Courses/Computer Science/CPSC 525.W2013/Tutorial Schedule

Tutorial topics that we will discuss each week are below.

Tutorial session 1 takes place on Tuesday and Thursday from 11.00 to 11.50 in ENF334.

Tutorial session 2 takes place on Wednesday and Friday from 13.00 to 13.50 in ENC129.

Tutorials begin on January 17, 2013

= 17 January: VM Creation =
 * Instructions

= 22 January: Analyze Firewall Rules =
 * Click

= 24 January: Lockdown VM =
 * Click

= 29 January: Analyze Permissions =
 * Click

= 5 February: Create ACLs =
 * Click

= 12,13 February: Digital Footprint and Password Entropy =

The size of our digital footprint has rapidly increased (1). Given the number of password-related fails that have taken place, especially over the last two years, humans clearly do not engage in safe password practices. Nevertheless, passwords seem to have a lasting appeal for usability reasons (2).

In this tutorial, you will undertake two activities:

Activity 1
 * Team up with a partner.
 * Quickly estimate the "size" of your digital footprint in number of accounts you possess. Include things like web accounts, email accounts -- pretty much anything requiring digital credentials or the ability to log into some service. Do this quickly -- do not think too much about it. Ballpark number.
 * Now take 10 minutes to carefully enumerate as close to the actual number of accounts you have as you can. Include things like defunct accounts that you haven't closed, fake email addresses, etc. Please try to produce as accurate a number as possible. For example, you may look at your password manager, your ssh keys, and your "saved passwords" in Firefox (or whatever web browser you use).
 * Compare both numbers with your partner.

Activity 2
 * Do this one solo -- you'll be manipulating the contents of your passwords, and you will likely want to keep them private.
 * In this exercise, we ask you to evaluate the entropy of your passwords.
 * Obtain or write down a list of your passwords (as many as you can remember or access).
 * Split each password into characters or tokens.
 * Create a frequency-ordered list of these characters (e.g., simulate uniq(1) -c | sort(1)).
 * Create a Z-string: the frequency-ordered list with the frequencies removed.

For example:

I have three passwords:
 * 1) abc
 * 2) password
 * 3) secret

All the characters of my passwords are: abcpasswordsecret

Sort them: aabccdeeoprrssstw

Frequency histogram: a:2 b:1 c:2 d:1 e:2 o:1 p:1 r:2 s:3 t:1 w:1

Sort them by frequency: 3 s, 2 a, 2 c, 2 e, 2 r, 1 b, 1 d, 1 o, 1 p, 1 t, 1 w

Produce the Z-string: sacerbdoptw

What does your Z-string say about your password habits?
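As an added worked example (not part of the tutorial text), here is the procedure above in Python: it pools and sorts the characters, builds the histogram, emits the Z-string, and additionally reports the Shannon entropy of the pooled character distribution, which goes beyond the tutorial's steps. The sample passwords are the three from the example.

```python
from collections import Counter
import math

# Constructed sample: the three example passwords from the tutorial text.
SAMPLE_PASSWORDS = ["abc", "password", "secret"]

def histogram(passwords):
    """Count every character across all passwords (what `uniq -c` gives after sorting)."""
    return Counter("".join(passwords))

def frequency_list(passwords):
    """(char, count) pairs by descending count; ties broken alphabetically, as in the tutorial."""
    return sorted(histogram(passwords).items(), key=lambda kv: (-kv[1], kv[0]))

def z_string(passwords):
    """The frequency-ordered characters with the counts dropped."""
    return "".join(ch for ch, _ in frequency_list(passwords))

def char_entropy_bits(passwords):
    """Shannon entropy, in bits per character, of the pooled character distribution.
    Addition beyond the tutorial: a value well below max_entropy_bits() means a few
    characters dominate your passwords."""
    counts = histogram(passwords)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def max_entropy_bits(passwords):
    """Upper bound for this alphabet: every distinct character used equally often."""
    return math.log2(len(histogram(passwords)))

if __name__ == "__main__":
    print("sorted:   ", "".join(sorted("".join(SAMPLE_PASSWORDS))))
    print("histogram:", ", ".join("%d %s" % (n, ch) for ch, n in frequency_list(SAMPLE_PASSWORDS)))
    print("Z-string: ", z_string(SAMPLE_PASSWORDS))
    print("entropy:   %.2f of %.2f bits per character"
          % (char_entropy_bits(SAMPLE_PASSWORDS), max_entropy_bits(SAMPLE_PASSWORDS)))
```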

Background

 * 1) Security and Privacy Considerations in Digital Death. Michael E. Locasto, Michael Massimi, and Peter J. DePasquale. Proceedings of the 20th New Security Paradigms Workshop (NSPW 2011). September 12-15 2011. Marin County, CA, USA.
 * 2) A Research Agenda Acknowledging the Persistence of Passwords

Password Breaches

 * http://ieeelog.com/
 * https://dazzlepod.com/rootkit/

= Web Vulns =

In this tutorial, you will start to explore some of the basic issues involved in attacks against web-based infrastructure.

We will do this via two publicly accessible tools / sites external to the U of C.

Background Material

 * TCSS, Chapter 12.1 “The Web and Security: Basic Structure”
 * OWASP
 * http://www.owasp.org/index.php/Top_10_2007
 * http://www.owasp.org/index.php/Top_10_2010
 * http://www.owasp.org/index.php/PHP_Top_5
 * http://code.google.com/p/browsersec/wiki/Main (this book is a great resource for learning about the issues involved in web security)
 * HTTP Request/Response Modifiers
 * https://addons.mozilla.org/en-US/firefox/addon/9727 (RequestPolicy)
 * https://addons.mozilla.org/en-US/firefox/addon/967 (ModifyHeaders)
 * OWASP WebScarab Project http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
 * http://code.google.com/p/owaspbwa/

Fun
 * How unique is your browser? See at: https://panopticlick.eff.org/
 * Politically-charged HTTP topic of the day: http://www.webmonkey.com/2012/06/error-451-this-page-has-been-burned/

You can do these activities in any order you choose. They will probably take longer than the tutorial session, so feel free to continue at home or in your spare time. Both are "self-guided" tours through web services that present you with "hacking" challenges.

Activity 1

 * http://www.hack-test.com/

Activity 2

 * http://googleonlinesecurity.blogspot.com/2010/05/do-know-evil-web-application.html
 * http://google-gruyere.appspot.com/

= March 5 / 6: Langsec I =

In this tutorial, you will begin to explore some langsec issues. One activity heavily involves theory and the other involves a practical example. Do them in order.

You should pair up and collectively recall your lessons in computability and automata theory.

Activity 1

Given this list of strings (i.e., sequences of symbols; symbols are one byte):

 * AABCAAABBACACCAC
 * AAABCAAACAC

Write a grammar that is able to produce just the first string. To do this, you might look for long substrings that repeat and infer a list of grammar rules that could produce the string.

Now modify the grammar to include the second string.

Do you feel confident in your answer? Why or why not? This question was on your midterm before we removed it.

Do the grammars you have constructed match what a tool like SEQUITUR tells you?

http://sequitur.info/
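Added example, not part of the tutorial and not SEQUITUR itself: a small Re-Pair implementation (repeatedly replace the most frequent repeated digram with a new rule), which is the simplest mechanical way to infer a grammar from a single string. Run it on the two strings above and compare its rules with the ones you wrote by hand and with what SEQUITUR produces; `expand()` checks that a grammar really derives the string.

```python
from collections import Counter

STRINGS = ["AABCAAABBACACCAC", "AAABCAAACAC"]  # the two strings from Activity 1

def nonoverlapping_digrams(seq):
    """Count adjacent pairs, skipping occurrences that overlap a counted one (AAA holds one AA)."""
    counts, last = Counter(), {}
    for i in range(len(seq) - 1):
        d = (seq[i], seq[i + 1])
        if last.get(d, -2) < i - 1:
            counts[d] += 1
            last[d] = i
    return counts

def replace_digram(seq, digram, name):
    """Rewrite each non-overlapping occurrence of digram with the nonterminal name."""
    out, i = [], 0
    while i < len(seq):
        hit = i + 1 < len(seq) and (seq[i], seq[i + 1]) == digram
        out.append(name if hit else seq[i])
        i += 2 if hit else 1
    return out

def repair(s):
    """Re-Pair: keep turning the most frequent repeated digram into a new rule R1, R2, ...
    until no digram occurs twice. Returns (rules, start) with two-symbol right-hand sides."""
    seq, rules = list(s), {}
    while True:
        counts = nonoverlapping_digrams(seq)
        if not counts or max(counts.values()) < 2:
            return rules, seq
        digram = max(counts, key=counts.get)  # first-seen digram wins ties
        name = "R%d" % (len(rules) + 1)
        rules[name] = list(digram)
        seq = replace_digram(seq, digram, name)

def expand(rules, symbols):
    """Derive the terminal string from a symbol sequence (terminals are single characters)."""
    return "".join(expand(rules, rules[t]) if t in rules else t for t in symbols)

def show(rules, start):
    """Grammar in the S -> ..., R1 -> ... form you would compare with SEQUITUR's output."""
    return "\n".join(["S -> " + " ".join(start)] +
                     ["%s -> %s" % (n, " ".join(r)) for n, r in rules.items()])

if __name__ == "__main__":
    for s in STRINGS:
        rules, start = repair(s)
        print(show(rules, start), "\n")
```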

Activity 2

In this activity, you will try to mimic the "packet-in-packet" work we saw, but you'll do it within the PCAP file format.

Your team's goal is to answer the questions:

 * can you encapsulate a tcpdump pcap record inside another?
 * can you confuse tcpdump's replay functionality (i.e., tcpdump -r) by messing around with the record structure and content in one of these files?

Here is an overview of the pcap file format. It talks about the overall file header as well as the structure of each record.

http://www.manpagez.com/man/5/pcap-savefile/

The wireshark wiki also has information on this format:

http://wiki.wireshark.org/Development/LibpcapFileFormat

You can create a PCAP file either by capturing network traffic with wireshark or tcpdump, or by creating one "by hand" in your favorite hex editor. Try to modify a record's structure so that it is damaged while embedding another PCAP packet record in that record's payload. What output does tcpdump emit for this damaged record?
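Added example (not part of the tutorial, and not tcpdump's own reader): a builder for pcap global and record headers following the layout in pcap-savefile(5), plus a strict record walker that checks every length against the global header and the file size. It constructs a record whose payload is itself a complete record, and a copy whose incl_len overstates what the file holds, so you can compare what a careful parser reports with what tcpdump -r prints for the same bytes.

```python
import struct

# pcap savefile layout (pcap-savefile(5)): 24-byte global header, then 16-byte record headers.
MAGIC, SNAPLEN, LINKTYPE_ETHERNET = 0xA1B2C3D4, 65535, 1
GLOBAL_HDR, RECORD_HDR = "<IHHiIII", "<IIII"  # little-endian, as a little-endian host writes it

def global_header(snaplen=SNAPLEN, linktype=LINKTYPE_ETHERNET):
    """magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack(GLOBAL_HDR, MAGIC, 2, 4, 0, 0, snaplen, linktype)

def record(payload, ts_sec=0, ts_usec=0, incl_len=None, orig_len=None):
    """ts_sec, ts_usec, incl_len, orig_len, then the bytes; override lengths to build damaged records."""
    incl_len = len(payload) if incl_len is None else incl_len
    orig_len = incl_len if orig_len is None else orig_len
    return struct.pack(RECORD_HDR, ts_sec, ts_usec, incl_len, orig_len) + payload

def parse_pcap(data):
    """Walk the records, checking every length against the global header and the file size.
    Stops at the first inconsistency instead of guessing. Returns (payloads, errors)."""
    if len(data) < 24:
        return [], ["file shorter than the global header"]
    magic, _maj, _min, _tz, _sig, snaplen, _link = struct.unpack(GLOBAL_HDR, data[:24])
    if magic != MAGIC:
        return [], ["unexpected magic 0x%08x" % magic]
    payloads, errors, off = [], [], 24
    while off < len(data):
        if off + 16 > len(data):
            errors.append("offset %d: truncated record header" % off)
            break
        _sec, _usec, incl, orig = struct.unpack(RECORD_HDR, data[off:off + 16])
        if incl > snaplen:
            errors.append("offset %d: incl_len %d exceeds snaplen %d" % (off, incl, snaplen))
            break
        if incl > orig:
            errors.append("offset %d: incl_len %d exceeds orig_len %d" % (off, incl, orig))
            break
        if off + 16 + incl > len(data):
            errors.append("offset %d: payload of %d bytes runs past end of file" % (off, incl))
            break
        payloads.append(data[off + 16:off + 16 + incl])  # inner record stays opaque bytes
        off += 16 + incl
    return payloads, errors

# Constructed files: a record whose payload is itself a complete record (record-in-record),
# and the same outer record with an incl_len that overstates what the file holds.
INNER = record(b"inner-frame-bytes")
NESTED = global_header() + record(INNER)
DAMAGED = global_header() + record(INNER, incl_len=len(INNER) + 8)
```

A parser that never re-synchronizes on bytes inside a payload sees the nested record only as opaque data; it becomes visible only if you deliberately wrap it in a global header and parse it again.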

= March 7 / 8: Langsec II =

In this session, you'll further explore some applications of langsec principles.

Activity 1: Recognizing Strings Game

This activity will likely take longer than one tutorial session. Start on it and continue on your own.

Pick a partner. Choose one of you to create a simple language of your own. Your language might describe anything you want. Here are a few suggestions:

 * describing movements in a virtual world (e.g., WumpusWorld)
 * describing a file format
 * describing sequences of program execution (i.e., jmp targets)
 * describing system call sequences
 * describing network packets and flows
 * describing an expression language such as a simple calculator notation

Share the choice of language and its general design ideas and primitives with your friend (very high level description, no details).

On paper, create a grammar for this language, keeping it secret from your partner.

Randomly produce a set of strings in that language by running your grammar for a random number of rule applications, randomly choosing a production to follow at each step. Give your example strings to your partner. Have them try to reconstruct the grammar you wrote.

How well do your grammars match? At this stage, you can compare your work with what SEQUITUR generates.

Activity 2: RFC to Real World

This exercise is mainly a take-home exercise; you won't have time for it in the lab/tutorial.

Pick an RFC that contains a BNF. Based on the documented BNF, supply the grammar rules to a parser generator. Ask the parser generator to build a recognizer for that language. Now capture input data, such as network traffic, for that file format or protocol.

Feed this input to your new recognizer. Keep a list of the bugs or incomplete features or behavior of your recognizer. Try to fix the first few flaws or incomplete features. Where do things go wrong and why?

You will probably want to explore tools like ANTLR, yacc, bison, flex, etc.
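Added example serving both activities above (not part of the tutorial): a constructed "secret" grammar for a tiny calculator notation, a seeded random generator that derives sample strings from it the way Activity 1 describes, and a hand-written recursive-descent recognizer for the same language, the kind of recognizer a parser generator would build for you in Activity 2. Every generated string should be accepted, and malformed strings rejected; the grammar and the depth limit are assumptions of this example.

```python
import random

# Constructed "secret" grammar: a tiny calculator notation; terminating production listed first.
GRAMMAR = {
    "E": [["T"], ["E", "+", "T"]],
    "T": [["F"], ["T", "*", "F"]],
    "F": [["digit"], ["(", "E", ")"]],
    "digit": [[d] for d in "0123456789"],
}

def generate(rng, symbol="E", depth=0, max_depth=6):
    """Random derivation; beyond max_depth take the first production so it terminates."""
    if symbol not in GRAMMAR:
        return symbol
    prod = GRAMMAR[symbol][0] if depth >= max_depth else rng.choice(GRAMMAR[symbol])
    return "".join(generate(rng, s, depth + 1, max_depth) for s in prod)

class Recognizer:
    """Recursive descent for the same language: E -> T ('+' T)*, T -> F ('*' F)*, F -> digit | '(' E ')'."""
    def __init__(self, text):
        self.text, self.pos = text, 0
    def peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else ""
    def accepts(self):
        return self.expr() and self.pos == len(self.text)  # must consume all input
    def expr(self):
        return self.term() and self.rest("+", self.term)
    def term(self):
        return self.factor() and self.rest("*", self.factor)
    def rest(self, op, operand):  # zero or more (op operand) repetitions
        while self.peek() == op:
            self.pos += 1
            if not operand():
                return False
        return True
    def factor(self):
        if self.peek().isdigit():
            self.pos += 1
            return True
        if self.peek() == "(":
            self.pos += 1
            if self.expr() and self.peek() == ")":
                self.pos += 1
                return True
        return False

def sample_strings(seed, n):
    """Generate n strings from a seeded RNG: the 'set of strings' handed to a partner."""
    rng = random.Random(seed)
    return [generate(rng) for _ in range(n)]
```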