CS 6V81--005: Advanced Digital Forensics and Data Reverse Engineering
Friday 04:00-06:45PM (two sessions) at ECSS 2.312
$Id: fall2011.t2t, v1.0, last updated %%mtime(%c) Exp $

%! Target:
%! Options: --toc --css-sugar --encoding=iso-8859-1
%! Style: tech.css
%! PreProc:
%! PostProc:

---------------------------------------------------------------------------

=== Course Overview ===

CS 6V81 is a graduate-level, research-oriented system security course. Our focus is //digital forensics and data reverse engineering//, which tackles the problem of what information is stored in a computer system and how this information can be extracted and used. Data reverse engineering has a wide range of applications, including //digital forensics//, //crash analysis//, //game hacking//, //kernel rootkit defense//, and //malware analysis//.

The overall goal of this course is to introduce students to the techniques currently used in both research and practice. In particular, we will cover the underlying technical details (including the most recent techniques) of digital forensics and data reverse engineering, discuss various security applications, analyze the limitations of existing systems, and propose/develop more secure systems.

In the first few lectures, the instructor will introduce the techniques, foundations, and applications of digital forensics and data reverse engineering. After that, in each class students will read current and seminal research papers from the reading list. Students are encouraged to prepare a short summary/review of the paper of their choosing and submit it to the discussion board in the [UT Dallas elearning system https://elearning.utdallas.edu].
%[cs6v81-5@googlegroups.com http://groups.google.com/group/cs6v81-5?hl=en&lnk=gcimh].
Students will prepare and lead presentations explaining the papers to others. Students will also need to perform research, and will pick a semester-long research topic of their choosing.
In addition, this course will have one hands-on challenge.

---------------------------------------------------------------------------

=== Course Schedule ===

|| Date | Topic To Be Covered | Presenter | Slides |
| 08/26 A | Course Overview | Instructor | [[pdf fall2011/lec1.pdf]] [[handout fall2011/lec1-handout6up.pdf]] |
|| Foundations ||||
| 08/26 B | OS (Memory Data Management), File System (Disk Data Management) | Instructor | [[pdf fall2011/lec2.pdf]] [[handout fall2011/lec2-handout6up.pdf]] |
|| Techniques, Tools, and Applications ||||
| 09/02 A | Data Structure Reverse Engineering: REWARDS [[1 #rewards]], TIE [[2 #tie]], and HOWARD [[3 #howard]] | Instructor | [[pdf fall2011/lec3.pdf]] [[handout fall2011/lec3-handout6up.pdf]] |
| 09/02 B | Kernel Rootkit Defense I: SigGraph [[10 #siggraph]], KOP [[11 #kop]], Crash tool [[5 #crash]], Memory graph [[4 #mgraph]] | Instructor | [[pdf fall2011/lec4.pdf]] [[handout fall2011/lec4-handout6up.pdf]] |
| 09/09 A | Vulnerability Analysis I: Exploit Hardening [[57 #Q]], Surgically Returning to Randomized lib(c) [[58 #ret]], Pointer corruption [[7 #shuo1]], Non-control data attack [[8 #shuo2]], and Data flow integrity [[9 #dfi]] | Mitchell Adair | [[pdf fall2011/lec5.pdf]] [[handout fall2011/lec5-handout6up.pdf]] |
| 09/09 B | Vulnerability Analysis II: Crash dump analysis using Bitblaze [[6 #bitblaze]] | Kevin Weaver | [[pdf fall2011/lec6.pdf]] [[handout fall2011/lec6-handout6up.pdf]] |
| 09/16 A | Protocol Reverse Engineering: Discoverer [[12 #cui]], Polyglot [[13 #polyglot]], AutoFormat [[14 #autoformat]], Protocol Analysis [[15 #pa]] ... | Yangchun Fu | [[pdf fall2011/lec7.pdf]] [[handout fall2011/lec7-handout6up.pdf]] |
| 09/16 B | Digital Forensics I: Research problem and roadmap [[16 #roadmap]], the next 10 years [[17 #simson]] | Kevin Weaver | [[pdf fall2011/lec8.pdf]] [[handout fall2011/lec8-handout6up.pdf]] |
| 09/23 A | Digital Forensics II: Metadata extraction [[18 #meta]] [[19 #hachoir]] [[20 #sleuthkit]] | Junyuan Zeng | [[pdf fall2011/lec9.pdf]] [[handout fall2011/lec9-handout6up.pdf]] |
| 09/23 B | Digital Forensics III: File carving [[21 #ms1]] [[22 #scalpel]] [[23 #evo]] | Kevin Hulin | [[pdf fall2011/lec10.pdf]] [[handout fall2011/lec10-handout6up.pdf]] |
| 09/30 A | Digital Forensics IV: Cell phone forensics [[24 #smart1]] [[25 #smart2]] [[26 #smart3]] [[27 #smart4]] [[28 #smart5]] | Donald Talkington | [[pdf fall2011/lec11.pdf]] [[handout fall2011/lec11-handout6up.pdf]] |
| 09/30 B | Digital Forensics V: Network Forensics [[29 #nf]] (Wireshark/TCPdump, IP prefix hijacking [[30 #prefix]], OS Fingerprinting [[31 #finger]]) | Scott Hand | [[pdf fall2011/lec12.pdf]] [[handout fall2011/lec12-handout6up.pdf]] |
| 10/07 A | Digital Forensics VI: Crypto key discovery [[32 #coldboot]] and extraction [[33 #crypto]] | Tom Hill | [[pdf fall2011/lec13.pdf]] [[handout fall2011/lec13-handout6up.pdf]] |
| 10/07 B | Digital Forensics VII: Windows Memory Analysis [[34 #win1]] [[35 #win2]] [[36 #win3]] [[37 #win4]] [[38 #win5]] | Camron Quitugua | [[pdf fall2011/lec14.pdf]] [[handout fall2011/lec14-handout6up.pdf]] |
| 10/14 A | Digital Forensics VIII: Legal and ethical issues [[39 #law]] | Donald Talkington | [[pdf fall2011/lec15.pdf]] [[handout fall2011/lec15-handout6up.pdf]] |
| 10/14 B | Game Hacking I: Differentiating humans and bots [[59 #bot]] | Nathan McDaniel | [[pdf fall2011/lec16.pdf]] [[handout fall2011/lec16-handout6up.pdf]] |
| 10/21 | Working on your project (instructor on leave for a conference) ||||
| 10/28 A | Malicious Code Analysis I: Using data structures as program signatures (Laika [[40 #laika]]), Data structure layout randomization ([[56 #dslr]]) | Scott Hand | [[pdf fall2011/lec17.pdf]] [[handout fall2011/lec17-handout6up.pdf]] |
| 10/28 B | Malicious Code Analysis II: String analysis for PHP [[41 #php]], x86 binary [[42 #x86]] | Mitchell Adair | [[pdf fall2011/lec18.pdf]] [[handout fall2011/lec18-handout6up.pdf]] |
| 11/04 A | Program Analysis I: Value-invariant discovery (Daikon [[43 #daikon1]] [[44 #daikon2]]), Robust signatures using value-invariants [[52 #vi]] | Junyuan Zeng | [[pdf fall2011/lec19.pdf]] [[handout fall2011/lec19-handout6up.pdf]] |
| 11/04 B | Program Analysis II: Server-side verification of client behavior in online games [[60 #game2]] | Nathan McDaniel | [[pdf fall2011/lec20.pdf]] [[handout fall2011/lec20-handout6up.pdf]] |
| 11/11 A | Kernel Rootkit Defense II: data-centric approach [[46 #rhee]] | Camron Quitugua | [[pdf fall2011/lec21.pdf]] [[handout fall2011/lec21-handout6up.pdf]] |
| 11/11 B | Using Reverse Engineering Practices to Improve Systems-of-Systems Understanding | Tom Hill | [[pdf fall2011/lec22.pdf]] [[handout fall2011/lec22-handout6up.pdf]] |
| 11/18 A | Game Hacking II: Preventing map hacks [[50 #map]] | Kevin Hulin | [[pdf fall2011/lec23.pdf]] [[handout fall2011/lec23-handout6up.pdf]] |
| 11/18 B | Cloud Computing: Information leakage in third-party clouds [[51 #cloud]] | Yangchun Fu | [[pdf fall2011/lec24.pdf]] [[handout fall2011/lec24-handout6up.pdf]] |
| 11/25 | Thanksgiving Holidays. No Class ||||
|| Hands-on Challenge: Participating in the UCSB iCTF http://ictf.cs.ucsb.edu/ ||||
| 12/02 A | UCSB iCTF (10AM - 7PM) | ECSS 4.619 | |
| 12/02 B | UCSB iCTF (10AM - 7PM) | ECSS 4.619 | |
|| Project Presentation ||||
| 12/09 A | Project Presentation | Adair, Fu, Hand, Hill, Hulin, McDaniel | |
| 12/09 B | Project Presentation | Talkington, Quitugua, Weaver, Zeng | |

---------------------------------------------------------------------------

=== Reading List ===

We do not have a textbook, but we have the following reading list.
Students are required to read all of these papers (at least those of their choosing) and are encouraged to submit a summary of each paper.

=====[1] Z. Lin, X. Zhang, and D. Xu. "Automatic Reverse Engineering of Data Structures from Binary Execution," In NDSS 2010 =====[rewards]
=====[2] J. Lee, T. Avgerinos, and D. Brumley. "TIE: Principled Reverse Engineering of Types in Binary Programs," In NDSS 2011 =====[tie]
=====[3] A. Slowinska, T. Stancescu, and H. Bos. "Howard: A Dynamic Excavator for Reverse Engineering Data Structures," In NDSS 2011 =====[howard]
=====[4] T. Zimmermann and A. Zeller. "Visualizing memory graphs," In Revised Lectures on Software Visualization, International Seminar, 2002 =====[mgraph]
=====[5] Mission Critical Linux -- Crash Core Analysis Suite, http://mclx.com/projects/crash/ =====[crash]
=====[6] Charlie Miller, Juan Caballero, Noah M. Johnson, Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. "Crash Analysis with Bitblaze," In Blackhat 2010 =====[bitblaze]
=====[7] Shuo Chen, Jun Xu, Nithin Nakka, Zbigniew Kalbarczyk, and Ravishankar K. Iyer. "Defeating Memory Corruption Attacks via Pointer Taintedness Detection," In DSN 2005 =====[shuo1]
=====[8] Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer. "Non-Control-Data Attacks Are Realistic Threats," In USENIX Security 2005 =====[shuo2]
=====[9] Miguel Castro, Manuel Costa, and Tim Harris. "Securing software by enforcing data-flow integrity," In OSDI 2006 =====[dfi]
=====[10] Z. Lin, X. Zhang, D. Xu, and X. Jiang. "SigGraph: Brute Force Scanning of Kernel Data Structure Instances Using Graph-based Signatures," In NDSS 2011 =====[siggraph]
=====[11] M. Carbone, W. Cui, L. Lu, W. Lee, M. Peinado, and X. Jiang. "Mapping kernel objects to enable systematic integrity checking," In CCS 2009 =====[kop]
=====[12] W. Cui, J. Kannan, and H. J. Wang. "Discoverer: Automatic protocol reverse engineering from network traces," In USENIX Security 2007 =====[cui]
=====[13] J. Caballero and D. Song. "Polyglot: Automatic extraction of protocol format using dynamic binary analysis," In CCS 2007 =====[polyglot]
=====[14] Z. Lin, X. Jiang, D. Xu, and X. Zhang. "Automatic protocol format reverse engineering through context-aware monitored execution," In NDSS 2008 =====[autoformat]
=====[15] G. Wondracek, P. M. Comparetti, C. Kruegel, and E. Kirda. "Automatic Network Protocol Analysis," In NDSS 2008 =====[pa]
=====[16] "A Road Map for Digital Forensic Research," Report from the First Digital Forensic Research Workshop (DFRWS), 2001 =====[roadmap]
=====[17] Simson L. Garfinkel. "Digital forensics research: The next 10 years," In DFRWS 2010 =====[simson]
=====[18] Metadata Extraction Tool, http://meta-extractor.sourceforge.net/ =====[meta]
=====[19] Hachoir, https://bitbucket.org/haypo/hachoir/wiki/Home =====[hachoir]
=====[20] Sleuthkit, http://www.sleuthkit.org/ =====[sleuthkit]
=====[21] Nicholas A. Mikus. "An analysis of disc carving techniques," MS Thesis, Naval Postgraduate School, 2006 =====[ms1]
=====[22] Golden G. Richard and Vassil Roussev. "Scalpel: A Frugal, High Performance File Carver," In DFRWS 2005 =====[scalpel]
=====[23] Anandabrata Pal and Nasir Memon. "The Evolution of File Carving," IEEE Signal Processing Magazine, Vol. 26(2), March 2009 =====[evo]
=====[24] Vrizlynn L.L. Thing, Kian-Yong Ng, and Ee-Chien Chang. "Live memory forensics of mobile phones," In DFRWS 2010 =====[smart1]
=====[25] Guidelines on Cell Phone Forensics (NIST SP 800-101), May 2007 =====[smart2]
=====[26] Cell Phone Forensic Tools: An Overview and Analysis (NISTIR 7250) =====[smart3]
=====[27] PDA Forensic Tools: An Overview and Analysis (NISTIR 7100) =====[smart4]
=====[28] R. Ahmed. "Mobile forensics: an overview, tools, future trends and challenges from law enforcement perspective," In 6th International Conference on E-Governance, 2008 =====[smart5]
=====[29] Network forensics, http://en.wikipedia.org/wiki/Network_forensics =====[nf]
=====[30] Hitesh Ballani, Paul Francis, and Xinyang Zhang. "A study of prefix hijacking and interception in the internet," In SIGCOMM 2007 =====[prefix]
=====[31] Techniques in OS-Fingerprinting, http://nostromo.joeh.org/osf.pdf =====[finger]
=====[32] J. Halderman, S. Schoen, N. Heninger, W. Clarkson, W. Paul, J. Calandrino, A. Feldman, J. Appelbaum, and E. Felten. "Lest We Remember: Cold Boot Attacks on Encryption Keys," In USENIX Security 2008 =====[coldboot]
=====[33] Carsten Maartmann-Moe, Steffen E. Thorkildsen, and Andre Arnes. "The persistence of memory: Forensic identification and extraction of cryptographic keys," In DFRWS 2009 =====[crypto]
=====[34] Andreas Schuster. "Searching for Processes and Threads in Microsoft Windows Memory Dumps," In DFRWS 2006 =====[win1]
=====[35] Ali Reza Arasteh and Mourad Debbabi. "Forensic Memory Analysis: From Stack and Code to Execution History," In DFRWS 2007 =====[win2]
=====[36] Mariusz Burdach. "Finding Digital Evidence In Physical Memory," In Black Hat Federal 2008 =====[win3]
=====[37] Brendan Dolan-Gavitt. "Forensic Analysis of the Windows Registry in Memory," In DFRWS 2008 =====[win4]
=====[38] Andreas Schuster. "The impact of Microsoft Windows pool allocation strategies on memory forensics," In DFRWS 2008 =====[win5]
=====[39] Aaron J. Burstein. "Toward a Culture of Cybersecurity Research," UC Berkeley Public Law Research Paper No. 1113014, 2008 =====[law]
=====[40] A. Cozzie, F. Stratton, H. Xue, and S. T. King. "Digging for Data Structures," In OSDI 2008 =====[laika]
=====[41] Fang Yu, Muath Alkhalaf, and Tevfik Bultan. "Stranger: An Automata-based String Analysis Tool for PHP," [Tool paper http://www.cs.ucsb.edu/~vlab/stranger/]. In TACAS 2010 =====[php]
=====[42] Mihai Christodorescu, Nicholas Kidd, and Wen-Han Goh. "String analysis for x86 binaries," In PASTE 2005 =====[x86]
=====[43] Michael D. Ernst, Jeff H. Perkins, Philip J. Guo, Stephen McCamant, Carlos Pacheco, Matthew S. Tschantz, and Chen Xiao. "The Daikon system for dynamic detection of likely invariants," Science of Computer Programming, 2007 =====[daikon1]
=====[44] Michael D. Ernst, Jake Cockrell, William G. Griswold, and David Notkin. "Dynamically discovering likely program invariants to support program evolution," IEEE Transactions on Software Engineering, 27(2), 2001 =====[daikon2]
=====[45] Y. Jhi, X. Wang, X. Jia, S. Zhu, P. Liu, and D. Wu. "Value-Based Program Characterization and Its Application to Software Plagiarism Detection," In ICSE 2011 =====[value]
=====[46] Junghwan Rhee, Ryan Riley, Dongyan Xu, and Xuxian Jiang. "Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory," In RAID 2010 =====[rhee]
=====[47] A. Baliga, V. Ganapathy, and L. Iftode. "Automatic inference and enforcement of kernel data structure invariants," In ACSAC 2008 =====[acsac08]
=====[48] "An architecture for specification-based detection of semantic integrity violations in kernel dynamic data," In USENIX Security 2006 =====[sbcfi]
=====[49] "Copilot - a coprocessor-based kernel runtime integrity monitor," In USENIX Security 2004 =====[copilot]
=====[50] E. Bursztein, J. Lagarenne, M. Hamburg, and D. Boneh. "OpenConflict: Preventing Real Time Map Hacks in Online Games," In IEEE S&P (Oakland) 2011 =====[map]
=====[51] Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. "Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds," In CCS 2009 =====[cloud]
=====[52] B. Dolan-Gavitt, A. Srivastava, P. Traynor, and J. Giffin. "Robust signatures for kernel data structures," In CCS 2009 =====[vi]
=====[53] Zhi Wang, Xuxian Jiang, Weidong Cui, and Xinyuan Wang. "Countering Persistent Kernel Rootkits Through Systematic Hook Discovery," In RAID 2008 =====[hookmap]
=====[54] Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning. "Countering Kernel Rootkits with Lightweight Hook Protection," In CCS 2009 =====[hooksafe]
=====[55] Heng Yin, Pongsin Poosankam, Steve Hanna, and Dawn Song. "HookScout: Proactive and Binary-Centric Hook Detection," In DIMVA 2010 =====[hookscout]
=====[56] Zhiqiang Lin, Ryan Riley, and Dongyan Xu. "Polymorphing Software by Randomizing Data Structure Layout," In DIMVA 2009 =====[dslr]
=====[57] Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. "Q: Exploit Hardening Made Easy," In USENIX Security 2011 =====[Q]
=====[58] Giampaolo Fresi Roglia, Lorenzo Martignoni, Roberto Paleari, and Danilo Bruschi. "Surgically Returning to Randomized lib(c)," In ACSAC 2009 =====[ret]
=====[59] Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang. "Battle of Botcraft: Fighting Bots in Online Games with Human Observational Proofs," In ACM CCS 2009 =====[bot]
=====[60] D. Bethea, R. A. Cochran, and M. K. Reiter. "Server-side verification of client behavior in online games," In NDSS 2010 =====[game2]

---------------------------------------------------------------------------

=== Office Hours ===

Thursday 3-5PM

---------------------------------------------------------------------------

=== Prerequisites ===

"Data Structures", "Compilers", "Operating System", "System Security", or permission of the instructor.

Note for undergraduate students who may be interested in taking this class: please be aware that the class is designed for graduate students. You are encouraged to attend the first lecture and then talk to the instructor.

---------------------------------------------------------------------------

=== Course Projects ===

- Data structure reverse engineering
- Decompilation
- Forensic data carving
- ...

---------------------------------------------------------------------------

=== Course Policy ===

==== Grading Policy ====

- 40% In-Class Presentations
- 10% Class participation
- 10% Paper review/summary
- 40% Class Project
- Exceptional work will be rewarded appropriately

==== Late Policy ====

No late submission.
Late work will be penalized or may not be graded.

==== Collaboration Policy ====

Students are encouraged to collaborate, particularly on the course project, but teams are limited to at most two students. For paper reviews, students are encouraged to talk to each other as well, but each student must turn in his or her own summary.

==== Cheating Policy ====

We will strictly follow the university policy on cheating and plagiarism, which is available [here http://www.utdallas.edu/judicialaffairs/UTDJudicialAffairs-policies.html]. Please [avoid dishonesty http://www.utdallas.edu/judicialaffairs/UTDJudicialAffairs-AvoidDishonesty.html]. There are also several examples of [Scholastic Dishonesty http://www.utdallas.edu/judicialaffairs/UTDJudicialAffairs-Basicexamples.html]. If you have any questions regarding this issue, please contact the instructor.

=== Acknowledgement ===

- http://www.forensicswiki.org/wiki/Main_Page
- http://www.4tphi.net/fatkit/#links
- http://www.dfrws.org
- http://duartes.org/gustavo/blog/ (memory management)
- Understanding the Linux Kernel. http://oreilly.com/catalog/9780596005658
