Course Information
(course number, course title, term, any specific section title)
CS6V81: Advanced Digital Forensics and Data Reverse Engineering, Fall 2011

Professor Contact Information
(Professor's name, phone number, email, office location, office hours, other information)

Prerequisites
"Programming Language", "Data Structures", "System Security", "Operating System", or permission of the instructor

Course Description
CS 6V81 is a graduate-level, research-oriented system security course. Our focus is digital forensics and data reverse engineering, which tackles the problem of what information is stored in a computer system and how this information can be extracted and used. Data reverse engineering has a wide range of applications, including digital forensics, crash analysis, game hacking, kernel rootkit defense, and malware analysis. The overall goal of this course is to introduce students to the current techniques used in both research and practice.
Student Learning Objectives/Outcomes
This class will cover the underlying technical details (including the most recent techniques) of data reverse engineering, discuss various security applications, analyze potential limitations of existing systems, and propose/develop more secure systems. In the first few lectures, the instructor will introduce the techniques, foundations, and applications of data reverse engineering. After that, in each class we will read current and seminal research papers from our reading materials. Students are encouraged to prepare a short summary/review of each paper and submit it to the class mailing list cs6v81-5@googlegroups.com. Students will prepare and lead presentations explaining the papers to the rest of the class. Students will also need to perform research, and will pick a semester-long research topic of their choosing. In addition, this course will have one hands-on challenge.
Course Syllabus
Page 1
Required Textbooks and Materials
No

Suggested Course Materials
Research papers from the following list:
[1] Z. Lin, X. Jiang, D. Xu, and X. Zhang. "Automatic Reverse Engineering of Data Structures from Binary Execution," In NDSS 2010
[2] J. Lee, T. Avgerinos, and D. Brumley. "TIE: Principled Reverse Engineering of Types in Binary Programs," In NDSS 2011
[3] A. Slowinska, T. Stancescu, and H. Bos. "Howard: A Dynamic Excavator for Reverse Engineering Data Structures," In NDSS 2011
[4] T. Zimmermann and A. Zeller. "Visualizing Memory Graphs," In Revised Lectures on Software Visualization, International Seminar, 2002
[5] Mission Critical Linux. Crash Core Analysis Suite, http://mclx.com/projects/crash/
[6] C. Miller, J. Caballero, N. M. Johnson, M. G. Kang, S. McCamant, P. Poosankam, and D. Song. "Crash Analysis with BitBlaze," In Black Hat 2010
[7] S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and R. K. Iyer. "Defeating Memory Corruption Attacks via Pointer Taintedness Detection," In DSN 2005
[8] S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. "Non-Control-Data Attacks Are Realistic Threats," In USENIX Security 2005
[9] M. Castro, M. Costa, and T. Harris. "Securing Software by Enforcing Data-Flow Integrity," In OSDI 2006
[10] Z. Lin, X. Zhang, D. Xu, and X. Jiang. "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures," In NDSS 2011
[11] M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. "Mapping Kernel Objects to Enable Systematic Integrity Checking," In CCS 2009
[12] W. Cui, J. Kannan, and H. J. Wang. "Discoverer: Automatic Protocol Reverse Engineering from Network Traces," In USENIX Security 2007
[13] J. Caballero and D. Song. "Polyglot: Automatic Extraction of Protocol Format Using Dynamic Binary Analysis," In CCS 2007
[14] Z. Lin, X. Jiang, D. Xu, and X. Zhang. "Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution," In NDSS 2008
[15] G. Wondracek, P. M. Comparetti, C. Kruegel, and E. Kirda. "Automatic Network Protocol Analysis," In NDSS 2008
[16] "A Road Map for Digital Forensic Research," Report from the First Digital Forensic Research Workshop (DFRWS), 2001
[17] S. L. Garfinkel. "Digital Forensics Research: The Next 10 Years," In DFRWS 2010
[18] Metadata Extraction Tool, http://meta-extractor.sourceforge.net/
[19] Hachoir, https://bitbucket.org/haypo/hachoir/wiki/Home
[20] The Sleuth Kit, http://www.sleuthkit.org/
[21] N. A. Mikus. "An Analysis of Disc Carving Techniques," MS Thesis, Naval Postgraduate School, 2006
[22] G. G. Richard and V. Roussev. "Scalpel: A Frugal, High Performance File Carver," In DFRWS 2005
[23] A. Pal and N. Memon. "The Evolution of File Carving," IEEE Signal Processing Magazine, 26(2), March 2009
[24] V. L. L. Thing, K.-Y. Ng, and E.-C. Chang. "Live Memory Forensics of Mobile Phones," In DFRWS 2010
[25] Guidelines on Cell Phone Forensics, NIST SP 800-101, May 2007
[26] Cell Phone Forensic Tools: An Overview and Analysis, NISTIR 7250
[27] PDA Forensic Tools: An Overview and Analysis, NISTIR 7100
[28] R. Ahmed. "Mobile Forensics: An Overview, Tools, Future Trends and Challenges from Law Enforcement Perspective," In 6th International Conference on E-Governance, 2008
[29] Network forensics, http://en.wikipedia.org/wiki/Network_forensics
[30] H. Ballani, P. Francis, and X. Zhang. "A Study of Prefix Hijacking and Interception in the Internet," In SIGCOMM 2007
[31] Techniques in OS-Fingerprinting, http://nostromo.joeh.org/osf.pdf
[32] J. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, and E. Felten. "Lest We Remember: Cold Boot Attacks on Encryption Keys," In USENIX Security 2008
[33] C. Maartmann-Moe, S. E. Thorkildsen, and A. Arnes. "The Persistence of Memory: Forensic Identification and Extraction of Cryptographic Keys," In DFRWS 2009
[34] A. Schuster. "Searching for Processes and Threads in Microsoft Windows Memory Dumps," In DFRWS 2006
[35] A. R. Arasteh and M. Debbabi. "Forensic Memory Analysis: From Stack and Code to Execution History," In DFRWS 2007
[36] M. Burdach. "Finding Digital Evidence in Physical Memory," In Black Hat Federal 2008
[37] B. Dolan-Gavitt. "Forensic Analysis of the Windows Registry in Memory," In DFRWS 2008
[38] A. Schuster. "The Impact of Microsoft Windows Pool Allocation Strategies on Memory Forensics," In DFRWS 2008
[39] A. J. Burstein. "Toward a Culture of Cybersecurity Research," UC Berkeley Public Law Research Paper No. 1113014, 2008
[40] A. Cozzie, F. Stratton, H. Xue, and S. T. King. "Digging for Data Structures," In OSDI 2008
[41] F. Yu, M. Alkhalaf, and T. Bultan. "Stranger: An Automata-based String Analysis Tool for PHP," Tool paper, In TACAS 2010, http://www.cs.ucsb.edu/~vlab/stranger/
[42] M. Christodorescu, N. Kidd, and W.-H. Goh. "String Analysis for x86 Binaries," In PASTE 2005
[43] M. D. Ernst, J. H. Perkins, P. J. Guo, S. McCamant, C. Pacheco, M. S. Tschantz, and C. Xiao. "The Daikon System for Dynamic Detection of Likely Invariants," Science of Computer Programming, 2007
[44] M. D. Ernst, J. Cockrell, W. G. Griswold, and D. Notkin. "Dynamically Discovering Likely Program Invariants to Support Program Evolution," IEEE Transactions on Software Engineering, 27(2), 2001
[45] Y. Jhi, X. Wang, X. Jia, S. Zhu, P. Liu, and D. Wu. "Value-Based Program Characterization and Its Application to Software Plagiarism Detection," In ICSE 2011
[46] J. Rhee, R. Riley, D. Xu, and X. Jiang. "Kernel Malware Analysis with Un-tampered and Temporal Views of Dynamic Kernel Memory," In RAID 2010
[47] A. Baliga, V. Ganapathy, and L. Iftode. "Automatic Inference and Enforcement of Kernel Data Structure Invariants," In ACSAC 2008
[48] N. L. Petroni Jr., T. Fraser, A. Walters, and W. A. Arbaugh. "An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data," In USENIX Security 2006
[49] N. L. Petroni Jr., T. Fraser, J. Molina, and W. A. Arbaugh. "Copilot: A Coprocessor-based Kernel Runtime Integrity Monitor," In USENIX Security 2004
[50] E. Bursztein, J. Lagarenne, M. Hamburg, and D. Boneh. "OpenConflict: Preventing Real Time Map Hacks in Online Games," In IEEE S&P (Oakland) 2011
[51] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. "Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds," In CCS 2009
[52] B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. "Robust Signatures for Kernel Data Structures," In CCS 2009
Dates/Session    Topics to be covered

Course Foundations
08/26 A    Course Overview
08/26 B    OS (Memory Management), File System, Compilers

Techniques, Tools, and Applications
09/02 A    Data Structure Reverse Engineering: REWARDS [1], TIE [2], and Howard [3]
09/02 B    Kernel Rootkit Defense I: SigGraph [10], KOP [11]
09/09 A    Vulnerability Analysis: Pointer corruption [7], Non-control-data attacks [8], and Data-flow integrity [9]
09/09 B    Memory Analysis: Memory graphs [4], crash dump analysis [5][6], value invariants [52]
09/16 A    Protocol Reverse Engineering: Discoverer [12], Polyglot [13], AutoFormat [14], Protocol Analysis [15]
09/16 B    Digital Forensics I: Research problems and roadmap [16], the next 10 years [17]
09/23 A    Digital Forensics II: Metadata extraction [18][19][20]
09/23 B    Digital Forensics III: File carving [21][22][23]
09/30 A    Digital Forensics IV: Cell phone forensics [24][25][26][27][28]
09/30 B    Digital Forensics V: Network forensics [29] (Wireshark/tcpdump, IP prefix hijacking [30], OS fingerprinting [31])
10/07 A    Digital Forensics VI: Crypto key discovery [32] and extraction [33]
10/07 B    Digital Forensics VII: Windows memory analysis [34][35][36][37][38]
10/14 A    Digital Forensics VIII: Legal and ethical issues [39]
10/14 B    Kernel Rootkit Defense II: kernel hook (function pointer) protection (HookMap, HookSafe, HookScout)
10/21      Working on your project
10/28 A    Malicious Code Analysis I: Using data structures as program signatures (Laika [40])
10/28 B    Malicious Code Analysis II: String analysis for PHP [41] and x86 binaries [42]
11/04 A    Program Analysis I: Value invariant discovery (Daikon [43][44])
11/04 B    Program Analysis II: Value-based program characterization [45]
11/11 A    Kernel Rootkit Defense III: data-centric approach [46]
11/11 B    Kernel Rootkit Defense IV: data invariant approach [47], SBCFI [48], Copilot [49]
11/18 A    Game Hacking: Preventing map hacks [50]
11/18 B    Cloud Computing: Information leakage in third-party clouds [51]
11/25      Thanksgiving holidays. No class

Project Presentation
12/06 A    Students present their course project
12/06 B    Students present their course project

Hands-on Challenge: Participating in the UCSB iCTF, http://ictf.cs.ucsb.edu/
Grading Policy
(including percentages for assignments, grade scale, etc.)
30% In-Class Presentations
10% Class Participation
20% Paper Review/Summary
40% Class Project
Exceptional work will be rewarded appropriately.
No late submission of the course project is accepted. Students may miss at most one class in the whole semester.
Academic Integrity
The faculty expects from its students a high level of responsibility and academic honesty. Because the value of an academic degree depends upon the absolute integrity of the work done by the student for that degree, it is imperative that a student demonstrate a high standard of individual honor in his or her scholastic work. Scholastic dishonesty includes, but is not limited to, statements, acts or omissions related to applications for enrollment or the award of a degree, and/or the submission as one's own work of material that is not one's own. As a general rule, scholastic dishonesty involves one of the following acts: cheating, plagiarism, collusion and/or falsifying academic records. Students suspected of academic dishonesty are subject to disciplinary proceedings. Plagiarism, especially from the web, from portions of papers for other classes, and from any other source, is unacceptable and will be dealt with under the university's policy on plagiarism (see general catalog for details). This course will use the resources of turnitin.com, which searches the web for possible plagiarism and is over 90% effective.
Email Use
The University of Texas at Dallas recognizes the value and efficiency of communication between faculty/staff and students through electronic mail. At the same time, email raises some issues concerning security and the identity of each individual in an email exchange. The university encourages all official student email correspondence to be sent only to a student's U.T. Dallas email address, and that faculty and staff consider email from students official only if it originates from a UTD student account. This allows the university to maintain a high degree of confidence in the identity of all individuals corresponding and in the security of the transmitted information. UTD furnishes each student with a free email account that is to be used in all communication with university personnel. The Department of Information Resources at U.T. Dallas provides a method for students to have their U.T. Dallas mail forwarded to other accounts.
Disability Services
The goal of Disability Services is to provide students with disabilities educational opportunities equal to those of their non-disabled peers. Disability Services is located in room 1.610 in the Student Union. Office hours are Monday and Thursday, 8:30 a.m. to 6:30 p.m.; Tuesday and Wednesday, 8:30 a.m. to 7:30 p.m.; and Friday, 8:30 a.m. to 5:30 p.m. The contact information for the Office of Disability Services is: The University of Texas at Dallas, SU 22, PO Box 830688, Richardson, Texas 75083-0688, (972) 883-2098 (voice or TTY). Essentially, the law requires that colleges and universities make those reasonable adjustments necessary to eliminate discrimination on the basis of disability. For example, it may be necessary to remove classroom prohibitions against tape recorders or animals (in the case of dog guides) for students who are blind. Occasionally an assignment requirement may be substituted (for example, a research paper versus an oral presentation for a student who is hearing impaired). Classes enrolling students with mobility impairments may have to be rescheduled in accessible facilities. The college or university may need to provide special services such as registration, note-taking, or mobility assistance. It is the student's responsibility to notify his or her professors of the need for such an accommodation. Disability Services provides students with letters to present to faculty members to verify that the student has a disability and needs accommodations. Individuals requiring special accommodation should contact the professor after class or during office hours.
These descriptions and timelines are subject to change at the discretion of the Professor.