index.json
[{"authors":["admin"],"categories":null,"content":"I am an Assistant Professor at Purdue University in the Computer Science Department and co-founder of the PurSec Lab.\nMy research interests span the domains of software and systems security. Specifically, I am currently focusing on enhancing the security of edge devices, such as smartphones, IoT devices, drones, and embedded systems.\nWithin this area, my work is dedicated to designing and developing innovative automated methodologies and tools that identify vulnerabilities, remediate them, and prevent future occurrences. To achieve these goals, I have developed novel techniques in program analysis, binary analysis, fuzzing, reverse engineering, program repair, and binary patching. Additionally, I have performed several user studies, involving both developers and end-users, to evaluate the usability of the proposed solutions.\nAs a core member of the Shellphish, OOO, and Nautilus teams, I have played in and organized many security competitions (CTFs), and I won third place at the DARPA Cyber Grand Challenge.\nI am looking for interns, PhD students, and Postdocs working in the areas of Mobile Authentication, IoT, TrustZone, and Binary Analysis. Please contact me if you are interested.\n","date":1559001600,"expirydate":-62135596800,"kind":"term","lang":"en","lastmod":1559001600,"objectID":"2525497d367e79493fd32b198b28f040","permalink":"/authors/admin/","publishdate":"0001-01-01T00:00:00Z","relpermalink":"/authors/admin/","section":"authors","summary":"I am an Assistant Professor at Purdue University in the Computer Science Department and co-founder of the PurSec Lab.\nMy research interests span the domains of software and systems security. 
Specifically, I am currently focusing on enhancing the security of edge devices, such as smartphones, IoT devices, drones, and embedded systems.\nWithin this area, my work is dedicated to designing and developing innovative automated methodologies and tools that identify vulnerabilities, remediate them, and prevent future occurrences.","tags":null,"title":"Antonio Bianchi","type":"authors"},{"authors":null,"categories":null,"content":"Flexibility This feature can be used for publishing content such as:\n Online courses Project or software documentation Tutorials The courses folder may be renamed. For example, we can rename it to docs for software/project documentation or tutorials for creating an online course.\nDelete tutorials To remove these pages, delete the courses folder and see below to delete the associated menu link.\nUpdate site menu After renaming or deleting the courses folder, you may wish to update any [[main]] menu links to it by editing your menu configuration at config/_default/menus.toml.\nFor example, if you delete this folder, you can remove the following from your menu configuration:\n[[main]] name = \u0026#34;Courses\u0026#34; url = \u0026#34;courses/\u0026#34; weight = 50 Or, if you are creating a software documentation site, you can rename the courses folder to docs and update the associated Courses menu configuration to:\n[[main]] name = \u0026#34;Docs\u0026#34; url = \u0026#34;docs/\u0026#34; weight = 50 Update the docs menu If you use the docs layout, note that the name of the menu in the front matter should be in the form [menu.X] where X is the folder name. 
Hence, if you rename the courses/example/ folder, you should also rename the menu definitions in the front matter of files within courses/example/ from [menu.example] to [menu.\u0026lt;NewFolderName\u0026gt;].\n","date":1536451200,"expirydate":-62135596800,"kind":"section","lang":"en","lastmod":1536451200,"objectID":"59c3ce8e202293146a8a934d37a4070b","permalink":"/courses/example/","publishdate":"2018-09-09T00:00:00Z","relpermalink":"/courses/example/","section":"courses","summary":"Learn how to use Academic's docs layout for publishing online courses, software documentation, and tutorials.","tags":null,"title":"Overview","type":"docs"},{"authors":null,"categories":null,"content":"In this tutorial, I\u0026rsquo;ll share my top 10 tips for getting started with Academic:\nTip 1 Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis posuere tellus ac convallis placerat. Proin tincidunt magna sed ex sollicitudin condimentum. Sed ac faucibus dolor, scelerisque sollicitudin nisi. Cras purus urna, suscipit quis sapien eu, pulvinar tempor diam. Quisque risus orci, mollis id ante sit amet, gravida egestas nisl. Sed ac tempus magna. Proin in dui enim. Donec condimentum, sem id dapibus fringilla, tellus enim condimentum arcu, nec volutpat est felis vel metus. Vestibulum sit amet erat at nulla eleifend gravida.\nNullam vel molestie justo. Curabitur vitae efficitur leo. In hac habitasse platea dictumst. Sed pulvinar mauris dui, eget varius purus congue ac. Nulla euismod, lorem vel elementum dapibus, nunc justo porta mi, sed tempus est est vel tellus. Nam et enim eleifend, laoreet sem sit amet, elementum sem. Morbi ut leo congue, maximus velit ut, finibus arcu. In et libero cursus, rutrum risus non, molestie leo. Nullam congue quam et volutpat malesuada. Sed risus tortor, pulvinar et dictum nec, sodales non mi. Phasellus lacinia commodo laoreet. Nam mollis, erat in feugiat consectetur, purus eros egestas tellus, in auctor urna odio at nibh. 
Mauris imperdiet nisi ac magna convallis, at rhoncus ligula cursus.\nCras aliquam rhoncus ipsum, in hendrerit nunc mattis vitae. Duis vitae efficitur metus, ac tempus leo. Cras nec fringilla lacus. Quisque sit amet risus at ipsum pharetra commodo. Sed aliquam mauris at consequat eleifend. Praesent porta, augue sed viverra bibendum, neque ante euismod ante, in vehicula justo lorem ac eros. Suspendisse augue libero, venenatis eget tincidunt ut, malesuada at lorem. Donec vitae bibendum arcu. Aenean maximus nulla non pretium iaculis. Quisque imperdiet, nulla in pulvinar aliquet, velit quam ultrices quam, sit amet fringilla leo sem vel nunc. Mauris in lacinia lacus.\nSuspendisse a tincidunt lacus. Curabitur at urna sagittis, dictum ante sit amet, euismod magna. Sed rutrum massa id tortor commodo, vitae elementum turpis tempus. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean purus turpis, venenatis a ullamcorper nec, tincidunt et massa. Integer posuere quam rutrum arcu vehicula imperdiet. Mauris ullamcorper quam vitae purus congue, quis euismod magna eleifend. Vestibulum semper vel augue eget tincidunt. Fusce eget justo sodales, dapibus odio eu, ultrices lorem. Duis condimentum lorem id eros commodo, in facilisis mauris scelerisque. Morbi sed auctor leo. Nullam volutpat a lacus quis pharetra. Nulla congue rutrum magna a ornare.\nAliquam in turpis accumsan, malesuada nibh ut, hendrerit justo. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Quisque sed erat nec justo posuere suscipit. Donec ut efficitur arcu, in malesuada neque. Nunc dignissim nisl massa, id vulputate nunc pretium nec. Quisque eget urna in risus suscipit ultricies. Pellentesque odio odio, tincidunt in eleifend sed, posuere a diam. Nam gravida nisl convallis semper elementum. Morbi vitae felis faucibus, vulputate orci placerat, aliquet nisi. Aliquam erat volutpat. 
Maecenas sagittis pulvinar purus, sed porta quam laoreet at.\nTip 2 Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis posuere tellus ac convallis placerat. Proin tincidunt magna sed ex sollicitudin condimentum. Sed ac faucibus dolor, scelerisque sollicitudin nisi. Cras purus urna, suscipit quis sapien eu, pulvinar tempor diam. Quisque risus orci, mollis id ante sit amet, gravida egestas nisl. Sed ac tempus magna. Proin in dui enim. Donec condimentum, sem id dapibus fringilla, tellus enim condimentum arcu, nec volutpat est felis vel metus. Vestibulum sit amet erat at nulla eleifend gravida.\nNullam vel molestie justo. Curabitur vitae efficitur leo. In hac habitasse platea dictumst. Sed pulvinar mauris dui, eget varius purus congue ac. Nulla euismod, lorem vel elementum dapibus, nunc justo porta mi, sed tempus est est vel tellus. Nam et enim eleifend, laoreet sem sit amet, elementum sem. Morbi ut leo congue, maximus velit ut, finibus arcu. In et libero cursus, rutrum risus non, molestie leo. Nullam congue quam et volutpat malesuada. Sed risus tortor, pulvinar et dictum nec, sodales non mi. Phasellus lacinia commodo laoreet. Nam mollis, erat in feugiat consectetur, purus eros egestas tellus, in auctor urna odio at nibh. Mauris imperdiet nisi ac magna convallis, at rhoncus ligula cursus.\nCras aliquam rhoncus ipsum, in hendrerit nunc mattis vitae. Duis vitae efficitur metus, ac tempus leo. Cras nec fringilla lacus. Quisque sit amet risus at ipsum pharetra commodo. Sed aliquam mauris at consequat eleifend. Praesent porta, augue sed viverra bibendum, neque ante euismod ante, in vehicula justo lorem ac eros. Suspendisse augue libero, venenatis eget tincidunt ut, malesuada at lorem. Donec vitae bibendum arcu. Aenean maximus nulla non pretium iaculis. Quisque imperdiet, nulla in pulvinar aliquet, velit quam ultrices quam, sit amet fringilla leo sem vel nunc. Mauris in lacinia lacus.\nSuspendisse a tincidunt lacus. 
Curabitur at urna sagittis, dictum ante sit amet, euismod magna. Sed rutrum massa id tortor commodo, vitae elementum turpis tempus. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean purus turpis, venenatis a ullamcorper nec, tincidunt et massa. Integer posuere quam rutrum arcu vehicula imperdiet. Mauris ullamcorper quam vitae purus congue, quis euismod magna eleifend. Vestibulum semper vel augue eget tincidunt. Fusce eget justo sodales, dapibus odio eu, ultrices lorem. Duis condimentum lorem id eros commodo, in facilisis mauris scelerisque. Morbi sed auctor leo. Nullam volutpat a lacus quis pharetra. Nulla congue rutrum magna a ornare.\nAliquam in turpis accumsan, malesuada nibh ut, hendrerit justo. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Quisque sed erat nec justo posuere suscipit. Donec ut efficitur arcu, in malesuada neque. Nunc dignissim nisl massa, id vulputate nunc pretium nec. Quisque eget urna in risus suscipit ultricies. Pellentesque odio odio, tincidunt in eleifend sed, posuere a diam. Nam gravida nisl convallis semper elementum. Morbi vitae felis faucibus, vulputate orci placerat, aliquet nisi. Aliquam erat volutpat. Maecenas sagittis pulvinar purus, sed porta quam laoreet at.\n","date":1557010800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1557010800,"objectID":"74533bae41439377bd30f645c4677a27","permalink":"/courses/example/example1/","publishdate":"2019-05-05T00:00:00+01:00","relpermalink":"/courses/example/example1/","section":"courses","summary":"In this tutorial, I\u0026rsquo;ll share my top 10 tips for getting started with Academic:\nTip 1 Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis posuere tellus ac convallis placerat. Proin tincidunt magna sed ex sollicitudin condimentum. Sed ac faucibus dolor, scelerisque sollicitudin nisi. Cras purus urna, suscipit quis sapien eu, pulvinar tempor diam. 
Quisque risus orci, mollis id ante sit amet, gravida egestas nisl. Sed ac tempus magna. Proin in dui enim.","tags":null,"title":"Example Page 1","type":"docs"},{"authors":null,"categories":null,"content":"Here are some more tips for getting started with Academic:\nTip 3 Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis posuere tellus ac convallis placerat. Proin tincidunt magna sed ex sollicitudin condimentum. Sed ac faucibus dolor, scelerisque sollicitudin nisi. Cras purus urna, suscipit quis sapien eu, pulvinar tempor diam. Quisque risus orci, mollis id ante sit amet, gravida egestas nisl. Sed ac tempus magna. Proin in dui enim. Donec condimentum, sem id dapibus fringilla, tellus enim condimentum arcu, nec volutpat est felis vel metus. Vestibulum sit amet erat at nulla eleifend gravida.\nNullam vel molestie justo. Curabitur vitae efficitur leo. In hac habitasse platea dictumst. Sed pulvinar mauris dui, eget varius purus congue ac. Nulla euismod, lorem vel elementum dapibus, nunc justo porta mi, sed tempus est est vel tellus. Nam et enim eleifend, laoreet sem sit amet, elementum sem. Morbi ut leo congue, maximus velit ut, finibus arcu. In et libero cursus, rutrum risus non, molestie leo. Nullam congue quam et volutpat malesuada. Sed risus tortor, pulvinar et dictum nec, sodales non mi. Phasellus lacinia commodo laoreet. Nam mollis, erat in feugiat consectetur, purus eros egestas tellus, in auctor urna odio at nibh. Mauris imperdiet nisi ac magna convallis, at rhoncus ligula cursus.\nCras aliquam rhoncus ipsum, in hendrerit nunc mattis vitae. Duis vitae efficitur metus, ac tempus leo. Cras nec fringilla lacus. Quisque sit amet risus at ipsum pharetra commodo. Sed aliquam mauris at consequat eleifend. Praesent porta, augue sed viverra bibendum, neque ante euismod ante, in vehicula justo lorem ac eros. Suspendisse augue libero, venenatis eget tincidunt ut, malesuada at lorem. Donec vitae bibendum arcu. Aenean maximus nulla non pretium iaculis. 
Quisque imperdiet, nulla in pulvinar aliquet, velit quam ultrices quam, sit amet fringilla leo sem vel nunc. Mauris in lacinia lacus.\nSuspendisse a tincidunt lacus. Curabitur at urna sagittis, dictum ante sit amet, euismod magna. Sed rutrum massa id tortor commodo, vitae elementum turpis tempus. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean purus turpis, venenatis a ullamcorper nec, tincidunt et massa. Integer posuere quam rutrum arcu vehicula imperdiet. Mauris ullamcorper quam vitae purus congue, quis euismod magna eleifend. Vestibulum semper vel augue eget tincidunt. Fusce eget justo sodales, dapibus odio eu, ultrices lorem. Duis condimentum lorem id eros commodo, in facilisis mauris scelerisque. Morbi sed auctor leo. Nullam volutpat a lacus quis pharetra. Nulla congue rutrum magna a ornare.\nAliquam in turpis accumsan, malesuada nibh ut, hendrerit justo. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Quisque sed erat nec justo posuere suscipit. Donec ut efficitur arcu, in malesuada neque. Nunc dignissim nisl massa, id vulputate nunc pretium nec. Quisque eget urna in risus suscipit ultricies. Pellentesque odio odio, tincidunt in eleifend sed, posuere a diam. Nam gravida nisl convallis semper elementum. Morbi vitae felis faucibus, vulputate orci placerat, aliquet nisi. Aliquam erat volutpat. Maecenas sagittis pulvinar purus, sed porta quam laoreet at.\nTip 4 Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis posuere tellus ac convallis placerat. Proin tincidunt magna sed ex sollicitudin condimentum. Sed ac faucibus dolor, scelerisque sollicitudin nisi. Cras purus urna, suscipit quis sapien eu, pulvinar tempor diam. Quisque risus orci, mollis id ante sit amet, gravida egestas nisl. Sed ac tempus magna. Proin in dui enim. Donec condimentum, sem id dapibus fringilla, tellus enim condimentum arcu, nec volutpat est felis vel metus. 
Vestibulum sit amet erat at nulla eleifend gravida.\nNullam vel molestie justo. Curabitur vitae efficitur leo. In hac habitasse platea dictumst. Sed pulvinar mauris dui, eget varius purus congue ac. Nulla euismod, lorem vel elementum dapibus, nunc justo porta mi, sed tempus est est vel tellus. Nam et enim eleifend, laoreet sem sit amet, elementum sem. Morbi ut leo congue, maximus velit ut, finibus arcu. In et libero cursus, rutrum risus non, molestie leo. Nullam congue quam et volutpat malesuada. Sed risus tortor, pulvinar et dictum nec, sodales non mi. Phasellus lacinia commodo laoreet. Nam mollis, erat in feugiat consectetur, purus eros egestas tellus, in auctor urna odio at nibh. Mauris imperdiet nisi ac magna convallis, at rhoncus ligula cursus.\nCras aliquam rhoncus ipsum, in hendrerit nunc mattis vitae. Duis vitae efficitur metus, ac tempus leo. Cras nec fringilla lacus. Quisque sit amet risus at ipsum pharetra commodo. Sed aliquam mauris at consequat eleifend. Praesent porta, augue sed viverra bibendum, neque ante euismod ante, in vehicula justo lorem ac eros. Suspendisse augue libero, venenatis eget tincidunt ut, malesuada at lorem. Donec vitae bibendum arcu. Aenean maximus nulla non pretium iaculis. Quisque imperdiet, nulla in pulvinar aliquet, velit quam ultrices quam, sit amet fringilla leo sem vel nunc. Mauris in lacinia lacus.\nSuspendisse a tincidunt lacus. Curabitur at urna sagittis, dictum ante sit amet, euismod magna. Sed rutrum massa id tortor commodo, vitae elementum turpis tempus. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean purus turpis, venenatis a ullamcorper nec, tincidunt et massa. Integer posuere quam rutrum arcu vehicula imperdiet. Mauris ullamcorper quam vitae purus congue, quis euismod magna eleifend. Vestibulum semper vel augue eget tincidunt. Fusce eget justo sodales, dapibus odio eu, ultrices lorem. Duis condimentum lorem id eros commodo, in facilisis mauris scelerisque. Morbi sed auctor leo. 
Nullam volutpat a lacus quis pharetra. Nulla congue rutrum magna a ornare.\nAliquam in turpis accumsan, malesuada nibh ut, hendrerit justo. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Quisque sed erat nec justo posuere suscipit. Donec ut efficitur arcu, in malesuada neque. Nunc dignissim nisl massa, id vulputate nunc pretium nec. Quisque eget urna in risus suscipit ultricies. Pellentesque odio odio, tincidunt in eleifend sed, posuere a diam. Nam gravida nisl convallis semper elementum. Morbi vitae felis faucibus, vulputate orci placerat, aliquet nisi. Aliquam erat volutpat. Maecenas sagittis pulvinar purus, sed porta quam laoreet at.\n","date":1557010800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1557010800,"objectID":"1c2b5a11257c768c90d5050637d77d6a","permalink":"/courses/example/example2/","publishdate":"2019-05-05T00:00:00+01:00","relpermalink":"/courses/example/example2/","section":"courses","summary":"Here are some more tips for getting started with Academic:\nTip 3 Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis posuere tellus ac convallis placerat. Proin tincidunt magna sed ex sollicitudin condimentum. Sed ac faucibus dolor, scelerisque sollicitudin nisi. Cras purus urna, suscipit quis sapien eu, pulvinar tempor diam. Quisque risus orci, mollis id ante sit amet, gravida egestas nisl. Sed ac tempus magna. Proin in dui enim. Donec condimentum, sem id dapibus fringilla, tellus enim condimentum arcu, nec volutpat est felis vel metus.","tags":null,"title":"Example Page 2","type":"docs"},{"authors":[],"categories":null,"content":"Slides can be added in a few ways:\n Create slides using Academic\u0026rsquo;s Slides feature and link using slides parameter in the front matter of the talk file Upload an existing slide deck to static/ and link using url_slides parameter in the front matter of the talk file Embed your slides (e.g. 
Google Slides) or presentation video on this page using shortcodes. Further talk details can easily be added to this page using Markdown and $\\rm \\LaTeX$ math code.\n","date":1906549200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1906549200,"objectID":"96344c08df50a1b693cc40432115cbe3","permalink":"/talk/example/","publishdate":"2017-01-01T00:00:00Z","relpermalink":"/talk/example/","section":"talk","summary":"An example talk using Academic's Markdown slides feature.","tags":[],"title":"Example Talk","type":"talk"},{"authors":null,"categories":[],"content":"","date":1704067200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1704067200,"objectID":"77e1b1667b0f7bdd41d76cb027c58b54","permalink":"/teaching/spring2024/","publishdate":"2024-01-01T00:00:00Z","relpermalink":"/teaching/spring2024/","section":"teaching","summary":" ","tags":["Academic"],"title":"Spring 2024: Software Security (CS-52700)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1692489600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1692489600,"objectID":"d638daa91914722d6da755959b1719f5","permalink":"/teaching/fall2023_2/","publishdate":"0001-01-01T00:00:00Z","relpermalink":"/teaching/fall2023_2/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2023: Honors Seminar (CS-39700)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1690848000,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1690848000,"objectID":"556e9fed57d56eea28b6f25d1c5b76f7","permalink":"/teaching/fall2023/","publishdate":"2023-08-01T00:00:00Z","relpermalink":"/teaching/fall2023/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2023: Software Security 
(CS-49000-SWS)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1682899200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1682899200,"objectID":"25ccf1ab5d7ad4b6041eed98f5d508d0","permalink":"/teaching/spring2023/","publishdate":"2023-05-01T00:00:00Z","relpermalink":"/teaching/spring2023/","section":"teaching","summary":" ","tags":["Academic"],"title":"Spring 2023: Software Security (CS-52700)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1660953600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1660953600,"objectID":"a7c82906d0063a536f5f4635da959be8","permalink":"/teaching/fall2022_2/","publishdate":"0001-01-01T00:00:00Z","relpermalink":"/teaching/fall2022_2/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2022: Honors Seminar (CS-39700)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1659312000,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1659312000,"objectID":"8657e797e483b6b4e0cf92237748a591","permalink":"/teaching/fall2022/","publishdate":"2022-08-01T00:00:00Z","relpermalink":"/teaching/fall2022/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2022: Software Security (CS-49000-SWS)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1588291200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1577836800,"objectID":"c766580fa9163b9e52241b2697efe15f","permalink":"/teaching/spring2022/","publishdate":"2020-05-01T00:00:00Z","relpermalink":"/teaching/spring2022/","section":"teaching","summary":" ","tags":["Academic"],"title":"Spring 2022: Software Security 
(CS-52700)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1583020800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1577836800,"objectID":"f2ff84efb5455ca588aa7b029237fc3a","permalink":"/teaching/fall2021_2/","publishdate":"2020-03-01T00:00:00Z","relpermalink":"/teaching/fall2021_2/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2021: Honors Seminar (CS-39700)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1580515200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1577836800,"objectID":"12a32914ec7b2f10f95d01abab929824","permalink":"/teaching/fall2021/","publishdate":"2020-02-01T00:00:00Z","relpermalink":"/teaching/fall2021/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2021: Automated Security Testing (CS-59200-AST)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1580515200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1577836800,"objectID":"688f9f111be61c72083b954ae7498ef6","permalink":"/teaching/spring2021/","publishdate":"2020-02-01T00:00:00Z","relpermalink":"/teaching/spring2021/","section":"teaching","summary":" ","tags":["Academic"],"title":"Spring 2021: Software Security (CS-52700)","type":"teaching"},{"authors":null,"categories":[],"content":"","date":1577836800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1577836800,"objectID":"812226c960e0840e91642d0dfd313b9b","permalink":"/teaching/fall2020/","publishdate":"2020-01-01T00:00:00Z","relpermalink":"/teaching/fall2020/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2020: CERIAS Security Seminar (CS-59100)","type":"teaching"},{"authors":null,"categories":[],"content":"Class time: Tuesday and Thursday: 6:00-6:50 pm\nClass location: Lawson Computer Science Building (LWSN) 1106\nCourse Webpage: Blackboard and Piazza\n Instructor: Antonio Bianchi\nOffice: LWSN 1167\nOffice Hours: Tuesday: 4:15-5:45 pm and by 
appointment\nEmail: [email protected]\n Teaching Assistant: Bader AlBassam\nTeaching Assistant Email: [email protected]\nLab Sessions:Wednesdays 1:30-3:20 pm in HAAS G056, Thursdays at 11:30-1:20 pm in LWSN B146.\n Course Overview\nThis course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students will learn to assess and understand threats, how to reverse engineering code to find vulnerabilities, and they will get hands-on experience with detection and exploitation of common security pitfalls.\nThe course consists of two lectures per week (50 minutes each) and lab sessions.\nCourse Objectives\nSoftware running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software. In this course students will learn about current security threats, attack vectors, and defence mechanisms on current systems. The students will work with real world problems and technical challenges of security mechanisms (both in the design and implementation of programming languages, compilers, and runtime systems).\nLearning Outcomes\nStudents who complete the course will have demonstrated the ability to do the following:\n Explain the most common weaknesses in software security and understand how such problems can be avoided in software.\n Identify common security threats, risks, and attack vectors for software systems.\n Evaluate and assess current security best practices and defense mechanisms for current software systems. 
Become aware of limitations of existing defense mechanisms and how to avoid them.\n Identify security problems in source code and binaries, assess the associated risks, and reason about their severity and exploitability.\n Assess the security of given source code or applications.\n Prerequisites\nCS 52600, Introduction to Information Security or equivalent course with the consent of the instructor.\nThis is an advanced, hands-on, class. Significant programming experience and skills are required. Students enrolling in this course are strongly recommended to already have a good knowledge of:\n System programming and C (pointers, memory management, system calls)\n a Linux-based operating system and programming environment\n In addition, students are required to write code using Python.\nCourse Policies\nThis course will be run under the \u0026ldquo;reasonable adults\u0026rdquo; policy wherein it is assumed that all students are reasonable adults that want to benefit the most of the course by attending the course regularly, completing the homework assignments on time, asking questions during the course and if they run into problems, and checking back with the instructor and the TA regularly to ensure good progress.\nExams will be comprehensive, covering everything up to the exam date, emphasizing integrating material from recent assignments. The exam may include open questions, multiple-choice questions, numerical problems, and understanding/writing snippets of code. The exams will be closed book.\nHomework assignments grading will mainly focus on automated test and emphasize correctly completing all or a part of the assignment. Submitting incorrect homework (e.g., submitting the wrong file, files in the wrong format, not compiling code, \u0026hellip;) will result in zero points. Students should double check the file(s) they submitted.\nCheating will not be tolerated and will result in a grade of zero for that assignment. 
Further actions against cheating students will be considered. Students are encouraged to consult the instructor to ensure whether (and to which extent) collaboration and discussion among students are allowed for a particular assignment. Students are not allowed to share, copy, or show, the code they developed for an assignment. Students are not allowed to copy homework solutions from online resources (even partially). All homework assignments should be done individually, unless otherwise noted.\nIf you have any question about the course policy, do not hesitate to ask the instructor or the TA.\nLate Work\nEach student will be entitled to 3 late days. One late day may be used to delay the homework submission for a single day (24 hours). A student can use all the 3 late days for a single homework assignment submission. Note that, late submissions for which students have no late days available will not be accepted, regardless of the reason why the student submitted late. Students should exercise the use of late days wisely as the homework assignments are likely to be progressively harder. There will not be any fractional late day.\nLate days cannot be used for midterm and final exams. It may not be possible to use late days for some of the homework assignments, as specified by the instructor in the assignment\u0026rsquo;s description.\nCommunication Policies\nAs a general rule, questions about homework assignments and class material should be posted publicly on Piazza, so that everyone can benefit from their answers. However, be careful not to post publicly assignment solutions (even partially).\nAll emails sent to the instructor and the TA must be sent from the student\u0026rsquo;s official Purdue email address. 
All emails must clearly state the student\u0026rsquo;s full name and Purdue ID (something like: john123).\nQuestions about grading should be first sent to the TA.\nGrading\nThe course grade will be assigned based on the student’s performance on the following testing criteria.\nHomework assignments will contribute to the 65% of the course grade.\nMidterm examination will contribute to the 16% of the course grade.\nFinal examination will contribute to the 19% of the course grade.\nGrades with +/- will be assigned.\nAfter 2 weeks from the day in which an assignment\u0026rsquo;s grades have been posted, re-grading requests will not be considered.\n","date":1577836800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1577836800,"objectID":"30b45c3aa4a86cf1827b995f296c9d14","permalink":"/teaching/spring2020/","publishdate":"2020-01-01T00:00:00Z","relpermalink":"/teaching/spring2020/","section":"teaching","summary":" ","tags":["Academic"],"title":"Spring 2020: Software Security (CS-52700-LE1)","type":"teaching"},{"authors":null,"categories":[],"content":"Class time: Tuesday and Thursday: 10:30-11:45 am\nClass location: Psychological Sciences Bldg 3102\nCourse Webpage: Blackboard and Piazza (https://piazza.com/purdue/fall2019/cs59000mss)\nInstructor: Antonio Bianchi\nOffice: LWSN 1167\nEmail: [email protected]\nThis course will discuss security and privacy aspects relevant to mobile systems (smartphones, tablets, …).\nMore than one billion mobile devices are sold every year, and, for billions of people these devices have become the primary way to access online services and perform sensitive operations (e.g., monetary transactions using mobile banking apps). 
Unfortunately, the security of these devices, their operating systems, and their apps is far from perfect.\nThis course will cover topics such as the mobile application ecosystem, the design and architecture of mobile operating systems, rooting/jailbreaking, mobile applications and malware reverse engineering, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques.\nGiven its open nature, this course will mostly focus on Google’s Android, but it will also provide some details about Apple’s IOS.\nRequirements:\nThis is an advanced, hands-on, class. Students enrolling in this course are strongly recommended to already have a good knowledge of:\n Java programming\n System programming and C (pointers, memory management, system calls)\n Knowledge in the following areas is also highly suggested:\n a Linux-based operating system and programming environment\n TCP/IP networking\n In addition, students may be required to write code using scripting languages, such as Python or Javascript.\nCourse resources:\nThis class does not have a primary textbook. Resources will be provided by the instructor on Blackboard and the Piazza online forum. Resources will be in the form of slides, code samples, web links, and scientific publications. Students are required to enroll in the Piazza online forum.\nGrading Policies:\nExams will be comprehensive, covering everything up to the exam date, emphasizing integrating material from recent assignments. The exam may include open questions, multiple-choice questions, numerical problems, and understanding/writing snippets of code. The exams will be closed book. Students that cannot attend the exam due to conflicts (e.g., illness, religious holidays) may make alternate arrangements (in advance, if at all possible).\nHomework grading will mainly focus on automated test and emphasize correctly completing all or a part of the assignment. 
Submitting incorrect homework (e.g., submitting the wrong file, files in the wrong format, code that does not compile, …) will result in zero points. Students should double-check the file(s) they submitted.\nCheating will not be tolerated and will result in a grade of zero for that assignment. Further actions against cheating students will be considered. Students are encouraged to consult the instructor to check whether (and to which extent) collaboration and discussion among students are allowed for a particular assignment. Students are not allowed to share, copy, or show the code they developed for an assignment. Students are not allowed to copy homework solutions from online resources (even partially). All homework assignments should be done individually, unless otherwise noted.\nGrading:\nThe course grade will be assigned based on the student’s performance on the following testing criteria.\nHomework assignments, including written and programming assignments, will contribute 60% of the course grade.\nMidterm examination will contribute 18% of the course grade.\nFinal examination will contribute 22% of the course grade.\nGrades with +/- will be assigned.\nAfter 2 weeks from the day in which an assignment\u0026rsquo;s grades have been posted, re-grading requests will not be considered.\nLate Work:\nEach student will be entitled to 3 late days. One late day may be used to delay the homework submission for a single day (24 hours). A student can use all the 3 late days for a single homework assignment submission. Note that late submissions for which students have no late days available will not be accepted, regardless of the reason why the student submitted late. Students should exercise the use of late days wisely as the homework assignments are likely to be progressively harder. There will not be any fractional late day.\nLate days cannot be used for midterm and final exams. 
It may not be possible to use late days for some of the homework assignments, as specified by the instructor in the assignment\u0026rsquo;s description.\nCommunication Policies:\nAs a general rule, questions about homework assignments and class material should be posted publicly on Piazza, so that everyone can benefit from their answers. However, be careful not to post publicly assignment solutions (even partially).\nAll emails sent to the instructor should be sent from the student\u0026rsquo;s official Purdue email address. All emails should clearly state the student\u0026rsquo;s full name and Purdue ID (something like: john123).\n","date":1564617600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1564617600,"objectID":"645dcbeb6648596d59d34c3ddc13400c","permalink":"/teaching/fall2019/","publishdate":"2019-08-01T00:00:00Z","relpermalink":"/teaching/fall2019/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2019: Mobile Systems and Smartphone Security (CS-59000-MSS)","type":"teaching"},{"authors":["Antonio Bianchi"],"categories":[],"content":"Introduction For Defcon Quals 2019, I wrote a challenge called VeryAndroidoso.\nIt is an Android crackme, written using both Java and native code.\nMany teams solved this challenge using reverse engineering and Frida. However, I designed it so that it could also be solved using angr. In fact, angr now has some experimental support for symbolic execution of Java and Android apps (including apps using a combination of Dalvik bytecode and native C/C++ code).\nThe code of my solution using angr is available in the angr-doc repository.\nA few notes To run correctly, the solution script needed a small fix to angr. This fix adds support for the cmp Soot bytecode expression. To avoid potentially leaking information about the challenge, the fix was pushed and merged to the angr repository only after the end of the competition. 
I think that a team who wanted to use angr to solve this challenge could have quite easily figured out how to fix this issue.\nA more subtle issue is the following exception raised by CLE:\n... File \u0026#34;/home/antoniob/git/angr_pypy/angr-dev/cle/cle/backends/externs/__init__.py\u0026#34;, line 112, in allocate\n raise CLEOperationError(\u0026#34;Ran out of room in the extern object...! Report this as a bug.\u0026#34;)\ncle.errors.CLEOperationError: Ran out of room in the extern object...! Report this as a bug.\nMy understanding is that this happens due to a bug in how the JNI interface is implemented. The linked solution contains a workaround for this issue:\n# extern_size=0x800000 prevents CLE bug\nproject = angr.Project(apk_location, main_opts=loading_opts, extern_size=0x800000)\nMy solution provides good examples of how to:\n load a mixed Java/native Android app, specify Java \u0026ldquo;addresses\u0026rdquo; (different code locations), run symbolic execution starting from a specific Java code location with specific symbolic values, run symbolic execution until a condition is met, pruning failed paths, write SimProcedures re-defining Java methods, read and write values from the symbolic Java memory. My solve.py script runs in about one hour using PyPy. It does not stop immediately after a solution is found since it explores all paths. 
For this reason, it takes more time to finish than strictly necessary, but I could use it to double-check that this challenge had a single solution.\n","date":1559001600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1559001600,"objectID":"3ae3d2daa0ae88cb903f178bbf52dd0f","permalink":"/posts/ctf-defconquals2019-veryandroidoso/","publishdate":"2019-05-28T00:00:00Z","relpermalink":"/posts/ctf-defconquals2019-veryandroidoso/","section":"posts","summary":" ","tags":["CTF"],"title":"Solving Defcon Quals 2019 VeryAndroidoso using angr","type":"posts"},{"authors":["Antonio Bianchi"],"categories":[],"content":"Introduction For Defcon Quals 2019, I wrote a challenge called ASRybaB.\nYou can find the challenge, its solution, and other scripts here.\n challenge.py contains what was given during the competition. Some of the code is obfuscated. secret.py contains the secret used to compute the HMAC, and it was, obviously, not released. compile.py was used to generate challenge.py starting from originalchallenge.py. originalchallenge.py contains the non-obfuscated challenge code. solve_d.sage contains my solution, which uses Sage. The challenge sends you 3 RSA \u0026ldquo;challenges\u0026rdquo; in the form of n, e, v. The goal is to provide a \u0026ldquo;signed\u0026rdquo; value of v, which requires finding the secret exponent d corresponding to the provided public key (n, e).\nTo get the flag, it is necessary to provide the 3 signed messages within about 15 minutes. To enforce this time constraint, I used an HMAC \u0026ldquo;authenticating\u0026rdquo; the sent n, e, v values and the timestamp of when they were generated. I chose this solution to avoid requiring a long-term connection or saving state on the challenge\u0026rsquo;s server.\nObfuscation The public key (n, e) is computed so that the corresponding private exponent has special properties. 
The function computing the key (create_key) is obfuscated (see the compile.py file) by:\n serializing it using Python marshal, modifying its bytecode to make decompilers fail. Specifically, I inserted a STOP_CODE bytecode instruction in some dead code. It was still possible to reverse engineer the create_key function by using the dis module; however, that required reading Python bytecode instead of Python code. Another possibility was to add a .pyc header to the marshaled code, manually remove the STOP_CODE bytecode, and then use a Python decompiler (e.g., uncompyle6).\nProperties of the private exponent The non-obfuscated code of the create_key function is the following (Python 2, using PyCrypto; NSIZE is a constant defined elsewhere in the challenge):\nfrom Crypto.Util import number\n\ndef create_key():\n    if False: #used by obfuscation\n        x = 7/0\n        x = 7/0\n    Nsize = NSIZE\n    pqsize = Nsize/2\n    N = 0\n    while(N.bit_length()!=Nsize):\n        # reject p, q whose difference is too small (see the p and q section)\n        while True:\n            p = number.getStrongPrime(pqsize)\n            q = number.getStrongPrime(pqsize)\n            if abs(p-q).bit_length() \u0026gt; (Nsize*0.496):\n                break\n        N = p*q\n    phi = (p-1)*(q-1)\n    limit1 = 0.261\n    limit2 = 0.293\n    while True:\n        # start from a small d and multiply it by 46-bit primes until it passes limit2\n        d = number.getRandomRange(pow(2,int(Nsize*limit1)),pow(2,int(Nsize*limit1)+1))\n        while d.bit_length()\u0026lt;Nsize*limit2:\n            ppp = 0\n            while not number.isPrime(ppp):\n                ppp = number.getRandomRange(pow(2,45),pow(2,45)+pow(2,12))\n            d *= ppp\n        if number.GCD(d, phi)!=1:\n            continue\n        e = number.inverse(d, phi)\n        if number.GCD(e, phi)!=1:\n            continue\n        break\n    zzz = 3\n    return (N, e)\nThe key is generated so that the private exponent d is slightly larger than the 0.292 limit, so that the Boneh-Durfee attack cannot be applied directly.\nHowever, given how the key is computed:\n d is guaranteed to contain a prime factor ppp (within a set of 125 values), d/ppp \u0026lt; N^0.292 My solution My solution reuses the Boneh-Durfee attack implemented by David Wong and available on GitHub, with 2 major modifications.\nExploiting the known prime Let\u0026rsquo;s assume for now that we know the value ppp of the prime factor of d. 
We can then rewrite the equations on page 14 of the paper mentioned above in the following way:\ne*d = 1 (mod phi(N))\ne*d = k * phi(N) + 1\n(e*ppp)*(d/ppp) = k * phi(N) + 1\nk*phi(N) + 1 = 0 (mod e*ppp)\nConsequently, if we know ppp we can just apply the \u0026ldquo;standard\u0026rdquo; Boneh-Durfee attack using ppp * e as the modulus of our equation, instead of e. In my code this is implemented by the line:\nmodulus *= ppp\nBruteforcing the known prime As mentioned above, ppp can only take 125 values. Since we need to solve 3 challenges, we need to run the Boneh-Durfee attack at most 125*3 = 375 times. My code uses a Python multiprocessing Queue to parallelize this process. On a modern 64-core machine, this takes, at most, about 15 minutes.\nSome considerations Bruteforcing I wanted to write a challenge requiring writing parallel code. At the same time, I wanted to avoid a solution that could only be implemented by spending a lot of money or using special hardware. For this reason, while implementing the challenge I intentionally tuned things so that it was solvable using less than $1 of cloud computing. On Amazon EC2 a 64 vCPU machine (m4.16xlarge) costs $3.20 per hour, which is only about $0.80 for the required 15 minutes of computation.\nThe 0.292 limit I did quite a lot of testing and, at least with the code I used, it was basically impossible to find a solution for d above N ^ 0.28. For this reason, I think that the 0.292 bound is more a theoretical limit than a practical one.\np and q This paper explains that if p-q is \u0026ldquo;small\u0026rdquo; a variation of the Boneh-Durfee attack could be possible even if d \u0026gt; N ^ 0.292. To avoid this issue, my code rejects p and q values if their difference is not large enough. However, this check increased the computation time needed to generate the keys and made me concerned about the service using too much CPU, slowing down our infrastructure. 
For this reason, to access this challenge, it was first needed to generate a Proof-of-Work.\n","date":1558915200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1558915200,"objectID":"b1242891c624d3f6ae8b61e2a016090a","permalink":"/posts/ctf-defconquals2019-asrybab/","publishdate":"2019-05-27T00:00:00Z","relpermalink":"/posts/ctf-defconquals2019-asrybab/","section":"posts","summary":" ","tags":["CTF"],"title":"Defcon Quals 2019: ASRybaB","type":"posts"},{"authors":[],"categories":[],"content":"Welcome to Slides Academic\n Features Efficiently write slides in Markdown 3-in-1: Create, Present, and Publish your slides Supports speaker notes Mobile friendly slides Controls Next: Right Arrow or Space Previous: Left Arrow Start: Home Finish: End Overview: Esc Speaker notes: S Fullscreen: F Zoom: Alt + Click PDF Export: E Code Highlighting Inline code: variable\nCode block:\nporridge = \u0026#34;blueberry\u0026#34; if porridge == \u0026#34;blueberry\u0026#34;: print(\u0026#34;Eating...\u0026#34;) Math In-line math: $x + y = z$\nBlock math:\n$$ f\\left( x \\right) = ;\\frac{{2\\left( {x + 4} \\right)\\left( {x - 4} \\right)}}{{\\left( {x + 4} \\right)\\left( {x + 1} \\right)}} $$\n Fragments Make content appear incrementally\n{{% fragment %}} One {{% /fragment %}} {{% fragment %}} **Two** {{% /fragment %}} {{% fragment %}} Three {{% /fragment %}} Press Space to play!\n A fragment can accept two optional parameters:\n class: use a custom style (requires definition in custom CSS) weight: sets the order in which a fragment appears Speaker Notes Add speaker notes to your presentation\n{{% speaker_note %}} - Only the speaker can read these notes - Press `S` key to view {{% /speaker_note %}} Press the S key to view the speaker notes!\n Only the speaker can read these notes Press S key to view Themes black: Black background, white text, blue links (default) white: White background, black text, blue links league: Gray background, white text, blue links beige: Beige 
background, dark text, brown links sky: Blue background, thin dark text, blue links night: Black background, thick white text, orange links serif: Cappuccino background, gray text, brown links simple: White background, black text, blue links solarized: Cream-colored background, dark green text, blue links Custom Slide Customize the slide style and background\n{{\u0026lt; slide background-image=\u0026#34;/img/boards.jpg\u0026#34; \u0026gt;}} {{\u0026lt; slide background-color=\u0026#34;#0000FF\u0026#34; \u0026gt;}} {{\u0026lt; slide class=\u0026#34;my-style\u0026#34; \u0026gt;}} Custom CSS Example Let\u0026rsquo;s make headers navy colored.\nCreate assets/css/reveal_custom.css with:\n.reveal section h1, .reveal section h2, .reveal section h3 { color: navy; } Questions? Ask\nDocumentation\n","date":1549324800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1549324800,"objectID":"0e6de1a61aa83269ff13324f3167c1a9","permalink":"/slides/example/","publishdate":"2019-02-05T00:00:00Z","relpermalink":"/slides/example/","section":"slides","summary":"An introduction to using Academic's Slides feature.","tags":[],"title":"Slides","type":"slides"},{"authors":null,"categories":[],"content":"Class time: Tuesday and Thursday: 2:00-3:15 p.m\nClass location: 205 MLH (MacLean Hall)\nCourse Webpage: ICON, https://sites.google.com/view/antoniobianchiuiowa/teaching/cs4980-spring-2019-operating-systems, and https://piazza.com/uiowa/spring2019/cs4980\nInstructor: Antonio Bianchi\nOffice: 201g\nEmail: mailto:[email protected]\nTeaching assistant: Muhammad Hammad Mazhar (mailto:[email protected])\nInstructor’s office hours: Tuesday: 4:15-5:45 pm, Thursday: 3:30-5:00 pm\nTeaching assistant’s office hours: Monday and Wednesday: 3:30-4:20pm in 201N MLH\nDEO contact information:\nAlberto Segre, 14 MLH (MacLean Hall), 319 3350713, mailto:[email protected]\nCourse description and objective:\nThis course will discuss security and privacy aspects relevant to mobile systems 
(smartphones, tablets, \u0026hellip;).\nMore than one billion mobile devices are sold every year, and for billions of people these devices have become the primary way to access online services and perform sensitive operations (e.g., monetary transactions using mobile banking apps). Unfortunately, the security of these devices, their operating systems, and their apps is far from perfect.\nThis course will cover topics such as the mobile application ecosystem, the design and architecture of mobile operating systems, rooting/jailbreaking, mobile applications and malware reverse engineering, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques.\nGiven its open nature, this course will mostly focus on Google\u0026rsquo;s Android, but it will also provide some details about Apple\u0026rsquo;s iOS.\nRequirements:\nThis is an advanced, hands-on class. Students enrolling in this course are strongly recommended to already have a good knowledge of:\n Java programming\n System programming and C (pointers, memory management, system calls)\n Knowledge in the following areas is also highly suggested:\n a Linux-based operating system and programming environment\n TCP/IP networking\n In addition, students may be required to write code using scripting languages, such as Python or JavaScript.\nCourse resources:\nThis class does not have a primary textbook. Resources will be provided by the instructor on ICON and the Piazza online forum. Resources will be in the form of slides, code samples, web links, and scientific publications. Students are required to enroll in the Piazza online forum.\nGrading Policies:\nExams will be comprehensive, covering everything up to the exam date, emphasizing the integration of material from recent assignments. The exam may include open questions, multiple-choice questions, numerical problems, and understanding/writing snippets of code. The exams will be closed book. 
Students who cannot attend the exam due to conflicts (e.g., illness, religious holidays) may make alternate arrangements (in advance, if at all possible).\nHomework grading will mainly focus on automated tests and emphasize correctly completing all or a part of the assignment. Submitting incorrect homework (e.g., submitting the wrong file, files in the wrong format, code that does not compile, \u0026hellip;) will result in zero points. Students should double-check the file(s) they submitted.\nCheating will not be tolerated and will result in a grade of zero for that assignment. Further actions against cheating students will be considered. Students are encouraged to consult the instructor to check whether (and to which extent) collaboration and discussion among students are allowed for a particular assignment. Students are not allowed to share, copy, or show the code they developed for an assignment. Students are not allowed to copy homework solutions from online resources (even partially).\nGrading:\nThe course grade will be assigned based on the student’s performance on the following testing criteria.\nHomework assignments, including written and programming assignments, will contribute 60% of the course grade.\nMidterm examination will contribute 18% of the course grade.\nFinal examination will contribute 22% of the course grade.\nDates and times of midterms will be shared in class at least two weeks before the exam.\nLetter grades are assigned with attention to collegiate norm-referenced grading guidelines. Grades with +/- will be assigned. The final grade distribution will roughly adhere to the CLAS suggested grade distribution. However, the instructor holds the right to alter this distribution.\nLate Work:\nEach student will be entitled to 3 late days. One late day may be used to delay the homework submission for a single day (24 hours). A student can use all the 3 late days for a single homework assignment submission. 
Note that, late submissions for which students have no late days available will not be accepted, regardless of the reason why the student submitted late. Students should exercise the use of late days wisely as the homework assignments are likely to be progressively harder. There will not be any fractional late day.\nCommunication Policies:\nMost of the emails regarding grades, homework, and exams should be first directed to the Teaching Assistant. The teaching assistant will forward relevant emails to the instructor as needed. Other emails (e.g., scheduling one-on-one meetings) and also emails of personal nature containing sensitive information, should be directed to the instructor directly. The instructor leaves the decision of determining the sensitivity of an email to the students. All emails directed to the instructor should have the prefix “[CS:4980]” (without the quotes) in the subject line. Complying with this requirement will enable the instructor to process emails faster. Students must use their @uiowa.edu email address when communicating with the TA/instructor. 
For any matter that requires the instructor’s immediate attention, do not hesitate to schedule a face-to-face meeting.\nThe course will follow these College policies:\nhttps://clas.uiowa.edu/faculty/teaching-policies-resources-syllabus-insert\n","date":1461110400,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1555718400,"objectID":"5f5ce417b0cc449568942e77ed45625b","permalink":"/teaching/spring2019/","publishdate":"2016-04-20T00:00:00Z","relpermalink":"/teaching/spring2019/","section":"teaching","summary":" ","tags":["Academic"],"title":"Spring 2019: Mobile Systems and Smartphone Security (CS:4980)","type":"teaching"},{"authors":null,"categories":[],"content":"Class time: Tuesday and Thursday: 9:30am - 10:45am\nClass location: 110 MLH (MacLean Hall)\nCourse Webpage: https://sites.google.com/view/antoniobianchiuiowa/teaching/cs3620-fall-2018-operating-systems, ICON, and https://piazza.com/uiowa/fall2018/cs3620\nInstructor: Antonio Bianchi\nOffice: 201g\nEmail: mailto:[email protected]\nPhone: TBD (Office)\nTeaching assistant: David McDermott (mailto:[email protected])\nInstructor’s office hours: Tuesday and Thursday: 11:00am – 12:30pm, and by appointment (in MLH 201g)\nTeaching assistant’s office hours: Monday 2:30pm - 4:00pm and Wednesday 10:00am - 11:30am (in MLH 101n)\nDEO contact information: Alberto Segre, 14 MLH (MacLean Hall),\nPhone: 319 335 0713, Email: mailto:[email protected]\nCourse description and objective: This course provides an introduction to the design and implementation of modern operating systems.\nThe main topics of this course will be:\n Process management and scheduling, including interrupt handling and scheduling algorithms Memory management, including virtual memory, segmentation, paging, and addressing Interprocess communication mechanisms, including locks, semaphores, and synchronization issues (such as deadlocks) Secondary storage, peripherals, and file-system management Additional topics may include operating 
system security and the internals of modern operating systems (e.g., Android).\nCourse resources: As part of the class we will be using the book titled “Operating Systems: Three Easy Pieces” by Remzi H. Arpaci-Dusseau and Andrea C. Arpaci-Dusseau. The book has a free online version available on the website: http://pages.cs.wisc.edu/%7Eremzi/OSTEP/.\nIt is also possible to order a hardcover or paperback version of the book from the above website.\nThe textbook will be complemented by \u0026ldquo;Advanced Programming in the UNIX Environment (3rd Edition)\u0026rdquo; by Stevens and Rago. Other resources (such as relevant academic papers or online resources) will be made available using ICON. Students are encouraged to discuss the course material and the challenges they face in solving the different homework assignments. An online discussion forum will be available and will be used as the primary way to ask questions about homework assignments. Before posting a new question, students should check that it has not already been answered.\nGrading Policies: Exams will be comprehensive, covering everything up to the exam date, emphasizing the integration of material from recent assignments. The exam may include open questions, multiple-choice questions, numerical problems, and understanding/writing snippets of code. The exams will be closed book. Students who cannot attend the exam due to conflicts (e.g., illness, religious holidays) may make alternate arrangements (in advance, if at all possible).\nFor the programming assignments, students will be required to use C, unless otherwise noted. The primary programming environment will be Linux. Students taking this class should have some previous basic knowledge about C programming (in particular, pointers, memory management, \u0026hellip;) and some familiarity interacting with a Linux environment.\nGrading will mainly focus on automated tests and emphasize correctly completing all or a part of the assignment. 
Source code that does not compile may receive zero points. Cheating will not be tolerated and will result in a grade of zero for that assignment. Students are encouraged to consult the instructor to check whether (and to which extent) collaboration and discussion among students are allowed for a particular assignment. Students are not allowed to share, copy, or show the code they developed for homework. Students are not allowed to copy homework solutions from online resources (even partially). If any line of code is copied from an online resource (e.g., Stack Overflow), it must be indicated by adding the complete link to the website as a comment.\nGrading: The course grade will be assigned based on the student’s performance on the following testing criteria.\n Homework assignments, including written and programming assignments, will contribute 55% of the course grade. Midterm examination will contribute 20% of the course grade. Final examination will contribute 25% of the course grade. Dates and times of midterms will be shared in class at least two weeks before the exam.\nLetter grades are assigned with attention to collegiate norm-referenced grading guidelines. Grades with +/- will be assigned. The final grade distribution will roughly adhere to the CLAS suggested grade distribution. Note, however, that the instructor holds the right to alter this distribution in appropriate circumstances.\nLate Work: Each student will be entitled to 3 late days. One late day may be used to delay the homework submission for a single day (24h). A student can use all the 3 late days for a single homework assignment submission. Note that late submissions for which students have no late days available will not be accepted. Students should exercise the use of late days wisely as the homework assignments are likely to be progressively harder. 
There will not be any fractional late day.\nCommunication Policies: Most of the emails regarding grades, homework, and exams should be first directed to the Teaching Assistant. The teaching assistant will forward relevant emails to the instructor as needed. Other emails (e.g., scheduling one-on-one meetings), and also emails of a personal nature containing sensitive information, should be directed to the instructor directly. The instructor leaves the decision of determining the sensitivity of an email to the students. All emails directed to the instructor should have the prefix “[CS:3620]” (without the quotes) in the subject line. Complying with this requirement will enable the instructor to process emails faster. Students must use their @uiowa.edu email address when communicating with the TA/instructor. For any matter that requires the instructor’s immediate attention, do not hesitate to schedule a face-to-face meeting.\nThe course will follow these College policies: https://clas.uiowa.edu/faculty/teaching-policies-resources-syllabus-insert\n","date":1460937600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1555459200,"objectID":"97886a5861f52ebeced2042b146a38c0","permalink":"/teaching/fall2018/","publishdate":"2016-04-18T00:00:00Z","relpermalink":"/teaching/fall2018/","section":"teaching","summary":" ","tags":["Academic"],"title":"Fall 2018: Operating Systems (CS:3620)","type":"teaching"},{"authors":["Antonio Bianchi"],"categories":[],"content":" mathconsole (iCTF 2013): writeup For the iCTF 2013 competition, I developed the service called mathconsole. This writeup will be a little different from usual: I will try not only to explain how to exploit this service, but also to justify some design choices I made while developing it. 
I will also give some insights about how teams exploited and patched this service.\niCTF is a CTF competition organized by UCSB; its rules differ from those of typical CTFs and tend to change from year to year. You can read the description of the 2013 edition rules here. My main goal for this service was to implement a server with two well-known vulnerabilities found in the gaming consoles Wii and PlayStation 3. As far as I know, both vulnerabilities were discovered by team Twiizers/fail0verflow [1][2][3][4].\nThe first vulnerability (found in the Wii console) is caused by incorrectly verifying an RSA signature; the second (found in the PlayStation 3) is caused by using a non-random nonce in the generation of an ECDSA signature. I will explain these vulnerabilities in detail later in this writeup. Unfortunately, nobody exploited the second vulnerability (the one about the ECDSA signature), probably because the other one was easier and, given the structure of the competition, it was not really worth exploiting. If you are not interested in this vulnerability, you can skip the sections \u0026quot;Authorization level bug\u0026quot; and \u0026quot;ECDSA vulnerability\u0026quot;.\nThis zip file contains the source code of the service, the scripts used to generate benign traffic, the .deb package installed on teams' machines, and all the other files I will refer to during this writeup (forgive me for the \u0026quot;not exactly clean\u0026quot; code).\nOverview This service is written in Python 2.7 and is implemented as a classical forking server. For the networking part, I mainly reused the code of PowerPlan, a service I wrote for the previous iCTF (you can read a very good writeup about it here). 
The service listens on port 9898; when you connect to it you get the following message:\nWelcome to the most powerful backdoor-free calculator\nYou can use it to safely perform your calculations about Nuclear reactions and trajectories of missiles\nA new on-the-cloud hacker-proof file storage functionality has been just added\navailable commands:\nsum|\u0026lt;n1\u0026gt;|\u0026lt;n2\u0026gt; required authorization: L1 or L2\nmultiply|\u0026lt;n1\u0026gt;|\u0026lt;n2\u0026gt; required authorization: L1\nmod|\u0026lt;n1\u0026gt;|\u0026lt;n2\u0026gt; required authorization: L1 or L2\npower|\u0026lt;n1\u0026gt;|\u0026lt;n2\u0026gt; required authorization: L3\nwrite|\u0026lt;fname\u0026gt;|\u0026lt;b64 content\u0026gt; required authorization: L2\nread_encrypted1|\u0026lt;fname\u0026gt;|\u0026lt;key\u0026gt; required authorization: L2\nread_encrypted2|\u0026lt;fname\u0026gt;|\u0026lt;key\u0026gt; required authorization: L2\nread_protected|\u0026lt;fname\u0026gt;|\u0026lt;password\u0026gt; required authorization: L1 + password\nwhat do you want to do?\nWhen a command is entered (in the format \u0026lt;command\u0026gt;|\u0026lt;p1\u0026gt;|\u0026lt;p2\u0026gt;), the server asks for a signature. Different commands require different authorizations, which a user can obtain by providing a (base64-encoded) 256-byte signature. We will see how a valid L1 signature can be trivially forged, and that the verifications of both L2 and L3 signatures contain fundamental problems that can be exploited. When a correct signature is provided, the specified command is executed.\nThe commands sum, multiply, mod, and power just perform the corresponding mathematical operations and return the result to the user. write allows the user to write a file into the service_files folder (we used this command to set the flags on teams' machines). read_protected returns the content of a file in the service_files folder, but it requires a password. 
Specifically, it checks that the provided password matches the first line of the content of the requested file. We used this command to check that the flags we stored on the teams' machines were not deleted.\nFinally, read_encrypted1 and read_encrypted2 read and return the content of a file in the service_files folder; however, they require the correct authentication. In theory, it would not be possible to execute them without having the correct RSA and ECDSA private keys (you can find both private keys in the file private_keys.txt). In practice, the vulnerabilities of this service allow an attacker to skip almost entirely the verification of the RSA signature and to recover the ECDSA private key.\nIn this service, flags were written by us using the command write. Specifically, the first line was a random password protecting the file (whose value was known only to us), whereas the second line was the flag. The name of the file was the flag_id. Attackers had to write exploits that were able to steal the flag corresponding to the provided flag_id. To do so, the only possibility was to use the commands read_encrypted1 or read_encrypted2. Replay attacks were not possible since the requested flag_id (and so the command that an attacker needed to sign) was random and always different.\nAnti-decompilation I tried to make this service a little tricky to decompile. From my experience, uncompyle2 is usually able to recover \u0026quot;almost perfectly\u0026quot; the original Python code, given the compiled .pyc file. 
My goal was to create a .pyc file that worked perfectly when executed by the Python interpreter, but that made the decompilation process fail.\nBy randomly fuzzing a .pyc file and looking a bit at the Python bytecode specification I realized that:\n a division statement (like this: a = 0/0) is compiled to the following 10-byte sequence: 15 5A 12 00 64 04 00 64 04 00 (in Python 2 bytecode, 0x15 is BINARY_DIVIDE, 0x5A 12 00 is STORE_NAME with its 2-byte argument, and 0x64 04 00 is LOAD_CONST: the sequence spans the end of one a = 0/0 statement and the two constant loads of the next one)\n changing the second byte (the STORE_NAME opcode) from 0x5A to 0x00 (STOP_CODE) makes uncompyle2 fail with the following error:\n[...]\n194 LOAD_CONST 0\n197 LOAD_CONST 0\n200 BINARY_DIVIDE None\n201 STOP_CODE None\n202 \u0026lt;18\u0026gt; None\n203 STOP_CODE None\n204 LOAD_CONST 0\n207 LOAD_CONST 0\n210 BINARY_DIVIDE None\n211 STORE_NAME 'a'\n214 LOAD_CONST 0\n217 LOAD_CONST 0\n220 BINARY_DIVIDE None\n221 STORE_NAME 'a'\n[...]\nSyntax error at or near `STOP_CODE' token at offset 201\n So, I inserted in my code (at the \u0026quot;top-level\u0026quot; of the game_server.py file) the following code (which is obviously never executed):\n#uncompyle trick\nfff=False\nif(fff):\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\n    a = 0/0\ncompile.py compiles game_server.py into game_server.pyc (using the \u0026quot;standard\u0026quot; Python mechanism), then it looks for the byte sequence corresponding to the 15 division statements shown above. When it finds this sequence, it patches its second byte (the STORE_NAME opcode of the first division) from 0x5A to 0x00. This makes uncompyle2 unable to decompile the .pyc file correctly.\nThe easiest way to fix this is to change the byte at offset 0xE7 of game_server.pyc from 0x00 back to 0x5A. After this modification, uncompyle2 is able to recover the original source code.\nSignatures and authorization levels Before executing a command, the service checks whether the provided signature grants the authorization level required to execute it. 
For instance, to execute the command multiply users have to provide an L1 signature, to execute the command power an L3 signature is necessary, and to execute the command sum they can provide either an L1 or an L2 signature. Every signature is 256 bytes long and must be base64-encoded before being sent to the server.\nI will now explain how L1, L2, and L3 signatures are legitimately created by the scripts generating benign traffic (see benign1.py, benign2.py, benign3.py, benign4.py). In this context, command is the full string of the requested command, for instance: \u0026quot;mod|23|5\u0026quot;:\n L1: the sha1 hash of the sent command, left-padded with \u0026quot;X\u0026quot; to 256 bytes:\nhash = self.sha1(command)\ncert = \u0026quot;X\u0026quot;*(256-len(hash)) + hash\nOf course, this can be trivially forged by anyone, since it involves no secret.\n L2: an RSA (PKCS#1 v1.5) signature of the sent command:\nsigner = PKCS1_v1_5.new(private_key_rsa)\ndigest = SHA.new()\ndigest.update(command)\ncert = signer.sign(digest)\nTo compute it, I use a (secret) private key and the PyCrypto library. See the file benign1.py for the complete source code.\n L3: an ECDSA signature of the sent command, left-padded with \u0026quot;X\u0026quot; to 256 bytes:\ncert_key = private_key_ec.sign_digest(hash,k=4)\ncert = \u0026quot;X\u0026quot;*(256-len(cert_key)) + cert_key\nTo compute it, I use a (secret) private key and the Python ecdsa library (install it with pip install ecdsa). See the file benign2.py for the complete source code.\n Authorization level bug The code managing this authorization-checking functionality is contained in the functions init_access and check_security_level. I implemented it in a deliberately over-complicated way, to be able to hide a subtle bug. My goal was to allow the command read_encrypted2 to be executed with an L3 signature (even though the textual description of the commands says that read_encrypted2 needs an L2 signature). 
This will be relevant for the full exploitation of the ECDSA vulnerability; if you are not interested in it, you can just skip this section.\nI will now explain the permission checking in terms of mathematical operations; the actual implementation is slightly different. A function indexOf() is defined such that, given a tuple p = \u0026lt;command, permission\u0026gt;, it returns an index between 1 and 24. For instance: indexOf(\u0026lt;sum, L3\u0026gt;) = 3 and indexOf(\u0026lt;multiply, L1\u0026gt;) = 4. The variable access_summary is computed with the following formula:\naccess_summary = ∏_{p ∈ P} (primes[indexOf(p)])^2\nwhere primes is the sorted list of all the prime numbers up to 97 (25 entries, indexed from 0) and P is the list of tuples \u0026lt;command, permission\u0026gt; specified in the textual description of each command. For instance:\n\u0026lt;sum, L1\u0026gt; ∈ P, but \u0026lt;power, L2\u0026gt; ∉ P\nTo check whether a given command C can be accessed with a signature of level L, the service tests:\n(access_summary % primes[indexOf(\u0026lt;C, L\u0026gt;)]) == 0\nIf true, then the command C can be executed by providing a signature of level L, otherwise it cannot. Since the entries of primes are distinct primes, with a correct list this condition holds exactly for the tuples in P.\nindexOf(\u0026lt;read_encrypted2, L3\u0026gt;) = 21. The list of primes has been deliberately set incorrectly, so that primes[21] = 75 (instead of 79). Since access_summary contains the factor 5^2 (the square of primes[indexOf(\u0026lt;sum, L2\u0026gt;)] = 5) and the factor 3^2 (the square of primes[indexOf(\u0026lt;sum, L1\u0026gt;)] = 3), it is divisible by 75 = 3 · 5^2, and so the command read_encrypted2 can be used by providing an L3 signature, contrary to the textual specification.\nRSA vulnerability As I said, in implementing the RSA vulnerability I tried to mimic the one found in the Wii console [2]. For a general overview of how RSA can be used to sign a message look here [5]. In theory, to produce a valid L2 signature (which can be used to read the flags by invoking the command read_encrypted1 or read_encrypted2), it is necessary to have the original private key. 
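Returning to the authorization check of the previous section: the following is an added example, not the service's init_access/check_security_level code, that re-implements the check as described above and shows that only the tuple <read_encrypted2, L3> disagrees with the textual specification once primes[21] is set to 75. The command ordering and the formula index = 3 * position + level are inferred from the two values given in the text (indexOf(<sum, L3>) = 3, indexOf(<multiply, L1>) = 4); the list P is taken from the command descriptions (read_protected counts as L1).

```python
# Added example: model of the access_summary authorization check and of the
# deliberate 75-instead-of-79 bug. Not the service's own code.
COMMANDS = ['sum', 'multiply', 'mod', 'power', 'write',
            'read_encrypted1', 'read_encrypted2', 'read_protected']

# <command, level> pairs from the textual description of each command
# (read_protected requires L1 plus a password; only the level matters here).
P = [('sum', 1), ('sum', 2), ('multiply', 1), ('mod', 1), ('mod', 2),
     ('power', 3), ('write', 2), ('read_encrypted1', 2),
     ('read_encrypted2', 2), ('read_protected', 1)]

def primes_up_to(limit):
    # sorted list of all primes <= limit
    return [n for n in range(2, limit + 1)
            if all(n % d for d in range(2, int(n ** 0.5) + 1))]

CORRECT_PRIMES = primes_up_to(97)        # 25 entries, index 0..24, primes[21] == 79
BUGGY_PRIMES = list(CORRECT_PRIMES)
BUGGY_PRIMES[21] = 75                    # the deliberate bug: 75 = 3 * 5**2 is not prime

def index_of(command, level):
    # assumption inferred from the text: index = 3 * position + level, range 1..24
    return 3 * COMMANDS.index(command) + level

def access_summary(primes):
    # product over P of the square of the prime selected by each tuple
    total = 1
    for command, level in P:
        total *= primes[index_of(command, level)] ** 2
    return total

def is_allowed(command, level, primes):
    # the service's test: access_summary % primes[indexOf(<C, L>)] == 0
    return access_summary(primes) % primes[index_of(command, level)] == 0

def spec_allowed(command, level):
    return (command, level) in P

def mismatches(primes):
    # every <command, level> pair where the check disagrees with the specification
    return [(c, l) for c in COMMANDS for l in (1, 2, 3)
            if is_allowed(c, l, primes) != spec_allowed(c, l)]
```

With the correct list mismatches(CORRECT_PRIMES) is empty; with the buggy one it is exactly [('read_encrypted2', 3)], because 3^2 (from <sum, L1>) and 5^2 (from <sum, L2>) are already factors of access_summary.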
However, there is a fundamental bug in how the signature is checked:\ndef verify_with_pubkey_rsa(self,public_key_rsa,local_hash,certificate):\n    m = public_key_rsa.encrypt(certificate,None)[0]\n    m = \u0026quot;\\x00\u0026quot;*(256-len(m)) + m\n    remote_hash = m[-20:] #the padding is not checked\n    libc = ctypes.CDLL(\u0026quot;libc.so.6\u0026quot;)\n    if(libc.strncmp(local_hash,remote_hash,20)==0):#strncmp is REALLY bad here\n        return True\n    else:\n        return False\nAs you can see, strncmp is used instead of memcmp (I used ctypes to directly invoke the libc implementation of strncmp). strncmp returns 0 and stops the comparison between the signed hash and the computed one as soon as a 0x00 byte is encountered at the same position in both strings, so only the bytes before the first common NUL are actually compared. In addition, the padding around the original (20-byte long) message is not checked.\nThe easiest way to exploit this is to provide a signature of all 0x00 bytes: since 0^e mod N = 0, the recovered message is m = \u0026quot;\\x00\u0026quot; * 256. At this point it is just necessary to provide a command whose sha1 hash starts with 0x00. It is possible to brute-force it by changing the value \u0026lt;key\u0026gt; of the command read_encrypted1 or read_encrypted2 (\u0026lt;key\u0026gt; cannot be bigger than 4000; however, as we will see, we do not actually need so many tries).\nAssuming that sha1 returns uniformly distributed values, the probability of finding such a hash in N tries is:\n1 − (255/256)^N\nFor instance, trying as \u0026lt;key\u0026gt; all the numbers between 0 and 2000, the probability of finding a command whose hash starts with 0x00 is more than 99.9%. So, a value of \u0026lt;key\u0026gt; generating a hash with the wanted property can be found in a negligible amount of time. This attack is implemented in exploit.py.\nIt is important to notice that, even if the padding check had been implemented correctly, it would still have been possible to forge a signature. 
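The forgery above, as an added example that is not the service's code nor exploit.py: a pure-Python model of the vulnerable check (strncmp semantics emulated in Python instead of via ctypes), the all-zero signature, the brute force over <key>, and the memcmp-style fix. The RSA modulus used here is a toy key constructed from two small primes, because the attack does not depend on the key at all: 0 raised to any exponent is 0 modulo any N. The file name is made up for the example.

```python
# Added example: all-zero RSA signature forgery against a strncmp hash comparison.
import hashlib

TOY_N = 1000003 * 1000033   # constructed toy modulus (two small primes), NOT a real key
TOY_E = 65537
SIG_LEN = 256               # the service expects 256-byte signatures
MAX_KEY = 4000              # <key> cannot be bigger than 4000

def strncmp(a, b, n):
    # C semantics: stop at the first difference, or at a NUL present in both strings
    for i in range(n):
        if a[i] != b[i]:
            return a[i] - b[i]
        if a[i] == 0:
            return 0
    return 0

def rsa_recover_m(sig, n=TOY_N, e=TOY_E):
    # public-key operation, left-padded with zeros to SIG_LEN bytes like the service does
    m = pow(int.from_bytes(sig, 'big'), e, n)
    return m.to_bytes(SIG_LEN, 'big')

def verify_vulnerable(command, sig):
    local_hash = hashlib.sha1(command).digest()
    remote_hash = rsa_recover_m(sig)[-20:]            # the padding is not checked
    return strncmp(local_hash, remote_hash, 20) == 0  # stops at the first common NUL

def verify_fixed(command, sig):
    # memcmp / == semantics: all 20 bytes must match (padding still unchecked here)
    local_hash = hashlib.sha1(command).digest()
    remote_hash = rsa_recover_m(sig)[-20:]
    return local_hash == remote_hash

def find_forgeable_key(fname, max_key=MAX_KEY):
    # brute-force <key> until sha1('read_encrypted1|<fname>|<key>') starts with 0x00
    for key in range(max_key + 1):
        command = ('read_encrypted1|%s|%d' % (fname, key)).encode()
        if hashlib.sha1(command).digest()[0] == 0:
            return key, command
    return None

def forge(fname):
    # returns (command, signature) accepted by the vulnerable check, or None
    found = find_forgeable_key(fname)
    if found is None:
        return None
    key, command = found
    return command, bytes(SIG_LEN)   # all-zero signature => m == 0 => 20 zero bytes

def success_probability(tries):
    # chance that at least one of `tries` random sha1 values starts with 0x00
    return 1 - (255 / 256) ** tries
```

The forged command passes verify_vulnerable because strncmp sees a 0x00 at position 0 of both hashes and returns 0; the same input fails verify_fixed, which compares all 20 bytes.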
Refer to [2] for further details.\nAn easy patch for this vulnerability is to change strncmp to memcmp (or use the == Python operator). Alternatively, it is possible to directly use the verify function provided by PyCrypto (which also checks the validity of the padding).\nTo have a complete and working exploit, it is also necessary to revert the manipulation that the service applies to the content of the file before sending it to the client. In fact, read_encrypted1 uses (\u0026lt;key\u0026gt; % 256) as an XOR key, whereas read_encrypted2 works similarly, but it rotates the value (\u0026lt;key\u0026gt; % 256) right before XORing it with each new character. Both operations can be trivially reverted (knowing the value of \u0026lt;key\u0026gt;).\nECDSA vulnerability The code generating the ECDSA signature (see benign2.py):\ncert_key = private_key_ec.sign_digest(hash,k=4)\nuses a fixed value for the nonce k. Reusing k across signatures is a well-known implementation problem that can be exploited to recover the private key. See [4] (or [3] at minute 35:30) for the mathematical explanation.\nTo do so, it is necessary to obtain two tuples \u0026lt;message1, signature1\u0026gt;, \u0026lt;message2, signature2\u0026gt; signed with the same k. This can be done by recording the signatures used when the command power (which requires an L3 signature) is invoked (benign2.py invokes such a command). The service nicely prints these values on standard output. 
The script recover_ecdsa_key.py recovers the private key in this way.\nThe code performing the mathematical operations is the following:\n#using the same variable names as in: http://en.wikipedia.org/wiki/Elliptic_Curve_DSA\nn = curve_order\ns1 = string_to_number(sig1[-24:])\ns2 = string_to_number(sig2[-24:])\nr = string_to_number(sig1[-48:-24])\nz1 = string_to_number(sha1(c1))\nz2 = string_to_number(sha1(c2))\nsdiff_inv = inverse_mod(((s1-s2)%n),n)\nk = ( ((z1-z2)%n) * sdiff_inv) %n\nr_inv = inverse_mod(r,n)\nda = (((((s1*k) %n) -z1) %n) * r_inv) % n\nrecovered_private_key_ec = SigningKey.from_secret_exponent(da)\nRefer to the file recover_ecdsa_key.py for the full implementation.\nAfter the recovery of the private key it is possible to use it to generate a valid L3 signature that, due to the bug explained in the section \u0026quot;Authorization level bug\u0026quot;, can be used to invoke the command read_encrypted2.\nOnce the private key has been recovered, an attacker can produce traffic indistinguishable from the \u0026quot;benign\u0026quot; one. 
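The recovery above, as an added, self-contained example that is not the write-up's recover_ecdsa_key.py and does not need the ecdsa package: textbook ECDSA over secp256k1 (chosen here only because its parameters are widely known; the service used the ecdsa library's default 192-bit curve, which is why the write-up slices 24-byte r and s values), two commands signed with the same nonce k=4, and the private key recovered with exactly the k and da formulas shown. The secret exponent and the two commands are constructed for this example.

```python
# Added example: ECDSA nonce reuse (fixed k) and private-key recovery. Not the write-up's code.
import hashlib

# secp256k1 domain parameters (example curve; the service's curve was 192-bit)
P = 2**256 - 2**32 - 977
A = 0
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None   # point at infinity

def inverse_mod(x, m):
    return pow(x % m, -1, m)

def point_add(p1, p2):
    # affine addition / doubling on y^2 = x^3 + A*x + B over GF(P)
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inverse_mod(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inverse_mod(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    # double-and-add
    result = INF
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def hash_to_int(message):
    # z = sha1 of the full command string, as the service does
    return int.from_bytes(hashlib.sha1(message).digest(), 'big')

def sign_digest(d, message, k):
    # textbook ECDSA with a CALLER-CHOSEN nonce k; a nonce must never be reused
    z = hash_to_int(message)
    r = scalar_mult(k, G)[0] % N
    s = inverse_mod(k, N) * (z + r * d) % N
    return r, s

def verify(pub, message, sig):
    r, s = sig
    z = hash_to_int(message)
    w = inverse_mod(s, N)
    x = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return x is not INF and x[0] % N == r

def recover_private_key(m1, sig1, m2, sig2):
    # same k => same r; k = (z1 - z2) / (s1 - s2), da = (s1*k - z1) / r   (all mod n)
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2:
        raise ValueError('different r: the nonce was not reused')
    z1, z2 = hash_to_int(m1), hash_to_int(m2)
    k = (z1 - z2) * inverse_mod((s1 - s2) % N, N) % N
    return (s1 * k - z1) * inverse_mod(r, N) % N

# constructed secret exponent and two recorded <command, signature> pairs (k=4 in both)
SECRET_D = 0x1D5A2B3C4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
PUB = scalar_mult(SECRET_D, G)
CMD1 = b'power|2|10'
CMD2 = b'power|3|7'
SIG1 = sign_digest(SECRET_D, CMD1, k=4)
SIG2 = sign_digest(SECRET_D, CMD2, k=4)

def demo():
    # recover da from the two observed signatures, then sign a command of our choice
    d = recover_private_key(CMD1, SIG1, CMD2, SIG2)
    target = b'read_encrypted2|flag_id|123'
    forged = sign_digest(d, target, k=4)
    return d == SECRET_D and verify(PUB, target, forged)
```

Both signatures share the same r (the x-coordinate of 4G), which is the observable symptom of the reused nonce; after recovery the attacker signs arbitrary commands that verify under the benign client's public key.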
In fact, in this case, the vulnerability is not in the service, but in how the client (which I wrote to generate \u0026quot;benign\u0026quot; traffic) uses the (secret) ECDSA private key.\nThe generated benign traffic never invokes read_encrypted2 with an L3 signature, both because this is against the textual description of the permissions and because, otherwise, it would have been impossible for teams to distinguish between benign and malicious traffic.\nFor this reason, an easy patch is to change the value 75 in the list of primes to 79, making the command read_encrypted2 inaccessible with an L3 signature (see section \u0026quot;Authorization level bug\u0026quot;).\nWhat happened during the iCTF Unfortunately nobody exploited the ECDSA vulnerability, even though two hours before the end of the competition I gave this hint:\nHINT: http://xkcd.com/221/ (and 75 is not prime!)\n35 exploits were submitted, out of which 18 were working. 12 working exploits were just a copy of the exploit for the RSA vulnerability I developed (teams could buy exploits from us). Interestingly, one team obfuscated the source code of its attack. This was pointless; in fact, teams could not see the source code of attacks developed by other teams.\nSome teams submitted exploits generating a signature different from \u0026quot;\\x00\u0026quot; * 256. 
Specifically, some signatures with the following property were generated:\nrsa_public_key.encrypt(b64decode(signature), None)[0][-20] == 0x00\n(that is, the first byte of the 20-byte tail of the recovered message is 0x00). Given the bug in the hash comparison, such signatures were still considered valid if the hash of the submitted command started with a 0x00 byte.\nThe first working exploit was submitted by PPP (congratulations!).\nI did not dig into all the teams' machines, but from a quick look I have seen some teams patching the service by replacing the strncmp call with either the standard \u0026quot;==\u0026quot; Python operator or the memcmp libc function.\nReferences [1] http://hackmii.com/2008/04/keys-keys-keys\n[2] http://wiibrew.org/wiki/Signing_bug\n[3] http://www.youtube.com/watch?v=PR9tFXz4Quc\n[4] http://en.wikipedia.org/wiki/Elliptic_Curve_DSA\n[5] http://en.wikipedia.org/wiki/RSA_%28algorithm%29 ","date":1386633600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1386633600,"objectID":"f91f6750cf5fa8883dc3d4d50276c207","permalink":"/posts/ctf-ictf2013-mathconsole/","publishdate":"2013-12-10T00:00:00Z","relpermalink":"/posts/ctf-ictf2013-mathconsole/","section":"posts","summary":" ","tags":["CTF"],"title":"iCTF 2013: mathconsole","type":"posts"},{"authors":["Antonio Bianchi"],"categories":[],"content":"Android Forkbomb\nRecently, we found that it is possible to freeze any Android device with a simple forkbomb attack.\nNot really exciting, however it is strange that a forkbomb is not considered a security issue by Google, whereas this is.\nFor more details, read this blogpost here.\n","date":1386547200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1386547200,"objectID":"4ff6cac04a7dd8028b00cec6d52cc81d","permalink":"/posts/android-forkbomb/","publishdate":"2013-12-09T00:00:00Z","relpermalink":"/posts/android-forkbomb/","section":"posts","summary":" ","tags":["Security"],"title":"Android Forkbomb","type":"posts"},{"authors":["Antonio Bianchi"],"categories":[],"content":" Defcon 19 (2011) - BINARY 
L33tness 500 - Writeup \n[Original Binary](media/b500) Preliminary analysis\nThis is a standard Windows 32bit PE binary file.\nWhen you open it, a random sentence appears in a MessageBox. If you press OK, the program closes.\nWhile the MessageBox is open, CPU utilization goes to 100%. Using ProcessExplorer you can see that, inside the b500 process, there are 4 threads using the CPU.\n \u0026quot;Standard\u0026quot; b500 executable behavior If you try to open it using Ollydbg and press F9, you will get an exception and the process ends. This means that there are some anti-debugging checks.\nMain thread\nLet's start analyzing the main thread.\n The import table is almost empty, imports are retrieved dynamically (LoadLibrary/GetProcAddress) using the function at 0x00401170. Fortunately, Ollydbg is able to understand the destination address of a dynamic call, at least when the EIP is on it.\n At 0x004015EC VirtualAlloc is used to allocate a memory region (at 0x00390000), then memset is used to fill with zeros this region.\n 4 threads are created (0x00401872), for every thread a region in the heap is allocated and inside it the addresses of some APIs are written. The entry point of all these threads is 0x00401930 (this is a parameter of CreateThread API).\n Then the following APIs are called:\n WaitForMultipleObjects\n CloseHandle This is an anti-debugging check [1 (5) kernel32!CloseHandle]\n VirtualFree Secondary threads\nFirst of all, we have to take into consideration that threads are scheduled in a non deterministic way, so we can have different results during different execution of b500.\nOllydbg helps us showing the thread ID of the currently debugged thread on the main window caption, moreover, we can see a list of all currently active threads pressing the T button.\n Ollydbg and threads So, let's place a breakpoint at 0x00401930 and restart the program. 
While debugging the secondary threads, keep in mind that, if the breakpoint at 0x00401930 is hit again, a new thread has started.\nThe code of the secondary threads is quite complex, however we can easily understand that:\n The addresses of some APIs are retrieved.\n RDTSC is called (inside the function at 0x00401F10); this instruction writes in EDX:EAX the number of ticks since reset [2], and it is used here for time-based anti-debugging checks.\n ZwSetInformationThread is called (0x00401AEC) with the flag ThreadHideFromDebugger (push 11, i.e. 0x11). This is an anti-debugging trick [1 (4) NtSetInformationThread].\n PEB!NtGlobalFlags is checked. This is another anti-debugging check [1 (3) PEB!NtGlobalFlags].\n Some memory operations are performed.\n The CloseHandle API is called. This is another anti-debugging check [1 (5) kernel32!CloseHandle].\n ZwSetInformationThread call and PEB!NtGlobalFlags check Defeating anti-debugging checks\nCloseHandle\nWe can patch the API code so that it returns to the caller without performing any action. This could be a problem if CloseHandle were also called for legitimate reasons, but, in this executable, this is not the case. Since this function takes one (stdcall) argument, we have to restore the stack with a RETN 4 instruction.\n CloseHandle patch PEB!NtGlobalFlags\nWe can change the value of this flag before any other instruction is executed. I have patched the original b500 executable file: the new b500 changes the value of PEB!NtGlobalFlags (and of PEB!IsDebugged, which is used by the IsDebuggerPresent API), then it jumps to the original entry point.\nYou can use Ollydbg to patch the code and save the modifications to the executable. Then, use a tool such as LordPE to change the executable entry point to the address where the patch is located.\n PEB check patch RDTSC\nJust do not place breakpoints inside the code of the secondary threads. 
Of course you need breakpoints and single-stepping while debugging these threads, but, once you have understood how they work, you can skip them.\nZwSetInformationThread\nSince this API is called (with the flag ThreadHideFromDebugger), hardware breakpoints will not work in the thread that shows the MessageBox, but you can still use regular (INT3) breakpoints!\nWith the CloseHandle patch and the PEB check patch active, the MessageBox will appear even if b500 is open inside Ollydbg. Now we can search for the key.\n\nFinding the key \nRestart the program with the patches enabled (since Ollydbg disables patches at every restart, I created a modified version of the b500 executable with the PEB check patch hardcoded). When the MessageBox appears, you need to understand where it has been called from, so place a breakpoint inside the USER32 code, for instance here:\n This breakpoint will be hit when you press the OK button on the MessageBox Press F8 until you arrive at some code (0x00390078) located in the 0x00390000 memory region (this region has been allocated by the main thread using the API VirtualAlloc).\nThis is the memory dump of this memory region at 0x00390000:\n Memory dump at 0x00390000 after the MessageBox has been shown We can see all the message strings, but no string seems to be the key. Probably the key is a value used during the decryption of the strings.\nAt the top of the 0x00390000 region there is some code:\n Decryption function for MessageBox strings It is easy to identify the decryption loop. To retrieve the key, you can put a breakpoint inside the decryption loop. The problem is that hardware breakpoints do not seem to work (because ZwSetInformationThread has been called with the ThreadHideFromDebugger flag). You can use a standard breakpoint, but, since the memory in this region is written dynamically, you need to place the breakpoint after the memory has been set correctly.\nPlace a hardware breakpoint on write on 0x0039002B and restart the program. 
This breakpoint is hit twice: the first time when this region is filled with zeros, the second time when the decryption loop code is written. Once the code has been written, you can place a regular breakpoint on 0x0039002B.\nWhen it is hit for the first time, the decryption of the MessageBox strings is about to start. You can single-step the loop and see that at 0x00390038 a key is read from 0x00DEFF64, and that it is 0x10*2=0x20 bytes long.\nSo, the solution is:\n2FE3903DF19E4B01AC590FBA671DC8752BD68339E49147F29F5502AD6310BB71\nReferences\n[1] http://www.symantec.com/connect/articles/windows-anti-debug-reference\n[2] http://en.wikipedia.org/wiki/Time_Stamp_Counter\n","date":1312243200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1312243200,"objectID":"7a79845406fbd9c8404fed9aa8bfe7eb","permalink":"/posts/ctf-defconquals2011-bin500/","publishdate":"2011-08-02T00:00:00Z","relpermalink":"/posts/ctf-defconquals2011-bin500/","section":"posts","summary":" ","tags":["CTF"],"title":"Defcon Quals 2011: binary l33tness 500","type":"posts"},{"authors":["Antonio Bianchi"],"categories":[],"content":" Defcon 19 (2011) - BINARY L33tness 400 - Writeup Preliminary analysis\nThis is a Windows 32bit PE binary file. It prints the string \u0026quot;hello world\u0026quot; in a console and exits.\n b400 output It is packed: PEiD reports: tElock 0.98b1 -\u0026gt; tE!\nIf you open it with Ollydbg, it will tell you that the b400 executable is packed. This message can be quite annoying; if you wish, you can patch Ollydbg itself to skip it :-)\nConfiguring Ollydbg\nWhen you run it inside Ollydbg, a lot of different exceptions appear. You can ignore them all:\nDebugging options --\u0026gt; Exceptions --\u0026gt; \u0026quot;Ignore also the following exceptions or ranges\u0026quot; --\u0026gt; add the 00000000-FFFFFFFF range. 
Set also: \u0026quot;Ignore memory access violations in KERNEL32\u0026quot; and unset all other options.\nIf you press F9 you will get the message \u0026quot;Don't know how to bypass...\u0026quot;; you can skip it by pressing Shift+F9.\nSince this program is heavily packed (probably twice), it is useful to have a breakpoint inside the VirtualAlloc API, in order to track memory region creations. You can put it here:\n When this breakpoint is hit, in EAX you can see the base address of the memory region allocated If you try to change b400 memory or to place a hardware breakpoint, you will get the following error message:\n A hardware breakpoint (or a memory modification) has been detected! This is not a big deal, since this check is done only before the first call to the VirtualAlloc API; just remember that, when you need to place a hardware breakpoint, you have to do it after VirtualAlloc has been called at least once.\nFinding the original executable file\nYou can try to find the original executable file in memory. Run the program; when it terminates you can still search its memory for the string \u0026quot;hello world\u0026quot;. You will find it in three different locations. The \u0026quot;hello world\u0026quot; string at 0x00415000 is the most interesting, since it is located inside b400 memory. It is dynamically decrypted (in fact, when b400 starts, the memory at 0x00415000 is filled with zeros).\nYou can find out when it is generated by placing a hardware breakpoint on write on 0x00415000 (remember: hardware breakpoints can be set only after VirtualAlloc has been called once).\nThis breakpoint is hit twice. The first time some zeros are written, the second time the \u0026quot;hello world\u0026quot; string is written by the instruction at 0x0042E1FB.\nSingle-stepping at this location you can easily identify a decryption function. 
The code is extremely complex, however you only need to know that:\n Most of the time data are copied from [ESI] to [EDI] one byte at a time.\n Under \u0026quot;some circumstances\u0026quot; the data written to [EDI] are retrieved in different ways.\n For instance, \u0026quot;hello world\u0026quot; is copied from \u0026quot;he? world\u0026quot; (where ?=0x11); the 0x11 character is substituted with the \u0026quot;llo\u0026quot; string copied from the \u0026quot;FlsAlloc\u0026quot; string at 0x40D6EC :-)\nIf you wish, you can dump the code from 0x0042E1F8 to 0x0042E2B1 and try to analyze it with IDA Pro, but this is not necessary at all.\n The decryption function It is useful to understand the range of data copied by this function. You can place a conditional log breakpoint on 0x0042E1FB and log the value of EDI. You cannot place this breakpoint when the program starts, because the code of this decryption function is written during the execution of b400. So, place a hardware breakpoint on execution on 0x0042E1FB and, when it is hit, place the conditional log on 0x0042E1FB.\nWhat you will get is a log of the memory locations written by the decryption function. It is not 100% complete because, as I said before, not all the data are copied with the MOV BYTE PTR DS:[EDI],AL instruction. However, you can see that this function writes memory from 0x00401000 to 0x0042DDCA.\nYou can change the conditional log settings to make it stop the program execution when EDI==0x0042DDCA; in this way you can see that, when this function finishes, the following code is executed:\n Going to Original Entry Point... Then:\n The IAT is rebuilt\n Memory access is reset (this is an anti-unpacking technique)\n The execution jumps to the Original Entry Point at 0x00401560\n At 0x00401560 we have the OEP.\n The Original Entry Point If you wish, now you can dump the process (using LordPE) and fix the IAT (using ImpREC, OEP RVA=0x1560, IAT RVA=0xC000, IAT size=0xF7C). If you do so, you will get a valid PE file. 
(But it will crash, because some values are read from memory allocated by the packer, I don't know why... ).\nOnce you have a valid PE file, you can load it in IDA Pro. IDA will correctly understand that the code at 0x00401000 is the real \u0026quot;main\u0026quot; of this program.\n IDA Pro analysis of the \u0026quot;main\u0026quot; And now?\nWe have the unpacked binary, we know where it is decrypted (but it seems that no key is used by the decryption function), so where is the key?\nNow you can lose hours reversing other decryption functions or the fprintf function (as I did), but it is useless. :-)\nThe decryption function writes data up to 0x0042DDCA, so let's look at the memory at this location.\n There is a PE header! There is a PE header; if you want, you can see it using the Ollydbg integrated PE header parser (you need to paste it inside a full PE header). This PE header is coherent (OEP, IAT, and IAT size) with the original executable we have found, so it is the original PE header of it.\nLet's see if there are other PE headers (you can search for the \u0026quot;PE\u0026quot; string).\nAt 0x00432046 there is another PE header; its section names are: \u0026quot;ddtek\u0026quot;, \u0026quot;rules\u0026quot;, \u0026quot;rsrc\u0026quot; :-)\nIn my opinion, this means that the original executable file has been packed (at least) twice and this is the PE header of the intermediate step. According to this PE header, OEP=0x00426000, IAT RVA=0x30014, IAT size=0x8F. If you want to analyze this intermediate step, you can place a hardware breakpoint on execution on 0x00426000.\nSearching for the \u0026quot;PE\u0026quot; string you will also find this string (in the middle of hundreds of API names):\nHowCanThisPossiblyBeAValidPEFile?\nwhich is the solution!\nHow was I supposed to know that?\nSolving this challenge can be very simple. You just need to run the program until it terminates, dump the memory and search for the \u0026quot;PE\u0026quot; string inside the dump. 
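The search for embedded PE headers described above, as an added example that is not part of the write-up: a small Python scanner that finds every PE signature in a memory dump and reads, for each, the fields the write-up compares (entry point, import table RVA and size, section names), using the standard PE32 file-header and optional-header layout. The dump is constructed inline from two fake PE32 headers whose values mirror the ones quoted above (OEP RVA 0x1560 / IAT 0xC000 size 0xF7C, and OEP RVA 0x26000 / IAT 0x30014 size 0x8F with sections ddtek, rules, rsrc); the byte offsets of the headers in the constructed dump are arbitrary.

```python
# Added example: scan a memory dump for embedded PE headers. Not the write-up's code.
import struct

PE_SIG = bytes([0x50, 0x45, 0, 0])   # the 4-byte 'P','E',0,0 signature

def parse_pe_at(dump, off):
    # off points at the PE signature; IMAGE_FILE_HEADER follows (20 bytes), then the optional header
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', dump, off + 4)
    opt = off + 24
    magic = struct.unpack_from('<H', dump, opt)[0]
    if magic != 0x10B:                       # PE32 only in this example
        return None
    entry_point = struct.unpack_from('<I', dump, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from('<I', dump, opt + 28)[0]       # ImageBase
    import_rva, import_size = struct.unpack_from('<II', dump, opt + 104)  # DataDirectory[1]
    sections = []
    sec = opt + opt_size                     # section table, 40 bytes per entry
    for i in range(nsections):
        name = dump[sec + 40 * i: sec + 40 * i + 8].rstrip(bytes(1)).decode('ascii', 'replace')
        sections.append(name)
    return {'offset': off, 'machine': machine, 'entry_point': entry_point,
            'image_base': image_base, 'import_rva': import_rva,
            'import_size': import_size, 'sections': sections}

def scan_dump(dump):
    # every PE32 header found in the dump, in order of appearance
    found = []
    off = dump.find(PE_SIG)
    while off != -1:
        info = parse_pe_at(dump, off)
        if info is not None:
            found.append(info)
        off = dump.find(PE_SIG, off + 1)
    return found

def build_fake_pe(entry_point, import_rva, import_size, section_names):
    # constructed PE32 header (no code, no DOS stub), used only as sample input
    file_header = struct.pack('<HHIIIHH', 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                # PE32 magic
    struct.pack_into('<I', opt, 16, entry_point)
    struct.pack_into('<I', opt, 28, 0x400000)
    struct.pack_into('<I', opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 104, import_rva, import_size)
    sections = b''.join(name.encode().ljust(8, bytes(1)) + bytes(32) for name in section_names)
    return PE_SIG + file_header + bytes(opt) + sections

# constructed dump: zeros, the original program's header, zeros, the intermediate packer header
DUMP = (bytes(0x40) + build_fake_pe(0x1560, 0xC000, 0xF7C, ['.text', '.rdata', '.data'])
        + bytes(0x20) + build_fake_pe(0x26000, 0x30014, 0x8F, ['ddtek', 'rules', 'rsrc']))
```

On a real dump, run scan_dump over the file bytes and compare each header's entry point and import directory with the values recovered while unpacking; a header whose fields match the OEP and IAT you found is the original one, and any other is left over from an intermediate packing layer.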
(There is also an online tool that unpacks an executable file and extracts all the strings it finds [http://eureka.cyber-ta.org])\nThe problem is: how do you know which string to look for?\nMaybe you can notice that all the API names are in reverse alphabetical order, except for the \u0026quot;HowCanThisPossiblyBeAValidPEFile?\u0026quot; string.\nAnother possibility is to realize that the program makes a lot of modifications inside the PE header and hides them from memory breakpoints using the VirtualProtect API.\n b400 is removing memory breakpoints from the PE header using the VirtualProtect API. So you can understand that PE headers are, in some way, important for solving this challenge, and you can get the idea of searching for the \u0026quot;PE\u0026quot; string.\n","date":1312156800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1312156800,"objectID":"73ef461aa596567381f9d10ac2c857eb","permalink":"/posts/ctf-defconquals2011-bin400/","publishdate":"2011-08-01T00:00:00Z","relpermalink":"/posts/ctf-defconquals2011-bin400/","section":"posts","summary":" ","tags":["CTF"],"title":"Defcon Quals 2011: binary l33tness 400","type":"posts"}]