CS 443 Semester project
Spring, 2007

Important dates:
March 23: part I due
April 26: part II due
April 26-27: in class project presentations

This project is to be done in groups of 3-4 students.

The goal of the assignment is to develop a software security tool that examines binaries for security flaws. The analysis can be both static and dynamic. That is, the tool you develop can analyze a binary statically, by scanning through the object code, or dynamically, by running the code and instrumenting it.

Part I - survey report
------

This part of the project is due on March 23. Your assignment is to research all of the important previous work on object code analysis. Look for papers on static analysis, running the programs in virtual machines, fault injection, and any other techniques you can find. Produce a comprehensive survey paper describing all of the previous techniques, focusing especially on tools, both research and commercial. You will be graded on the quality of your coverage - how many systems you find, and the quality of your description and comparison. A feature comparison chart, for example, would be a great thing to include in your survey. Be sure to conclude with what the current state of the art is for binary code analysis and where you think future systems and tools might go.

There is no length requirement for this paper. Make it as long as it needs to be, but no longer. Be sure to include a comprehensive bibliography. Turn in a hard copy of the report.

Part II - your tool
-------

For this part of the project, your group must develop a tool for finding security flaws and vulnerabilities, given only a binary. Assume that you do not have access to the source code. Your tool can be a combination of new tools, and it may be designed to be used in conjunction with a human analyst. You may integrate existing tools into your solution, but be sure to clearly document what is your contribution and what you are using off the shelf.
Be sure to include any off the shelf tools on the CD you turn in. In all likelihood, you will need to focus on a particular platform, although that is not a requirement of the assignment. The tool should come with well documented instructions for installation and use.

In addition to developing the tool, you must demonstrate it. Pick a well known vulnerable program. For example, find an old version of a program with a well documented vulnerability, such as one in a CERT advisory, and show how your tool discovers the vulnerability. You will receive significant extra credit if you can also discover a new, previously unknown vulnerability in a widely used program using your tool; such projects will likely lead to a responsible disclosure that I will work with you to achieve, and possibly to a research publication. If at any time you discover a serious security flaw that was previously unknown, please tell me about it right away.

Part II is due at the beginning of class on April 26. April 26 and 27 will be project presentation days, and each group will present their tool and their findings to the class.
You should turn in a CD with the following:
- code listing and development/installation environment for your tool
- installation and user manual for your tool
- a description of the capabilities of the tool: which vulnerabilities it focuses on, and which it does not address
- a description of the techniques you used to achieve the tool's capabilities
- the binaries that were analyzed
- any off the shelf tools or systems you used (if applicable)
- trace of a session with your tool demonstrating its capabilities; make sure the trace run can be easily reproduced by the TAs on the binaries
- report describing the known vulnerability and how your tool discovered it
- report describing any new vulnerabilities discovered with your tool
- a brief report on "future work" - how the tool could be improved

Grading:
Survey paper: 25 points
-------
Ease of installation of tool: 5 points
Overall quality and creativity of the tool at finding security flaws: 25 points
Versatility of the tool (different kinds of flaws it finds): 10 points
Ease of use of the tool: 5 points
Demonstration of a known vulnerability: 15 points
Quality of the reports: 10 points
Quality of presentation: 10 points
-------
Extra credit: Finding a previously unknown vulnerability: 10-30 points at grader discretion