Thanks to Lockheed Martin for a generous gift in support of this class.
This schedule will be updated as the semester progresses. Here is a quick link to the current lecture.
- [Aug 30: Lecture 1] Lecturer: Jonathan Katz
Private-key encryption; CBC-mode encryption; plaintext padding
Homework (ungraded): implement CBC-mode encryption and decryption (using AES). Your program should read the plaintext from an ASCII text file, and output the ciphertext (in hex) to another file. You may assume the plaintext has length a multiple of 128 bits. You may also hardcode an IV; you do not have to worry about generating a (pseudo)random IV.
- [Sept 4: Lecture 2] Lecturer: Jonathan Katz
In-class lab: Implementing padding-oracle attacks.
Useful files are here.
Homework (graded): Complete your implementation of the padding-oracle attack, and submit the program along with a Makefile. (You can assume your program will be compiled in a directory containing all the files linked from the class website.) Name your program attack.c, and the executable attack.
Your program should take two command-line arguments, the first specifying an input file (containing a ciphertext, encrypted under some unknown key, formatted as in challenge-ciphertext.txt) and the second specifying an output file.
Your program may call a function cbcdec which implements a "padding oracle" for the same unknown key, and should output (in hex) the resulting plaintext to the specified output file.
You should not exploit buffer-overflow or similar attacks in the padding-oracle code, or attempt to extract the key from the compiled padding oracle.
You may assume the challenge ciphertext is exactly 3 blocks long (as is challenge-ciphertext.txt), for simplicity.
Submit your homework via the submit server.
Also: please install BackTrack 5 (any release) on your laptop in advance of lecture 4, and bring your laptop to class that day. (Note: the easiest is just to run BackTrack within a VM on your machine.)
- [Sept 6: Lecture 3] Lecturer: Jonathan Katz
Wireless security; attacking WEP
- [Sept 11: Lecture 4] Lecturer: Jonathan Katz
In-class lab: Wireless security; attacking WEP
- [Sept 13: Lecture 5] Lecturer: Mike Hicks
Introduction to the web; web-app penetration testing
- W3Schools tutorials on
- Aspect Security on-line trainings: an indexed PDF will take you to all the ones available to us. You can use the account information you received in e-mail to access these. Relevant modules include 211-216, 411-412 (among others). Many thanks to Aspect Security for giving us free access to this on-line material!
- Zap proxy on-line videos for setup and basic use, and the wiki documentation manual, which contains links to useful penetration testing
- [Sept 18: Lecture 6] Lecturer: Mike Hicks
In-class lab: Penetration testing on Bad Store
- [Sept 20: Lecture 7] Lecturer: Mike Hicks
Static analysis for finding vulnerabilities
Lecture slides (3 slide decks):
PQL; LAPSE; pointer analysis (bug in the last slide deck corrected 10/15/12, 9:30am)
- [Sept 25: Lecture 8] Lecturer: Mike Hicks
In-class lab: Finding security vulnerabilities using LAPSE
Homework (graded, due October 15, 9am): Complete the following labs by exploiting the vulnerabilities in WebGoat:
- Numeric SQL injection
- String SQL injection
- Reflected XSS attack
You do not have to do the extra credit parts. You will need to use a web proxy to complete some of these (e.g., Zap). You are free to try using LAPSE to find the potential source of
Please submit a document describing how you completed the attacks. In particular, say what you typed into a form field, what you changed in Zap (if at all), and what the outcome was. Feel free to collect screenshots to explain. It's OK for you to view the solution videos if you get stuck.
- [Sept 27: Lecture 9] Lecturer: Jeff Foster
Symbolic execution (slides,
- [Oct 2: Lecture 10] Lecturer: Jeff Foster
In-class lab: Using KLEE to find security vulnerabilities. (Lab notes: Symbolic
Homework (graded, due Oct 25, 2012): Finish part 3 of the symbolic execution lab, and write up your experiences. In particular, discuss:
- Were you able to reproduce each bug in Figure 7 of the paper?
- What symbolic inputs did you use?
- How long did KLEE take to find the bugs with the symbolic inputs you chose? What timeout did you use? (I suggest sticking to something between 1 minute and 1 hour.)
- If you run KLEE multiple times with the same program and symbolic input, what is the distribution of the time KLEE takes to find the bug? Is there a high degree of variation?
- Do the results vary if you choose different search strategies? (See KLEE Options.)
Submit your homework as a pdf or plain text file by email to Prof. Foster.
- [Oct 4: Lecture 11] Lecturer: Jeff Foster
Software vulnerabilities (slides: Software and Return-oriented programming)
- [Oct 9: Lecture 12] Lecturer: Jeff Foster
There is no homework associated with the lab, but we recommend you complete parts 1-4 of the lab on your own if you do not finish them in class.
- [Oct 11: Lecture 13] Lecturer: Jonathan Katz
Password cracking, rainbow tables.
In-class lab: Crack the passwords from here.
Homework: See here
- [Oct 16: Lecture 14] Lecturer: Jonathan Katz
Host exploitation, nmap, metasploit
- [Oct 18: Midterm]
- [Oct 23: Lecture 15] Lecturer: Michel Cukier
- [Oct 25: Lecture 16] Lecturer: Michel Cukier
- [Oct 30: Lecture 17] Lecturer: Michel Cukier
- [Nov 1: Lecture 18] Lecturer: Michel Cukier
- [Nov 6: Lecture 19] Lecturer: Michel Cukier
- [Nov 8: Lecture 20] Lecturer: Michel Cukier
- [Nov 13: Lecture 21] Lecturer: Michel Cukier
- [Nov 15: Lecture 22] Lecturer: Gang Qu
- [Nov 20: Lecture 23] Lecturer: Gang Qu
- [Nov 27: Lecture 24] Lecturer: Gang Qu
- [Nov 29: Lecture 25] Lecturer: Gang Qu
- [Dec 4: Lecture 26] Lecturer: Gang Qu
- [Dec 6: Lecture 27] Lecturer: Gang Qu
- [Dec 11: Lecture 28] Lecturer: Gang Qu