Computer and Network Security

EECS 588 — Winter 2011

Overview | Schedule | Readings | Attack Presentation | Course Project

Guidelines

  1. Work with a partner. If you need a partner, try posting to the ctools forum.
  2. Review the list of topics below, and email your top five choices, along with the name of your partner, to by 5pm on Monday, 17. I'll resolve conflicts and tell you which topic you've been assigned on Tuesday. Let me know if there are connections to your research area (e.g. machine learning or wireless networking), and I will take these into account when making the assignments.
  3. Write a fresh exploit—don't borrow from pre-packaged attack tools. You may, however, use general purpose tools such as packet sniffers.
  4. You must not test your attack against any real systems except as noted. If you need attack subjects, set up your own dummy systems or use a VM.
  5. If many systems are vulnerable to the attack, construct your demonstration with safety in mind. Design it so that it would be difficult to use against real systems even if it fell into the wrong hands.
  6. Some vulnerabilities have been fixed via software updates. If this is the case, you'll need to demonstrate your attack on an older version.
  7. Many topics include optional bonus challenges. I'll award extra credit proportional to the difficulty of the challenge.
  8. Give a 20 minute presentation in class on the specified date. In it, you should:
    1. Describe how the attack works, how it was discovered, how it was disclosed, and what damage is has caused.
    2. Talk about how you implemented it, including any challenges you faced.
    3. Give a demonstration of your exploit.
    4. Discuss defenses against the attack. If the attack has been fixed, describe how similar problems might be prevented in the future; if it's still a threat, suggest some defenses that might be investigated in new research.

Topics

* Starred topics will be easier if you have some familiarity with assembly language.
Web security topics will probably be in high demand. If you pick any of these attacks, please indicate at least two non-web topics that you'd like to do.

.
DateTopicDescription
1/25/11Modern buffer overflow* Pick a buffer overflow discovered in a major application during the past year and implement your own exploit. Explain how you bypassed modern defenses such as ASLR, DEP, and canaries, if applicable. These articles will help you get started. Bonus challenge: Find and exploit an undocumented buffer overflow in a popular program.
1/27/11Return-oriented programming* Create a dummy program containing a buffer overflow and exploit it using the technique described in this paper. Construct a Turing-complete set of gadgets using the suggested algorithm and demonstrate how this allows you to perform arbitrary computation without injecting any traditional code. Bonus challenge: Apply this to a buffer overflow in a real program.
2/1/11Compiler Trojan horse Modify GCC to implement the self-propagating compiler-resident Trojan horse suggested by Ken Thompson in Reflections on Trusting Trust. Your Trojan should propagate when GCC builds a new copy of itself, and it should inject a demonstration payload when compiling some standard utility program. Bonus challenge: Make a single Trojan that works with two or more compilers, propagating when each builds itself or the other.
2/3/11Kernel-level rootkit* For the operating system of your choice, construct a rootkit (like the one described here) that operates in kernel mode and hides from standard administrative tools; while running, it should not be visible in the file system, process list, or startup files. Bonus challenge: Implement a minimal hypervisor rootkit that contains a basic payload. You could also adapt techniques from SubVirt.
2/8/11Malicious code in websites† Part 1: Build a simple dummy social networking site and use it to demonstrate SQL injection, XSS, and CSRF vulnerabilities. Part 2: Construct an XSS worm to attack your site, like the Samy worm that infected MySpace. Part 3: Implement defenses against each threat. Bonus challenge: Discover an undocumented XSS vulnerability in a popular website.
2/10/11Abusing cookies† [revised] Part 1: Build a simple dummy website and use it to demonstrate XSS-based session hijacking and session fixation vulnerabilities. Explain some basic defenses against these attacks. Part 2: Demonstrate how the evercookie technique combines multiple persistence mechanisms to resist deletion. Experiment with your browser's private browsing mode and evaluate how effectively it segregates persistent state.
2/22/11
2/15/11
Password cracking with rainbow tables Implement a fast password cracker based on the Rainbow Table data structure (more details here). Compute a table containing SHA-1 hashes for as many passwords as you can (assuming a length of 8-characters or less). Adapt the wordlist and letter frequency approaches used by programs like John the Ripper. In class, demonstrate that you can quickly recover passwords from hashes provided by other students. Explain the time-memory trade-offs you faced and how you chose the parameters for your implementation.
2/24/11
2/17/11
CAPTCHA cracking Start with a simple CAPTCHA (like one of these) and create a program that reliably defeats it. Extend your work to break at least two of these CAPTCHAs: AOL Mail, Sirius Radio, and eBay. You might adapt some of the techniques used by this work or this work. Bonus challenge: For major extra points, break reCAPTCHA or the Google CAPTCHA with at least 1% success.
2/15/11
2/22/11
Fooling web users† [revised] Build a simple mock bank site and demonstrate: (1) an SSL stripping attack, where a man-in-the-middle transparently proxies HTTP requests and rewrites HTTPS links to point to look-alike HTTP links; (2) a clickjacking attack, as described here; (3) picture-in-picture and homograph attacks; (4) enhance your SSL attack to demonstrate the null prefix vulnerability (I'll provide a cert) and to defeat OCSP revocation.
2/17/11
2/24/11
Browser DNS rebinding† Use Flash or Java to implement a DNS rebinding attack that subverts the browser's same origin policy. Show how this technique can be used to attack hosts behind a firewall.
3/8/11DNS cache poisoning Demonstrate Dan Kaminsky's fast DNS poisoning attack (another description), where the attacker brute forces responses to insert a false IP address into a DNS cache. Implement the countermeasure described in this paper.
3/10/11Multiuser keystroke eavesdropping This paper describes how an attacker with an account on a multiuser Linux system can exploit side channels to recover keystroke timing from other users. Develop a program to extract timings for login and show that it can be used to speed up password guessing. Bonus challenge: Extract timings for vim and implement a Hidden Markov Model to reconstruct English text.
3/15/11Rogue wireless access point Modify an open-source wireless access point to conduct a man-in-the-middle attack against users who connect through it. Whenever a binary is downloaded via HTTP, modify it on the fly to insert a Trojan horse. I will provide a Linksys WRT54G router. Bonus challenge: Support HTTPS, exploiting the null prefix vulnerability (I'll provide a cert) and defeating OCSP revocation.
3/17/11Smartphone spyware Develop a demonstration spyware program for Android or jailbroken iPhones. Your program should illustrate the dangers of surreptitious data theft, recording, photographing, and location tracking. Think like an attacker: How would you convince users to install the software? How would you conceal it? How would you exfiltrate collected data? Make your demo as realistic as possible. Bonus challenge: Exploit a bug in the smartphone OS to install your spyware as a “drive-by” download.
3/29/11
3/22/11
Cold-boot attack Targeting a popular disk encryption product, create an automated tool to implement the attacks described here. Your tool should recover memory contents after a cold reboot, locate the encryption keys, and provide access to the disk contents. You may use existing memory imaging tools as part of your implementation. Bonus challenge: Target Windows BitLocker.
3/24/11Malicious devices [new] I'll provide a PIC development board that can act as a man-in-the-middle between a PC and a USB device. Program it to simulate the behavior of any two of these malicious peripherals: (1) a keyboard that stores the last n keystrokes and replays them when you type a “secret knock”; (2) a printer that detects official election results and alters them, by shifting votes, to benefit a preset candidate; (3) a drive or a card reader that behaves normally, except during bootup, when it acts like a bootable disk containing malicious code. Bonus challenge: Build your own hardware, and conceal it inside a real peripheral.
3/29/11Web tracking† [new] Part 1: Implement and demonstrate CSS history sniffing, timing-based history sniffing, and browser fingerprinting. Explain how Tor attempts to defend against these techniques. Part 2: Select a widely deployed web bug and instrument your browser to monitor it. Display the data the web bug reports as it tracks you across various popular sites. Explain how sites could use client-side tracking to show targeted ads with far less invasion of privacy.
3/31/11Traffic de-anonymization [revised] Consider a simple anonymizer service, in which clients use SSH tunnels to connect to a SOCKS proxy. Eve is monitoring some of the clients and wants to determine which of them visit a particular website. She enlists the help of Mallory, a man-in-the-middle on the web server's upstream connection. Mallory inserts a watermark into the server's outbound traffic—say, by manipulating packet timing to create jitter with a distinct distribution—and Eve tries to detect the watermark in each client's inbound traffic. Demonstrate this attack, and introduce traffic analysis. Bonus challenge: Demonstrate it against Tor.
4/5/11Internet voting fraud [new] Helios is an Internet voting system that gives every voter a cryptographic proof that their ballot was properly counted. Though Helios is theoretically strong, incautious voters may be fooled in practice by client-side vote stealing attacks. Configure a Helios server, and implement the man-in-the-browser (MiTB) attack described in this paper. Demonstrate your attack by holding a small mock election in class. Discuss the advantages and risks of using end-to-end verifiable Internet voting. Bonus challenge: Exploit a vulnerability in Acrobat Reader to distribute your MiTB attack in a Trojan PDF file sent to voters (see §4.3 of the paper).
4/7/11Jailbreaking [new] Investigate iOS jailbreaking tools (e.g. Spirit, redsn0w, PwnageTool) to understand the low-level techniques they employ. Explain the platform's security architecture and the major techniques that have been used to compromise it. Evaluate the progression of the war between Apple and device hackers—is either side gaining ground? Adapt the jailbreaking toolset to provide a clear step-by-step demonstration to the class. Implement at least one nontrivial component yourselves, and adapt the rest from pieces of existing tools.