Syllabus - CSE 598 "Applied Vulnerability Research" Fall 2024

Course Info

Course Numbers: CSE 598 (87602)
Meeting Times: Wednesdays, 4:30pm--7:15pm (PSH 152)
Course Discord: Join the pwn.college discord

Instructors

Instructor: Prof. Adam Doupé aka adamd
Email: doupe@asu.edu
Office: BYENG 472
Office Hours: TBA.

TAs

TBA

Course Description

Cybersecurity is taught on a mostly theoretical level, but real-world Security Researchers are expected to operate in the practical realm. This course attempts to bridge the gap between theory and practice by tackling similar problems, albeit on a slightly smaller scale, as researchers in world-class industry security labs.

The inspiration for the course are Vulnerability Research labs such as Google Project Zero, CISCO Talos, and Theori. Throughout the course, we will explore, in a hands-on way, the following topics in Vulnerability Research:

Target Selection: We will discuss what makes for a good target for Vulnerability Research, how to identify a good target, and legalities.

Target Recon: We will discuss how to understand a given target and how to reverse engineer a target.

Analysis Planning: We will discuss how to analyze a target, what techniques can be used, and how to map a technique to a target.

Vulnerability Detection: We will discuss how to identify and triage vulnerabilities in a target.

Proof-of-Concept Development: We will discuss how to verify that a potential vulnerability exists by creating a Proof-of-Concept that triggers an identified vulnerability.

Exploit Development: We will discuss how to turn a discovered vulnerability, or several vulnerabilities, into an exploit to achieve our goals.

Responsible Disclosure: We will discuss what CVEs are used for, why CVEs are important, and how to responsibly disclose vulnerabilities to the target maintainers.

Each iteration of this course will cover a unique set of software targets with unique analysis and exploitation challenges, and can vary in how the material is covered.

Iteration-specific Description

In Fall 2024, the whole class will focus on Apple's XNU operating system, which is the core OS kernel that runs MacOS, iOS, iPadOS, watchOS, visionOS, and tvOS.

Through demanding hands-on modules that will be hosted on the pwn.college platform, we will study the XNU kernel, several vulnerability classes in XNU, how exploitation works in XNU, and historical vulnerabilities and exploitation techniques.

By the end of this course, students should have the knowledge and skills to identify and exploit vulnerabilities on the XNU kernel.

Prerequisites

This course will be very challenging, and students are expected to learn some of the necessary technologies on their own time.

A successful completion of CSE 466 or the equivalent knowledge is critical to success in this course.

Specifically, students are expected to know the following:

• Extensive knowledge of x86_64 writing and reverse engineering (knowledge of ARM is a plus).
• Extensive proficiency in writing x86_64 shellcode under advanced constraints.
• Extensive proficiency in writing C programs, with ease of writing C programs to talk to device drivers.
• Extensive proficiency in reading C programs, on the order of complexity as a real Operating System kernel.
• Proficiency debugging running OS kernels in gdb (we will use lldb).
• Expertise with the causes and effects of memory errors in software, and the resulting potential for program exploitation.
• Significant experience with advanced exploitation techniques, including control-flow hijacking, heap metadata corruption, return oriented programming, and race conditions.

Recommended Textbook

There is no recommended textbook for this course. Any reading material assigned will be from publicly-available sources on the Internet, such as the XNU .

However, if you wish to purchase books for this course, the following are good (although quite out-of-date):

Jonathan Levin, ^*OS Internals, Volume I User Mode, Volume II Kernel Mode, and Volume III Security & Insecurity.

Course Communication

All announcements and communications for the class will take place on the discord, with announcements in the #announcements public channel and discussion in the #text class-specific channel. Students are required to be on this discord.

Student may use the discord to ask questions or clarifications, and the TA, Instructor, or other students can answer. Note that sharing full solution scripts or answers is expressly prohibited, but otherwise, collaboration on the way to the solution is allowed.

Questions may be directly messaged to the instructors.

Name	Discord Handle
Adam Doupé	adamd

Before directly messaging your question, please consider asking it on the discord instead. This way, the entire class will benefit from your question.

Office Hours

Remote office hours will be held weekly via Twitch. All students are encouraged to attend office hours.

Course Role	Name	Office Hours
Instructor	Adam Doupé	TBA

Assignments

Assignments only, no exams or quizzes.

Students performance will be evaluated on between 7 and 14 homework equally weighted assignments (the modules), where each assignment will consist of between 10 and 100 challenge problems.

Challenge-based assignments with flags as rewards.

Each assignment will consist of a large amount of varied, but related challenges, and will be live for between one and two weeks. Solving these challenges may require the use or implementation of fairly complex hacking tools. Solving each individual challenge will grant a challenge-specific passcode, called a "flag". The maximum number of flags possible to score for an assignment is equal to the maximum number of challenges in the assignment.

The existence of flags means that there is no wrong way to solve a challenge. If you tricked the challenge into giving you the valid flag, good job.

Extra credit: Helping Others

We have recruited the help of a reputation bot on the discord. Whenever you get thanked by a student in a public discord channel, the reputation bot will react with a thanks emoji and log the interaction. Extra credit for receiving thanks is logarithmic (5 * log_50_(thanks)), for up to 5% extra credit at 50 thanks received. Additionally, Instructors or TAs can flag a forum post as a "good question". Each "good question" will contribute to the thanks count.

Collaboration Policy

Collaboration is highly encouraged in this course. However, there is a delicate balance between being excessively helpful, and learning. The purpose of course collaboration is understanding concepts. As such, questions and answers should be focused on concepts, and not how to solve challenge X.

The challenges explore important concepts, and so it is fine to discuss the challenges. However, you may not discuss full or significant portions of a challenge's solution. Furthermore, you may not intentionally solve challenges as a group. The assignments must still be solved individually.

Feel free to discuss ideas important to the challenge, or tools which may be useful.

If there is any confusion, just ask! We try to assume good intentions, but egregious violations are an academic integrity violation.

Extra credit: Memes

Are you a meemer? Meme, and earn grades! If you post an on-topic meme in the #memes channel and we emoji-react to acknowledge it, you will get 0.5% extra credit, to your final grade, per week. In order to foster a good learning community, and encourage creative thinking around the material, you may receive extra credit each week for sharing educational memes in the course discord. It is important to note that memes must be relevant, educational, and non-offensive. No excessively spicy memes please. The course discord bot will acknowledge credited memes with a "good_meme" emoji if the meme is approved by the course staff. Good memes might be reviewed in class. Meme extra credit will be at most 3% of your grade.

More Extra Credit: Bug Bounty Program

Any responsibly-disclosed serious security issues in course infrastructure will earn an extra 1 to 25 "bug bounty" percentage points to their final grade, depending on the severity of the issue. Blatantly spurious reports may earn a negative percentage report of up to -5 percentage points. Allowances will be made for honest mistakes leading to a spurious bug bounty filing, but please don't waste our time on purpose.

Final Grade Calculation

The final grade will be calculated by averaging the grades of each homework assignment, equally weighted, then adding extra credit. Percentages will be translated to letter grades with the following initial cutoffs:

Percentage Grade	Letter Grade
>= 100	A+
>= 93	A
>= 90	A-
>= 88	B+
>= 83	B
>= 80	B-
>= 78	C+
>= 70	C
< 70	E

With the exception of the cutoff for A+, these cutoffs can be curved downward in the event that students do worse than expected.

Special Accommodations

Students requesting disability accommodations should register with the Disability Resource Center (DRC) and present the instructor with appropriate documentation from the DRC.

Plagiarism and Cheating

Plagiarism or any form of cheating in assignments or projects is subject to serious academic penalty. To understand your responsibilities as a student read: ASU Student Code of Conduct and ASU Student Academic Integrity Policy. There is a zero tolerance policy in this class: any violation of the academic integrity policy will result in a zero on the assignment and the violation will be reported to the Dean’s office. Plagiarism is taken very seriously in this course.

Examples of academic integrity violations include (but are not limited to):

• Sharing code with a fellow student (even if it’s only a few lines).
• Collaborating on code with a fellow student (unless explicitly allowed).
• Using another student's solution to solve a challenge and get a flag.
• Sharing a flag with another student (NEVER ALLOWED UNDER ANY CIRCUMSTANCES).

Posting your assignment solutions online is expressly forbidden, and will be considered a violation of the academic integrity policy. Note that this includes working out of a public Github repository. The Github Student Developer Pack provides unlimited private repositories while you are a student, making it easy to begin with a private GitHub repository.

Syllabus Update

Information in the syllabus may be subject to change with reasonable advance notice and an announcement on discord.

Misc

Syllabus copyright 2024 Adam Doupé, along with all lectures and course-related written materials. During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course. Be reasonable.

Title IX is a federal law that provides that no person be excluded on the basis of sex from participation in, be denied benefits of, or be subjected to discrimination under any education program or activity. Both Title IX and university policy make clear that sexual violence and harassment based on sex is prohibited. An individual who believes they have been subjected to sexual violence or harassed on the basis of sex can seek support, including counseling and academic support, from the university. If you or someone you know has been harassed on the basis of sex or sexually assaulted, you can find information and resources at https://sexualviolenceprevention.asu.edu/faqs.

As a mandated reporter, I am obligated to report any information I become aware of regarding alleged acts of sexual discrimination, including sexual violence and dating violence. ASU Counseling Services, https://eoss.asu.edu/counseling, is available if you wish discuss any concerns confidentially and privately.