This course is one of the security courses of the Security Group in Trento.
It is offered in the framework of the Security and Privacy Master of the European Institute of Innovation and Technology (ICT Labs). It is also available in the regular Master's Degree in Computer Science at the University of Trento.
Please see the current course on Offensive Technologies for up-to-date information.
The course aims at advancing students' concrete knowledge of attacks on operating systems, networks, and applications, with a significant spur of creativity. Security notices (and even proof-of-concept exploits) are little more than research ideas: they tell that something may be possible but do not explain the details (for obvious security reasons). Students must use their creativity to understand what can possibly work and turn the gaps and holes in the description into a workable product.
This course is also part of the 10K students initiative, a European (so far) initiative to improve cyber-security education. Here we only report some tutorials on buffer overflows; more courses are available on the initiative's web site.
The purpose of the course is to develop one or more real-world exploits on the following topic:
This is a practical hands-on course. There will be few lectures; mostly they will be presentations by the students themselves, reporting on how they are progressing.
This is an elective course. In 2015 this course could be credited for 6, 12 or 18 credits depending on effort. From 2015 onwards this has been standardized to 12 credits (as for the Research Project course for regular CS students).
The lectures, seminars, etc. are on the following dates:
| Date | Topic | Slides | Other Material |
|---|---|---|---|
| 2014-09-15 | Administrative Information and Introduction | introductory slides | Presentation on Server-side JS injection and Red Pills for Browsers |
| 2014-09-22 | TestREx: A Testbed for Web Application Exploits | web application vulnerabilities; TestREx demo | Paper describing TestREx |
| 2014-09-29 | Malware Lab: testbed for exploit kits | MalwareLab presentation [PPTx (more legible)] [PDF] | Papers describing exploit kits and the malware lab |
| 2014-10-06 | Discussion of the projects | See below | |
| 2014-10-13 | no lecture | | |
| 2014-10-15 | Students send an email to Fabio Massacci indicating their chosen project and, tentatively, which vulnerabilities and which tools (indicative only, in order to receive feedback) | | |
| 2014-10-20 | Students' presentation in class of their chosen project and feedback by lecturers | | |
| 2014-11-03 | Status report by students and feedback by lecturers | | |
| 2014-11-10 | Status report by students and feedback by lecturers | | |
| Points | Step | Effort | Links |
|---|---|---|---|
| | Deploy Ghost in TestREx | Create the configuration file, run the application in manual mode, open a page and write something on the blog | https://ghost.org/ https://github.com/tryghost/Ghost https://github.com/dockerfile/ghost |
| | Insert vulnerabilities in the code / link a vulnerable library | For 6 credits, 3/4 vulnerabilities of each category in the OWASP Top 10 / SANS Top 50 (12/18 credits require proportionally more vulnerabilities) | https://www.owasp.org/index.php/Top_10_2013-Top_10 http://www.sans.org/top25-software-errors/ Additional information on NodeJS vulnerabilities is on the NodeSecurity Advisories |
| 18-21 | Run exploits for the deployed vulnerabilities | Write a Selenium script to automate the exploit and add it to the TestREx exploit database (open browser / open page / inject exploit) | http://selenium-python.readthedocs.org/en/latest/api.html https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project http://www.exploit-db.com/ |
| 21-24 | Run some (static/dynamic) analysis tools on the code to try to detect the vulnerabilities | Run at least two or three tools and write a summary report with the results of every tool (for more credits, you need to run proportionally more tools) | http://blog.nvisium.com/2014/06/javascript-security-tools.html https://github.com/mozilla/scanjs https://github.com/dpnishant/jsprime https://github.com/bekk/retire.js https://github.com/facebook/jsgrep https://github.com/eslint/eslint https://github.com/jshint/jshint/ https://github.com/chrisallenlane/watchtower https://github.com/SRA-SiliconValley/jalangi |
| +3-6 | Make the vulnerabilities hard to find | Insert the new vulnerability / write the new exploit / run the tools again | |
| +4-8 | Deploy counter-measures | The counter-measure is a run-time monitor for NodeJS. Students have to write a security policy for the vulnerable component so that the exploit is foiled by the security monitor | The NodeSentry monitor is available as a NodeJS package with an accompanying paper |
| +2-4 | Add new rules to the analysis tools | | |
| Points | Step | Effort | Links |
|---|---|---|---|
| | Choose a vulnerable (historic) version of Firefox on NVD | Create a vulnerable configuration in the MalwareLab with the installation of Firefox on a VM | http://nvd.nist.gov |
| 18-21 | Choose a vulnerability and write an exploit for it | Build on an existing Proof-of-Concept exploit or write an exploit from scratch, and test it in the MalwareLab by arming an exploit kit with it | http://www.exploit-db.com; more information on buffer overflows can be found in the 10K students lectures (introductory slides and detailed slides) |
| 21-24 | Choose a second vulnerability and write an exploit for it | Write the new exploit / run the test again in the MalwareLab | |
| +3-6 | Write a second, different exploit for one vulnerability | Find a different way to exploit one of the vulnerabilities | |
| +4-8 | Deploy counter-measures | A counter-measure can be either a patch for the vulnerability or an IDS signature that detects the attack (preferably Bro or Snort) | https://www.bro.org https://www.snort.org |
| | For 12 credits, create a Return-Oriented Programming (ROP) exploit for one vulnerability | Choose one of the two vulnerabilities for which you already have an exploit and write a ROP exploit for it | |
| | For 18 credits, create a ROP exploit for two vulnerabilities | | |
Here we report a selection of past projects successfully pursued by students. The developed exploits are also available upon direct request to the course teachers.