CS 410/510: Malware

Course coordinates:
Mondays/Wednesdays 8:15am-10:05am
Neuberger Hall [NH]: Room 241

Class e-mail/WWW:
cs410 at lists dot pdx dot edu
https://www.lists.pdx.edu/lists/listinfo/cs410
http://thefengs.com/wuchang/work/courses/cs410
Instructor:
Wu-chang Feng
wuchang at cs pdx edu
Office hours:
Wednesdays: 10:30-11:30am
By Appointment
FAB 120-14
(4th Ave Bldg.)
Textbook (optional):
Malware: Fighting Malicious Code
Ed Skoudis, ISBN: 0131014056

Tentative schedule

Week #1
1/9 Course introduction
Course project: kaPoW slides
1/11 Chapter 1: Introduction slides
Internet overview slides
Week #2
1/16 NO CLASS
1/18 NO CLASS (snow)
Week #3
1/23
x86 basics slides
1/25 Chapter 2: Viruses slides
  • Chet Hosmer, "Polymorphic & Metamorphic Malware", BlackHat 2008, slides, m4v (0:15)
    • Structure/function of metamorphic engines
    • Compiler traits to determine malware
Week #4
1/30
Chapter 3: Worms, Stack Smashing slides #1 | slides #2
2/1 Chapter 4: Malicious mobile code slides
  • Eric Lawrence, "Designing Trustworthy User Agents for a Hostile Web", USENIX Security 2009, slides, mov
Programming project selection due (see below)
Week #5
2/6
Chapter 5: Backdoors slides
2/8 Chapter 6: Trojans slides
Week #6
2/13 Chapter 7: User-mode rootkits slides
2/15 Chapter 8: Kernel mode rootkits slides
  • Joanna Rutkowska, "Subverting Vista Kernel for Fun and Profit", BlackHat 2006 m4v (BluePill from 0:26-0:40)
  • Thomas Ptacek, "Don't Tell Joanna: The Virtualized Rootkit is Dead", BlackHat 2007 m4v
Week #7
2/20

2/22 Midterm Quiz (open note)
Week #8
2/27 Student presentations
2/29
Student presentations
Week #9
3/5
Extra talks
3/7
Extra talks
Week #10
3/12 Extra talks
3/14
Final project due, Code walkthrough of final project in class
Extra talks

Reverse engineering (debuggers, anti-debuggers, reversing, packing) slides #1 | slides #2

Secure platforms (Chrome OS)
  • Will Drewry, "Toward an Open and Secure Platform for Using the Web", USENIX Security 2010 slides, m4v
  • Kyle Osborn, Matt Johanson, "Hacking Google Chrome OS", DEFCON 19 video
Cheating in Games
  • Greg Hoglund, "Hacking World of Warcraft", video (0:50)
Data exploitation (PDFs, Flash)
  • Julia Wolf, "OMG WTF PDF: What You Didn't Know About Acrobat", slides, video (1:00)
Modern Malware Protection
  • Niels Provos, "The Ghost in the Browser and Other Frightening Stories About Web Malware", mp3
  • Rich Cannings, "Android: Securing a Mobile Platform from the Ground Up", USENIX Security 2009 m4v
  • Itzik Kotler, Jonathan Rom, "Jinx - Malware 2.0", BlackHat 2008, slides, m4v
  • Alexander Sotirov, "Modern Exploitation and Memory Protection Bypasses", USENIX Security 2009, slides, m4v (1:20)
  • Jesse D'Aguanno, "iRK - Crafting OS X Kernel Rootkits", BlackHat 2008, slides | m4v (1:15)
  • Peleus Uhley, "The Evolution of the Flash Security Model", USENIX Security 2010, m4v
  • Gyan Chawdhary, Varun Uppal, "Cisco IOS Shellcodes/Backdoors", slides, m4v (0:45)
  • Mikko Hypponen, "Mobile Malware", USENIX Security 2007 slides, m4v (1:20)
  • Don Bailey, Martin Mocko, "Winning the Race to Bare Metal - UEFI Hypervisors", BlackHat 2008 slides | m4v (0:18)

Course objectives

This course will study the motivations of malicious code developers and the common weaknesses exploited by such code. The course will then examine the identification and remedy of malicious code. On completion, students should be able to:
  1. Describe the motivation for writing malware
  2. Describe what viruses are and how they spread
  3. Describe what worms are and how they spread
  4. Describe what backdoors are and their functions
  5. Describe what trojans are and their functions
  6. Describe what rootkits are and their functions
  7. Describe various forms of malicious mobile code
  8. Understand basic vulnerabilities and how they are exploited
  9. Describe state-of-the-art research for tackling the problem of malware

Presentation

You are to become the class expert on a piece of research related to malware. After reading and understanding the paper, you will present the paper as your own via a 20-25 minute slide presentation. The presentation slides can be generated on your own or, if the authors have slides available, you may use them. The presentation will succinctly describe
*Before* the class period that you are scheduled to present, you will e-mail the instructor your slides. 

A list of papers to choose from will be placed at http://thefengs.com/wuchang/work/courses/cs410/papers.html

If you wish to cover a paper that is not listed, you may arrange it

Programming project

Malware is often used to create bots for use in sending web-based spam.  In the kaPoW project, a client puzzle is issued to slow down automated attacks from bots.  In this project, you will identify an open-source web application you can augment with the kaPoW approach in order to thwart such attacks.  Such applications can include blog software (Wordpress), bulletin board software (phpBB), photo gallery software (Gallery), or webmail software (Horde/IMP, SquirrelMail).
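To make the client-puzzle idea concrete, here is an added example of a hash-based proof-of-work puzzle of the kind a web application could issue before accepting a form submission. It is illustrative code written for this page, not kaPoW's own implementation: the message layout, the HMAC binding and the `difficulty`/`ttl_seconds` parameters are all assumptions. The server issues a puzzle whose parameters are authenticated with a server secret, the client brute-forces a counter until a SHA-256 digest has enough leading zero bits, and the server verifies the answer without keeping per-puzzle state.

```python
import hashlib
import hmac
import os
import time

# Constructed secret for this example only; a deployment loads its own from configuration.
SERVER_SECRET = b"example-secret-do-not-use"


def _mac(nonce: str, difficulty: int, expires: int, secret: bytes) -> str:
    """HMAC over the puzzle parameters so a client cannot lower the difficulty or extend the expiry."""
    msg = f"{nonce}:{difficulty}:{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_puzzle(difficulty: int, ttl_seconds: int = 60, now=None, nonce=None, secret=SERVER_SECRET):
    """Server side: create a puzzle that can later be verified statelessly."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex() if nonce is None else nonce
    expires = now + ttl_seconds
    return {
        "nonce": nonce,
        "difficulty": difficulty,
        "expires": expires,
        "tag": _mac(nonce, difficulty, expires, secret),
    }


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the puzzle's measure of work)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _work_hash(puzzle, counter: int) -> bytes:
    return hashlib.sha256(f"{puzzle['nonce']}:{puzzle['difficulty']}:{counter}".encode()).digest()


def solve_puzzle(puzzle, max_iterations: int = 1 << 24):
    """Client side: search for a counter whose hash meets the difficulty; expected cost ~2^difficulty hashes."""
    for counter in range(max_iterations):
        if _leading_zero_bits(_work_hash(puzzle, counter)) >= puzzle["difficulty"]:
            return counter
    return None  # gave up; the client would request a fresh puzzle


def verify_solution(puzzle, solution, now=None, secret=SERVER_SECRET) -> bool:
    """Server side: check the parameters are authentic and unexpired, then check the work."""
    now = int(time.time()) if now is None else now
    expected = _mac(puzzle["nonce"], puzzle["difficulty"], puzzle["expires"], secret)
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False  # parameters were altered by the client
    if now > puzzle["expires"]:
        return False  # stale puzzle; bounds how long a precomputed answer stays useful
    # Note: a deployment would also remember nonces it has accepted until they expire,
    # so that one solved puzzle cannot be replayed for several submissions.
    return _leading_zero_bits(_work_hash(puzzle, solution)) >= puzzle["difficulty"]


if __name__ == "__main__":
    puzzle = issue_puzzle(difficulty=16)
    answer = solve_puzzle(puzzle)
    print("solution:", answer, "valid:", verify_solution(puzzle, answer))
```

Each additional bit of difficulty doubles the expected number of hashes a submitter must compute, which is what slows an automated posting bot while costing a human user a fraction of a second per form; the HMAC tag is what stops a client from simply sending back a puzzle with `difficulty` set to zero.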

*Before* the end of Week #4, e-mail the instructor a pointer to the source code of the web application you will be modifying for your project.

*Before* the last class period, you will e-mail the instructor:
*During* the last class period, you will do a demo and a code-walkthrough of your system with the instructor.

Grading

Class participation: 15%
Midterm quiz: 25%
Oral presentation: 25%
Programming project: 35%