Course Project

COMS E6998-9

 

In this project you will explore some of the topics we have covered (or will cover) in class in a more in-depth way. You will have just over a month to work on your project. Grading will be based on project reports and a project presentation done in class. The project will consist of four deliverables:

· A one-page project proposal that describes your project, lists your team members (if you choose to work in a group of 2), and talks about your motivation for pursuing this topic. Project proposals should have already been submitted. You may pick any topic we have discussed in class related to secure software development. I’ve included a potential list of projects below. To schedule a time to talk by phone or in person, send an email with “Schedule” in the subject line to hthompson@cs.columbia.edu. Once your project proposal is submitted, I will provide feedback on your topic and project scope by email.

· A two-page project status report that is due by email by 11:00PM on April 13th.

· A 10-15 minute presentation of your project findings that will be scheduled during class in late April.

· A final project report due the first week in May. This report presents detailed results of your findings. For some projects this may include code/binaries as well as the written report.

A list of possible topics is provided below. If you elect to do a team project, you can have a maximum of 2 team members (in some cases a team of 3 can be approved).

Topic 1: Buffer Overflow Exploitation Analysis: Take a popular open-source cross-platform application (Apache, Firefox, etc.) and look up a buffer overflow vulnerability reported in 2009 or 2010 (do not use a vulnerability reported in 2011). Make sure the vulnerability exists on both Linux and Windows builds of the application. Do a survey of available buffer overflow exploitation techniques (return to libc, exception handler address overwrites, stack smashing, etc.). For individual projects, write a well-documented and benign proof of concept exploit for that vulnerability that launches a text editor on Windows 7 and the latest version of Ubuntu Linux. Describe your results, stumbling blocks, etc. Describe the key differences in buffer overflow defenses of these platforms based on your results.

Topic 2: Fuzzing: Do a review of fuzzing techniques to uncover buffer overflow vulnerabilities. Write a fuzzer (that runs on Windows) which corrupts files (in an effort to uncover buffer overflow vulnerabilities) and passes these files to the application under test as a command line parameter. The tool should then monitor the application for exceptions and report results. You may build on an existing open-source fuzzer (provided that you document the code you use and your use of it complies with licensing requirements). Discuss the benefits/limitations of the approach you used. Run an experiment using your fuzzer on an old (released before 2009) version of a popular open-source application and discuss results.

Topic 3: Social Networks and Security: Do an analysis of Open Source Intelligence (OSINT) tools such as Exomind that correlate information about individuals and companies. Specifically, how do these tools/techniques and the mass availability of information online change the environment of software security? What does it mean for standard password reset schemes that rely on biographical information? How about the future of spear phishing attacks? A detailed survey of tools and existing research would be an important part of such a project.

Additional topics: You can also propose your own project in areas such as: reverse engineering, Java-specific vulnerabilities, defensive coding techniques, security testing, etc. Topics will be approved based on the description you provide in the Project Proposal described above.