Sismat Workshops

From Hack Evergreen Wiki

Plaintext paste btw, no formatting yet.

SISMAT 2012 Agenda

This page holds links, topics, exercises, and the schedule for SISMAT 2012. Please feel free to improve and augment it with links, notes, or information. Please do give attribution to other sources if you include them.

Monday 18 June

Everybody arrives.

Tuesday 19 June (Overview, Introduction)

   12:00 - 13:30 Welcome lunch / remarks (Sudi 213)
       Roundtable introduction
       Papers Assigned
   13:30 - 13:45 Break
   13:45 - 14:00 Discussion
       Brief review of read-ahead materials: SISMAT Prep Material
       What do you want to see? Topics?
       Culture shock and shedding normal academic interaction
       Security Mailing Lists
   14:00 - 16:30 “Security”
       What is security? (and Wordle)
       No-tech hacking:
       Linux command line basics


   make sure you have access to a Unix or Linux platform
   vmware player


       CACM Code of Ethics:

Wednesday 20 June (Ethics, System Basics, Shellcode)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Ethics Discussion
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) Intro to IA-32, ELF format, ELF toolchain (readelf, objdump)
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 16:00 Lab 1 (Sudi 002) IA-32 Assembly Programming with NASM / System Calls on Linux
   16:00 - 16:15 Break
   16:15 - 18:00 Lab 2 (Sudi 002) Shellcode Disassembly

Lab 1

Setup: see how gcc produces x86 assembly and examine that assembly. How can we write a small amount of assembly code and assemble it directly into a valid ELF binary? For Task 2, where do we find the system call definitions? What is the system call calling convention on Linux?

   Task 1: Your task is to print out the distribution of instructions in glibc on your Linux machine.
   Task 2: Write a small assembly program to output “hello, world”
   Task 2b: (Optional) If you are ambitious, modify above program to read from a file or stdin and echo to stdout
   Task 3: (Optional) Modify your program to execve a shell
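Task 1 above asks for the distribution of instructions in glibc. The script below is an added example, not part of the workshop materials: it tallies the mnemonic column of `objdump -d` output, so it assumes GNU binutils is installed when pointed at a real library, and otherwise runs on a constructed sample.

```python
import re
import subprocess
from collections import Counter

# One objdump -d instruction line: "  addr:<TAB>hex bytes<TAB>mnemonic operands".
# Byte-only continuation lines and "<symbol>:" headers do not match, so they are
# not counted. Prefixes objdump prints as a separate token (rep, lock) count as
# their own "mnemonic", which is close enough for a distribution.
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\t(?:[0-9a-f]{2}\s)+\s*\t(\S+)")

def count_mnemonics(lines):
    """Tally mnemonic -> occurrences over objdump -d output lines."""
    counts = Counter()
    for line in lines:
        m = INSN_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def disassemble(path):
    """Run objdump -d on an ELF file (assumes GNU binutils is installed)."""
    out = subprocess.run(["objdump", "-d", path], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

def distribution(counts, top=10):
    """Most common mnemonics as (mnemonic, count, percent of all instructions)."""
    total = sum(counts.values()) or 1
    return [(mn, n, 100.0 * n / total) for mn, n in counts.most_common(top)]

# Constructed objdump -d fragment (not taken from a real glibc); it includes a
# byte-only continuation line for the 8-byte nopw, which must not be counted.
SAMPLE = """\
00001000 <f>:
    1000:\t55                   \tpush   %ebp
    1001:\t89 e5                \tmov    %esp,%ebp
    1003:\t83 ec 08             \tsub    $0x8,%esp
    1006:\te8 00 00 00 00       \tcall   100b <f+0xb>
    100b:\t8d 80 00 00 00 00    \tlea    0x0(%eax),%eax
    1011:\t0f 1f 84 00 00 00 00 \tnopw   0x0(%eax,%eax,1)
    1018:\t00 
    1019:\t89 ec                \tmov    %ebp,%esp
    101b:\t5d                   \tpop    %ebp
    101c:\tc3                   \tret    
"""

if __name__ == "__main__":
    import sys
    # e.g. python3 insn_dist.py /path/to/libc.so.6 (path is illustrative)
    lines = disassemble(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for mn, n, pct in distribution(count_mnemonics(lines)):
        print(f"{mn:10s} {n:8d} {pct:6.2f}%")
```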

Lab 2

This lab further illustrates the system call calling conventions and how to spawn a shell via execve(2).

   Task 1: Hand-execute a piece of shellcode ( )
   Task 2: Analyze the semantics of this shellcode (fix broken -p, patch xor ecx,ecx)
   Task 3: (Advanced: hand-execute a piece of polymorphic shellcode)

Goals / Outcomes

The purpose of these labs is to provide you with an introduction to low-level assembly programming and viewing the execution of programs from multiple layers of abstraction (source code, assembly code, ELF, system call API).

Things you should know after doing these labs:

   Difference between a system call and a library call
   How to invoke a system call in Linux at the assembly level
   Understand how a program is loaded and executed by the OS
   Understand the ELF concept and format
   Understand the tools available for static disassembly (ndisasm, udcli, objdump -d)
   Understand how individual instructions manipulate various parts of the process address space

Reading for Wed. Night
   AoE: pages 19 - 37
   AoE: pages 281 - 295

Other References (tool we can use for disassembly of byte sequences at the command line)
   Intel Software Developers Manual, Volume 3A: System Programming Guide, Part 1 Sections 2.1, 2.2, 2.3, 2.4, 2.5 and 2.7

Ethics Discussion

Ethical Considerations in Information Security

Notes

Thursday 21 June (System Instrumentation)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Hardware Support for Protection
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) understanding ptrace(2) kernel implementation
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 16:00 Lab 1 (Sudi 002) Guest Lecture: Dickie George
   16:00 - 16:15 Break
   16:15 - 18:00 Lab 2 (Sudi 002) ptrace exercises

Lab 1

template code is here

These links point to various places in the Linux kernel source code dealing with ptrace.

   The ptrace API: (defines function prototypes for internal kernel service routines related to ptrace and “types” for ptrace requests)
   The platform-specific ptrace API:
   The architecture-specific ABI:
   Definition of sys_ptrace system call function signature:
   enumeration of sys_ptrace in the system call list (number 26):
   Definition of Linux “task_struct”, the Process Control Block. Note particularly the location of ptrace-related flags and signal-related flags like 'ptrace', 'parent', 'real_parent', etc.
   The “highest” layer of ptrace's implementation dealing with finding the process to trace and attaching: (note the use of the SYSCALL_DEFINE4 macro)
   See definition of the SYSCALL_DEFINE macros:
   The part of ptrace's implementation dealing with architecturally-specific requests:


   Intel Developer Manual
       Section 6.1 (Interrupt and Exception Overview)
       Section 6.2 (Exception and Interrupt Vectors)
       Section 6.10 (Interrupt Descriptor Table (IDT))
       Section 6.11 IDT Descriptors
       Figure 2-1 (specifically, the IDTR+IDT use)
       Section 2.7 (System Instruction Summary)
       Table 2-2
       VDSO definition:
       Linux-gate vdso insight:
       SYSENTER/SYSEXIT trivia:

Friday 22 June (Debugging and Simple Vulnerabilities)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Guest Lecture by Doug Madory, Renesys
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) GDB basics, stack setup/activation record layout/calling conventions
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 15:00 Lecture 3: Studying Risk, Wreckage, and Errors
   15:00 - 16:00 Lab 1 (Sudi 002) libpng vuln analysis
   16:00 - 16:15 Break
   16:15 - 18:30 Lab 2 (Sudi 002) Inject small shellcode into target

Notes / References

Lab 1

This lab is a guided exercise and walkthrough of this vulnerability and a PoC exploit.
   link to proof of concept PNG exploit:

Your machine likely has a number of exploit mitigations in place already, and performing basic exploit research to understand the basic concepts (e.g., those presented in “Smashing the Stack for Fun and Profit”) requires you to turn them off to remove some complexity. This includes (but isn't limited to):

   compiling programs with -fno-stack-protector
   turning off ASLR: as root, `echo 0 > /proc/sys/kernel/randomize_va_space'
   marking executables as needing executable data areas: `execstack -s a.out'
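Added example, not from the workshop page: a checker that reports the state of the three mitigations listed above, so that a lab machine can be confirmed hardened again once the exercise is over. It assumes readelf from GNU binutils; the readelf output embedded below is constructed, and the stack-protector test is a heuristic (a binary built with the protector references __stack_chk_fail).

```python
import subprocess
from pathlib import Path

ASLR_PATH = "/proc/sys/kernel/randomize_va_space"

def aslr_level(text):
    """0 = off (the lab setting), 1 = stack/mmap/vdso randomized, 2 = also brk."""
    return int(text.strip())

def stack_executable(readelf_l):
    """Read the GNU_STACK header from 'readelf -lW' output: an E flag means an
    executable stack (what 'execstack -s' sets). A binary with no GNU_STACK
    header at all is treated as executable, matching the kernel's legacy rule."""
    for line in readelf_l.splitlines():
        fields = line.split()
        if fields and fields[0] == "GNU_STACK":
            return "E" in "".join(fields[6:-1])   # flags sit between MemSiz and Align
    return True

def stack_protector_present(readelf_s):
    """Heuristic: a reference to __stack_chk_fail in the symbol table means at
    least one function was instrumented; none suggests -fno-stack-protector."""
    return "__stack_chk_fail" in readelf_s

def check(aslr_text, readelf_l, readelf_s):
    """Hardened state is aslr_level 2, exec_stack False, stack_protector True."""
    return {"aslr_level": aslr_level(aslr_text),
            "exec_stack": stack_executable(readelf_l),
            "stack_protector": stack_protector_present(readelf_s)}

def check_binary(path):
    """Live check of a binary on this machine (needs readelf from binutils)."""
    def readelf(flag):
        return subprocess.run(["readelf", flag, path], capture_output=True, text=True, check=True).stdout
    return check(Path(ASLR_PATH).read_text(), readelf("-lW"), readelf("-sW"))

# Constructed readelf output for a binary left in the lab state (not a real binary).
LAB_READELF_L = """\
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x00600 0x00600 R E 0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
"""
LAB_READELF_S = """\
Symbol table '.dynsym' contains 2 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.0 (2)
"""

if __name__ == "__main__":
    import sys
    print(check_binary(sys.argv[1]) if len(sys.argv) > 1 else check("0\n", LAB_READELF_L, LAB_READELF_S))
```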

Lab 2

This lab is a joint class exercise to design the various pieces and then implement them.

   Write a small piece of standalone assembly code that executes a system call (do something interesting, like open, read, or write to a file, or fetch the process ID)
   store the resulting bytes in a file
   write a small, intentionally-vulnerable program that opens the “payload” file and reads in the bytes to a buffer on the program's stack; you should construct this buffer and the payload so that you overwrite the return address
   make sure to disable any protections and enable something else FIXME
   running your victim program on your payload should cause your “injected” shellcode to execute and achieve the goal of your shellcode

Lab 3 (option)

   “weaponize” the PoC libpng vulnerability

Lab 4 (option)

   Profile ASLR w/ assembly code

Saturday 23 June (Shellcode Injection cont.)

   noon - 1pm: prepare for shellcode injection exercise
   1 - 2pm: pizza
   2 - 5pm: shellcode injection lab
   5 - 6pm: movie

Sunday 24 June (Off)

Monday 25 June (Introduction to Network Security)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Participant paper presentations (4)
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) Introduction to Web Security
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 16:00 Lab 1 (Sudi 002) Lecture: Introduction to networking (Sergey Bratus)
   16:00 - 16:15 Break
   16:15 - 18:00 Lab 2 (Sudi 002) Lab: Introduction to networking (cont.)

   ICMP message types:
   on IDS evasion:
   on IDS evasion:
   (multiple traceroutes picture)
   on the legal and ethical issues involved in sniffing network traffic:
   VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA.

Friday Night Reading

   TCSS, Chapter 12.1 “The Web and Security: Basic Structure”

Tuesday 26 June (Network Manipulation)

   08:30 - 09:00 Breakfast
   09:00 - 10:30 Lecture 1: Paper presentations
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture/Lab 1: networking utilities: nc, ifconfig, ping/icmp, tcpdump, traceroute
   12:30 - 14:30 Lunch (on own)
   14:30 - 16:30 Lab 2: packet construction
   16:30 - 16:45 Break
   16:45 - 17:45 Lab 3: Google Gruyere

Lab 1

Traceroute and tcpdump. Draw your network associations. Reproduce this kind of graph, using GraphViz, for your machine.
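Added example, not from the page: a converter from traceroute output to a Graphviz DOT graph, merging several runs so that hops shared by different destinations become shared nodes. The traceroute text below is constructed; the hop regex assumes the Linux traceroute line format ("ttl  host (ip)  rtt ms ..." or "ttl  * * *").

```python
import re
import sys
from pathlib import Path

# One hop line: ttl, then either "* * *" (no reply) or "host" optionally followed by "(ip)".
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\*|(\S+)(?:\s+\(([\d.]+)\))?)")

def parse_hops(text):
    """Return [(ttl, label)], using '*' as the label of a silent hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header line ("traceroute to ...") or noise
        ttl, host, ip = int(m.group(1)), m.group(2), m.group(3)
        if host is None:
            label = "*"
        elif ip is None or ip == host:    # traceroute -n, or unresolvable address
            label = host
        else:
            label = f"{host} ({ip})"
        hops.append((ttl, label))
    return hops

def to_dot(runs, origin="localhost"):
    """Merge several traceroute outputs into one digraph rooted at origin.
    Silent hops are keyed by ttl only, so two silent hops at the same ttl merge."""
    edges = []
    for text in runs:
        prev = origin
        for ttl, label in parse_hops(text):
            node = f"hop{ttl}_unknown" if label == "*" else label
            if (prev, node) not in edges:
                edges.append((prev, node))
            prev = node
    body = "\n".join(f'  "{a}" -> "{b}";' for a, b in edges)
    return f"digraph traceroutes {{\n  rankdir=LR;\n  node [shape=box];\n{body}\n}}\n"

# Constructed traceroute outputs (documentation addresses, not a real network).
RUN_A = """\
traceroute to example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.lan (192.0.2.1)  0.512 ms  0.401 ms  0.389 ms
 2  * * *
 3  203.0.113.10 (203.0.113.10)  9.1 ms  9.0 ms  8.9 ms
"""
RUN_B = """\
 1  gw.lan (192.0.2.1)  0.5 ms  0.4 ms  0.4 ms
 2  198.51.100.7  2.0 ms  2.1 ms  2.0 ms
"""

if __name__ == "__main__":
    runs = [Path(p).read_text() for p in sys.argv[1:]] or [RUN_A, RUN_B]
    print(to_dot(runs))     # pipe into: dot -Tpng -o routes.png
```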

Lab 2

Packet construction.

The purpose of this lab is to gain experience with command-line packet crafting tools.

   Task 0: Warmup. Install sendip or dnet. I find dnet to be easier to use than sendip. Install netcat.
   Task 1: Pair up. Find out what your neighbor's IP address is. Verify that you can contact them. Examine your ARP table. Examine your routing table.
   Task 2: Stretch. Use the netcat tool to initiate a port scan of your partner's machine. Do not use nmap. Have your partner run tcpdump, filtering by packets from your machine, to observe the scan. What type of packets do you see? Does a full TCP handshake occur for each port?
   Task 3: Have your partner run netcat on a port of their choosing. Use dnet or sendip to craft a nice message to this netcat instance.
   Task 4: Using dnet or sendip only, convince your partner's machine that your machine has the gateway's IP and MAC address by crafting the appropriate ARP messages and sending them to the network. Challenge: use an existing tool like Graphviz to illustrate the evolution of your machine's ARP table.
   Task 5: Using tcpdump, observe only DHCP traffic on the network.
   Task 6: Inject DHCP offers into the network. You may wish to read the DHCP RFC
   Task 7: Hint: you may wish to read the DHCP RFC. You may also wish to peruse the DHCP RFC, after which you should refresh your knowledge of the DHCP RFC.

Lab 3

You can tackle these in any order.

   Task 1: Visit and get as far through it as possible.
   Task 2: Visit and work through these exercises.

Notes and Resources
   Google's Browser Security Handbook:
   Platform for Privacy Preferences (P3P) (list appears midway down page)
   HTTP Request/Response Modifiers (RequestPolicy) (ModifyHeaders)
       OWASP WebScarab Project
   reviewed web application architecture
   OWASP Top Ten Web Security Issues for 2007
   OWASP Top Ten Web Security Issues for 2010
   OWASP Top Five PHP Security Issues
   PHP Prepared Statements and Stored Procedures (link is broken, see his blog)
   (Web App Vulnerability Scanner)
   (OWASP “broken” web app examples)

Wednesday 27 June (Organizational Security, Intrusion Detection)

   08:30 - 09:00 Breakfast
   09:00 - 10:30 Lecture 1: Guest Lecture: Steve Nyman, CISO of Dartmouth PKCS
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2: Intrusion detection. Intrusion recovery scenario; libpcap, libvei
   12:30 - 14:30 Lunch (on own)
   14:30 - 16:30 Lab 1: Building an intrusion sensor. intrusion sensor engineering. Intrusion detection planning exercise
   16:30 - 16:45 Break
   16:45 - 17:45 Lab 2: finish presentations

Presentation Notes

Wed 27 Notes
   Verizon's Data Breach Report (2008)
   Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack
   Chronicle of a Server Break-In (see link to Paul's actual postmortem)
   Abe Singer. “Tempting Fate,” ;login:, Volume 30, #1, USENIX Association, November 2005.
   Cliff Stoll. The Cuckoo's Egg
   IDS evasion

Lab 1 / Team 1

Your task is to produce a set of valid x86 instruction sequences from glibc that end in RET (a ROP gadget toolkit).

Lab 2 / Team GelatoR001Z

Your task is to build, as a large team, an intrusion sensor that reads packets from the network and tries to disassemble their contents.
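As an added illustration of the sensor described above (not the team's code): a Python sketch that walks the Ethernet, IPv4 and TCP headers to reach the payload and flags a long run of 0x90 bytes, the NOP sled that typically precedes injected x86 shellcode. The frame builder, addresses and threshold are constructed for the example; a real sensor would read frames from libpcap and hand payloads to a disassembler.

```python
import struct

ETH_LEN = 14
NOP = 0x90          # x86 one-byte NOP; a long run of them is the classic sled
SLED_MIN = 16       # constructed threshold: flag 16 or more consecutive NOPs

def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None otherwise."""
    if len(frame) < ETH_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ver_ihl, proto = frame[ETH_LEN], frame[ETH_LEN + 9]
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ETH_LEN + 2)[0]
    tcp_off = ETH_LEN + ihl
    if (ver_ihl >> 4) != 4 or proto != 6 or ihl < 20 or len(frame) < tcp_off + 20:
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4     # TCP header length incl. options
    return frame[tcp_off + data_off : ETH_LEN + total_len]

def longest_nop_run(payload):
    """Length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best

def inspect(frame):
    """('ignore', 0) for non-TCP/IPv4 frames, else ('clean'|'nop-sled', longest NOP run)."""
    payload = tcp_payload(frame)
    if payload is None:
        return ("ignore", 0)
    n = longest_nop_run(payload)
    return ("nop-sled" if n >= SLED_MIN else "clean", n)

def build_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame around payload (zero checksums; not a capture)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    for name, data in [("http", b"GET / HTTP/1.0\r\n\r\n"), ("sled", b"\x90" * 32 + b"!")]:
        print(name, inspect(build_frame(data)))
```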

Programming Notes for Lab 1

   Locasto's libpcap tutorial:
   programming systems sense
       if you are on public:
   “Hints for Computer System Design”:
   Concurrent programming help:

Thursday 28 June (Attacks and Bugs)

   08:30 - 09:00 Breakfast
   09:00 - 10:30 Lecture 1: Guest Lecture: Adam Goldstein (Dartmouth PKCS)
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2: Guest Lecture: Richard Weiss “On the Attack Chain”
   11:30 - 13:30 Lunch (on own)
   13:30 - 14:00 Meet at 002
   14:00 - 14:30 SISMAT group photo
   14:30 - 16:00 Lab 1: Nessus lab (scan Apache)
   16:00 - 16:15 Break
   16:15 - 17:45 Lab 2: Polymorphic shellcode lab (see links below)
   17:45 - 18:45 Outwash and Ethics Discussion (wrap up)

Lab 1

Scanning for vulnerabilities.

Install Apache and Nessus. Scan.

Lab 2

Polymorphic shellcode.

What do these pieces of shellcode do? Hand-execute them to find out.

28 June Notes

Ethical Considerations in Information Security

Notes

Friday 29 June (Capture the Flag / Packetwars)

   08:30 - 09:00 breakfast
   09:00 - 10:00 Introduction to Packetwars
   10:00 - 12:30 Session 1 PacketWars (plus video, photos)
   12:30 - 14:00 Lunch break (1 hour)
   14:00 - 16:30 Session 2 PacketWars
   16:30 - 17:00 post-CtF outwash (do we want to form an official SISMAT CtF team?)
   17:00 - 17:30 SISMAT 2012 Post test

29 June Notes

Today Bryan Fite will guide us in an all-day capture-the-flag style team competitive exercise called PacketWars.

Take-Home Exercises

   digital footprint size experiment:
       how big is your digital footprint?
       how much entropy do your passwords have? (z-strings)
   bug diagnoses (find and analyze a bug in real software)
   beat up your OS:

Paper Presentations

Pick a paper and prepare a 20 minute presentation on it, pretending that you are the author defending the work and providing a summary of it. Prepare for 5 to 10 minutes of questions on the paper from other students and the instructors. Your presentations will take place next week.

   Day        Slot  Paper  Presenter
   Monday     1     2      Philip
   Monday     1     3      Dibyo
   Monday     1     4      Trey
   Monday     1     5      Evaristo
   Tuesday    1     7      Mike
   Tuesday    1     8      Corey
   Tuesday    1     9      Stefan
   Tuesday    1     11     Daniel
   Tuesday    1     13     Eman
   Tuesday    1     14     Wadha
   Wednesday  3     18     Michele
   Wednesday  3     10     Nathan
   Wednesday  3     17     Jordan

   Protection in an information processing utility
   A hardware architecture for implementing protection rings
   Protection in Operating Systems
   SecureSwitch: BIOS-Assisted Isolation and Switch between Trusted and Untrusted Commodity OSes
   Intrusion Recovery Using Selective Re-execution
   XFI: Software Guards for System Address Spaces
   "Transparent Runtime Defense Against Stack Smashing Attacks"
   "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks"
   "On the Effectiveness of Address Space Randomization"
   "Return Oriented Rootkits" by Hund, Holz, and Freiling
   "Building Diverse Computer Systems"
   "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks" or "Countering Code-Injection Attacks with Instruction-Set Randomization"
   "The Geometry of Innocent Flesh on the Bone"
   "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention"
   StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
   PointGuard(TM): Protecting Pointers From Buffer Overflow Vulnerabilities
   RIPE:Runtime Intrusion Prevention Evaluator
   Hit 'em Where it Hurts: A Live Security Exercise on Cyber Situational Awareness

News and Links
   Operation Shady Rat (as reported by The Register)
   Operation Shady Rat (the McAffee report)
   Random Number Generation (what has Intel been doing?)
   Ethics (plagiarism hurts everyone)
   Swatting Attack (ethics; using the digital to affect the real)
   Who Are Attackers After? (money)
   Govt "Fights" "Hackers" (two unrelated stories: Anonymous/Wikileaks arrests, and the arrest of Aaron Swartz for downloading JSTOR articles)
   Deep Packet Inspection (Canada Digital Freedom)
   The Windows Heap (Microsoft knows that the heap keeps on giving)
   Disguising Malware is Easy
   Frustrating Facial Analysis
   GRSecurity (these guys are awesome)
   Recurity (these guys are also awesome)
   Update on RSA Hack of 2011 (it is much worse than initially admitted, but this was an open secret…)
   disclosure policy cite:
   Bugs stay unpatched
   technical approaches to avoiding cross-border data examination (by the EFF)
   usenet flamewar on “hackers”:
   Was AntiSec an FBI front?
   Ethics: Stanford prison experiment
   Privacy/Ethics: Should we let children on Facebook:
   A Case Study of the Application of Dynamic Symbolic Execution to Real-World Binary Programs
   Free malware and security tools:
   Duqu Analysis:
   Chris Evans on Browser security:
   The Problem With OAuth:
   Observations about Linux ASLR:
   VMWare Backdoor:
   INFILTRATE presentations:
   Recurity (Security Industry Research)
   mail list post: exploiting NULL dereferences:
   FLAME crypto breakthrough:
   Connection btwn stuxnet and flame?
   supply chain vulns (hardware backdoors)
   or not:
   cybersecurity demand growing: (demand grows, but does real actual need grow?)
   Security fail? in MySQL:
   Security Indicators: why cybersecurity experiments may be flawed:
   Code is complex:
   Concealing XSS injection in HTML5:
   See also: advanced topics in privacy:
   Bellovin Network Security class:
   Google Apps doesn't meet LAPD security requirements (how do you do that, anyway?)
   You Selling Your Privacy:
   Ethical Disclosure: OK to publish bird flu studies?
   embedded device hacking:
   attacking linux kernel security:
   disclosure and patch battle:
   data integrity of backups and remote storage:
   protected mode execution as an anti-debugging feature:
   It's OK to let students hack:
   Information Security Audit class / case study:
   MintChip audit anyone?
   Sheila: a client-side honeypot:


   ERESI: (reverse engineering)
   Google NaCL: Native Client

Specific Vulnerabilities

   link to NULLHttpd:
   NULLhttpd exploit:
   ghttpd vuln:
   ghttpd exploit:
   MS06-001: (WMF vulnerability)


   pull student's network cable: what did you leave exposed?
   ethics: cell phone surveillance
   exercise: decoy documents
   intro: what is security?
   beautiful security: TSA visualization, topics from confs.
   legality of drones
   digital sit ins ==? DDoS?
   coding exercise: write as many lines of code as you can in 5 minutes; must compile and run with no errors. language of your choice.