2023–24 Projects:
Advisor: Jeff Ondich
Times: Winter 3a
Software has bugs, some of which lead to security vulnerabilities. Sometimes those vulnerabilities are discovered by the makers of the software and repaired without incident. Sometimes they're discovered by security researchers, who may report them to the software maker or to journalists or to the world in a Tweet. Sometimes vulnerabilities are discovered by hackers who use them to break into systems, steal data, install ransomware, etc. Regardless of whether the discoverers of a particular vulnerability use responsible disclosure or start using the bug to attack systems or anything in between, eventually the software maker and the security community become aware of the bug. At that point, the maker needs to patch the software and let users know what they need to do to mitigate the effects of the vulnerability. Unfortunately, there are a lot of software vulnerabilities. Keeping track of them all is hard.
To organize the endless stream of security problems in the software that runs the world, the Common Vulnerabilities and Exposures (CVE) system was developed starting in 1999, and it has been maintained by the MITRE Corporation ever since. The CVE system is funded largely by US government agencies. Here is a little history of the CVE program.
A few years after the early CVE database was being built, H. D. Moore, then a professional pen-tester, started work on a tool to help him and his coworkers keep track of and deploy exploits of known software vulnerabilities so they could help their clients improve their systems' security. An exploit of a vulnerability is software that uses the vulnerability to attack the vulnerable system. Depending on the bug, an exploit might let attackers disrupt the vulnerable system's operation (denial of service), log in as a regular user with limited permissions, or log in as root/admin and take over the whole system. Moore's toolkit, named Metasploit, has grown from its origins as a few Perl scripts in 2003 into one of the most powerful and widely used security tools in the world. As is usual with security tools, Metasploit can be used by both attackers and defenders. To learn more about just how complicated the moral and legal landscape is for this sort of tool, check out this episode of the Darknet Diaries podcast.
For this project, you and your team will select a small collection of CVE reports, implement exploits for them, and add your exploits to Metasploit. In the process, you will learn about the history of security vulnerabilities, about some of the techniques of pen-testing, and about just how weird software vulnerabilities can be.
After studying the CVE database and learning the basics of using Metasploit, you will select a small collection of CVEs for which to write exploits. The selection process will be important, since the difficulty of exploiting CVEs ranges from the trivial to the extraordinarily complex. You will want to select one or two very easy exploits to get started, and then one or two medium-difficulty exploits to stretch your skills.
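One concrete way to start the selection step is to triage CVE records mechanically before reading any of them in depth. The following is an added example, not code from the course page or from the Metasploit project: it reads CVE records in the JSON 5.0 layout used by the public cvelistV5 repository, pulls out the affected product, the CVSS v3 base score and vector, and keeps only bugs whose vector says "network-reachable, low complexity, no privileges, no user interaction", which is the usual profile of an easy first exploit. The records embedded below are constructed samples with fictitious CVE IDs, vendors and products; the function names are this example's own.

```python
# Added example (not from the course page or Metasploit): triage CVE JSON 5.0
# records for exploit-writing candidates. Sample records below are constructed;
# their CVE IDs, vendors and products are fictitious placeholders.
import json
import re

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def make_record(cve_id, vendor, product, desc, cwe=None, vector=None, score=None):
    """Build a constructed CVE JSON 5.0 record (same layout as cvelistV5) for the demo."""
    cna = {
        "affected": [{"vendor": vendor, "product": product,
                      "versions": [{"version": "1.0", "status": "affected"}]}],
        "descriptions": [{"lang": "en", "value": desc}],
    }
    if cwe:
        cna["problemTypes"] = [{"descriptions": [{"cweId": cwe, "description": desc}]}]
    if vector:  # older records often carry no metrics block at all
        cna["metrics"] = [{"cvssV3_1": {"baseScore": score, "vectorString": vector}}]
    return json.dumps({"dataType": "CVE_RECORD", "dataVersion": "5.0",
                       "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
                       "containers": {"cna": cna}})


# Constructed sample records (fictitious IDs, vendors, products and descriptions).
SAMPLE_RECORDS = [
    make_record("CVE-2099-00001", "ExampleCo", "FileDrop",
                "Unauthenticated path traversal in the upload handler.", "CWE-22",
                "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 7.5),
    make_record("CVE-2099-00002", "ExampleCo", "KernelHelper",
                "Race condition in a setuid helper allows local privilege escalation.", "CWE-362",
                "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 7.8),
    make_record("CVE-2099-00003", "SampleSoft", "NetAgent",
                "Stack buffer overflow in the login packet parser.", "CWE-121",
                "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8),
    make_record("CVE-2099-00004", "SampleSoft", "LegacyCGI",
                "Command injection via a query parameter (no CVSS metrics published)."),
]


def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a dict; the version prefix lands under 'CVSS'."""
    parts = {}
    for item in vector.split("/"):
        key, _, value = item.partition(":")
        parts[key] = value
    return parts


def summarize(record_json):
    """Extract the fields a human triager wants from one CVE JSON 5.0 record."""
    rec = json.loads(record_json)
    cve_id = rec["cveMetadata"]["cveId"]
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    cna = rec["containers"]["cna"]
    products = ", ".join(f"{a['vendor']} {a['product']}" for a in cna.get("affected", []))
    desc = next((d["value"] for d in cna.get("descriptions", [])
                 if d.get("lang", "").startswith("en")), "")
    cwes = [d.get("cweId") for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("cweId")]
    score, vector = None, None
    for m in cna.get("metrics", []):
        cvss = m.get("cvssV3_1") or m.get("cvssV3_0")
        if cvss:
            score, vector = cvss["baseScore"], parse_vector(cvss["vectorString"])
            break
    return {"cve_id": cve_id, "products": products, "description": desc,
            "cwes": cwes, "score": score, "vector": vector}


def remote_unauthenticated(summary):
    """True when the CVSS vector says network-reachable, low complexity, no privs, no UI."""
    v = summary["vector"]
    return v is not None and (v.get("AV"), v.get("AC"), v.get("PR"), v.get("UI")) == ("N", "L", "N", "N")


def rank_candidates(record_jsons):
    """Summaries of the remote-unauthenticated bugs, highest base score first."""
    easy = [s for s in map(summarize, record_jsons) if remote_unauthenticated(s)]
    return sorted(easy, key=lambda s: (-s["score"], s["cve_id"]))


if __name__ == "__main__":
    for s in rank_candidates(SAMPLE_RECORDS):
        print(f"{s['cve_id']}  {s['score']}  {s['products']}  {s['cwes']}  {s['description']}")
```

Treat the filter as a first pass only. The CVSS vector records the prerequisites for reaching a bug, not how hard the exploit is to write: a 9.8 network overflow may still need a heap groom and a leak to beat ASLR, while a "local only" bug with a low score can be a one-line exploit. Records without a metrics block (common for older CVEs) drop out of the ranked list rather than being scored as zero, so check them by hand.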
For each CVE you choose to tackle, you will do the following:
Some knowledge of networking (e.g., from CS331 or CS338) would be helpful (but not absolutely essential, since you could study the relevant material early in the term).