News
MAID Exam Results in CMSWritten on 12.04.19 by Christian Rossow Thanks to an enormeous effort of your tutor, the MAID exam has already been corrected. Good news: All exam participants have passed! Note that we had to withdraw the IDS task, as you were not able to answer the questions based on the material covered in the MAID lecture (mea culpa). The maximum number… Read more Thanks to an enormeous effort of your tutor, the MAID exam has already been corrected. Good news: All exam participants have passed! Note that we had to withdraw the IDS task, as you were not able to answer the questions based on the material covered in the MAID lecture (mea culpa). The maximum number of points in the exam is thus 80 pts instead of 90 pts. Overall MAID grade distribution (16 people passed, new record!):
You can view your grade in CMS under Final Results (Exam 1) (mixed exam and project, each 50%), and can inspect your points for exam subtasks under Exam 1. The exam inspection will be on Tue 10:00 - 11:00 am in room 0.06 of CISPA (E9 1). |
MAID Exam DetailsWritten on 01.04.19 by Christian Rossow We have received 17 registrations for the MAID exam. The exam will be on Thursday (April 4) in HS002 (E1 3) and last 90 min from 10-11:30. We'll start at 10am sharp. Please arrive 15 min earlier such that we can place your seats. The written exam will be for pen and paper only. It is not allowed to… Read more We have received 17 registrations for the MAID exam. The exam will be on Thursday (April 4) in HS002 (E1 3) and last 90 min from 10-11:30. We'll start at 10am sharp. Please arrive 15 min earlier such that we can place your seats. The written exam will be for pen and paper only. It is not allowed to bring any books and/or calculators. We will have one printed copy of the Intel Instruction Set Reference available that you can use to look up instruction details (in emergency situations, given that it's just one copy). Having said this: If you want to solve the exam on time, you should know the instruction semantics by heart. |
MAID Exam RegistrationWritten on 18.03.19 by Christian Rossow Alice, You did a fabulous job. We received 19 submissions, out of which 17 are of sufficient quality (>= 50 points) to proceed with the exam. You can inspect your personal project score in CMS. More feedback will be shared upon request via email to your favorite MAID tutor… Read more Alice, You did a fabulous job. We received 19 submissions, out of which 17 are of sufficient quality (>= 50 points) to proceed with the exam. You can inspect your personal project score in CMS. More feedback will be shared upon request via email to your favorite MAID tutor (s8sewall@stud.uni-saarland.de). Please do not forget to register to (and prepare for) the exam by March 28. Bernd |
Guidance for MAID ReportsWritten on 04.02.19 by Christian Rossow Dear Alice, About 4 weeks to go until the final submission deadline for your MAID report. You may start to wonder about the report itself. We would like to give you some ideas on what level of detail and what contents we expect from you in this document. Please note that the reports make up 50%… Read more Dear Alice, About 4 weeks to go until the final submission deadline for your MAID report. You may start to wonder about the report itself. We would like to give you some ideas on what level of detail and what contents we expect from you in this document. Please note that the reports make up 50% of your overall project grade. This means that we do not only expect correct results and annotated reversing database for each project, but also a detailed (yet concise) description of the technical workings. Put serious efforts in the reports. Past experience has shown that you will loose points mainly because the report lacks findings, rather than submitting wrong solutions. For each project, this means the following:
Good luck! |
New p2png version: please upgrade!Written on 11.01.19 (last change on 11.01.19) by Christian Rossow Dear Alice, Bad news on the horizon: Left-wing populists have discovered severe flaws in our p2png implementation, which made it trivial for everyone to identify all party members. We were just forced to release a new version of p2png (p2png.v2) that mitigates this trivial vulnerability and makes… Read more Dear Alice, Bad news on the horizon: Left-wing populists have discovered severe flaws in our p2png implementation, which made it trivial for everyone to identify all party members. We were just forced to release a new version of p2png (p2png.v2) that mitigates this trivial vulnerability and makes peer discovery much harder. You can download the new binary here. p2png.v2 is largely the same binary as the previous one, we just had to change one constant and add one check. Note that the default port was updated to 13337 (which, obviously, is significantly more leet than 1337). Furthermore, all existing peers updated their software and changed their addresses. Please make sure that your assignment solution is based on this particular binary. Given the trivial solution of the old version, p2png solutions that were created before today will be invalid. I can totally feel your pain. But wait! Normally, a new binary would have meant that your reversing efforts completely start from scratch, as you'd need to start a new IDA database. Yet, we spent significant amount of time to create an in-line patch that, luckily, leaves code offsets and everything in place. You can apply this patch to your IDA database and continue working on your existing IDB. To be on the safe side, make sure to make a copy of your database before applying the script. To cope with this extra burden, we will grant you two things: |
MAID NewsWritten on 12.12.18 by Christian Rossow Please note a few things:
Please note a few things:
|
MAID Challenges Are LiveWritten on 10.12.18 by Christian Rossow Alice, Get your VPN started and let the show begin! http://10.8.0.1/ Good luck, Bernd PS: The PCAP that is required to solve challenge #3 will be released latest by the end of this week. In the meanwhile: happy reversing. |
MAID Lecture and Tutorials on Thu Dec 13Written on 10.12.18 by Christian Rossow We will have a final MAID lecture on Thu, Dec 13. It will be very hands-on, giving you a quick demo how to use a disassembler. Furthermore, we will hand out the course evaluation forms. And: We will have tutorials as usual, discussing two exercise sheets on Control Flow Graphs and Code Optimizations (see CMS). |
MAID Lecture Nov 8 at 10:00 s.t. (sharp)Written on 07.11.18 by Christian Rossow Gentle reminder: Tomorrow's (and all other subsequent) lecture(s) will start at 10:00 sharp to accomodate for the tutorial sessions in the afternoon. The exercise sessions will start tomorrow in the following rooms:
Gentle reminder: Tomorrow's (and all other subsequent) lecture(s) will start at 10:00 sharp to accomodate for the tutorial sessions in the afternoon. The exercise sessions will start tomorrow in the following rooms:
The first exercise sheet is available in CMS. We will do this sheet live during the tutorials. There is no need for any preparations other than a recap what was discussed in the lectures. |
MAID Lecture Wed 31.10. (Tomorrow) 10-12Written on 30.10.18 by Christian Rossow This is a gentle reminder for the out-of-band MAID lecture that we will have tomorrow, Wed 31.10. 10-12 in HS001. We will be back to normal schedule starting next week. Tutorials will start next week, too. |
Tutorial Slots AssignedWritten on 22.10.18 by Christian Rossow We've just assigned you to the two Thursday tutorials (12:30 / 14:15) according to your preferences. Tutorials will start on Nov 8th. From Nov 8th onward, the lecture will also start 10:00 sharp, such that everyone has sufficient time to have lunch from 11:30-12:30. There is no need to prepare… Read more We've just assigned you to the two Thursday tutorials (12:30 / 14:15) according to your preferences. Tutorials will start on Nov 8th. From Nov 8th onward, the lecture will also start 10:00 sharp, such that everyone has sufficient time to have lunch from 11:30-12:30. There is no need to prepare anything for most tutorials. We will hand out exercises in the tutorial session, and solve them live. |
Change of Schedule for Next Two LecturesWritten on 21.10.18 by Christian Rossow As indicated in the CMS outline, we'll have to reschedule the lectures of the upcoming week and the week thereafter. The next two lectures will be Mon 22.10. 14-16 (tomorrow!) and Wed 31.10. 10-12 in our usual lecture room (HS001). We'll be back to normal Thu 10-12 starting Nov 8. Gentle reminder:… Read more As indicated in the CMS outline, we'll have to reschedule the lectures of the upcoming week and the week thereafter. The next two lectures will be Mon 22.10. 14-16 (tomorrow!) and Wed 31.10. 10-12 in our usual lecture room (HS001). We'll be back to normal Thu 10-12 starting Nov 8. Gentle reminder: You can choose your tutorial preferences until tonight (23:59). |
Select your tutorial preferencesWritten on 18.10.18 by Christian Rossow We've added three potential tutorial slots in CMS, out of which we'll choose ideally one (and max two):
Please select your availability in CMS by Sunday:… Read more We've added three potential tutorial slots in CMS, out of which we'll choose ideally one (and max two):
Please select your availability in CMS by Sunday: https://cms.cispa.saarland/maid1819/ Note: It'll be tough to find a good time slot, so please specify as many slots as you can to enable a good (and solvable) assignment. In CMS, you'll also be able to find the slides and (soon) exercise sheets. |
MAID starts on Thu 10:00Written on 17.10.18 by Christian Rossow If you receive this email your registration to MAID was successful. We will welcome you on Thu 10am (c.t.) in HS001 (E1 3). |
Malware Analysis and Intrusion Detection
MAID will basically teach you various skills that you require for reverse engineering malware, that is, understand its inner working without having access to its source code. We will dive deep into Intel x64 assembly (mostly 64-bit), look at how to understand the higher-level semantics of low-level assembly code, cover methodologies commonly found in malware (e.g., obfuscation, C&C communication), and learn various malware analysis techniques (e.g., control flow graphs, symbolic execution, dynamic analysis). While we will also cover intrusion detection, this topic will only be a small subpart of the entire lecture.
Register by Mon, Oct 15. Attendance is limited to 40 students. We will give preference to Master students and BSc students in their fifth (or higher) semester in case more than 50 students sign up. We will announce the final attendee list by Tue, Oct 16.
WARNING: If you search for an easy course, be advised and do not take this one. Despite the fact that we will have fewer lectures than an average advanced lecture, the course projects are serious work and significantly exceed small projects you may know from other lectures. We planned the project work specifically such you won’t feel bored over Christmas and in semester break in February. Reconsider attending if you take other intensive courses during the same semester. This warning is no bullshit: Previous editions have shown that only about 25% of the initial students will finish this lecture. But if you do, it will be super fun.
Timeline and Content
- Thu 18.10.: Introduction + Assembly 101
- Mon 22.10. 14:15-15:45: Assembly 101
- Wed 31.10. 10:15-11:45: Assembly 101
- Thu 08.11. 10:00 sharp: Assembly Data Structures
- Thu 15.11. 10:00 s.t.: Control Flow Graphs, Code Optimizations + Dynamic Analysis
- Thu 22.11. 10:00 s.t.: Obfuscation + Packing
- Thu 29.11. 10:00 s.t.: Malware / Botnets
- Thu 06.12. 10:00 s.t.: Intrusion Detection
- Thu 13.12. 10:00 s.t.: IDA Hands-on Session