a highly immersive approach to teaching reverse
play

A Highly Immersive Approach to Teaching Reverse Engineering Golden - PowerPoint PPT Presentation

Dec 22, 2022 •330 likes •576 views

A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III, Ph.D. Professor Director, Greater New Orleans Center for Information Assurance (GNOCIA) Department of Computer Science University of New Orleans Co-founder,

  1. A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III, Ph.D. Professor Director, Greater New Orleans Center for Information Assurance (GNOCIA) Department of Computer Science University of New Orleans Co-founder, Digital Forensics Solutions, LLC golden@cs.uno.edu http://www.cs.uno.edu/~golden

  2. What? • A hands-on course in reverse engineering, focusing on malware • Provide solid background in theory of reversing – Code generation – How tools work: e.g., disassemblers, debuggers – Anti-analysis and anti-debug strategies • Interleaved with hard reversing / analysis projects • Not a collection of Powerpoint and toy examples • Not a general “hacking” course – Not because I object (I don’t) – Not enough time in one semester to cover any additional “hacking” topics • Goal: Students develop serious, usable reverse engineering skills in one semester

  3. Why So Little RE in Academia? • Because it’s hard for the instructor? • Perception that skills can’t be developed in a single semester? • The university won’t allow it • Should we be doing this? • Lack of student interest? • I’m here to discover the others

  4. Aside: Building Trust • I personally have no problems getting courses like this approved • I seriously lay down the law concerning what will happen to: – Classes like this being offered – Access to all the cool toys, HW, and SW in my security lab • …should things go “horribly wrong” • Historically, despite teaching very hands-on courses in: – OS internals – Digital forensics – Network security • And despite having classes of students running around with root privileges on the machines in the lab…

  5. Aside: Building Trust (2) • Nothing external and nothing significant has been destroyed • Students understand network is monitored and impact of blowing something up outside my lab • As a result, students are careful and self-policing • I’ve been around for a long time and haven’t blown anything up • Your mileage may vary

  6. Why Do It? • 60%: RE is useful and should be taught – Great way to motivate students to dig deeper into systems – ASM skills, OS internals, Intel manuals as recreational reading – Computing != Computer + Java • 20%: Students begging – Resistance: I knew it would be a lot of work to do correctly, tho it’s been coming together for awhile • 20%: I’m a hacker in professorial clothing – Good chance to do what I like

  7. Who? • Class taught in Spring 2009 for the first time • 25 students, 2/3 graduate, 1/3 undergrad • ~20% had taken an OS internals course • 100% had taken the Intro to Security course • ~50% had taken or were enrolled in a digital forensics course • Few had serious assembler skills • 1 student had nearly expert RE skills • 2-3 others had at least basic RE skills • “The hardest course I’ve ever had” • 1 student dropped in Spring 2009

  8. Aside: ASM Courses: Don’t Get Me Started • Serious problem: Students have poor ASM skills • Don’t know about yours, but our ASM course is (IMO) worthless • Didn’t use to be…I took that course in 1983! • Can’t volunteer to teach that course…no time • No time to “teach” the ASM course inside RE • Solution: – (Nearly) compassion-free immersion – ASM every day – Tight deadlines assignments requiring ASM comprehension

  9. Topics • Goals of reverse engineering – Software interoperability, patch verification, malware analysis, cracking • Ethics and legal issues – DMCA, EULAs, RE == jail, seek ye lawyers • Techniques / Tools for RE – Static vs. dynamic analysis, disassemblers, debuggers, live forensics tools, memory dumpers, packing / unpacking, … • Malware background – Types, propagation strategies, payload delivery, poly- and metamorphic malware, … • Basic Intel assembler (a few lectures, then “on the job”) – Registers, flags, common instructions, data formats, 32 vs. 64bit code, hardware components, paging, debugging architecture, examples

  10. Topics (2) • Windows Portable Executable (PE) format • C control structure, function, array, struct/union patterns generated by common compilers • Common malware functionality – Delta offset calculation, API address discovery, infection and propagation, … • Anti-debugging / anti-VM functionality – Dynamic jumps, instruction prefetch attacks, LDT/ GDT/IDT location analysis, use of debugging facilities • Packing and unpacking techniques – Hand-rolled, UPX, Armadillo, …

  11. Laboratory Setup • Isolated gigabit network with fast, private fileserver (16 x 15K SAS drives) – has to serve VMWare images • Workstations running Linux + VMWare • User accounts including XP VMWare image stored by file server • XP image contains: – sysinternals suite – Visual C++ Express Edition – MASM32 – ollydbg – IDA Pro 5.x + x86emu plugin for x86 emulation – HBGary Responder (thanks, Penny!) – FACE , Volatools, ptfinder, … • Networking OFF in VMWare image whenever possible

  12. Approach: Challenges • Time is short! • ASM skills • Flipping Powerpoint guaranteed to fail • Want actual, rather than theoretical, skills to emerge • Skills at end of semester should be (almost?) sufficient to analyze modern malware • Must hurt students (a lot) to achieve skill levels without completely discouraging them

  14. Approach: Malware Sampler • Requirements: – Students start RE immediately – With each new malware sample, push students almost to breaking point  but not quite • Michelangelo  DOS-7  SQL Slammer  Murkry  Lucius  Harulf  Conficker • These were interleaved with short “malware” samples (that I wrote) to introduce: – Registry hacking – Replacement of system binaries – Addition of user accounts – …

  15. Approach: Workflow Reversing assignments of Traditional lectures w/ increasing difficulty, Powerpoint for in teams of 2-3 necessary background Documented ASM Documented ASM walkthroughs on document Lab sessions walkthroughs on document camera: team assignments camera: new malware in lieu of lecture to introduce use of tools or concepts such as unpacking Midterm / Final: 60% reverse engineering assignments 40% background material

  16. Approach: Assignments • Series of team-based malware analyses • Goal is to produce fully documented disassemblies • Initially, uncommented but correct disassemblies • Later, only a binary malware sample – Must coax tools to generate correct disassembly – Deal with packing, anti-analysis techniques • Modest expectations initially, increase sharply as the semester progresses • In some cases: – Solutions accepted and signed – Necessary concepts for complete solution discussed in class – Solution returned and then may be resubmitted • Always let students try (and potentially fail) before giving away the solution

  17. NukeHD: sub cx,cx NukeDism: inc cx push cs pop es mov ax,FE05h jmp $-2 sub ax,E702h mov bh,1 mov dx,80h int 13h jmp short NukeDism

  18. NukeHD: sub cx,cx ; cx == sector number <-- 0 ; FALL THROUGH... NukeDism: inc cx ; target next sector push cs ; pop es ; es <-- cs mov ax,FE05h ; ax <-- FE05h jmp $-2 ; jumps into middle of last instruction ; last instruction disassembled = ; B8 05 FE EB FC ; ; JMP targets 05 byte which is the ; opcode for a 16-bit immediate add ; to AX, thus ax <-- ax + EBFEh ; ; the remaining byte, FC, is the ; opcode for the single byte instruction ; CLD (clear direction flag) ; sub ax,E702h ; ax <-- ax - 0E702h = 301h mov bh,1 ; mov dx,80h ; first hard drive int 13h ; write 1 sector to hard drive jmp short NukeDism ; write "forever"

  19. Approach: Exams • 30%: Abstract scenarios / “Book material” – “You discover that a binary is packed with UPX. To discover the original entry point (OEP), you…” – “A malware sample makes heavy use of dynamic JMPs. Which disassembler design is more likely to encounter problems? Why? Solutions?” • 70%: References to RE exercises – Precise, detailed answers required – Hard to answer within available time if student didn’t participate in the team-based analyses – “When you analyzed the following section of Harulf, what did you discover? Comment each line.” – Example follows on next slide

  20. Start: jmp stuck sig_1 dd 0 sig_2 dd 0 stuck: call here jmp getdelta here: assume fs:nothing mov eax,[esp] push eax push fs:[0] mov fs:[0],esp xor eax,eax mov eax,[eax] ret getdelta: ... pop fs:[0] pop edx pop ebp sub ebp,offset here add ebp,2h cmp ebp,0 je skipdecrypt

  21. Start: jmp stuck sig_1 dd 0 sig_2 dd 0 stuck: call here ; start delta offset calculation, ; trip up debuggers with stack-based SEH jmp getdelta ; this will be new SEH here: assume fs:nothing mov eax,[esp] ; address of “jmp getdelta” in eax push eax ; save address on stack (new SEH) push fs:[0] ; save old SEH head mov fs:[0],esp ; “jmp getdelta” is new SEH xor eax,eax ; zero eax mov eax,[eax] ; null ptr reference, invokes SEH ret getdelta: ... pop fs:[0] ; restore SEH pop edx ; pop ebp ; address of getdelta sub ebp,offset here ; subtract compile-time offset of ‘here’ add ebp,2h ; jmp getdelta is two bytes cmp ebp,0 ; are we at entry point? je skipdecrypt ; yes, no need to decrypt body

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Welcome Inge Li Grtz. Reverse teaching and discussion of exercises: 3 teaching

Welcome Inge Li Grtz. Reverse teaching and discussion of exercises: 3 teaching

Welcome Inge Li Grtz. Reverse teaching and discussion of exercises: 3 teaching assistants 02110 8.00-9.15 Group work 9.15-9.45 Discussions of your solutions in class Inge Li Grtz 10.00-11.15 Lecture 11.15-11.45 Work

307 views • 19 slides
Multisensory Teaching Approach Richardson ISD What is MTA ? Multisensory Teaching Approach is a

Multisensory Teaching Approach Richardson ISD What is MTA ? Multisensory Teaching Approach is a

Multisensory Teaching Approach Richardson ISD What is MTA ? Multisensory Teaching Approach is a program for the remediation of Dyslexia. This program is an Orton- Gillingham multisensory approach to teaching reading that combines Visual,

236 views • 20 slides
Immersive Educational transform Edwin Ching Kevin Lui Immersive education Immersive

Immersive Educational transform Edwin Ching Kevin Lui Immersive education Immersive

Immersive Educational transform Edwin Ching Kevin Lui Immersive education Immersive learning is the process of learning with the usage of a simulated or artificial environment. The environment enables the learners to completely get

1.11k views • 76 slides
Agenda Introduction Key Outcomes What is Immersive Technologies Why Immersive

Agenda Introduction Key Outcomes What is Immersive Technologies Why Immersive

Agenda Introduction Key Outcomes What is Immersive Technologies Why Immersive technology for Tourism 360 Video Augmented Reality Virtual Reality Immersive technology and SMEs Key issues

435 views • 14 slides
Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Overview Evidence Model Calibration Quantitative Results Reverse Engineered Shocks Conclusion Extras Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach Paolo Gelain Kevin J. Lansing Gisle J.

717 views • 50 slides
Enhancing Communication Skills Development within Immersive Virtual Environments (ECSDIVE):

Enhancing Communication Skills Development within Immersive Virtual Environments (ECSDIVE):

Enhancing Communication Skills Development within Immersive Virtual Environments (ECSDIVE): Applying Collaboration Aware Applications and Spatialised Sound. Learning and Teaching Innovation Fund Learning and Teaching Innovation Fund September

331 views • 21 slides
Immersive Telepresence in in Immersive Telepresence Immersive Telepresence in Responsive

Immersive Telepresence in in Immersive Telepresence Immersive Telepresence in Responsive

Immersive Telepresence in in Immersive Telepresence Immersive Telepresence in Responsive Virtual Environments Environments Responsive Virtual Responsive Virtual Environments Martin Gbel GMD - German National Research Center for

396 views • 25 slides
Center of Excellence for Immersive Technologies Contents o Immersive Technologies o Impacts on

Center of Excellence for Immersive Technologies Contents o Immersive Technologies o Impacts on

Center of Excellence for Immersive Technologies Contents o Immersive Technologies o Impacts on Aerospace and Defence o Beacon Labs VR, AR and MR Collectively XR MIXED or Key Sector Impacts Sectors and Verticals where XR

497 views • 14 slides
The Immersive VR Self: Performance, Embodiment and Presence in Immersive Virtual Reality

The Immersive VR Self: Performance, Embodiment and Presence in Immersive Virtual Reality

The Immersive VR Self: Performance, Embodiment and Presence in Immersive Virtual Reality Environments Raz Schwartz, Research Lead, Oculus William Steptoe, Research &amp; Software Engineer, Oculus Abstract Virtual avatars are a common way to

627 views • 13 slides
A NON-TRADITIONAL APPROACH TO TEACHING AND LEARNING NON-TRADITIONAL APPROACHES TO TEACHING AND

A NON-TRADITIONAL APPROACH TO TEACHING AND LEARNING NON-TRADITIONAL APPROACHES TO TEACHING AND

SECONDARY ALTERNATIVE PROGRAMMING A NON-TRADITIONAL APPROACH TO TEACHING AND LEARNING NON-TRADITIONAL APPROACHES TO TEACHING AND LEARNING OUR GOALS Help ALL students meet their full academic, social and emotional potential. Provide

477 views • 31 slides
Next Generation Online Simulations, Serious Games and Immersive Learning Nigel Wynne Lead

Next Generation Online Simulations, Serious Games and Immersive Learning Nigel Wynne Lead

Next Generation Online Simulations, Serious Games and Immersive Learning Nigel Wynne Lead OSIME RDG Senior Academic Learning and Teaching National Teaching Fellow nigel.wynne@bcu.ac.uk OSIME RDG: Staff Nigel Wynne Lead Xi Guo

911 views • 67 slides
Immersive Game Design A look at three pilot programs focusing on designing digital video games

Immersive Game Design A look at three pilot programs focusing on designing digital video games

Immersive Game Design A look at three pilot programs focusing on designing digital video games with visiting teaching artists in schools funded by the NEA and Young Audiences Presented by: Katie Lynn, Arts Partners Wichita Marsha Dobrzynski,

267 views • 13 slides
Architecture of the Immersive Web Platform: Where would accessibility fit in? In order to

Architecture of the Immersive Web Platform: Where would accessibility fit in? In order to

Immersive Web Architecture of the Immersive Web Platform: Where would accessibility fit in? In order to understand the components of WebXR, it may be helpful to see the way it has evolved out of the 2d web platform. Early CSS 3D Transform

591 views • 3 slides
Building Immersive NVIDIA SHIELD Android TV Games GTC 2016 | Luc Beaulieu (CTO) &amp; JP Doiron

Building Immersive NVIDIA SHIELD Android TV Games GTC 2016 | Luc Beaulieu (CTO) &amp; JP Doiron

Building Immersive NVIDIA SHIELD Android TV Games GTC 2016 | Luc Beaulieu (CTO) &amp; JP Doiron (Technology Director) Todays Menu Immersive experience What went right Challenges What's next Immersive experience

473 views • 33 slides
Reverse-Engineering of Personal and Inter- personal Work Practices: A context-based Approach

Reverse-Engineering of Personal and Inter- personal Work Practices: A context-based Approach

Reverse-Engineering of Personal and Inter- personal Work Practices: A context-based Approach Marielba Zacarias, H. Sofia Pinto, Jos Tribolet CEO/ALGOS (INESC-INOV)/IST, Lisboa Universidade do Algarve, Faro - Portugal Summary Introduction

543 views • 26 slides
Creating Immersive Narrative Games Without Big Budgets or Resources Georg Backer

Creating Immersive Narrative Games Without Big Budgets or Resources Georg Backer

Creating Immersive Narrative Games Without Big Budgets or Resources Georg Backer @georgbacker Developer, Hotsauce Interactive www.hotsauceinteractive.co.uk IMMERSIVE &amp; NARRATIVE GAMES $$$$$$$$$$$ IMMERSIVE &amp; NARRATIVE GAMES

296 views • 28 slides
Anatomy of an Apache OpenOffice Extension Pedro Giffuni pfg@apache.org AOO Architecture: Jigsaw

Anatomy of an Apache OpenOffice Extension Pedro Giffuni pfg@apache.org AOO Architecture: Jigsaw

Anatomy of an Apache OpenOffice Extension Pedro Giffuni pfg@apache.org AOO Architecture: Jigsaw Puzzle 26/11/14 2 So how do I develop for Apache OpenOffice - Develop within the main OpenOffice platform (yes, it is open): - Mostly C++

162 views • 12 slides
Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a

Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a

Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a datasource, producing a single or separate documents Datasource includes databases and spreadsheets Also used to generate labels and envelopes

345 views • 17 slides
. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by

. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by

. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by Olivier Bilodeau $ apropos Statically linked stripped ELF challenges Moose DNA (description) Moose Herding (the Operation) A Strange Animal Latest

727 views • 55 slides
The raise of Social Assistance in sub-Saharan Africa Miguel Nio-Zaraza, UNU-WIDER Background

The raise of Social Assistance in sub-Saharan Africa Miguel Nio-Zaraza, UNU-WIDER Background

The raise of Social Assistance in sub-Saharan Africa Miguel Nio-Zaraza, UNU-WIDER Background Over the past two decades, social assistance has emerged as a new welfare paradigm in the fight against poverty and vulnerability in the

280 views • 24 slides
Embedded Systems Intro to the Arduino Laboratory for Perceptual Robotics Department of

Embedded Systems Intro to the Arduino Laboratory for Perceptual Robotics Department of

Embedded Systems Intro to the Arduino Laboratory for Perceptual Robotics Department of Computer Science Arduino Uno www.arduino.cc &gt; Learning &gt; Getting started 1. Digital pins - Use these pins with digitalRead(), digitalWrite(),

67 views • 3 slides
bkura@uno.edu Ph.: 504-280-6572; Cell: 504-390-9405 June 1, 2015 1 Outline Welcome

bkura@uno.edu Ph.: 504-280-6572; Cell: 504-390-9405 June 1, 2015 1 Outline Welcome

Bhaskar Kura, Ph.D., P.E. Professor and Chairman of Civil &amp; Environmental Engineering Director, Maritime Environmental Resources &amp; Information Center (MERIC) Engineering Building, EN 810 bkura@uno.edu Ph.: 504-280-6572; Cell:

585 views • 10 slides
Understanding Performance Bottleneck to Improve Parallel Efficiency of Louvain Algorithm Naw

Understanding Performance Bottleneck to Improve Parallel Efficiency of Louvain Algorithm Naw

P D S W- D I S C S 2 0 1 9 : 4 t h Jo i n t I n t e r n a t i o n a l Wo r k s h o p o n Pa r a l l e l D a t a S t o r a g e &amp; D a t a I n t e n s i v e S c a l a b l e C o m p u t i n g S y s t e m s Understanding Performance

273 views • 9 slides
Qduino: A Multithreaded Arduino System for Embedded Computing Zhuoqun Cheng, Ye Li, Richard West

Qduino: A Multithreaded Arduino System for Embedded Computing Zhuoqun Cheng, Ye Li, Richard West

Qduino: A Multithreaded Arduino System for Embedded Computing Zhuoqun Cheng, Ye Li, Richard West Computer Science Background Many Robotics, Internet of Things, Home Automation applications have been developed recently Perform complicated

609 views • 34 slides

More recommend