News

MAID Exam Results in CMS

Written on 12.04.19 by Christian Rossow

Thanks to an enormous effort of your tutor, the MAID exam has already been corrected. Good news: All exam participants have passed! Note that we had to withdraw the IDS task, as you were not able to answer the questions based on the material covered in the MAID lecture (mea culpa). The maximum number of points in the exam is thus 80 pts instead of 90 pts. Overall MAID grade distribution (16 people passed, new record!):

You can view your grade in CMS under Final Results (Exam 1) (mixed exam and project, each 50%), and can inspect your points for exam subtasks under Exam 1. The exam inspection will be on Tue 10:00 - 11:00 am in room 0.06 of CISPA (E9 1).

MAID Exam Details

Written on 01.04.19 by Christian Rossow

We have received 17 registrations for the MAID exam. The exam will be on Thursday (April 4) in HS002 (E1 3) and last 90 min from 10-11:30. We'll start at 10am sharp. Please arrive 15 min earlier such that we can place your seats.

The written exam will be for pen and paper only. It is not allowed to bring any books and/or calculators. We will have one printed copy of the Intel Instruction Set Reference available that you can use to look up instruction details (in emergency situations, given that it's just one copy). Having said this: If you want to solve the exam on time, you should know the instruction semantics by heart.

MAID Exam Registration

Written on 18.03.19 by Christian Rossow

Alice,

You did a fabulous job. We received 19 submissions, out of which 17 are of sufficient quality (>= 50 points) to proceed with the exam. You can inspect your personal project score in CMS. More feedback will be shared upon request via email to your favorite MAID tutor (s8sewall@stud.uni-saarland.de). Please do not forget to register to (and prepare for) the exam by March 28.

Bernd

Guidance for MAID Reports

Written on 04.02.19 by Christian Rossow

Dear Alice,

About 4 weeks to go until the final submission deadline for your MAID report. You may start to wonder about the report itself. We would like to give you some ideas on what level of detail and what contents we expect from you in this document.

Please note that the reports make up 50% of your overall project grade. This means that we do not only expect correct results and an annotated reversing database for each project, but also a detailed (yet concise) description of the technical workings. Put serious effort into the reports. Past experience has shown that you will lose points mainly because the report lacks findings, rather than because you submitted wrong solutions.

For each project, this means the following:

  • p2png: We expect that you document the P2P protocol in such detail that it shows you have understood how the network works. This includes bootstrapping the network, the types of exchanged messages, message formats, encryption, and peering details. You should also describe how you identified the peers, and what challenges needed to be solved first.
  • ransomware: We are obviously interested in the en-/decryption routine, but also in the core technical details of the obfuscation engine. How on earth did it work, why, and why so complex?
  • RAT: Please describe dat evil RAT, but in particular, also highlight how a Suricata module helps to detect it (and also explain why standard rules are insufficient).

Good luck!
Bernd

New p2png version: please upgrade!

Written on 11.01.19 (last change on 11.01.19) by Christian Rossow

Dear Alice,

Bad news on the horizon: Left-wing populists have discovered severe flaws in our p2png implementation, which made it trivial for everyone to identify all party members. We were just forced to release a new version of p2png (p2png.v2) that mitigates this trivial vulnerability and makes peer discovery much harder. You can download the new binary here. p2png.v2 is largely the same binary as the previous one, we just had to change one constant and add one check. Note that the default port was updated to 13337 (which, obviously, is significantly more leet than 1337). Furthermore, all existing peers updated their software and changed their addresses. Please make sure that your assignment solution is based on this particular binary. Given the trivial solution of the old version, p2png solutions that were created before today will be invalid.

I can totally feel your pain. But wait! Normally, a new binary would have meant that your reversing efforts completely start from scratch, as you'd need to start a new IDA database. Yet, we spent a significant amount of time to create an in-line patch that, luckily, leaves code offsets and everything else in place. You can apply this patch to your IDA database and continue working on your existing IDB. To be on the safe side, make sure to make a copy of your database before applying the script.

To cope with this extra burden, we will grant you two things:
 a) The submission deadline will be extended by 4 days to March 4 23:59 CET.
 b) We will give bonus points if you describe in your report how we fixed what problem.
 
Happy reversing,
Bernd

MAID News

Written on 12.12.18 by Christian Rossow

Please note a few things:

  • The PCAP for MAID Challenge #3 is now available.
  • Tomorrow will include a hands-on session to introduce IDA. If you can, please bring a laptop with IDA (https://www.hex-rays.com/products/ida/support/download_freeware.shtml) and the IDA-demo binary (see Materials section in CMS). Unfortunately we won't have room capacities to offer you workstations; we'll aim to arrange partner work tomorrow in case you lack your own laptop.
  • Some of you wondered what to do in case of questions about the projects. Note that it is fully OK if you discuss questions among each other, unless you reveal solutions to others; this includes posting non-sensitive questions to Askbot. In case of doubt, or in case you have a critical question that reveals part of the solution, please send me an email directly (rossow@cispa.saarland). Note that your tutor has to solve the challenges himself and thus won't be able to help you out.

MAID Challenges Are Live

Written on 10.12.18 by Christian Rossow

Alice,

Get your VPN started and let the show begin! http://10.8.0.1/

Good luck,

Bernd

PS: The PCAP that is required to solve challenge #3 will be released by the end of this week at the latest. In the meantime: happy reversing.

MAID Lecture and Tutorials on Thu Dec 13

Written on 10.12.18 by Christian Rossow

We will have a final MAID lecture on Thu, Dec 13. It will be very hands-on, giving you a quick demo of how to use a disassembler. Furthermore, we will hand out the course evaluation forms. And: We will have tutorials as usual, discussing two exercise sheets on Control Flow Graphs and Code Optimizations (see CMS).

MAID Lecture Nov 8 at 10:00 s.t. (sharp)

Written on 07.11.18 by Christian Rossow

Gentle reminder: Tomorrow's (and all other subsequent) lecture(s) will start at 10:00 sharp to accommodate the tutorial sessions in the afternoon.

The exercise sessions will start tomorrow in the following rooms:

  • Thu 12:30-14:00: SR 007 in E2 1 (Bioinformatics building)
  • Thu 14:15-16:00: SR 015 in E1 3 (CS building)

The first exercise sheet is available in CMS. We will do this sheet live during the tutorials. There is no need for any preparation other than a recap of what was discussed in the lectures.

MAID Lecture Wed 31.10. (Tomorrow) 10-12

Written on 30.10.18 by Christian Rossow

This is a gentle reminder for the out-of-band MAID lecture that we will have tomorrow, Wed 31.10. 10-12 in HS001. We will be back to normal schedule starting next week. Tutorials will start next week, too.

Tutorial Slots Assigned

Written on 22.10.18 by Christian Rossow

We've just assigned you to the two Thursday tutorials (12:30 / 14:15) according to your preferences. Tutorials will start on Nov 8th. From Nov 8th onward, the lecture will also start 10:00 sharp, such that everyone has sufficient time to have lunch from 11:30-12:30.

There is no need to prepare anything for most tutorials. We will hand out exercises in the tutorial session, and solve them live.

Change of Schedule for Next Two Lectures

Written on 21.10.18 by Christian Rossow

As indicated in the CMS outline, we'll have to reschedule the lectures of the upcoming week and the week thereafter. The next two lectures will be Mon 22.10. 14-16 (tomorrow!) and Wed 31.10. 10-12 in our usual lecture room (HS001). We'll be back to normal Thu 10-12 starting Nov 8.

Gentle reminder: You can choose your tutorial preferences until tonight (23:59).

Select your tutorial preferences

Written on 18.10.18 by Christian Rossow

We've added three potential tutorial slots in CMS, out of which we'll choose ideally one (and max two):

  • Wed 10-12
  • Thu 12-14 (incl. lunch break: lecture would be 10:00-11:30, and exercises from 12:30-14:00)
  • Thu 14-16

Please select your availability in CMS by Sunday: https://cms.cispa.saarland/maid1819/

Note: It'll be tough to find a good time slot, so please specify as many slots as you can to enable a good (and solvable) assignment.

In CMS, you'll also be able to find the slides and (soon) exercise sheets.

MAID starts on Thu 10:00

Written on 17.10.18 by Christian Rossow

If you receive this email your registration to MAID was successful. We will welcome you on Thu 10am (c.t.) in HS001 (E1 3).


Malware Analysis and Intrusion Detection

MAID will basically teach you the various skills that you require for reverse engineering malware, that is, understanding its inner workings without having access to its source code. We will dive deep into Intel x64 assembly (mostly 64-bit), look at how to understand the higher-level semantics of low-level assembly code, cover methodologies commonly found in malware (e.g., obfuscation, C&C communication), and learn various malware analysis techniques (e.g., control flow graphs, symbolic execution, dynamic analysis). While we will also cover intrusion detection, this topic will only be a small subpart of the entire lecture.

Register by Mon, Oct 15. Attendance is limited to 40 students. We will give preference to Master students and BSc students in their fifth (or higher) semester in case more than 50 students sign up. We will announce the final attendee list by Tue, Oct 16.

WARNING: If you are searching for an easy course, be advised and do not take this one. Despite the fact that we will have fewer lectures than an average advanced lecture, the course projects are serious work and significantly exceed the small projects you may know from other lectures. We planned the project work specifically such that you won't feel bored over Christmas and in the semester break in February. Reconsider attending if you take other intensive courses during the same semester. This warning is no bullshit: Previous editions have shown that only about 25% of the initial students will finish this lecture. But if you do, it will be super fun.

Timeline and Content

  • Thu 18.10.: Introduction + Assembly 101
  • Mon 22.10. 14:15-15:45: Assembly 101
  • Wed 31.10. 10:15-11:45: Assembly 101
  • Thu 08.11. 10:00 sharp: Assembly Data Structures
  • Thu 15.11. 10:00 s.t.: Control Flow Graphs, Code Optimizations + Dynamic Analysis
  • Thu 22.11. 10:00 s.t.: Obfuscation + Packing
  • Thu 29.11. 10:00 s.t.: Malware / Botnets
  • Thu 06.12. 10:00 s.t.: Intrusion Detection
  • Thu 13.12. 10:00 s.t.: IDA Hands-on Session