Secure Coding (IN2106)
Master Praktikum (Lab)
Winter Semester 2016/17
Class Time and Room:
Wednesdays , 08:45-11:00 AM,
C programming knowledge
Assembly language knowledge
Knowledge of using Linux, Docker and screen-casting software
Max. Number of participants:
Misc: All participants of this lab must fill-in a disclaimer and hand it to the instructors in original hard-copy form, before the end of the first lab session.
The goal of this lab is to teach students how to protect software applications against so called Man-At-The-End (MATE) attackers. MATE attackers control the system on which the application is running and their goals include but are not limited to: reverse engineering a proprietary algorithm, cracking software, cheating in games, bypassing license checks or extracting secret keys embedded in software. MATE attackers have capabilities that exceed those of remote attackers, e.g. MATE attackers can perform interactive debugging on applications and modify their code and/or memory values during execution. They can do this without needing to exploit any vulnerability of the target application.
This lab will focus on applications written in C, because MATE attacks are often performed at binary level. To defend against MATE attackers we will first present tools and techniques used in reverse engineering and then present tools and techniques for software protection. We will cover an array of techniques employed in state-of-the-art software protection such as: obfuscation, tamper-proofing, watermarking, anti-disassembly, anti-decompiling, anti-debugging, etc. This lab will be accompanied by a hands-on project that will be divided into 5 phases (each phase will be graded):
Phase 1 “Application Protection”: Groups of 2 students will be asked to protect software apps using either existing tools and/or (possibly) self-developed tools/scripts. All groups will be given a set of assets that they must protect against MATE attackers. The protection tools and techniques employed by each group will be documented.
Phase 2 “Reverse Engineering”: Each group of students will exchange their apps and documentation from Phase 1 with another group. Each group will have a set of reverse engineering tasks to perform on the apps which they received using at least one tool specified by the instructors and any other tools they choose or develop. All tasks must be documented (using screenshots or screen-casts) such that they can be reproduced by any other group in Phase 3.
Phase 3 “Verifying Findings”: Each group of students will get the apps of another group form Phase 1 and the reverse engineering documentation from Phase 2 corresponding to the apps. Each group will verify the reverse-engineering findings of another team from Phase 2 by reproducing the tasks according to the documentation. Each task from Phase 2, must be reproduced and recorded as a screen-cast. Incorrect, missing or incompletely documented tasks from Phase 2 will be documented and corrected if possible.
Phase 4 “Application Hardening”: Each group will have to apply additional protection mechanisms to their own apps such that as many attacks as possible from Phases 2 and 3 are mitigated. Each team will have to document which protection techniques were added, why they were employed and which attacks they should defend against.
Phase 5 “Verifying Hardening”: Finally, each group of students will receive the hardened apps and documentation (from Phase 4) of another group and the documentation corresponding to the apps from Phases 2 and 3. Each group will verify which protections added in Phase 4 defend against which attacks from Phases 2 and 3. Results must be documented in a final report and recorded as screen-casts for each reverse-engineering task.
Groups must hand in their results in electronic form at the end of each phase. For all phases each group of students must deliver their software, documents and screen-casts, on a Docker container. Groups will document individual effort (measured in hours per task/activity). This information, together with the delivered documents, screen-casts and software will be taken into account for the final individual grades. The outcome of each phase will be graded and will contribute to 80% of the final grade.
All groups will present and discuss protection mechanisms and reverse engineering techniques in every phase. Every student must present at least once. Presentation grades are assigned to each individual student based on: speech clarity, organization and logical flow of the presentation and ability of the presenter to answer questions and engage the audience. The weight of the presentation is 20% of the final grade.
A grade bonus of 10% is offered to students solve obfuscation challenges provided as homework by the instructor, in an automated way, using self-written scripts and/or an existing reverse-engineering framework.
Modules taught will include
Module 1: Introduction and Motivation
- Software protection scenarios
- Software protection tools
- Overview of obfuscation
- Overview of tamper-proofing
Module 2: Attacker Model
- Attack targets
- Cracking with GDB
- Overview of attack techniques
Module 3: Program Analysis
- Control-flow analysis
- Symbolic / Concolic Execution
- How to deal with self-modifying code
Module 4: Code Obfuscation
- Static obfucation transformations
- Obfuscation used by computer viruses / malware
- Code diversity
- Dynamic obfuscation
Module 5: Tamper-proofing
- Environment checking
- Self-checksumming code
- Response mechanisms
- Temporal code diversity
There is no single literature source for the topics treated in the lab. However the following is a list of recommended further reading:
- Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection, Jasvir Nagra, Christian Collberg, Pearson Education, Jul 24, 2009
- The Ida Pro Book: The Unofficial Guide to the World's Most Popular Disassembler, Chris Eagle No Starch Press, Incorporated, 2011
- Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation, Bruce Dang, Alexandre Gazet, Elias Bachaalany, John Wiley & Sons 2014