Description

Lecture contents

• Slides-I
• Slides-II

Reading material

• Mind Your Languages
• Some thoughts on security after ten years of qmail 1.0
• Undefined Behavior: What happened to My Code?
• wtfjs

Description

This session presents basic low-level attack techniques:

• buffer overflows;
• heap overflows; &
• format string exploitation.

Most of the session is allotted to hands-on experimentation.

Lecture contents

• Slides
• Exercises
• Tarball
  sha256 da8065fa691294bfde119003ab6f4a120f811cebc2109165b07056d58d1ef399

Reading material

• Hacking: The Art of Exploitation (Jon Erickson) -- (Ch. 0x200 & 0x300)
• 80x86 CodeTable
• Intel full ISA reference
• Low-level Software Security by Example
• How to write Buffer Overflows
• Smashing The Stack For Fun And Profit
• Microcorruption
• X86 opcode/instruction reference
• w00w00 on Heap Overflows

Description

Description

This session presents three main basic binary exploitation mitigation techniques:

• stack canaries;
• data execution prevention; &
• ASLR.

We will also talk about their limitations and briefly present more advanced control-flow integrity measures that are currently available.

A good part of the session is allotted to hands-on experimentations.

Lecture contents

• Exercises
• Tarball
  sha256 a30e6a6ac7e0e6744c70c311ad944cc1b4c5c4182e32db33e0766b56e6aea6b0

Reading material

• Stack Smashing as of Today
• Practical Control-Flow Integrity & Randomization for Binary Executables
• Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM
• The Geometry of Innocent Flesh on the Bone
• Framing Signals --- A Return to Portable Shellcode
• ASLR Smack & Laugh Reference
• Exploiting OpenBSD
• Bypassing PaX ASLR Protection
• The Frame Pointer Overwrite
• Bypassing StackGuard and StackShield

Description

Description

Lecture contents

• Exercises
• Tarball
  sha256 14c6d02dd7feb407ffac28022558b9cb7f2760c0ce731235901d5fdd20e9707c

Reading material

• Driller: Augmenting Fuzzing Through Selective Symbolic Execution
• VUzzer: Application-aware Evolutionary Fuzzing
• Directed Greybox Fuzzing
• FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage
• Angora: Efficient Fuzzing by Principled Search
• AFL homepage

Description

The final exam will contain 2 parts:

• The presentation of a research article (groups of 2, 20 minutes + questions) – rank the articles from the list in decreasing order and send a message ranking them to the professors; (see list here) ;
• A mini CTF problem (find the secret key!) and its written solution report (5p. max).

The CTFs are available from https://github.com/rbonichon/asi36-ctf

Presentations (Feb. 28)

Papers

• The Geometry of Innocent Flesh on the Bone
• Hacking Blind
• Transparent ROP Exploit Mitigation using Indirect Branch Tracing
• Compiler Agnostic Function Detection in Binary
• Binary Code is not easy
• All you Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
• SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis
• Weird Machines in ELF
• Practical Control Flow Integrity & Randomization for Binary Executables
• Q: Exploit Hardening Made Easy
• Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost