Overview | Schedule | Readings | Attack Presentation | Course Project
Date | Topic | Description |
---|---|---|
2/5/09 | Compiler Trojan horse | Modify GCC to implement the self-propagating compiler-resident Trojan horse suggested by Ken Thompson in Reflections on Trusting Trust. |
2/10/09 | Kernel-level rootkit* | For the operating system of your choice, construct a rootkit (like the one described here) that operates in kernel mode and hides from standard administrative tools; while running, it should not be visible in the file system, process list, or startup files. |
2/12/09 | Privilege escalation* | Demonstrate how a flaw in the Macrovision SafeDisc DRM driver that ships with Windows XP could be used to cause a local privilege escalation, granting a user with limited permissions access to a SYSTEM shell (more info here). |
2/19/09 | CAPTCHA cracking | Choose a simple CAPTCHA (like one of these) and create a program that reliably defeats it. You might adapt some of the techniques used by this work or this work. |
3/3/09 | XSS worm | Build a simple dummy social networking site with a cross-site scripting vulnerability, and construct an XSS worm to attack it, like the Samy worm that infected MySpace. |
3/5/09 | DNS rebinding | Use Flash or Java to implement a DNS rebinding attack; show how it can be used to attack hosts behind a firewall. |
3/17/09 | Fast DNS spoofing | Demonstrate Dan Kaminsky's DNS cache poisoning attack (another description): because the resolver sends every query from the same, predictable source port, the attacker only has to guess the 16-bit transaction ID, and by triggering lookups of random non-existent subdomains it can keep racing the authoritative server without waiting for a cache TTL to expire, while each forged reply carries a poisoned record for the real target name. Implement a countermeasure such as source-port randomization. |
3/24/09 | WEP key recovery | Implement an efficient attack against WiFi's WEP encryption layer that can recover the key by analyzing intercepted traffic. Use whatever recent technique you like, e.g. this one. |
3/26/09 | Rogue wireless access point* | Modify an open-source wireless access point to conduct a man-in-the-middle attack against users who connect through it. Whenever a binary is downloaded via HTTP or HTTPS, modify it on the fly to insert a Trojan horse. For HTTPS, replace the server's cert with a fake one. I can provide a Linksys WRT54G router. |
3/31/09 | VoIP side channels | Capture encrypted VoIP traffic and develop a classifier that can accurately distinguish which of two languages is being spoken without decrypting the packets. Train and test it with several speakers, and try it live in class. |
4/7/09 | Cold-boot attack | Targeting a popular disk encryption product, create an automated tool to implement the attacks described here. Your tool should recover memory contents after a cold reboot, locate the encryption key, and provide access to the disk contents. |
* These topics will be easier if you have some familiarity with x86 assembly language.
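For the 2/5/09 compiler Trojan horse topic, the following is an added toy model of the self-propagating Trojan from Thompson's paper; it is not course material and not a GCC patch. "Programs" are Python source strings, a "binary" is the namespace `exec()` builds from one, and the login program, the backdoor password and all function names are constructed for the example.

```python
"""Toy model of Thompson's self-propagating compiler Trojan horse.

Programs are Python source strings; a "binary" is the namespace exec() builds
from one.  The honest compiler just exec()s its input.  The Trojan recognises
two inputs, the login program and the compiler itself, and patches each, so a
compiler built from clean source by a Trojaned binary is Trojaned too.
"""

# Constructed sample programs: a login check and the honest compiler.
LOGIN_SRC = '''
def check_password(user, password):
    users = {"alice": "hunter2"}          # constructed credential store
    return users.get(user) == password
'''

CLEAN_COMPILER_SRC = '''
def compile(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# The Trojan is a template.  The marker "@@SELF@@" is replaced by a quoted copy
# of the template, so the running code carries its own source (a quine) and
# can reinsert itself into the next compiler it compiles.
TROJAN_TEMPLATE = r'''
def _trojan(src):
    SELF = @@SELF@@
    if "def check_password(" in src:
        # Backdoor 1: the login program accepts "ken" for any user.
        src = src.replace(
            "return users.get(user) == password",
            "return password == 'ken' or users.get(user) == password")
    if "def compile(src):" in src and "_trojan" not in src:
        # Backdoor 2: a compiler being compiled gets this function plus a
        # hook that runs it on every source it will ever compile.
        me = SELF.replace("@@" + "SELF@@", repr(SELF))
        src = src.replace(
            "def compile(src):",
            me + "\ndef compile(src):\n    src = _trojan(src)")
    return src
'''


def trojaned_compiler_source():
    """Stage 0: the attacker's hand-patched compiler, built once from dirty source."""
    me = TROJAN_TEMPLATE.replace("@@" + "SELF@@", repr(TROJAN_TEMPLATE))
    return CLEAN_COMPILER_SRC.replace(
        "def compile(src):",
        me + "\ndef compile(src):\n    src = _trojan(src)")


def build(compiler, src):
    """Compile src with a compiler binary (a namespace exposing compile())."""
    return compiler["compile"](src)


def demo():
    """Rebuild the compiler twice from CLEAN source starting with the Trojaned
    binary, then build login with the result.
    Returns (the sources contain no backdoor, the backdoor still works)."""
    stage0 = {}
    exec(trojaned_compiler_source(), stage0)
    gen1 = build(stage0, CLEAN_COMPILER_SRC)   # clean source, Trojaned compiler
    gen2 = build(gen1, CLEAN_COMPILER_SRC)     # the Trojan rode along
    login = build(gen2, LOGIN_SRC)             # clean login source
    sources_clean = all("ken" not in s for s in (CLEAN_COMPILER_SRC, LOGIN_SRC))
    backdoor_works = (login["check_password"]("alice", "ken")
                      and login["check_password"]("alice", "hunter2")
                      and not login["check_password"]("alice", "wrong"))
    return sources_clean, backdoor_works


if __name__ == "__main__":
    print(demo())
```

The point of the two-generation rebuild in `demo()` is the one Thompson makes: once the binary is Trojaned, the dirty source can be thrown away, and auditing `CLEAN_COMPILER_SRC` and `LOGIN_SRC` finds nothing, because the backdoor lives only in the chain of binaries.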
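For the 3/17/09 fast DNS spoofing topic, the following is an added simulation of the race and of the source-port countermeasure; it is not course material and does not talk to real resolvers. The resolver model, the attacker's guessing strategy, the fixed port number, the zone and the addresses are all constructed for the example.

```python
"""Model of Kaminsky's cache-poisoning race and of source-port randomization.

A toy resolver accepts the first reply whose (query name, transaction ID,
destination port) matches its outstanding query and caches every in-bailiwick
record in it.  The attacker triggers lookups of fresh random subdomains so no
TTL ever blocks a retry, and stuffs a poisoned record for TARGET into each
forged reply.  Everything here is constructed; no real network is touched.
"""
import random

ZONE = "example.com."
TARGET = "www.example.com."        # the name the attacker wants to hijack
ATTACKER_IP = "203.0.113.66"       # constructed (TEST-NET-3)
LEGIT_IP = "198.51.100.10"         # constructed (TEST-NET-2)
FIXED_PORT = 1025                  # the predictable source port of an unpatched resolver
TXID_SPACE = 1 << 16
PORT_RANGE = (1024, 65536)         # ephemeral ports a patched resolver draws from


class Resolver:
    """Caching resolver with one outstanding query at a time."""

    def __init__(self, rng, randomize_port):
        self.rng, self.randomize_port = rng, randomize_port
        self.cache, self.pending = {}, None

    def send_query(self, qname):
        port = self.rng.randrange(*PORT_RANGE) if self.randomize_port else FIXED_PORT
        self.pending = (qname, self.rng.getrandbits(16), port)
        return self.pending

    def receive(self, reply):
        if self.pending is None:
            return False                       # nothing outstanding: dropped
        if (reply["qname"], reply["txid"], reply["dport"]) != self.pending:
            return False                       # wrong txid or port: dropped
        self.pending = None                    # first match wins, the rest are ignored
        for name, ip in reply["records"]:
            if name.endswith(ZONE):            # bailiwick check: in-zone names only
                self.cache[name] = ip
        return True


def attack_round(resolver, rng, forged_per_round):
    """One race for one random subdomain.  Returns True if a forgery was accepted."""
    qname = "%08x.%s" % (rng.getrandbits(32), ZONE)
    resolver.send_query(qname)                 # the attacker triggered this lookup
    for _ in range(forged_per_round):
        guess_port = rng.randrange(*PORT_RANGE) if resolver.randomize_port else FIXED_PORT
        forged = {"qname": qname, "txid": rng.getrandbits(16), "dport": guess_port,
                  "records": [(qname, ATTACKER_IP), (TARGET, ATTACKER_IP)]}
        if resolver.receive(forged):
            return True
    _, txid, port = resolver.pending           # the genuine reply lands after the burst
    resolver.receive({"qname": qname, "txid": txid, "dport": port,
                      "records": [(qname, LEGIT_IP)]})
    return False


def run_attack(randomize_port, rounds, forged_per_round, seed=1):
    """Returns (round in which TARGET was poisoned or None, cached IP for TARGET)."""
    rng = random.Random(seed)
    resolver = Resolver(rng, randomize_port)
    for i in range(1, rounds + 1):
        if attack_round(resolver, rng, forged_per_round):
            return i, resolver.cache.get(TARGET)
    return None, resolver.cache.get(TARGET)


def success_probability(rounds, forged_per_round, randomize_port):
    """Chance that at least one of rounds*forged uniform guesses matches: the
    space is 2^16 transaction IDs, times the port range once ports are random."""
    space = TXID_SPACE * ((PORT_RANGE[1] - PORT_RANGE[0]) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** (rounds * forged_per_round)


if __name__ == "__main__":
    for randomize in (False, True):
        print("port randomization:", randomize,
              "poisoned in round:", run_attack(randomize, 2000, 2000)[0],
              "analytic p:", round(success_probability(2000, 2000, randomize), 6))
```

With a fixed port a few thousand forgeries per round poison the cache within tens of rounds; with the same budget against a randomized port the per-guess odds drop by the size of the port range, which is why source-port randomization was the emergency fix shipped in 2008.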
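For the 4/7/09 cold-boot topic, the following is an added example of the "locate the encryption key" step using the key-schedule constraint test from Halderman et al.; it is not course material and not their tool. The memory image is constructed (random bytes with one real AES-128 key schedule planted and three bits flipped to mimic decay), the planted key is the FIPS-197 Appendix A example key, and the error threshold is an assumption.

```python
"""Locating an AES-128 key in a memory image by its key schedule.

The expanded key (11 round keys, 176 bytes) that AES implementations keep in
RAM is highly redundant: each word is determined by two earlier words.  This
scan treats every 176-byte window of an image as a candidate schedule and
counts the bits that violate that relation, which tolerates the scattered bit
decay a cold boot leaves behind.  The dump below is constructed.
"""
import random


def _make_sbox():
    """Rijndael S-box from the field inverse and affine map (no lookup table)."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= q << 1                                              # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def _g(word, rcon):
    """Key-schedule core: rotate, substitute, add the round constant."""
    return bytes([SBOX[word[1]] ^ rcon, SBOX[word[2]], SBOX[word[3]], SBOX[word[0]]])


def expand_key(key):
    """AES-128 key expansion (FIPS-197 5.2): 16-byte key -> 176-byte schedule."""
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:
            t, rcon = _g(t, rcon), (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def schedule_errors(block):
    """Bits of a 176-byte window that violate w[i] == w[i-4] ^ f(w[i-1]).
    Checking each word against its neighbours (rather than re-expanding the
    first 16 bytes) keeps a decayed bit in the key itself from spoiling the match."""
    w = [block[i:i + 4] for i in range(0, 176, 4)]
    errors, rcon = 0, 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t, rcon = _g(t, rcon), (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        errors += sum(bin(a ^ b ^ c).count("1") for a, b, c in zip(w[i], w[i - 4], t))
    return errors


def find_aes128_keys(image, max_errors=10):
    """Slide a 176-byte window over the image; report (offset, key bytes as found,
    violating bits) for windows that look like a slightly decayed schedule."""
    hits = []
    for off in range(len(image) - 175):
        e = schedule_errors(image[off:off + 176])
        if e <= max_errors:                    # threshold is an assumption
            hits.append((off, image[off:off + 16], e))
    return hits


def constructed_dump(seed=7):
    """Fake memory image: random bytes, one real schedule at offset 700, three
    flipped bits (one of them inside the key).  Returns (image, offset, key)."""
    rng = random.Random(seed)
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    mem = bytearray(rng.getrandbits(8) for _ in range(2048))
    off = 700
    mem[off:off + 176] = expand_key(key)
    for bit in (off * 8 + 5, (off + 40) * 8 + 2, (off + 150) * 8 + 7):
        mem[bit // 8] ^= 1 << (bit % 8)                        # simulated decay
    return bytes(mem), off, key


if __name__ == "__main__":
    image, off, key = constructed_dump()
    for found_off, found_key, errs in find_aes128_keys(image):
        print("offset", found_off, "key", found_key.hex(), "violating bits", errs)
```

The key bytes the scan reports are whatever survived in RAM, so here they differ from the true key in the one decayed bit; correcting those bits from the rest of the schedule is the reconstruction step the paper describes, and the subsequent disk access step depends on the product targeted.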