• malware, generally
• course overview, logistics
• (if time) x86-64 assembly review

• AT&T, Intel syntax
• official sources for calling convention info
• some x86-64 nits
  • floating point/SSE2

• misc. ASM things (label(%rip); segmentation)
• ELF executable format (start)

• ELF executable format (finish)
• dynamic loading realities
  • procedure linkage table
  • global offset table
• x86-64 encoding (start)

• x86-64 encoding (finish)

• Ghidra as example
• annotation, tricky cases for disassembly
• control flow graphs
• intermediate representation
• decompiling

• virus example: Vienna

• options for viruses/worms:
• where to put code
  • appending, replacing
  • “cavities” in executables
  • system files, bootloaders
• how to get to code to run
  • bootloaders
  • replacing jumps, returns
  • dynamic linking information
  • default start-up program

• whitelisting
• signatures as regexes

• state machines for pattern matching
• combining patterns
• heuristic matching on “weird” executables
• behavior monitoring

• RE2, part B
• obfuscation techniques to hide flow-control
  • merging/splitting functions
  • Tigress’s flatten pattern
• “encrypted” code

• “encrypted” code and decrypter generators
• emulation as analysis tool
• anti-emulation/virtualization techniques
• (start) “mutation engines”

• (finish) “mutation engines”
• anti-debugging techniques
• rootkit-style malware

• command injection vulnerabilities
• dynamic taint tracking
• buffer overflows

• stack smashing pattern

• stack smashing pattern (finish)
• dealing with restrictions on shellcode
• stack canaries

• notes on quiz; reviewing stack canary overwrite
• information disclosure
• shadow stacks

• pointers on the stack
• “write gadgets”
• targets for write gadgets
  • global offset table
  • VTables (start)

• targets for write gadgets
  • VTables (finish)
    • exercise
• arc injection
• ntpd exploit example
• exercise

• memory protection, guard pages
• write XOR execute

(Reiss out of town)

• ASLR: making addresses hard to predict
  • limits on entropy
  • things that must be kept together

• idea of using gadgets
• chaining gadgets together

• finding gadgets automatically
• automatic chain generation
• gadgets without RET

• exercise on placing chain
• attempting to get rid of gadgets
• blind ROP

• overflows on the heap
  • into other objects (sudo example)
  • into heap metadata
• consistency and the heap
• pointer subterfuge via heap metadata

• pointer subterfuge via heap metadata (con’t)
• double-free vulnerabilities
• use-after-free
  • prevalence
  • using type confusion

• use-after free exercises / examples

• integer overflow

• integer overflow (con’t)

• why people like C/C++

• Rust intro

• ownership rule

• Rust borrowing

• escape hatch in Rust; smart pointer
• Rc (reference counting)
• RefCell (dynamic borrow tracking)

• greybox fuzz testing

• symbolic execution idea
  • solving equations
• splitting execution on if statements
• collecting/solving for constraints
• automatic overflows
• optimizing symbolic execution in practice

• briefly static analysis — tracking approximations
  • example for use-after-free
  • points-to analysis difficulty
• sandboxing idea
• problem of applications doing too much
• privilege seperation intro

• challenges with selecting system call filters
• privilege seperation con’t
  • example interface
  • limits on what it does/does not mitigate

• limiting naming — chroot, Linux namespaces

• sandbox escapes (start)

• sandbox escapes (finish)
• whole-application sandboxing
• usability issues with mobile permissions
• sandboxing without OS help

• “fat” pointers (pointer has objcet bounds)
• baggy bounds checking (lookup object bounds)

Note: there are more detailed answer slides for the last exericse in lecture in the slide PDF (added after lecture).

• baggy bounds checking (con’t)
• AddressSanitizer
• comparing bounds checking

9AM-12PM.