For the first 10-15 minutes of most classes, student groups will present attacks that are relevant to that lecture (for example, when discussing user authentication, the group may present techniques for cracking CAPTCHAs).
09/03 5:00pm PM Dave & Josephine on Piazza with:
For the presentation:
Note: All attacks must be performed in an ethical, safe manner; please see the discussion of legality and ethics in the syllabus.
Date | Attack | Attacker | Description | |
---|---|---|---|---|
08/27 | ||||
08/29 | ||||
09/03 | ||||
09/05 | ||||
09/17 | TLS information leakage | Noemi | Demonstrate the BEAST, CRIME, or Lucky 13 attacks against TLS. | |
09/19 | Certificate mis-validation | Preston | Demonstrate two examples of incorrect validation of a certificate with a modern browser of your choosing, such as not checking for revocations or the various attacks listed here. | |
09/24 | Traffic deanonymization | Josiah | Demonstrate a traffic deanonymization attack on Tor, like the one described here. | |
09/24 | Data deanonymization | Yusuf | Apply a deanonymization technique like the one here to the Netflix challenge dataset and demonstrate what information you can extract. | |
09/26 | On-path censorship and evasion | Benjamin | Set up a (virtual) network with an "on-path" censor who can observe and inject (but not block) packets, and use this censor to respond with lemon DNS queries like here, or tear down connections like here. Demonstrate an evasion technique. | |
09/26 | IoT device compromise | Mackenzie | I will provide you with IoT devices of your choosing. Demonstrate an attack that allows you to run arbitrary code on them, like those described here, here, or here. | |
10/01 | Cracking passwords | Nick | Obtain a publicly available dataset of password hashes and implement rainbow tables to crack the passwords. | |
10/03 | Breaking CAPTCHAs | Gang | Implement a tool that automatically solves CAPTCHAs, such as the attack on text-based ones described here and/or the one on audio-based ones described here. Demonstrate its use on an Alexa top-1000 site. | |
10/08 | None | |||
10/10 | Project proposal presentations | |||
10/15 | None | |||
10/17 | Control flow attacks | Clifford | Demonstrate a modern control flow attack against modern defenses such as DEP, ASLR, and Canaries. | |
10/22 | Kernel-level rootkit | Alex | Launch a kernel rootkit that hides from detection. | |
10/24 | Cold-boot attack | Tamer | Launch a cold-boot attack like the ones described here. | |
10/29 | Tricking users | Aadesh | Build a malicious website of your choice that tricks users by (1) launching a clickjacking attack, (2) performing a picture-in-picture attack, and (3) performing an SSL stripping attack (MitM transparently proxies HTTP requests and rewrites HTTPS links to point to look-alike HTTP links). | |
10/31 | Smartphone spyware | Frankie | Develop a spyware program for a mobile platform of your choice. This should demonstrate data theft, recording, location tracking, etc. Make this as convincing an app as you can. | |
11/05 | Speculative execution attacks | Janus | Launch a speculative execution attack like Meltdown, Spectre, or Foreshadow. | |
11/05 | Rowhammer | Sindhoor | Launch a rowhammer attack. Demonstrate its use by maliciously altering state in a separate VM, as described here or here. | |
11/07 | Compiler Trojan horse | Stephanie | Modify LLVM to create a malicious compiler as described here. | |
11/07 | Cross-VM side-channel attack | Saeed | Launch a cross-VM side-channel attack like the ones described here. | |
11/12 | Kaminsky attack | Mohammad | Demonstrate the Kaminsky DNS cache poisoning attack on a dummy DNS server you run. | |
11/14 | Off-path TCP attack | Cuong | Demonstrate an off-path TCP inference attack and use it to inject data and to reset the connection. Example side-channels include WiFi's exponential backoff and the global rate limit. | |
11/14 | Opt-ACK Attack | Amirmohsen | Demonstrate the optimistic acknowledgment attack on a small cluster of machines. Perform this across a wide-area network and discuss the rates you can achieve. | |
11/19 | Malicious peripheral | Kyle | I will provide you with a PIC32 microcontroller. Use this to interpose between a keyboard and a computer to capture keystrokes and filter out user passwords. When you provide a "secret knock", your malicious device should dump the data. Bonus: interpose between a computer and a printer to alter output of printed election results. | |
11/21 | Rogue wireless AP | Sahil | I will provide you with an OpenWRT access point. Modify its software to infect downloaded executables with malware. | |
11/26 | Firmware-resident malware | Mitchell | I will provide a digital camera; use the CHDK framework to install malicious code that does not allow the user to take pictures if you are in it (or if you are not in it, etc.). Other firmware attacks are also acceptable. | |
11/28 | Thanksgiving Break | |||
12/03 | Project presentations | |||
12/05 | Project presentations |