Computer Security

CS 255 - Winter 2017

OverviewSchedule/ReadingsAttack/Tool PresentationsCourse Project

Attack and Tool Presentation

Guidelines

This is an individual task. Each student is required to find a concrete attack/vulnerability/exploit or a security tool to present in class. The duration of presentation is 4mins. Note that time is very limited, so preparation is key. The content needs to be educational and you need to demonstrate an appropriate level of understanding of the topic (get straight to the point and skip unnecessary background/introduction). The format:

For attack/vulnerability/exploit,

• The attack should be an interesting one. Explain the goal of the attack, e.g., what it can do, how dangerous they are.
• Explain how the attack works, preferably with key pieces of code (if applicable) shown to illustrate the attack process and why the vulnerability exists in the first place.
• Make a live demo when possible. Note it is not required that you implement the attack yourself. You only need to show that it works on a live system (many of attacks have source code available online). Some attacks are not possible to demo without the proper hardware or infrastructure, in which case the concept and effect of the attack should be clearly explained in sufficient detail.
• Discuss possible defenses (optional).

For security tool,

• Explain the background of the tool, e.g., what it does? who made it? how popular it is? mostly used in what circumstances?
• Show what the tool can do. Run the tool and demo (the tool should be demoable).
• Explain how the tool works behind the scene.

Resources (you do not have to choose from the list)

Attacks/Exploits/Vulnerabilities (live demo when possible):

• Heartbleed
• Shellshock
• NSA toolbox
• Android root exploits [1] [2] [3] [4] ...
• iPhone jailbreak [1] [2]
• TLS protocol attacks
[1] [2] ...
• Web attacks (SQL injection, XSS, CSRF, DNS rebinding attacks, etc.)
• DDoS attacks (DNS and NTP reflection/amplification, SYN flooding, etc.)
• IMSI catcher
[1] [2] 
• General: CVE database
• General: VUPEN
• General: Blackhat
• General: Defcon

Security tools (preferablly new ones): [1] [2]

Presentation Schedule

The presentation is scheduled in several classes throughout the quarter. Please sign up on the web sheet published through ilearn. All empty slots are available to pick.

Topics are taken in a FIFO fashion. Sign up early to choose the topics that you'd like to present. Please be courteous and do not overwrite any existing records.