ENS Security course 2020


Lecturer: Clémentine Maurice

Teaching assistant: Guillaume Didier

Contact

For questions on the lectures: clementine.maurice AT irisa.fr

For questions on a project: clementine.maurice AT irisa.fr, or guillaume.didier AT irisa.fr, depending on the tutor.

Lectures

Grading

Projects

If you take this class, please form groups of two and send your ordered list of the 7 projects by preference by October 5 (11:59am) at clementine.maurice AT irisa.fr. I will do the assignment for the beginning of the projects on October 8.

Also note that for some projects we are giving you more than two references. It's not to punish you, it's to actually help you ;)

The following projects are available:

#1. Adversarial machine learning

Full description here.

An adversarial attack consists of subtly modifying an original image in such a way that the changes are almost undetectable to the human eye. The modified image is called an adversarial image, and when submitted to a classifier is misclassified, while the original one is correctly classified.

Adversarial machine learning example

Plus one of the following:

#2. 802.11 fingerprinting

Full description here.

802.11 is a set of standards ratified by the IEEE, describing the characteristics of a Wireless Local Area Network (WLAN), often referred to as “Wi-Fi networks”, i.e., networks based on 802.11 devices. WLANs are widely adopted due to the standardization and interoperability between wireless devices. Yet, the wireless link has to deal with problems that have no analogy in the wired world, such as the unreliability of transmissions and potential attackers in the neighborhood with easy remote interactions. The 802.11 standard is therefore complicated and leads to varying implementations.

Fingerprinting is the action of identifying a device by extracting some externally observable characteristics and using supervised learning. It results in a signature (an identifier for the device being fingerprinted) and a classification of the device. Fingerprinting can be used in a defensive way, to detect and to prevent MAC address spoofing for stations and rogue access points. It can be used in an offensive way as well, by identifying a configuration to target a specific vulnerability and launch a driver-specific exploit. It also raises the question of privacy, as one way to ensure anonymity in 802.11 networks is to change regularly a device MAC address - supposed to be a unique identifier. However, by identifying the device by its observable characteristics, tracking becomes possible without relying on any unique identifier.

#3. Password cracking

Full description here.

Password cracking is the process that consists in recovering passwords from databases. Passwords are usually hashed when stored. The basic idea of a hash function is that it takes an input and produces as output a message of a fixed length. (Good) cryptographic hash functions have the property of being very easy to compute, but extremely difficult to reverse, i.e. given the output, it should not be possible to find the input, and it should also not be possible to find two inputs that produce the same output.

In the real world, passwords are sometimes stored in an unsecure fashion, and users tend to choose weak passwords and to reuse them, all of which has consequences on password cracking.

#4. Automated bug finding

Full description here.

Bugs! They are everywhere and everybody is bound to write some in their programming life. Bugs lead to major problems in the reliability, safety, and security of systems both large and small, and it is neither easy nor always feasible to find all bugs by hand. Although it is not a substitute to code review, testing, and program verification, automated bug finding tools can alleviate some of the pain of finding bugs. Numerous techniques have been developed in the past decades, such as fuzzing, dataflow analysis, symbolic execution, model checking, or abstract interpretation. This project should give you a glimpse of this large domain and its current challenges.

And to give you a bit more context about fuzzing:

#5. Reverse-engineering

Full description here.

Understanding what a binary program does is essential for security researchers, as often you only have the compiled version of a malware. Analysing and debugging is thus a significant activity of people who are working on malware, or are trying to understand a bug in compiled code, e.g., for security purposes or to understand what your program is getting compiled into and why it is not behaving as you would expect.

This project, conceived as a series of challenges, will expose you to x86 assembly and to various tools used to analyze binaries.

Here are other resources for more background information:

#6. Crypto in the real world

Full description here.

Cryptanalysis is the process of finding weaknesses in cryptographic systems, and using these weaknesses to decipher the ciphertext without having the secret key. Attacks can target the cryptographic primitive itself (i.e., the mathematical foundations of the algorithm), but more often cryptanalysis targets the usage of this primitive. Indeed, the devil is usually in the details! The interaction between compression and encryption, cipher modes, and protocol negotiation are a few ways attackers can blow up encryption that used primitives that are deemed safe, because they are used inappropriately.

When the iron blast door is attached to a wooden door frame, don’t blow up the door, just break the door frame!

Read this first to familiarize yourself with cryptographic attacks:

And here are the two articles to read and summarize for the project presentation:

#7. Buffer overflows

Full description here.

Out of bound accesses (and writes) to buffer are a recurring issue in computer security, especially for code bases written in C based language. In this project we explore how to exploit buffer overflows (that is writes past the end of buffers) in order to hijack the control flow of the program.

This project will involve learning about the program stack memory layout, assembly, and in the last part memory allocator structures.

Read this seminal publication first to familiarize yourself with buffer overflows:

Here are the two articles to read and summarize for the project presentation:

More publications about attacks on the heap for the last part of the project (to read in order):

And other resources for more background information:

#8. Sandbox escape

Full description here.

Sandboxes are a good way to limit damage that can be caused by someone exploiting a bug in a trusted program or to prevent an untrusted program from harming a system.

But building sandboxes is hard! This project will allow you to break a fake sandbox component and think about how to build a better one.