Attack Presentations
Guidelines
- Work with a partner. If you need a partner, try posting to the ctools forum.
- Review the list of topics below and assign each topic a preference score from 0–3 stars. Email your nonzero preferences, along with the uniqnames of you and your partner, to by 5pm on Wednesday, January 23. I'll resolve conflicts and tell you which topic you've been assigned. Let me know if there are connections to your research area (e.g. machine learning or wireless networking), and I'll take these into account if possible.
- Write a fresh exploit—don't borrow from pre-packaged attack tools. You may, however, use general purpose tools such as packet sniffers.
- You must not test your attack against any real systems except as noted. If you need attack subjects, set up your own dummy systems or use a VM.
- If many systems are vulnerable to the attack, construct your demonstration with safety in mind. Design it so that it would be difficult to use against real systems even if it fell into the wrong hands.
- Some vulnerabilities have been fixed in newer software. If this is the case, you'll need to demonstrate your attack on an old version.
- Many topics include optional bonus challenges. I'll award extra credit proportional to the difficulty of the challenge.
- Give a 20 minute presentation in class on the specified date.
In it, you should:
- Describe how the attack works, how it was discovered, how it was disclosed, and what damage is has caused.
- Talk about how you implemented it, including any challenges you faced.
- Give a demonstration of your exploit.
- Discuss defenses against the attack. If the attack has been fixed, describe how similar problems might be prevented in the future; if it's still a threat, suggest some defenses that might be investigated in new research.
Topics
Note on early topics: I'm aware that the groups doing the first few topics will have limited time to prepare, so grading will be relatively generous.
* Starred topics will be easier if you have some familiarity with assembly language.
| Date | Topic | Description |
|---|---|---|
| 1/29/13 | Modern buffer overflow* | Pick a buffer overflow discovered in a major application during the past two years and implement your own exploit. Explain how you bypassed modern defenses such as ASLR, DEP, and canaries, if applicable. These articles will help you get started. Bonus challenge: Find and exploit an undocumented buffer overflow in a popular program. |
| 1/31/13 | Return-oriented programming* | Create a dummy program containing a buffer overflow and exploit it using the technique described in this paper. Construct a Turing-complete set of gadgets using the suggested algorithm and demonstrate how this allows you to perform arbitrary computation without injecting any traditional code. Bonus challenge: Apply this to a buffer overflow in a real program. |
| 2/5/13 | Compiler Trojan horse | Modify GCC to implement the self-propagating compiler-resident Trojan horse suggested by Ken Thompson in Reflections on Trusting Trust. Your Trojan should propagate when GCC builds a new copy of itself, and it should inject a demonstration payload when compiling some standard utility program. Bonus challenge: Make a single Trojan that works with two or more compilers, propagating when each builds itself or the other. |
| 2/7/13 | Kernel-level rootkit* | For the operating system of your choice, construct a rootkit (like the one described here) that operates in kernel mode and hides from standard administrative tools; while running, it should not be visible in the file system, process list, or startup files. Bonus challenge: Implement a minimal hypervisor rootkit that contains a basic payload. You could also adapt techniques from SubVirt. |
| 2/12/13 | Malicious code in websites | Part 1: Build a simple dummy social networking site and use it to demonstrate SQL injection, XSS, and CSRF vulnerabilities. Part 2: Construct an XSS worm to attack your site, like the Samy worm that infected MySpace. Part 3: Implement defenses against each threat. Bonus challenge: Discover an undocumented XSS vulnerability in a popular website. |
| 2/14/13 | Abusing cookies | Part 1: Build a simple dummy website and use it to demonstrate XSS-based session hijacking and session fixation vulnerabilities. Explain some basic defenses against these attacks. Part 2: Demonstrate how the evercookie technique combines multiple persistence mechanisms to resist deletion. Experiment with your browser's private browsing mode and evaluate how effectively it segregates persistent state. |
| 2/14/13 | Browser DNS rebinding | Use Flash or Java to implement a DNS rebinding attack that subverts the browser's same origin policy. Show how this technique can be used to attack hosts behind a firewall. |
| 2/19/13 | CAPTCHA cracking | Start with a simple CAPTCHA (like one of these) and create a program that reliably defeats it. Extend your work to defeat a CAPTCHA used by an Alexa Top 500 site. You might adapt some of the techniques used by this work or this work. Bonus challenge: For major extra points, break reCAPTCHA with at least 1% success. |
| 2/19/13 | Web tracking | Part 1: Implement and demonstrate CSS history sniffing, timing-based history sniffing, and browser fingerprinting. Explain how Tor attempts to defend against these techniques. Part 2: Select a widely deployed web bug and instrument your browser to monitor it. Display the data the web bug reports as it tracks you across various popular sites. Explain how sites could use client-side tracking to show targeted ads with far less invasion of privacy. |
| 2/21/13 | Password cracking with rainbow tables | Implement a fast password cracker based on the Rainbow Table data structure (more details here). Compute a table containing SHA-1 hashes for as many passwords as you can (assuming a length of 8-characters or less). Adapt the wordlist and letter frequency approaches used by programs like John the Ripper. In class, demonstrate that you can quickly recover passwords from the leaked LinkedIn password database. Explain the time-memory trade-offs you faced and how you chose the parameters for your implementation. |
| 2/21/13 | Fooling web users | Build a simple mock bank site and demonstrate: (1) an SSL stripping attack, where a man-in-the-middle transparently proxies HTTP requests and rewrites HTTPS links to point to look-alike HTTP links; (2) a clickjacking attack, as described here; (3) picture-in-picture and homograph attacks; (4) enhance your SSL attack to demonstrate the null prefix vulnerability (I'll provide a cert) and to defeat OCSP revocation. |
| 2/26/13 | Smartphone spyware | Develop a demonstration spyware program for Android or jailbroken iPhones. Your program should illustrate the dangers of surreptitious data theft, recording, photographing, and location tracking. Think like an attacker: How would you convince users to install the software? How would you conceal it? How would you exfiltrate collected data? Make your demo as realistic as possible. Bonus challenge: Show such spyware can be automatically installed to a user's Android phone by malware running on the user's computer. |
| 2/28/13 | Firmware-resident malware New! | Demonstrate the potential harm of malicious firmware attacks in the context of a digital camera, using the CHDK framework: (a) Reprogram the camera so that it refuses to take a picture whenever a particular symbol (chosen by the attacker) is visible in the frame; and (b) steganographically embed the time (and location, if the camera has GPS) when each picture is taken in the pixel data, so that it cannot easily be stripped out or decoded by anyone except the attacker. Bonus challenge: Program the camera to mask your own face if anyone takes a picture of you, as in this example. |
| 2/28/13 | TLS Protocol Attacks New! | Implement the CRIME attack against TLS and show how it allows an attacker to steal a user's authentication cookie for an HTTPS website. In your presentation, also explain the related BEAST attack. Bonus challenge: Implement and demonstrate BEAST. |
| 3/12/13 | TCP Attacks New! | Implement an off-path TCP RST attack and show how it can be used to disrupt a long-lived TCP connection (e.g., an SSH tunnel). Your attack should work correctly on modern Windows targets. For your presentation, give a realistic attack scenario, and be sure to describe how you determine the connection parameters (source port, destination port, sequence number) without the ability to observe packets directly. Bonus challenge: Extend the attack to inject arbitrary data into an long-lived TCP connection (with the attacker still off path). |
| 3/14/13 | DNS cache poisoning | Demonstrate Dan Kaminsky's fast DNS poisoning attack (another description), where the attacker brute forces responses to insert a false IP address into a DNS cache. Implement the countermeasure described in this paper. |
| 3/19/13 | Rogue wireless access point | Modify an open-source wireless access point to conduct a man-in-the-middle attack against users who connect through it. Whenever a binary is downloaded via HTTP, modify it on the fly to insert a Trojan horse. I will provide a Linksys WRT54G router. Bonus challenge: Support HTTPS, exploiting the null prefix vulnerability (I'll provide a cert) and defeating OCSP revocation. |
| 3/21/13 | WEP key recovery | Implement an efficient attack against WiFi's WEP encryption layer that can recover the key by analyzing intercepted traffic. Use whatever technique you like, e.g. this one. Explain the technique and demonstrate it in class. |
| 3/26/13 | Cold-boot attack | Targeting a popular disk encryption product, create an automated tool to implement the attacks described here. Your tool should recover memory contents after a cold reboot, locate the encryption keys, and provide access to the disk contents. You may use existing memory imaging tools as part of your implementation. Bonus challenge: Target Windows BitLocker. |
| 3/26/13 | Multiuser keystroke eavesdropping | This paper describes how an attacker with an account on a multiuser Linux system can exploit side channels to recover keystroke timing from other users. Develop a program to extract timings for login and show that it can be used to speed up password guessing. Bonus challenge: Extract timings for vim and implement a Hidden Markov Model to reconstruct English text. |
| 3/28/13 | Hardware Trojan New! | Implement and demonstrate a Trojan horse embedded into a microprocessor core. Use an FPGA (you'll have to provide your own) and an open source core, as in this paper. Your Trojan should implement a simple malicious function that is difficult to detect in normal operation but easy for an attacker to trigger. Bonus challenge: Implement an attack that is remotely triggerable over a network. |
| 3/28/13 | Malicious peripherals | I'll provide a PIC development board that can act as a man-in-the-middle between a PC and a USB device. Program it to simulate the behavior of any two of these malicious peripherals: (1) a keyboard that stores the last n keystrokes and replays them when you type a “secret knock”; (2) a printer that detects official election results and alters them, by shifting votes, to benefit a preset candidate; (3) a drive or a card reader that behaves normally, except during bootup, when it acts like a bootable disk containing malicious code. Bonus challenge: Build your own hardware, and conceal it inside a real peripheral. |
| 4/2/13 | VoIP side channels | Capture encrypted VoIP traffic and develop a classifier that can accurately distinguish (without decrypting the packets) whether the speaker is male or female. Bonus challenge: Distinguish which of two languages is being spoken. |
| 4/2/13 | Deanonymizing search data New! | In 2006, AOL published logs from its search engine that showed the queries performed by 650,000 randomly selected users. To protect privacy, they replaced each user ID with a unique integer, but people quickly realized that they could reidentify users by combining their search history with information from other sources. Download the AOL dataset and demonstrate this attack by deanonymizing (with high confidence) at least 6 users. (Search the web to make sure these IDs have not already been publicly deanonymized.) In your presentation, explain the process you used, but please be sensitive (e.g., black out the individuals' names). Show queries from the dataset that illustrate the many kinds of personal information that have been potentially exposed. |
| 4/4/13 | Traffic deanonymization | Consider a simple anonymizer service, in which clients use SSH tunnels to connect to a SOCKS proxy. Eve is monitoring some of the clients and wants to determine which of them visit a particular website. She enlists the help of Mallory, a man-in-the-middle on the web server's upstream connection. Mallory inserts a watermark into the server's outbound traffic—say, by manipulating packet timing to create jitter with a distinct distribution—and Eve tries to detect the watermark in each client's inbound traffic. Demonstrate this attack, and introduce traffic analysis. Bonus challenge: Demonstrate it against Tor. |
| 4/9/13 | Internet voting fraud | Helios is an Internet voting system that gives every voter a cryptographic proof that their ballot was properly counted. Though Helios is theoretically strong, incautious voters may be fooled in practice by client-side vote stealing attacks. Configure a Helios server, and implement the man-in-the-browser (MiTB) attack described in this paper. Demonstrate your attack by holding a small mock election in class. Discuss the advantages and risks of using end-to-end verifiable Internet voting. Bonus challenge: Exploit a vulnerability in Acrobat Reader to distribute your MiTB attack in a Trojan PDF file sent to voters (see §4.3 of the paper). |
| 4/11/13 | Jailbreaking | Investigate iOS jailbreaking tools (e.g. Spirit, redsn0w, PwnageTool) to understand the low-level techniques they employ. Explain the platform's security architecture and the major techniques that have been used to compromise it. Evaluate the progression of the war between Apple and device hackers—is either side gaining ground? Adapt the jailbreaking toolset to provide a clear step-by-step demonstration to the class. Implement at least one nontrivial component yourselves, and adapt the rest from pieces of existing tools. |
