Computer and Network Security

EECS 588 — Winter 2009


Guidelines

  1. Work with a partner.
  2. Review the list of topics below, and email me your top three choices, along with the name of your partner, by 5pm on Monday, January 26. I'll resolve conflicts and let you know which topic you've been assigned by the end of the day. Let me know if there are connections to your research area (e.g. machine learning or wireless networking), and I will take these into account when making the assignments.
  3. Write a fresh exploit—don't borrow from pre-packaged attack tools. You may, however, use general purpose tools such as packet sniffers.
  4. You must not test your attack against any real systems. If you need attack subjects, set up your own dummy systems or use a VM.
  5. If many systems are vulnerable to the attack, construct your demonstration with safety in mind. Design it so that it would be difficult to use against real systems even if it fell into the wrong hands.
  6. Give a 15-20 minute presentation in class on the specified date. In it, you should:
    1. Describe how the attack works, how it was discovered, how it was disclosed, and what damage it has caused.
    2. Talk about how you implemented it, including any challenges you faced.
    3. Give a demonstration of your exploit.
    4. Discuss defenses against the attack. If the attack has been fixed, describe how similar problems might be prevented in the future; if it's still a threat, suggest some defenses that might be investigated in new research.

Topics

| Date | Topic | Description |
|------|-------|-------------|
| 2/5/09 | Compiler Trojan horse | Modify GCC to implement the self-propagating compiler-resident Trojan horse suggested by Ken Thompson in Reflections on Trusting Trust. |
| 2/10/09 | Kernel-level rootkit* | For the operating system of your choice, construct a rootkit (like the one described here) that operates in kernel mode and hides from standard administrative tools; while running, it should not be visible in the file system, process list, or startup files. |
| 2/3/09, 2/12/09 | Privilege escalation* | Demonstrate how a flaw in the Macrovision SafeDisc DRM driver that ships with Windows XP could be used to cause a local privilege escalation, granting a user with limited permissions access to a SYSTEM shell (more info here). |
| 2/19/09 | CAPTCHA cracking | Choose a simple CAPTCHA (like one of these) and create a program that reliably defeats it. You might adapt some of the techniques used by this work or this work. |
| 3/3/09 | XSS worm | Build a simple dummy social networking site with a cross-site scripting vulnerability, and construct an XSS worm to attack it, like the Samy worm that infected MySpace. |
| 3/5/09 | DNS rebinding | Use Flash or Java to implement a DNS rebinding attack; show how it can be used to attack hosts behind a firewall. |
| 3/17/09 | Fast DNS spoofing | Demonstrate Dan Kaminsky's DNS spoofing attack (another description), where the attacker brute-forces responses by exploiting the predictable source port number, and implement a countermeasure. |
| 3/24/09 | WEP key recovery | Implement an efficient attack against WiFi's WEP encryption layer that can recover the key by analyzing intercepted traffic. Use whatever recent technique you like, e.g. this one. |
| 3/26/09 | Rogue wireless access point* | Modify an open-source wireless access point to conduct a man-in-the-middle attack against users who connect through it. Whenever a binary is downloaded via HTTP or HTTPS, modify it on the fly to insert a Trojan horse. For HTTPS, replace the server's cert with a fake one. I can provide a Linksys WRT54G router. |
| 3/31/09 | VoIP side channels | Capture encrypted VoIP traffic and develop a classifier that can accurately distinguish which of two languages is being spoken without decrypting the packets. Train and test it with several speakers, and try it live in class. |
| 4/7/09 | Cold-boot attack | Targeting a popular disk encryption product, create an automated tool to implement the attacks described here. Your tool should recover memory contents after a cold reboot, locate the encryption key, and provide access to the disk contents. |

* These topics will be easier if you have some familiarity with x86 assembly language.