(Audio is missing for the first ~15 minutes.)

Topics:

• Malware definitions
• Some Malware history
• Course logistics
• Ethics pledge

Topics:

• Process/System VMs
• Utility for malware analysis
• VM escape/detection

Topics:

• VM (review)
• definitive ISA reference: via Intel, via AMD
• calling convention review
  • x86-64 ABI
• floating point/SSE2
• addressing modes
• segmentation (incomplete)

Topics:

• segmentation (finish/review)
• executable formats
  • Introduction to ELF
  • ELF specification
• dynamic linking
• executable startup
• x86 instruction encoding (start)

Topics:

• x86 instruction encoding (finish)
• virus example: Vienna (start)

Topics:

• virus example: Vienna (finish)
• viruses: hiding code in programs
• viruses: invoking hidden code (start)

(Szor reference: chapter 4.)

Topics:

• viruses: invoking hidden code (finish)
• regular expressions and lex
• on anti-virus effectiveness

(Szor reference: chapter 11.)

Further reference: Hanno Böck’s talk “In Search of Evidence-Based IT-Security”

Topics:

• heuristic detection
• behavior-based detection
• polymorphic malware
• packers and packer detection (start)

(Szor reference: chapter 11, chapter 7.)

• packers and packer detection (finish)
• metamorphic case studies
• anti-reverse engineering
  • anti-disassembly
  • anti-emulation
  • anti-goat
  • anti-debugging (start)

(Szor reference: chapter 7, chapter 6)

Further reference (1): Lakhotia et al, “Are Metamorphic Viruses Really Invincible?” (part 1 in VB Dec’04 and part 2 in VB Jan’05 and appendix).

Topics:

• anti-debugging (finish)
• retroviruses / tunneling / stealth
• Nasi article

(Szor reference: chapter 7)

Further reference: Nasi, “Bypass Antivirus Dynamic Analysis: Limitations of the AV model and how to exploit them”

Topics:

• definitions: vulnerabilities, exploits
• buffer overflows
• basic stack smashing

(Szor reference: chapter 10)

Further reference: Aleph1, “Stack smashing for fun and profit”, Phrack issue 48

notes; drawing 1 2 3; RE example: C file; objdump

Topics:

• stack smashing review
• not-so-great GDB demo
• stack canaries
• pointer subterfuge (start)

Further reference:

• GDB cheat sheet
• Pincus and Baker, “Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overflows”

(Szor reference: chapter 10)

Topics:

• pointer subterfuge
• non-return address targets
• frame pointer overwrite
• heap structure exploits (start)

Topics:

• heap structure exploits
• double-free
• use-after-free
• format string exploits (start)

(Szor reference: chapter 13)

Topics:

• format string exploits (finish)
• mitigations continued
• stack canary review
• shadow stacks
• ASLR (start)

Format string example archive, directory.

Topics:

• ASLR (finish)
• NX
• return-oriented programming

Further reference: Payer, “Too much PIE is bad for performance”

Further reference: Roemer et al, “Return-Oriented Programming: Systems, Languages, and Applications”

Topics:

• ROP (finish)
• C library functions and bounds checking
• adding bounds checking in C

notes

Topics:

• Memory error detectors
• Fuzzing, black and white box

Topics:

• Static analysis
• Rust as a case study

Topics:

• SQL injection
• Command injection
• Taint tracking

Further Reference: OWASP page on Command Injection

Topics:

• Shellshock command injection example
• Cookies and Referrers
• Cross-Site Scripting (XSS)

Further Reference: OWASP page on Cross-Site Scripting

Topics:

• Same Origin Policy
• Cross-Site Request Forgery
• Clickjacking

Further Rererence: Cross-Site Request Forgeries: Exploitation and Prevention

Topics:

• User Tracking
• Sandboxing and Privilege Separation

Further Reference: Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting

Further Reference: The Security Architecture of the Chromium Browser

notes