Overvew

This is a graduate-level research-oriented course. The goal of this course is to teach graduate students the state-of-the-art binary analysis techniques and tools and their applications to security problems. This course is aimed to balance between lectures, lab assignments and projects, such that the students can grasp the core concepts, gain first-hand experience through lab assignments to reinforce the understanding of these concepts, and further explore unknowns via course projects.

  • Instructor: Heng Yin
  • Email: heng AT cs DOT ucr DOT edu
  • Office: Winston Chung Hall 316
  • Office hours: Mon/Thu 1-3PM
  • Location and Time:CHASS Interdisciplinary-South 2138, Tue/Thu 5:10-6:30PM

Topics

  • Security Applications
    • Malware analysis and deobfuscation
    • Vulnerability discovery and mitigation
  • Basics about binary code
    • Disassembler and debugger
    • Call graph, control-flow graph, stack frames, global and local variables, calling conventions, vTables, etc.
  • Dynamic binary analysis
    • Dynamic binary instrumentation
    • Dynamic taint analysis
    • Fuzzing: blackbox/greybox/whitebox, mutation and generation based.
    • Symbolic execution: online and offline, concolic testing
  • Static binary analysis
    • Data flow analysis
    • Value set analysis
    • Slicing
  • Program integrity models
    • Control flow integrity
    • Data flow integrity
    • Software fault isolation
    • Code pointer integrity

Schedule

Date Topics Note
01/10 Course Syllabus
Introduction of Software Security
Introduction of DARPA Cyber Grand Challenge
01/12 Introduction of Software Security (cont'ed)
01/17 Disassembly Basics
Buffer Overflow Exploit Construction		 Lab 1 is out. Due next Tuesday
01/19 Dynamic Binary Translation and Instrumentation
Reading materials:
Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation
Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
QEMU, a Fast and Portable Dynamic Translator
01/24 How to write a pintool
Dynamic Taint Analysis: Pointer Tainting, Taint Explosion, Soundness and Precision
Reading materials:
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
Pointless Tainting? Evaluating the Practicality of Pointer Tainting
On the Soundness and Precision of Dynamic Taint Analysis 		Lab 2 is out, due next Tuesday.
01/26 Whole-System Dynamic Binary Analysis: System-Wide Tainting, Virtual Machine Introspection, TEMU, DECAF.
Reading materials:
Panorama: capturing system-wide information flow for malware detection and analysis
Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform
01/31 Whole-System Dynamic Analysis (cont'ed):Panda, DroidScope.
Reading materials:
Repeatable Reverse Engineering for the Greater Good with PANDA
DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis 		Lab 3 is out, due next Tuesday.
02/02 Fuzzing: blackbox, whitebox, greybox, mutation based, generation based.
Reading materials:
Optimizing Seed Selection for Fuzzing
Scheduling Black-box Mutational Fuzzing
Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing
02/07 Introduction to symbolic execution
Reading materials:
Symbolic Execution for Software Testing: Three Decades Later
Unleashing MAYHEM on Binary Code
Driller: Augmenting Fuzzing Through Selective Symbolic Execution 		Lab 4 is out, due next Tuesday.
02/09 Introduction to Angr
02/14 Control Flow Integrity
Reading materials:
Control-Flow Integrity
Control Flow Integrity for COTS Binaries 		Lab 5 is out, due next Tuesday.
02/16 More about Control Flow Integrity; Software-based Fault Isolation
Reading materials:
vfGuard: Strict Protection for Virtual Function Calls in COTS C++ Binaries
Binary Code Continent: Finer-Grained Control Flow Integrity for Stripped Binaries
Efficient Software-based Fault Isolation
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
02/21 Introduction to Program Slicing
Reading materials:
Program Slicing
Dynamic Program Slicing
02/23 Data Structure Reverse Engineering and Type Inference
Reading materials:
Automatic Reverse Engineering of Program Data Structures from Binary Execution
TIE: Principled Reverse Engineering of Types in Binary Programs 		Project proposal is due by now
02/28 No Class Due to conference travel
03/02
03/07
03/09
03/14
03/16
03/18 Final Project Presentation

Lab Assignments (Tentative)

  1. Binary Code Comprehension: Construct simple exploits from binary code.
  2. Dynamic Binary Instrumentation: Develop a simple pintool for shadow stack protection.
  3. Dynamic Taint Analysis: Develop a simple DECAF plugin to perform dynamic taint analysis to detect exploits.
  4. Symbolic Execution: Write simple angr scripts to find vulnerabilities.
  5. Control Flow Integrity: Implement CFI in pintool.
  6. Automatic Exploit Generation: Modify/enhance angr scripts to generate exploits.

Projects

A list of suggeted projects will be provided. Students may also propose their own projects.

Grading (Tentative)

  • Class participation: 10%
  • Lab assignments: 60%
  • Project presentation: 15%
  • Final report: 15%