
Offensive Technologies (2014/2015)

This course is one of the security courses of the Security Group in Trento.

It is offered in the framework of the Security and Privacy Master of the European Institute of Innovation and Technology (ICT Labs). It is also available in the regular Master Degree in Computer Science at the University of Trento.

Please see the current course on Offensive Technologies for up-to-date information.

General Information

The course aims at advancing students' concrete knowledge of attacks on operating systems, networks, and applications, with a significant spur of creativity. Security notices (and even proof-of-concept exploits) are little more than research ideas: they tell you that something may be possible, but do not explain the details (for obvious security reasons). Students must use their creativity to understand what can possibly work and to turn the gaps and holes in the description into a workable product.

This course is also part of the 10K Students initiative, a European (so far) effort to improve cyber-security education. Here we only report some tutorials on buffer overflows; more courses are available on the initiative's web site.

The Syllabus

The purpose of the course is to develop one or more real-world exploits on the following topics:

  • Red pills for JavaScript (as in the movie "The Matrix")
  • Attacks on web applications (NodeJS vulnerabilities)
  • Weaponizing Return-Oriented Programming
  • etc.

This is a practical, hands-on course. There will be few lectures; most sessions will be presentations by the students themselves, reporting on their progress.

Credits

This is an elective course. In 2014/2015 it could be credited for 6, 12 or 18 credits depending on effort. From 2015/2016 onwards this has been standardized to 12 credits (as for the Research Project course for regular CS students).

Schedule

The lectures/seminars etc. are on

  • Monday 16-17 in A215

Lecturers

  • Fabio Massacci (fabio.massacci@unitn.it)
  • Luca Allodi (luca.allodi@unitn.it)
  • Daniel Ricardo Dos Santos (daniel.dossantos@unitn.it)
  • Stanislav Dashevskyi (stanislav.dashevskyi@unitn.it)
  • Viet Hung Nguyen (viethung.nguyen@unitn.it)
Date       | Topic                                                       | Slides                                               | Other Material
2014-09-15 | Administrative Information and Introduction                 | introductory slides                                  | Presentation on server-side JS injection and red pills for browsers
2014-09-22 | TestREx: A Testbed for Web Application Exploits             | web application vulnerabilities; TestREx demo        | Paper describing TestREx
2014-09-29 | Malware Lab: testbed for exploit kits                       | MalwareLab presentation [PPTx (more legible)] [PDF]  | Papers describing exploit kits and the malware lab
2014-10-06 | Discussion of the projects                                  |                                                      | See below
2014-10-13 | no lecture                                                  |                                                      |
2014-10-15 | Students send an email to Fabio Massacci indicating their chosen project and, tentatively, which vulnerabilities and which tools (indicative only, in order to receive feedback) | |
2014-10-20 | Students' presentation in class of their chosen project and feedback by the lecturers | |
2014-11-03 | Status report by students and feedback by the lecturers     |                                                      |
2014-11-10 | Status report by students and feedback by the lecturers     |                                                      |

Projects

Web Applications (Server Side)

Points | Step                                                                      | Effort                                                                                                                                                                                  | Links
       | Deploy Ghost in TestREx                                                   | Create the configuration file, run the application in manual mode, open a page and write something on the blog                                                                          | https://ghost.org/ https://github.com/tryghost/Ghost https://github.com/dockerfile/ghost
       | Insert vulnerabilities in the code / link a vulnerable library            | For 6 credits: 3 or 4 vulnerabilities from each category of the OWASP Top 10 / SANS Top 25 (12/18 credits require proportionally more vulnerabilities)                                 | https://www.owasp.org/index.php/Top_10_2013-Top_10 http://www.sans.org/top25-software-errors/ Additional information on NodeJS vulnerabilities is in the NodeSecurity Advisories
18-21  | Run exploits for the deployed vulnerabilities                             | Write a Selenium script to automate the exploit (open browser / open page / inject exploit) and add it to the TestREx exploit database                                                   | http://selenium-python.readthedocs.org/en/latest/api.html https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project http://www.exploit-db.com/
21-24  | Run some (static/dynamic) analysis tools on the code to try to detect the vulnerabilities | Run at least two or three tools and write a summary report with the results of every tool (for more credits you need to run proportionally more tools)                  | http://blog.nvisium.com/2014/06/javascript-security-tools.html https://github.com/mozilla/scanjs https://github.com/dpnishant/jsprime https://github.com/bekk/retire.js https://github.com/facebook/jsgrep https://github.com/eslint/eslint https://github.com/jshint/jshint/ https://github.com/chrisallenlane/watchtower https://github.com/SRA-SiliconValley/jalangi
+3-6   | Make the vulnerabilities hard to find                                     | Insert the new vulnerability / write the new exploit / run the tools again                                                                                                              |
+4-8   | Deploy counter-measures                                                   | The counter-measure is a run-time monitor for NodeJS. Students have to write a security policy for the vulnerable component so that the exploit is foiled by the security monitor      | The NodeSentry monitor is available as a NodeJS package with an accompanying paper
+2-4   | Add new rules to the analysis tools                                       |                                                                                                                                                                                         |

OS Vulnerabilities

Points          | Step                                                              | Effort                                                                                                                                                     | Links
                | Choose a vulnerable (historic) version of Firefox on NVD          | Create a vulnerable configuration in the MalwareLab by installing that Firefox version on a VM                                                             | http://nvd.nist.gov
18-21           | Choose a vulnerability and write an exploit for it                | Build on an existing proof-of-concept exploit or write an exploit from scratch, then test it in the MalwareLab by arming an exploit kit with it            | http://www.exploit-db.com; more information on buffer overflows is in the 10K Students lectures (introductory slides and detailed slides)
21-24           | Choose a second vulnerability and write an exploit for it         | Write the new exploit / run the test again in the MalwareLab                                                                                               |
+3-6            | Write a second, different exploit for one vulnerability           | Find a different way to exploit one of the vulnerabilities                                                                                                 |
+4-8            | Deploy counter-measures                                           | A counter-measure can be either a patch for the vulnerability or an IDS signature that detects the attack (preferably Bro or Snort)                        | https://www.bro.org https://www.snort.org
For 12 credits  | Create a Return-Oriented Programming (ROP) exploit for one vulnerability | Choose one of the two vulnerabilities for which you already have an exploit and write a ROP exploit for it                                           |
For 18 credits  | Create a ROP exploit for two vulnerabilities                      |                                                                                                                                                            |

Past Projects

Here we report a selection of past projects successfully pursued by students. The developed exploits are also available upon direct request to the course teachers.

course_on_offensive_technologies_2014.txt · Last modified: 2016/08/29 18:45 by fabio.massacci@unitn.it