Flow Hijacking (slides). Recommended readings:
  - E. H. Spafford, “The internet worm program: an analysis,” in SIGCOMM Comput. Commun. Rev. 19, 1 (Jan. 1989), 17-57, doi: 10.1145/66093.66095
  - E. Bendersky, “Stack frame layout on x86-64,” September 2011
  - Aleph One, “Smashing The Stack For Fun And Profit,” in Phrack 49, vol. 7, November 1996
  - L. Szekeres, M. Payer, T. Wei and D. Song, “SoK: Eternal War in Memory,” 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, 2013, pp. 48-62, doi: 10.1109/SP.2013.13
  - V. van der Veen et al., “Memory Errors: The Past, the Present, and the Future,” in Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol. 7462, Springer, Berlin, Heidelberg, doi: 10.1007/978-3-642-33338-5_5
- Oct 09: no lecture day
- Oct 16 and Oct 23: Laboratory session 2: Integer Overflows and Format String Bugs (lab workbook, auxiliary files)
- Oct 30: no lecture day
- Nov 06: Software Defenses: Exploitation Mitigation Techniques in the Windows OS (slides). Recommended readings:
  - skape, “Preventing the Exploitation of SEH Overwrites,” Sept. 2006
  - A. Sotirov, M. Dowd, “Bypassing Browser Memory Protections: Setting back browser security by 10 years,” BlackHat USA 2008
  - J.M. Hart, “Windows System Programming,” Addison-Wesley, 4th ed., 2010, ISBN 978-0321657749
  - B. Merino, “Software Exploitation,” tech. report, Spanish Institute of Cybersecurity (formerly Instituto Nacional de Tecnologías de la Comunicación), 2012
  - A. Ionescu, “Windows 8 Security and ARM,” BreakPoint 2012
  - B. Krebs, “Windows Security 101: EMET 4.0,” 2013
  - CCN-CERT, “Guía de Seguridad de las TIC CCN-STIC 950: RECOMENDACIONES DE EMPLEO DE LA HERRAMIENTA EMET,” Apr. 2017
- Nov 13 and Nov 20: Laboratory session 3: Stack-based and Heap-based Overflows (lab workbook, auxiliary files)
- Nov 27: Advanced Exploitation Techniques: Exploit Payloads (slides). Recommended readings:
- Dec 04: Advanced Exploitation Techniques: Windows Shellcoding and ROP (slides). Recommended readings:
  - H. Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86),” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), ACM, 2007, pp. 552-561, doi: 10.1145/1315245.1315313
  - Phrack staff, “Prophile on horizon,” in Phrack 60, vol. 11, Dec. 2002
  - D. Uroz, R. J. Rodríguez, “Evaluation of the Executional Power in Windows using Return Oriented Programming,” in Proceedings of the 15th IEEE Workshop on Offensive Technologies (WOOT), IEEE, 2021, pp. 361-372, doi: 10.1109/SPW53761.2021.00056
- Dec 11 and Dec 18: Laboratory session 4: Code-Reuse Attacks in Windows (lab workbook, auxiliary files)
- Jan 11: EXAMINATION. Presentations of the assignments will take place at Seminar A.22, Ada Byron Building, starting at 16:00. List of students and submitted assignments (in alphabetical order):
License
All the material provided on this webpage is released under the CC BY-NC-SA 4.0 license.
Author
Ricardo J. Rodríguez
Previous courses
LAST UPDATE
- January 10, 2024: Added final student assignments
- July 11, 2023: Website initial creation