Program Analysis for Cybersecurity
This post contains the materials for the Program Analysis for Cybersecurity (PAC) training I’ll be teaching at each of the 2017 US Cyber Challenge security boot camps. The training is aimed at audiences with little or no experience in program analysis.
Please use the links below to download the training materials.
The course materials include details on building the virtual machines at home from scratch, but to save time at the USCC camps we will be providing pre-made virtual machines with temporary software licenses. The labs requiring Microsoft Windows can be run in the evaluation mode of Windows. A free academic, community, or trial license of Atlas can be requested directly from EnSoft Corp. All other software is free or open source.
The following virtual machines are provided as Virtual Box OVA files.
|Virtual Machine||Role||Credentials||VM Modifications||Additional Resources|
|Kali 2017.1||Attacker Machine||root:toor||None.||All Kali Linux Downloads, VMware Edition|
|Hacking Live||Victim Machine (local)||pac:badpass||Updated repository sources, installed hexedit tool, console color preferences, added course materials||Hacking Live ISO, Hacking Live ISO (mirror)|
|Windows XP SP3 x86||Victim Machine (remote)||XPVictim:badpass||OllyDBG, MiniShare server, Java 8, added course materials||WinXPSP3 ISO|
|Windows 7 x64||Analysis Machine, Optional Victim Machine||Victim:badpass||GNU C++ Compiler, Java 8, Eclipse, Atlas, Android Developer Toolkit, JReFrameworker, registry edits to enable remote login, EMET, added course materials||Win7SP1 ISO|
Note: When using the VirtualBox player the mouse integration feature is turned on be default. If the feature is not working properly you can disable it my navigating to Input > Mouse Integration and toggle it on and off.
Note: Each OVA file can also be opened with VMWare players, with the noted exception of the HackingLive VM. There is an issue with VMWare players and the particular distribution of Linux the HackingLive VM is using that causes a kernel panic on boot. If the WindowsXP VM does not have a network adapter correctly configured after importing you may need to remove and add a new connected adapter.
By the end of this course you should be able to:
- Demonstrate basic bug hunting, exploitation, evasion, and post-exploitation skills
- Describe commonalities between vulnerability analysis and malware detection
- Describe fundamental limits in program analysis
- Challenge conventional viewpoints of security
- Confidently approach large third party software
- Critically evaluate software security products
- Locate additional relevant resources
The course material is broken into 6 modules that cover both defensive and offensive materials.
First we will become intimately familiar with one particular type of bug, a buffer overflow. We will iteratively develop exploits for a simple Linux program with a buffer overflow before we move on to developing an exploit for a Windows web server called MiniShare.
Fundamentals of Program Analysis
Next we will discuss program analysis and how it can be used to analyze programs to detect bugs and malware. We will also consider some fundamental challenges and even limitations of what is possible in program analysis. This module discusses relationships between bugs and malware, as well as strategies for integrating human intelligence in automatic program analysis. Later you will be presented with an enormous task of quickly locating malware in a large Android application (several thousand lines of code). Through this activity you will be challenged to develop strategies for auditing something that is too big to personally comprehend. As class we will collectively develop strategies to audit the application, we will use those strategies to develop automated techniques for detecting malware.
In this module we will examine strategies for hunting for unknown bugs in software. We will revisit our buffer overflow vulnerabilities and consider what is involved to automatically detect the vulnerability for various programs while considering the limitations of program analysis. We will develop a tool to automatically locate the line number of the code that was exploited in the MiniShare web server.
Since antivirus is used to actively thwart exploitation attempts, we will take a detour to examine techniques to bypass and evade antivirus. Specifically we will examine what is necessary to manually modify a 4 year old browser drive by attack to become undetectable by all modern antivirus. We will also build a tool to automatically obfuscate and pack our exploit.
In this module we will develop a Managed Code Rootkit (MCR) and deploy the rootkit on the victim machine using our previous exploit against MiniShare.
In this final module, we explore future directions in the field and examine some open problems in the context of what we learned in the previous modules.
Note: The labs in this course are designed to push everyone in this course. Likely there will be some subject that you feel ill equipped to try, but don’t let that be a barrier. Attempt the lab to the best of your ability and try your best to learn the core ideas behind each activity. Then attempt the lab again when you have more time. Please send questions, thoughts, and comments to [email protected] and I will be happy to help you find your way to success for any of the labs. There are multiple solutions to each lab, and in some cases there are no right answers!