Program Analysis for Cybersecurity (2020-2023)
This post contains the materials for the Program Analysis for Cybersecurity (PAC) training I’ll be teaching at the US Cyber Challenge security boot camps. The training is aimed at audiences with little or no experience in program (code) analysis.
Materials
Please use the links below to download the training materials. Note that minor updates have been applied to the 2020 materials and all links have been updated accordingly.
- Slides: PAC.pdf
- All Materials: Labs + Slides
Virtual Machines
The following virtual machines were tested with VirtualBox, which is freely available. A setup guide for importing and configuring the virtual machines for lab 4 is provided here.
| Virtual Machine | Credentials | Notes |
|---|---|---|
| Hacking Live Virtual Machine | pac:badpass | This virtual machine covers labs 1 and 2. It is known to only play in VirtualBox players, but students have succeeded in getting it to work with VMWare. |
| PAC2023 Virtual Machine | pac:badpass | This virtual machine covers labs 3 through 9. In order to complete lab 4, be sure that this virtual machine is the same network as the Windows XP SP3 x86 machine and that the two virtual machines can ping each other. This virtual machine will import into VMWare, but using VirtualBox is recommended. Note that malware samples are zip encrypted with the password: infected. |
| Windows XP SP3 x86 | N/A | The provided file contains an ISO that can be used as installation media in VirtualBox. You are not provided with a license key (the activation servers have been disabled anyway). When prompted for the license key, skip the prompt to continue installation and use the 30-day evaluation mode to complete the lab. This machine will serve as the victim machine for an attack performed in lab 4 from the PAC 2023 virtual machine. |
Note: These virtual machines were built for x86_64 architectures and will not run on incompatible processors.
Note: The current release of VirtualBox guest additions (7.0.8) has a known defect that may result in WindowsXP machines diplaying a black screen after install. Guest additions are not required for this lab, but if desired a simple workaround is to install the 7.0.6 guest additions directly from the ISO file (navigate to Devices > Optical Drive > Choose a disk file... > select the VBoxGuestAdditions_7.0.6.iso ISO file > navigate to My Computer inside virtual machine and double click the CD-ROM to install as normal).
Note: When using the VirtualBox player the mouse integration feature is turned on be default. If the feature is not working properly (particularly in the HackingLive VM) you can disable it my navigating to Input > Mouse Integration and toggle it on and off.
Note: These materials are a major revision of past course materials, which can be found here.
Update: A bug was fixed in the PAC2023 with version PAC2023.1 of the VM. The 2023.0 VM can be fixed by replacing #!/usr/bin/env ruby with #!/opt/metasploit-framework/embedded/bin/ruby in both /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb and /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb files.
Update: For lab 6, AFL requires a root modification. In Ubuntu 18, the required modification can be performed with sudo -i (enter pac username’s password of badpass) and echo core >/proc/sys/kernel/core_pattern.
Learning Objectives
By the end of this course you should be able to:
- Demonstrate basis exploitation, bug hunting, and evasion skills
- Describe commonalities between vulnerability analysis and malware detection
- Describe fundamental limits in program analysis
- Challenge conventional viewpoints of security
- Confidently approach large third party software
- Critically evaluate software security products
- Locate additional relevant resources
Learning Modules
The course material is broken into several modules that cover both defensive and offensive materials.
Exploit Development
First we will become intimately familiar with one particular type of bug, a buffer overflow. We will iteratively develop exploits for a simple Linux program with a buffer overflow and examine various mitigations and potential mitigation bypasses before we move on to developing an exploit for a Windows web server called MiniShare.
- Lab 0: Turing machine to buffer overflow simulators
- Lab 1: 32-bit buffer overflow (executable stack)
- Lab 2: 32-bit buffer overflow (ret2libc)
- Lab 3: 64-bit buffer overflow
- Lab 4: Development of remote exploit for Windows web server CVE-2004-2271
Fundamentals of Program Analysis
Next we will discuss program analysis and how it can be used to analyze programs to detect bugs and malware. We will also consider some fundamental challenges and even limitations of what is possible in program analysis. Through this module we will explore analysis techniques that range from graph based static analysis to fuzzing with dynamic analysis to symbolic execution with SAT/SMT solvers (and more in between!).
- Lab 5: Source code static analysis of CVE-2004-2271 with Atlas
- Lab 6: Fuzzing with AFL
- Lab 7: Symbolic execution with Angr
Antivirus Evasion
Since antivirus is used to actively thwart exploitation attempts, we will take a detour to examine techniques to bypass and evade antivirus. Specifically we will examine what is necessary to manually modify a year 2012 browser drive by attack to become undetectable by all modern antivirus. We will also build a tool to automatically obfuscate and pack our exploit.
- Lab 8: Obfuscating CVE-2012-4681 and CVE-2013-0422 exploits to evade antivirus on VirusTotal
Bug/Malware Hunting
This module discusses relationships between bugs and malware, as well as strategies for integrating human intelligence in automatic program analysis. You will be presented with an enormous task of quickly locating malware in a large Android application (several thousand lines of code). Through this activity you will be challenged to develop strategies for auditing something that is too big to personally comprehend in the time you are allocated to perform the task. As a group we will collectively develop strategies to audit the application and then we will use those strategies to develop automated techniques for detecting malware.
- Lab 9: Human-in-the-loop analysis of large Android applications (with and without source code)
Going Beyond
In this final module, we explore future directions in the field and examine some open problems in the context of what we learned in the previous modules.
Support
The labs in this course are designed to push everyone in this course. Likely there will be some subject that you feel ill equipped to try, but don’t let that be a barrier. Attempt the lab to the best of your ability and try your best to learn the core ideas behind each activity. Then attempt the lab again when you have more time. Please send questions, thoughts, and comments to [email protected] and I will be happy to help you find your way to success for any of the labs. There are multiple solutions to each lab, and in some cases there are no right answers!