CS 410/510: Malware

Course coordinates:
Mondays/Wednesdays 8:15am-10:05am
Neuberger Hall [NH]: Room 241

Class e-mail/WWW:
cs410 at lists dot pdx dot edu
https://www.lists.pdx.edu/lists/listinfo/cs410
http://thefengs.com/wuchang/work/courses/cs410
Instructor:
Wu-chang Feng
wuchang at cs pdx edu
Office hours:
Wednesdays: 10:30-11:30am
By Appointment
FAB 120-14
(4th Ave Bldg.)
Textbook (optional):
Malware: Fighting Malicious Code
Ed Skoudis, ISBN: 0131014056

Tentative schedule

Week #1
1/9 Course introduction
Course project: kaPoW slides
1/11 Chapter 1: Introduction slides
Internet overview slides
Week #2
1/16 NO CLASS
1/18 NO CLASS (snow)
Week #3
1/23
x86 basics slides
1/25 Chapter 2: Viruses slides
  • Chet Hosmer, "Polymorphic & Metamorphic Malware", BlackHat 2008, slides, m4v (0:15)
    • Structure/function of metamorphic engines
    • Compiler traits to determine malware
Week #4
1/30
Chapter 3: Worms, Stack Smashing slides #1 | slides #2
2/1 Chapter 4: Malicious mobile code slides
Programming project selection due (see below)
Week #5
2/6
  • Eric Lawrence, "Designing Trustworthy User Agents for a Hostile Web", USENIX Security 2009, slides, mov (0:42-0:72)
    • From Group Policy: Social engineering
  • Julia Wolf, "OMG WTF PDF: What You Didn't Know About Acrobat", slides, video (1:00)
2/8 Chapter 5: Backdoors slides
Chapter 6: Trojans slides
Week #6
2/13
Chapter 7: User-mode rootkits slides
2/15 Chapter 8: Kernel mode rootkits slides
  • Joanna Rutkowska, "Subverting Vista Kernel for Fun and Profit", BlackHat 2006 slides | m4v (BluePill from 0:26-0:40)
  • Thomas Ptacek, "Don't Tell Joanna: The Virtualized Rootkit is Dead", BlackHat 2007 m4v
Week #7
2/20
  • Greg Hoglund, "Hacking World of Warcraft", video (0:50)
2/22 Extra material: Reverse engineering (debuggers, anti-debuggers, reversing, packing) slides
  • Joanna Rutkowska, "Introducing Qubes OS", Campus Party Europe, April 2010 slides | link (0:00-15:30)
Week #8
2/27 Will Drewry, "Toward an Open and Secure Platform for Using the Web", USENIX Security 2010 slides, m4v
Midterm Quiz (open note): 30 minutes
2/29
Student presentations

Return-Oriented Programming Without Returns (Tinghua Xu)
Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy
ACM CCS 2010
Paper in PDF

Bluetooth issues (Giovanni Cavalieri)

Pin cracking: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/
BlueSnarf: http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf

The Security Architecture of the Chromium Browser (Erin Chapman)
Adam Barth, Collin Jackson, Charles Reis, and the Google Chrome Team
Stanford Technical Report
Paper in PDF
Week #9
3/5
Student presentations

On the Effectiveness of Address-Space Randomization (Peter Pokorny)
Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh
USENIX Security 2001
Paper in PDF

Building a Dynamic Reputation System for DNS (David Harwood)
Manos Antonakakis, Roberto Perdisci, David Dagon, Wenke Lee, and Nick Feamster
USENIX Security 2010
Paper in PDF

Re: CAPTCHAs—Understanding CAPTCHA-Solving Services in an Economic Context (Alexis Carlough)
Marti Motoyama, Kirill Levchenko, Chris Kanich, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage
USENIX Security 2010
Paper in PDF
3/7
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis (Justin Bailey)
Heng Yin, Dawn Song, Manuel Egele, Engin Kirda and Christopher Kruegel
ACM CCS 2007
Secure platforms (Chrome OS)
  • Kyle Osborn, Matt Johanson, "Hacking Google Chrome OS", DEFCON 19 video
Week #10
3/12 Extra talks
  • Rich Cannings, "Android: Securing a Mobile Platform from the Ground Up", USENIX Security 2009 m4v | slides
  • Peleus Uhley, "The Evolution of the Flash Security Model", USENIX Security 2010, m4v
3/14 Final project due; code walkthrough of final project in class
  • 8:15-8:30am: Justin
  • 8:30-8:45am: Peter
  • 8:45-9:00am: Tinghua
  • 9:00-9:15am: David
  • 9:15-9:30am: Alexis
  • 9:30-9:45am: Giovanni
  • 9:45-10:00am: Erin
Extra talks

Modern Malware Protection
  • John Heasman, "Hacking the Extensible Firmware Interface", DEFCON 15, 2007. link
  • Niels Provos, "The Ghost in the Browser and Other Frightening Stories About Web Malware", mp3
  • Itzik Kotler, Jonathan Rom, "Jinx - Malware 2.0", BlackHat 2008, slides, m4v
  • Alexander Sotirov, "Modern Exploitation and Memory Protection Bypasses", USENIX Security 2009, slides, m4v (1:20)
  • Jesse D'Aguanno, "iRK - Crafting OS X Kernel Rootkits", BlackHat 2008, slides | m4v (1:15)
  • Gyan Chawdhary, Varun Uppal, "Cisco IOS Shellcodes/Backdoors", slides, m4v (0:45)
  • Mikko Hypponen, "Mobile Malware", USENIX Security 2007 slides, m4v (1:20)

Course objectives

This course will study the motivations of malicious code developers and the common weaknesses exploited by such code. The course will then examine the identification and remedy of malicious code.
1. Describe the motivation for writing malware
2. Describe what viruses are and how they spread
3. Describe what worms are and how they spread
4. Describe what backdoors are and their functions
5. Describe what trojans are and their functions
6. Describe what rootkits are and their functions
7. Describe various forms of malicious mobile code
8. Understand basic vulnerabilities and how they are exploited
9. Describe state-of-the-art research for tackling the problem of malware.

Presentation

You are to become the class expert on a piece of research related to malware. After reading and understanding the paper, you will present the paper as your own via a 20-25 minute slide presentation. The presentation slides can be generated on your own or, if the authors have slides available, you may use them. The presentation will succinctly describe
*Before* the class period that you are scheduled to present, you will e-mail the instructor your slides.

A list of papers to choose from will be placed at http://thefengs.com/wuchang/work/courses/cs410/papers.html

If you wish to cover a paper that is not listed, you may arrange it

Programming project

Malware is often used to create bots for use in sending web-based spam. In the kaPoW project, a client puzzle is issued to slow down automated attacks from bots. In this project, you will identify an open-source web application you can augment with the kaPoW approach in order to thwart such attacks. Such applications can include blog software (Wordpress), bulletin board software (phpBB), photo gallery software (Gallery), or webmail software (Horde/IMP, SquirrelMail).
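A minimal hash-based client puzzle in the spirit of the kaPoW approach, added here as an illustration and not the project's own code. The server secret, the HMAC binding of nonce and difficulty, and the counter-based solution search are assumptions of this example; the point is that the server stores no per-puzzle state and can raise the difficulty for suspected bots, making each submission cost them exponentially more hashing while a human visitor barely notices.

```python
"""Stateless client puzzle: server issues (nonce, difficulty, tag); client
finds x with SHA-256(nonce || x) having `difficulty` leading zero bits; the
server checks the tag, then the work, before accepting the form submission."""
import hashlib
import hmac
import os

# Constructed demo secret; a deployment would load this from server config.
SERVER_SECRET = b"constructed-demo-secret"


def _tag(nonce: bytes, difficulty: int) -> str:
    # Binds nonce and difficulty so a client cannot lower its own difficulty.
    return hmac.new(SERVER_SECRET, nonce + bytes([difficulty]), hashlib.sha256).hexdigest()


def issue_puzzle(difficulty: int) -> dict:
    """Server side: fresh puzzle, authenticated, no server-side state kept."""
    nonce = os.urandom(16)
    return {"nonce": nonce.hex(), "difficulty": difficulty, "tag": _tag(nonce, difficulty)}


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(puzzle: dict) -> int:
    """Client side (browser script in a real deployment): brute-force a counter
    until the hash of nonce || counter has enough leading zero bits."""
    nonce = bytes.fromhex(puzzle["nonce"])
    x = 0
    while _leading_zero_bits(hashlib.sha256(nonce + str(x).encode()).digest()) < puzzle["difficulty"]:
        x += 1
    return x


def verify_solution(puzzle: dict, solution: int) -> bool:
    """Server side: reject forged/tampered puzzles, then check the work."""
    nonce = bytes.fromhex(puzzle["nonce"])
    if not hmac.compare_digest(puzzle["tag"], _tag(nonce, puzzle["difficulty"])):
        return False  # tag mismatch: puzzle not issued by us or difficulty altered
    digest = hashlib.sha256(nonce + str(solution).encode()).digest()
    return _leading_zero_bits(digest) >= puzzle["difficulty"]


if __name__ == "__main__":
    p = issue_puzzle(12)          # ~4096 expected hashes for the client
    print(verify_solution(p, solve_puzzle(p)))  # True
```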

*Before* the end of Week #4, e-mail the instructor a pointer to the source code of the web application you will be modifying for your project.

*Before* the last class period, you will e-mail the instructor:
*During* the last class period, you will do a demo and a code-walkthrough of your system with the instructor.

Grading

Class participation: 15%
Midterm quiz: 25%
Oral presentation: 25%
Programming project: 35%