Reverse Engineering for Security Analysis (Wintersemester 2023/2024)

Dozent: Dr. Jiska Classen (Cybersecurity - Mobile & Wireless)

Allgemeine Information

• Semesterwochenstunden: 4
• ECTS: 6
• Benotet: Ja
• Einschreibefrist: 01.10.2023 - 31.10.2023
• Prüfungszeitpunkt §9 (4) BAMA-O: 30.01.2024
• Lehrform: Seminar
• Belegungsart: Wahlpflichtmodul
• Lehrsprache: Englisch
• Maximale Teilnehmerzahl: 6

Studiengänge, Modulgruppen & Module

Beschreibung

This seminar consists of two parts:

1. An introduction to security analysis and reverse engineering (approximately three classic lectures).
2. A security research project, which will be graded.

The security research project can be done individually or in small groups (up to four students). Each group chooses a real-world target. Targets must be legal to reverse-engineer in the context of security research. Many companies offer bug bounty programs that explicitly allow reverse engineering, such as Apple and Microsoft. In case vulnerabilities are found, students coordinately disclose them to the vendors, thereby improving the security of popular software. Instead of reverse engineering a particular target, students can also choose to develop reverse engineering tools.

Students are free to choose their security research method. If applicable, they can use fuzzing and even collaborate with students from the course Open-Source Fuzzing. While fuzzing is generally great for finding memory safety issues, there are further bug classes that require other approaches.

Voraussetzungen

Students should be proficient in the programming language of the target they choose. A strong programming background in a low-level programming language, such as C, is required. Students should be familiar with the underlying concepts of programming languages, such as pointers and registers. Having seen Assembly before is a plus, even though modern reverse engineering tools provide good decompilation and not only disassembly.

Basics on reverse engineering are part of the lectures accompanying the seminar. Depending on the target, tools to be used include Ghidra, jadx, Frida, debuggers, etc. 

Leistungserfassung

Grading is based on the projects. Since there is no guarantee of finding vulnerabilities in real-world software, grading will consider the quality of the results. Grading will be based on the following deliverables:

• Project proposal (10%)
• Regular demonstration of the progress in the form of multiple mid-term presentations (60%)
• The final presentation of the results (30%)

Grading the mid-term and final results includes quality of code and results, overall progress, and presentation style. PDFs of presentation slides must be handed in a day before each presentation date.

Source code created during the seminar will be open-sourced under the MIT license or a license compatible with extended projects (e.g., Apache, GPL).

Termine

Kickoff: October 19, 15:15, room HE.51/52.

The course is organized via Moodle.

Should there be more than 6 students who would like to attend this seminar, everyone can indicate their interest until October 22nd. Students will then be selected during the second lecturing week.

Details for this process will be announced in the kickoff, and only if there are more than 6 students. Please do not apply before.

Zurück