
Course Syllabus

Course Information
(course number, course title, term, any specific section title)

CS6V81: Advanced Digital Forensics and Data Reverse Engineering, Fall 2011

Professor Contact Information
(Professor's name, phone number, email, office location, office hours, other information)

Zhiqiang Lin, (972)-883-4244, zhiqiang.lin@utdallas.edu, ECSS 3.701, office hours Thursday 2-3PM

Course Pre-requisites, Co-requisites, and/or Other Restrictions
(including required prior knowledge or skills)

"Programming Language", "Data Structures", "System Security", "Operating System" or permission of the instructor

Course Description

CS 6V81 is a graduate level, research oriented, system security course. Our focus is digital forensics and data reverse engineering, which tackles the problem of what information is stored in a computer system and how this information can be extracted and used. There are a wide range of applications of data reverse engineering, including digital forensics, crash analysis, game hacking, kernel rootkit defense, and malware analysis. The overall goal of this course is to introduce students to the current techniques used in both research and practice.

Student Learning Objectives/Outcomes

This class will cover the underlying technical details (including the most recent techniques) of data reverse engineering, discuss various security applications, analyze potential limitations of existing systems, and propose/develop more secure systems. In the first few lectures, the instructor will introduce the techniques, foundations, and applications of data reverse engineering. After that, in each class we will read current and seminal research papers from our reading materials. Students are encouraged to prepare a short summary/review of each paper and submit it to the class mailing list cs6v81-5@googlegroups.com. Students will lead the discussion and prepare presentations explaining the papers to others.


Students will also need to perform research, and will pick a semester-long research topic of their choosing. In addition, this course will have one hands-on challenge.

Required Textbooks and Materials
No

Suggested Course Materials
Research papers from the following list:

[1] Z. Lin, X. Jiang, D. Xu, and X. Zhang. "Automatic Reverse Engineering of Data Structures from Binary Execution," In NDSS 2010
[2] J. Lee, T. Avgerinos, and D. Brumley. "TIE: Principled Reverse Engineering of Types in Binary Programs," In NDSS 2011
[3] A. Slowinska, T. Stancescu, and H. Bos. "Howard: A Dynamic Excavator for Reverse Engineering Data Structures," In NDSS 2011
[4] T. Zimmermann and A. Zeller. "Visualizing memory graphs," In Revised Lectures on Software Visualization, International Seminar, 2002
[5] Mission Critical Linux -- Crash Core Analysis Suite, http://mclx.com/projects/crash/
[6] Charlie Miller, Juan Caballero, Noah M. Johnson, Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. "Crash Analysis with BitBlaze," In Black Hat 2010
[7] Shuo Chen, Jun Xu, Nithin Nakka, Zbigniew Kalbarczyk, and Ravishankar K. Iyer. "Defeating Memory Corruption Attacks via Pointer Taintedness Detection," In DSN 2005
[8] Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. "Non-Control-Data Attacks Are Realistic Threats," In USENIX Security 2005
[9] Miguel Castro, Manuel Costa, and Tim Harris. "Securing software by enforcing data-flow integrity," In OSDI 2006
[10] Z. Lin, X. Zhang, D. Xu, and X. Jiang. "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures," In NDSS 2011
[11] M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. "Mapping kernel objects to enable systematic integrity checking," In CCS 2009
[12] W. Cui, J. Kannan, and H. J. Wang. "Discoverer: Automatic protocol reverse engineering from network traces," In USENIX Security 2007
[13] J. Caballero and D. Song. "Polyglot: Automatic extraction of protocol format using dynamic binary analysis," In CCS 2007
[14] Z. Lin, X. Jiang, D. Xu, and X. Zhang. "Automatic protocol format reverse engineering through context-aware monitored execution," In NDSS 2008
[15] G. Wondracek, P. M. Comparetti, C. Kruegel, and E. Kirda. "Automatic Network Protocol Analysis," In NDSS 2008
[16] "A Road Map for Digital Forensic Research," Report From the First Digital Forensic Research Workshop (DFRWS), 2001
[17] Simson L. Garfinkel. "Digital forensics research: The next 10 years," In DFRWS 2010
[18] Metadata Extraction Tool, http://meta-extractor.sourceforge.net/
[19] Hachoir, https://bitbucket.org/haypo/hachoir/wiki/Home
[20] Sleuthkit, http://www.sleuthkit.org/
[21] Nicholas A. Mikus. "An analysis of disc carving techniques," MS Thesis, Naval Postgraduate School, 2006
[22] Golden G. Richard and Vassil Roussev. "Scalpel: A Frugal, High Performance File Carver," In DFRWS 2005
[23] Anandabrata Pal and Nasir Memon. "The Evolution of File Carving," IEEE Signal Processing Magazine, Vol. 26(2), March 2009
[24] Vrizlynn L. L. Thing, Kian-Yong Ng, and Ee-Chien Chang. "Live memory forensics of mobile phones," In DFRWS 2010
[25] Guidelines on Cell Phone Forensics (NIST SP 800-101), May 2007
[26] Cell Phone Forensic Tools: An Overview and Analysis (NISTIR 7250)
[27] PDA Forensic Tools: An Overview and Analysis (NISTIR 7100)
[28] R. Ahmed. "Mobile forensics: an overview, tools, future trends and challenges from law enforcement perspective," 6th International Conference on E-Governance, 2008
[29] Network forensics, http://en.wikipedia.org/wiki/Network_forensics
[30] Hitesh Ballani, Paul Francis, and Xinyang Zhang. "A study of prefix hijacking and interception in the internet," In SIGCOMM 2007
[31] Techniques in OS-Fingerprinting, http://nostromo.joeh.org/osf.pdf
[32] J. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, and E. Felten. "Lest We Remember: Cold Boot Attacks on Encryption Keys," In USENIX Security 2008
[33] Carsten Maartmann-Moe, Steffen E. Thorkildsen, and Andre Arnes. "The persistence of memory: Forensic identification and extraction of cryptographic keys," In DFRWS 2009
[34] Andreas Schuster. "Searching for Processes and Threads in Microsoft Windows Memory Dumps," In DFRWS 2006
[35] Ali Reza Arasteh and Mourad Debbabi. "Forensic Memory Analysis: From Stack and Code to Execution History," In DFRWS 2007
[36] Mariusz Burdach. "Finding Digital Evidence In Physical Memory," In Black Hat Federal 2008
[37] Brendan Dolan-Gavitt. "Forensic Analysis of the Windows Registry in Memory," In DFRWS 2008
[38] Andreas Schuster. "The impact of Microsoft Windows pool allocation strategies on memory forensics," In DFRWS 2008
[39] Aaron J. Burstein. "Toward a Culture of Cybersecurity Research," UC Berkeley Public Law Research Paper No. 1113014, 2008
[40] A. Cozzie, F. Stratton, H. Xue, and S. T. King. "Digging for Data Structures," In OSDI 2008
[41] Fang Yu, Muath Alkhalaf, and Tevfik Bultan. "Stranger: An Automata-based String Analysis Tool for PHP," (tool paper, http://www.cs.ucsb.edu/~vlab/stranger/) In TACAS 2010
[42] Mihai Christodorescu, Nicholas Kidd, and Wen-Han Goh. "String analysis for x86 binaries," In PASTE 2005
[43] Michael D. Ernst, Jeff H. Perkins, Philip J. Guo, Stephen McCamant, Carlos Pacheco, Matthew S. Tschantz, and Chen Xiao. "The Daikon system for dynamic detection of likely invariants," Science of Computer Programming, 2007
[44] Michael D. Ernst, Jake Cockrell, William G. Griswold, and David Notkin. "Dynamically discovering likely program invariants to support program evolution," IEEE Transactions on Software Engineering, 27(2), 2001
[45] Y. Jhi, X. Wang, X. Jia, S. Zhu, P. Liu, and D. Wu. "Value-Based Program Characterization and Its Application to Software Plagiarism Detection," In ICSE 2011
[46] Junghwan Rhee, Ryan Riley, Dongyan Xu, and Xuxian Jiang. "Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory," In RAID 2010
[47] A. Baliga, V. Ganapathy, and L. Iftode. "Automatic inference and enforcement of kernel data structure invariants," In ACSAC 2008
[48] "An architecture for specification-based detection of semantic integrity violations in kernel dynamic data," In USENIX Security 2006
[49] "Copilot - a coprocessor-based kernel runtime integrity monitor," In USENIX Security 2004
[50] E. Bursztein, J. Lagarenne, M. Hamburg, and D. Boneh. "OpenConflict: Preventing Real Time Map Hacks in Online Games," In IEEE S&P (Oakland) 2011
[51] Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. "Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds," In CCS 2009
[52] B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. "Robust signatures for kernel data structures," In CCS 2009

Assignments & Academic Calendar
(Topics, Reading Assignments, Due Dates, Exam Dates)

Dates/Session   Topics to be covered

Course Overview
08/26 A   Course Overview

Course Foundations
08/26 B   OS (Memory Management), File System, Compilers

Techniques, Tools, and Applications
09/02 A   Data Structure Reverse Engineering: REWARDS [1], TIE [2], and HOWARD [3]
09/02 B   Kernel Rootkit Defense I: SigGraph [10], KOP [11]
09/09 A   Vulnerability Analysis: Pointer corruption [7], Non-control-data attack [8], and Data flow integrity [9]
09/09 B   Memory Analysis: Memory graph [4], crash dump analysis [5][6], value invariant [52]
09/16 A   Protocol Reverse Engineering: Discoverer [12], Polyglot [13], AutoFormat [14], Protocol Analysis [15]
09/16 B   Digital Forensics I: Research problem and roadmap [16], the next 10 years [17]
09/23 A   Digital Forensics II: Metadata extraction [18][19][20]
09/23 B   Digital Forensics III: File carving [21][22][23]
09/30 A   Digital Forensics IV: Cell phone forensics [24][25][26][27][28]
09/30 B   Digital Forensics V: Network Forensics [29] (Wireshark/TCPdump, IP prefix hijacking [30], OS Fingerprinting [31])
10/07 A   Digital Forensics VI: Crypto key discovery [32], and extraction [33]
10/07 B   Digital Forensics VII: Windows Memory Analysis [34][35][36][37][38]
10/14 A   Digital Forensics VIII: Legal and ethical issues [39]
10/14 B   Kernel Rootkit Defense II: kernel hook (function pointer) protection (Hookmap, Hooksafe, HookScot)
10/21     Working on your project
10/28 A   Malicious Code Analysis I: Using data structure as program signature (Laika [40])
10/28 B   Malicious Code Analysis II: String analysis for PHP [41], x86 binary [42]
11/04 A   Program Analysis I: Value invariant discovery (Daikon [43][44])
11/04 B   Program Analysis II: Value based program characterization [45]
11/11 A   Kernel Rootkit Defense II: data centric approach [46]
11/11 B   Kernel Rootkit Defense III: data invariant approach [47], SBCFI [48], Copilot [49]
11/18 A   Game Hacking: Preventing map hacks [50]
11/18 B   Cloud Computing: Information leakage in 3rd party cloud [51]
11/25     Thanksgiving Holidays. No Class

Project Presentation
12/06 A   Students present their course project
12/06 B   Students present their course project

Hands-on Challenge: Participating in the UCSB iCTF, http://ictf.cs.ucsb.edu/

Grading Policy
(including percentages for assignments, grade scale, etc.)

30%  In-Class Presentations
10%  Class participation
20%  Paper review/summary
40%  Class Project

Exceptional work will be rewarded appropriately.

Course & Instructor Policies
(make-up exams, extra credit, late work, special assignments, class attendance, classroom citizenship, etc.)

No exams in this course. No late submission of the course project. Students can miss one class in the whole semester.

Field Trip Policies
No

Student Conduct & Discipline


The University of Texas System and The University of Texas at Dallas have rules and regulations for the orderly and efficient conduct of their business. It is the responsibility of each student and each student organization to be knowledgeable about the rules and regulations which govern student conduct and activities. General information on student conduct and discipline is contained in the UTD publication, A to Z Guide, which is provided to all registered students each academic year. The University of Texas at Dallas administers student discipline within the procedures of recognized and established due process. Procedures are defined and described in the Rules and Regulations, Board of Regents, The University of Texas System, Part 1, Chapter VI, Section 3, and in Title V, Rules on Student Services and Activities of the university's Handbook of Operating Procedures. Copies of these rules and regulations are available to students in the Office of the Dean of Students, where staff members are available to assist students in interpreting the rules and regulations (SU 1.602, 972/883-6391). A student at the university neither loses the rights nor escapes the responsibilities of citizenship. He or she is expected to obey federal, state, and local laws as well as the Regents' Rules, university regulations, and administrative rules. Students are subject to discipline for violating the standards of conduct whether such conduct takes place on or off campus, or whether civil or criminal penalties are also imposed for such conduct.

Academic Integrity
The faculty expects from its students a high level of responsibility and academic honesty. Because the value of an academic degree depends upon the absolute integrity of the work done by the student for that degree, it is imperative that a student demonstrate a high standard of individual honor in his or her scholastic work. Scholastic dishonesty includes, but is not limited to, statements, acts or omissions related to applications for enrollment or the award of a degree, and/or the submission as one's own work of material that is not one's own. As a general rule, scholastic dishonesty involves one of the following acts: cheating, plagiarism, collusion and/or falsifying academic records. Students suspected of academic dishonesty are subject to disciplinary proceedings. Plagiarism, especially from the web, from portions of papers for other classes, and from any other source is unacceptable and will be dealt with under the university's policy on plagiarism (see general catalog for details). This course will use the resources of turnitin.com, which searches the web for possible plagiarism and is over 90% effective.

Email Use

The University of Texas at Dallas recognizes the value and efficiency of communication between faculty/staff and students through electronic mail. At the same time, email raises some issues concerning security and the identity of each individual in an email exchange. The university encourages that all official student email correspondence be sent only to a student's U.T. Dallas email address and that faculty and staff consider email from students official only if it originates from a UTD student account. This allows the university to maintain a high degree of confidence in the identity of all individuals corresponding and the security of the transmitted information. UTD furnishes each student with a free email account that is to be used in all communication with university personnel. The Department of Information Resources at U.T. Dallas provides a method for students to have their U.T. Dallas mail forwarded to other accounts.

Withdrawal from Class


The administration of this institution has set deadlines for withdrawal of any college-level courses. These dates and times are published in that semester's course catalog. Administration procedures must be followed. It is the student's responsibility to handle withdrawal requirements from any class. In other words, I cannot drop or withdraw any student. You must do the proper paperwork to ensure that you will not receive a final grade of "F" in a course if you choose not to attend the class once you are enrolled.

Student Grievance Procedures


Procedures for student grievances are found in Title V, Rules on Student Services and Activities, of the university's Handbook of Operating Procedures. In attempting to resolve any student grievance regarding grades, evaluations, or other fulfillments of academic responsibility, it is the obligation of the student first to make a serious effort to resolve the matter with the instructor, supervisor, administrator, or committee with whom the grievance originates (hereafter called the respondent). Individual faculty members retain primary responsibility for assigning grades and evaluations. If the matter cannot be resolved at that level, the grievance must be submitted in writing to the respondent with a copy to the respondent's School Dean. If the matter is not resolved by the written response provided by the respondent, the student may submit a written appeal to the School Dean. If the grievance is not resolved by the School Dean's decision, the student may make a written appeal to the Dean of Graduate or Undergraduate Education, and the dean will appoint and convene an Academic Appeals Panel. The decision of the Academic Appeals Panel is final. The results of the academic appeals process will be distributed to all involved parties. Copies of these rules and regulations are available to students in the Office of the Dean of Students, where staff members are available to assist students in interpreting the rules and regulations.

Incomplete Grade Policy


As per university policy, incomplete grades will be granted only for work unavoidably missed at the semester's end and only if 70% of the course work has been completed. An incomplete grade must be resolved within eight (8) weeks from the first day of the subsequent long semester. If the required work to complete the course and to remove the incomplete grade is not submitted by the specified deadline, the incomplete grade is changed automatically to a grade of F.

Disability Services
The goal of Disability Services is to provide students with disabilities educational opportunities equal to those of their non-disabled peers. Disability Services is located in room 1.610 in the Student Union. Office hours are Monday and Thursday, 8:30 a.m. to 6:30 p.m.; Tuesday and Wednesday, 8:30 a.m. to 7:30 p.m.; and Friday, 8:30 a.m. to 5:30 p.m. The contact information for the Office of Disability Services is: The University of Texas at Dallas, SU 22, PO Box 830688, Richardson, Texas 75083-0688, (972) 883-2098 (voice or TTY). Essentially, the law requires that colleges and universities make those reasonable adjustments necessary to eliminate discrimination on the basis of disability. For example, it may be necessary to remove classroom prohibitions against tape recorders or animals (in the case of dog guides) for students who are blind. Occasionally an assignment requirement may be substituted (for example, a research paper versus an oral presentation for a student who is hearing impaired). Classes enrolling students with mobility impairments may have to be rescheduled in accessible facilities. The college or university may need to provide special services such as registration, note-taking, or mobility assistance. It is the student's responsibility to notify his or her professors of the need for such an accommodation. Disability Services provides students with letters to present to faculty members to verify that the student has a disability and needs accommodations. Individuals requiring special accommodation should contact the professor after class or during office hours.

Religious Holy Days


The University of Texas at Dallas will excuse a student from class or other required activities for the travel to and observance of a religious holy day for a religion whose places of worship are exempt from property tax under Section 11.20, Tax Code, Texas Code Annotated. The student is encouraged to notify the instructor or activity sponsor as soon as possible regarding the absence, preferably in advance of the assignment. The student, so excused, will be allowed to take the exam or complete the assignment within a reasonable time after the absence: a period equal to the length of the absence, up to a maximum of one week. A student who notifies the instructor and completes any missed exam or assignment may not be penalized for the absence. A student who fails to complete the exam or assignment within the prescribed period may receive a failing grade for that exam or assignment. If a student or an instructor disagrees about the nature of the absence [i.e., for the purpose of observing a religious holy day] or if there is similar disagreement about whether the student has been given a reasonable time to complete any missed assignments or examinations, either the student or the instructor may request a ruling from the chief executive officer of the institution, or his or her designee. The chief executive officer or designee must take into account the legislative intent of TEC 51.911(b), and the student and instructor will abide by the decision of the chief executive officer or designee.

Off-Campus Instruction and Course Activities


Off-campus, out-of-state, and foreign instruction and activities are subject to state law and University policies and procedures regarding travel and risk-related activities. Information regarding these rules and regulations may be found at the website address given below. Additional information is available from the office of the school dean. (http://www.utdallas.edu/BusinessAffairs/Travel_Risk_Activities.htm)

These descriptions and timelines are subject to change at the discretion of the Professor.
