This schedule is tentative more than two weeks in advance.

Date | Topic | Assignment
Week 1
Mon 01 Feb

Overview / Malware Terminology

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • malware definitions, types
  • course logistics
  • ethics considerations

References:

VM released
Wed 03 Feb

x86 asm 1

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • definitive sources
  • calling convention review
  • floating point/SSE2
  • addressing modes
  • segmentation

References:

  • definitive x86-64 ISA reference: via Intel, via AMD
  • Linux x86-64 calling convention references:
    • x86-64 ABI that Linux uses (based on processor-generic System V ABI); section 3.2.3 is the calling convention
Quiz 1 (quiz for week 1) released, due 2021-02-08 15:15
Week 2
Mon 08 Feb

x86 encoding / Virus

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • x86 instruction encoding
  • virus example: Vienna

References:

  • Szor chapter 4
Quiz 1 (quiz for week 1) due 15:15 (released 2021-02-03)
Wed 10 Feb

Virus 2 / executable formats

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • virus example: Vienna (finish)
  • executable formats
  • viruses: hiding code in programs

References:

Quiz 2 (quiz for week 2) released, due 2021-02-15 15:15
Fri 12 Feb
(no class)
VM due by 11:59pm
RE released
Week 3
Mon 15 Feb

Virus 3

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • viruses: hiding code in programs (finish)
  • viruses: invoking hidden code
    • and boot-loaders and secure boot
    • and dynamic linking
Quiz 3 (quiz for week 3) released, due 2021-02-22 15:15
Quiz 2 (quiz for week 2) due 15:15 (released 2021-02-10)
Wed 17 Feb
(no class)
Fri 19 Feb
(no class)
RE due by 11:59pm
TRICKY released
Week 4
Mon 22 Feb

Signature-based detection

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • (if needed) finish dynamic linking
  • aside: on the cat-and-mouse game of malware detection
  • integrity protection: tripwire, application whitelisting
  • regular expressions and flex

(Szor reference: chapter 11.)

Quiz 3 (quiz for week 3) due 15:15 (released 2021-02-15)
Wed 24 Feb

Signatures / Anti-anti-virus (1)

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • regular expressions and flex (finish)
  • behavior-based detection
  • packers (start)

(Szor reference: chapter 11, chapter 7.)

Quiz 4 (quiz for week 4) released, due 2021-03-01 15:15
Fri 26 Feb
(no class)
TRICKY due by 11:59pm
LEX released
Week 5
Mon 01 Mar

Anti-anti-virus (2)

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • packers (finish)
  • polymorphic/metamorphic malware
  • anti-reverse engineering
    • emulation detection
  • anti-goat

(Szor reference: chapter 7, chapter 6)

Further reference (1): Lakhotia et al, “Are Metamorphic Viruses Really Invincible?” (part 1 in VB Dec’04 and part 2 in VB Jan’05 and appendix).

Quiz 4 (quiz for week 4) due 15:15 (released 2021-02-24)
Wed 03 Mar

Anti-anti-virus (3) / Stack Smashing 0

[ (tentative) slides | screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • messing up debuggers
  • (possibly) messing up disassembly
  • “virtual machine”/emulator based obfuscation
  • (briefly) root-kit style techniques

  • buffer overflows (start)

(Szor reference: chapter 7)

Further reference: Nasi, “Bypass Antivirus Dynamic Analysis: Limitations of the AV model and how to exploit them”

Quiz 5 (quiz for week 5) released, due 2021-03-08 15:15
Fri 05 Mar
(no class)
LEX due by 11:59pm
OBFUSCATE released
Week 6
Mon 08 Mar

Stack Smashing 1

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • buffer overflows
  • basic stack smashing
  • finding stack addresses
  • shellcode

(Szor reference: chapter 10)

Further reference: Aleph1, “Stack smashing for fun and profit”, Phrack issue 48

Quiz 5 (quiz for week 5) due 15:15 (released 2021-03-03)
Wed 10 Mar

Stack Canaries / Format String Exploits

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • integer overflows
  • simple mitigation: stack canaries
  • information disclosure
  • non-contiguous overflows
  • format string exploits
  • non-return address targets (start)
    • virtual tables

(Szor reference: chapter 10)

Quiz 6 (quiz for week 6) released, due 2021-03-15 15:15
Fri 12 Mar
(no class)
OBFUSCATE due by 11:59pm
OVER released
Week 7
Mon 15 Mar

Pointer Subterfuge / Memory Protection

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • non-return address targets (finish)
  • pointer subterfuge
  • guard pages

Further reference:

Quiz 6 (quiz for week 6) due 15:15 (released 2021-03-10)
Wed 17 Mar

Non-executable data / ROP 1

[ (tentative) slides | screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • write XOR execute
  • return-oriented programming

(Szor reference: chapter 13)

Further reference: Roemer et al, “Return-Oriented Programming: Systems, Languages, and Applications”

Further reference: Payer, “Too much PIE is bad for performance”

Quiz 7 (quiz for week 7) released, due 2021-03-22 15:15
Fri 19 Mar
(no class)
SUBTERFUGE released
Week 8
Mon 22 Mar

ROP 2 / ASLR

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]

The slides PDF contains some additional explanation slides for a few of the exercises (added after lecture) that aren’t in the recordings.

  • OBFUSCATE retrospective
  • ROP (finish)
    • jump-oriented programming
    • bootstrapping ROP chains
  • ASLR, revisited (start)
Quiz 7 (quiz for week 7) due 15:15 (released 2021-03-17)
Wed 24 Mar

ASLR / Heap Exploits

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • ROP review
  • ASLR continued
  • heap structure exploits
  • use-after-free (start)
Quiz 08 (quiz for week 8) released, due 2021-03-31 15:15
OVER due (extended deadline; no late submissions allowed)
Fri 26 Mar
(no class)
SUBTERFUGE due by 11:59pm
ROP released
Week 9
Mon 29 Mar
(no class)
Wed 31 Mar

Heap Exploits / Bounds checking 1

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • use-after-free (finish)
  • double-free
  • C library functions and bounds checking
Quiz 09 (quiz for week 9) released, due 2021-04-05 15:15
Quiz 08 (quiz for week 8) due 15:15 (released 2021-03-24)
Fri 02 Apr
(no class)
Week 10
Mon 05 Apr

Bounds checking 2

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • C library functions and bounds checking (finish)
  • adding bounds checking in C (with minimal code changes, hopefully?)
Quiz 09 (quiz for week 9) due 15:15 (released 2021-03-31)
Wed 07 Apr

Testing + fuzzing

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • bounds checking (finish)
  • simple fuzzing
  • symbolic execution
Quiz 10 (quiz for week 10) released, due 2021-04-12 15:15
ROP due by 11:59pm
UAF released
Fri 09 Apr
(no class)
Week 11
Mon 12 Apr

fuzzing / static analysis

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • symbolic execution (finish)
  • greybox fuzzing
  • static analysis (start)
Quiz 10 (quiz for week 10) due 15:15 (released 2021-04-07)
Wed 14 Apr

static analysis / taint tracking

[ (tentative) slides | screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • static analysis (finish)
  • Taint tracking
Quiz 11 (quiz for week 11) released, due 2021-04-19 15:15
Fri 16 Apr
(no class)
UAF due by 11:59pm
FUZZ released
Week 12
Mon 19 Apr

safe systems languages

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • Rust as example
Quiz 11 (quiz for week 11) due 15:15 (released 2021-04-14)
Wed 21 Apr

safe systems languages 2 / sandboxing 1

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • other kinds of smart references/pointers
  • other ideas for language-enforcement
  • least privilege
  • privilege separation as an application design
Quiz 12 (quiz for week 12) released, due 2021-04-26 15:15
Fri 23 Apr
(no class)
Week 13
Mon 26 Apr

sandboxing 2

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • unmodified application isolation
    • problem of enumerating system calls
  • chroot
  • SELinux — labels and mandatory access control rules
  • Linux namespaces
  • containers
Quiz 12 (quiz for week 12) due 15:15 (released 2021-04-21)
FUZZ due by 11:59pm
Wed 28 Apr

sandboxing 3 / mobile permissions systems

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
  • sandboxing without OS support
  • OS X sandbox
  • Qubes

  • Android permissions and humans
  • Android permission omissions
Quiz 13 (quiz for week 13) released, due 2021-05-03 15:15
Thu 29 Apr
(no class)
CHALLENGE released
Fri 30 Apr
(no class)
Week 14
Mon 03 May

shadow stacks / control flow integrity (CFI)

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
Quiz 13 (quiz for week 13) due 15:15 (released 2021-04-28)
Wed 05 May

Final review

[ screencapture (browser; download; audio only) | Zoom (passcode on Collab) ]
Week 15
Wed 12 May
Quiz exam (final exam) released, due 2021-05-13 21:00
Quiz exam-dropped (final exam) released, due 2021-05-13 21:00
due 12 May 2021 at 9PM; normal late policy does not apply
Thu 13 May

Final exam

released 9PM 12 May; due 9PM 13 May

Quiz exam (final exam) due 21:00 (released 2021-05-12)
Quiz exam-dropped (final exam) due 21:00 (released 2021-05-12)
FINAL due