Reverse Engineering for Security Analysis (Wintersemester 2023/2024)

Lecturer: Dr. Jiska Classen (Cybersecurity - Mobile & Wireless)

General Information

Weekly Hours: 4
Credits: 6
Graded: yes
Enrolment Deadline: 01.10.2023 - 31.10.2023
Examination time §9 (4) BAMA-O: 30.01.2024
Teaching Form: Seminar
Enrolment Type: Compulsory Elective Module
Course Language: English
Maximum number of participants: 6

Programs, Module Groups & Modules

IT-Systems Engineering MA

ISAE: Internet, Security & Algorithm Engineering
- HPI-ISAE-K Konzepte und Methoden
ISAE: Internet, Security & Algorithm Engineering
- HPI-ISAE-T Techniken und Werkzeuge
ISAE: Internet, Security & Algorithm Engineering
- HPI-ISAE-S Spezialisierung

Data Engineering MA

Digital Health MA

Cybersecurity MA

SECA: Security Analytics
- HPI-SECA-K Konzepte und Methoden
SECA: Security Analytics
- HPI-SECA-T Techniken und Werkzeuge
SECA: Security Analytics
- HPI-SECA-S Spezialisierung
CYAD: Cyber Attack and Defense
- HPI-CYAD-K Konzepte und Methoden
CYAD: Cyber Attack and Defense
- HPI-CYAD-T Techniken und Werkzeuge
CYAD: Cyber Attack and Defense
- HPI-CYAD-S Spezialisierung

Software Systems Engineering MA

Description

This seminar consists of two parts:

An introduction to security analysis and reverse engineering (approximately three classic lectures).
A security research project, which will be graded.

The security research project can be done individually or in small groups (up to four students). Each group chooses a real-world target. Targets must be legal to reverse-engineer in the context of security research. Many companies offer bug bounty programs that explicitly allow reverse engineering, such as Apple and Microsoft. In case vulnerabilities are found, students coordinately disclose them to the vendors, thereby improving the security of popular software. Instead of reverse engineering a particular target, students can also choose to develop reverse engineering tools.

Students are free to choose their security research method. If applicable, they can use fuzzing and even collaborate with students from the course Open-Source Fuzzing. While fuzzing is generally great for finding memory safety issues, there are further bug classes that require other approaches.

Requirements

Students should be proficient in the programming language of the target they choose. A strong programming background in a low-level programming language, such as C, is required. Students should be familiar with the underlying concepts of programming languages, such as pointers and registers. Having seen Assembly before is a plus, even though modern reverse engineering tools provide good decompilation and not only disassembly.

Basics on reverse engineering are part of the lectures accompanying the seminar. Depending on the target, tools to be used include Ghidra, jadx, Frida, debuggers, etc.

Examination

Grading is based on the projects. Since there is no guarantee of finding vulnerabilities in real-world software, grading will consider the quality of the results. Grading will be based on the following deliverables:

Project proposal (10%)
Regular demonstration of the progress in the form of multiple mid-term presentations (60%)
The final presentation of the results (30%)

Grading the mid-term and final results includes quality of code and results, overall progress, and presentation style. PDFs of presentation slides must be handed in a day before each presentation date.

Source code created during the seminar will be open-sourced under the MIT license or a license compatible with extended projects (e.g., Apache, GPL).

Dates

Kickoff: October 19, 15:15, room HE.51/52.

The course is organized via Moodle.

Should there be more than 6 students who would like to attend this seminar, everyone can indicate their interest until October 22nd. Students will then be selected during the second lecturing week.

Details for this process will be announced in the kickoff, and only if there are more than 6 students. Please do not apply before.

Zurück