1. Introduction to Information Security מרצים : Dr. Eran Tromer: tromer@cs.tau.ac.il Prof. Avishai Wool: yash@eng.tau.ac.il מתרגלים : Itamar Gilad (itamargi@post.tau.ac.il) Nir Krakowski (nirkrako@post.tau.ac.il)

2. Course guidlines The course exercises aren’t easy! o You will have to learn and do a lot. o Google is your friend, but so are we! Best 75% of exercises will be used to calculate the average exercise grade. Exercises are to be submitted the week after the recitation Ask questions!! Download exercises from website https://course.cs.tau.ac.il/infosec13/exercises https://course.cs.tau.ac.il/infosec13/exercises Fill out the course questionnaire!

3. Instructors We’ll be instructing the course together Reception hour: o Schedule an appointment by email General note: Please keep in mind that the lectures and recitations will often not match. This is by design, not a mistake.

4. Recitation #1 Subjects: o Course IT Framework o X86 Assembly o Reverse Engineering o IDA o Other tools

5. IT Framework VirtualBox VM file, with Ubuntu 12.04.2 LTS o Username: ‘student’ o Password: ‘do or do not there is no try’ o Change the password with the command: passwd Wine: IDA, Hexworkshop Python vi, gedit, ghex, hexedit To get more tools: o sudo apt-get install [toolname] o sudo pip install [pythonmodulename] o Google for more tools All exercises will be provided to work within the VM Framework. Most exercises will not work on a standard machine.

6. VM Demo

7. X86 assembly Command elements: o Instruction – a whole command o Opcode – what you want to do o Operand – what do you want to operate on (source) or with (dest) Opcode types: o Data opcode examples: MOV, XOR, ADD, SUB, INC, SHL, SHR, TEST, CMP o Unconditional control flow (branching) opcode examples: JMP, CALL, RET o Flag based conditional control flow examples: JZ, JNE, JNZ, JBE, JG. o Stack operations: POP, PUSH, PUSHA, POPA

8. X86 assembly Operand types: o Registers o Constants o Memory addresses o Pointers o Flags Commands or Instructions are variable length: o 1 to 8 bytes long.

9. Command structure Command structure (no operand): o Opcode o Example: NOP o Example: RET Command structure (single operand): o Opcode operand o Example: INT 0x3 o Example: JMP [memory address] o Example: POP [register]

10. Command structure Command structure (dual operand): o Opcode dest-operand source-operand o Example: MOV EAX, 0 o Example: SAR EBX, 2 o Example: MOV ECX, [EBX] Cheat Sheet: https://www.ssucet.org/mod/resource/view. php?id=886 Cheat Sheet: https://www.ssucet.org/mod/resource/view. php?id=886 Google: x86 assembly cheat sheet

11. Reverse Engineering What does the following code do: o LEA EDX, [address to “Hello, world!”] o MOV ECX, 12 MYLOOP: o PUSH EDX o CALL printf o ADD ESP, 4 o LOOP MYLOOP

12. Reverse Engineering What is assembly reverse engineering: o Compiling is like a one-way function. o Information is lost, and we might loose access to: Variable and function names Comments o What do we still have: Import and export name (relations between modules) Structure of parameters to functions. Starting point Hard-coded strings Constants Our objectives: o Find the most interesting piece of code in the least amount of time o Understand what it does and how o Find weaknesses and figure out how to exploit them

13. RE Process Use leads: o Strings, UI o Dynamic debugging, breakpoints. o Library and system functions Interpret the assembled code by using intelligent guesses: o Context-based o Code is written by people using regular code conventions o Code is written in an upper level language

14. IDA The Interactive Dis-Assembler ( IDA ) is the most popular reverse engineering tool o Version 5.0 is free-ware and that is what we’ll use. IDA does several things automatically: o Disassemble x86 binary code into human readable format o Identifies ELF headers (executable file formats) o Signature based recognition for library functions and compiler tricks o Creates code graph by basic blocks o Code and data xrefs (references to memory addresses, functions) Provides a good environment for research: o Adding comments (‘;’) o Renaming labels: code blocks, variables, function names, structures. (‘n’) o Change interpretation of binary data (code->data, data->code, data type change, etc.) https://www.hex- rays.com/products/ida/support/freefiles/IDA_Pro_Shortc uts.pdf https://www.hex- rays.com/products/ida/support/freefiles/IDA_Pro_Shortc uts.pdf

15. IDA Options

16. IDA Demo [Helllo World]

17. IDA Demo [stricmp]

18. This week’s exercise VM setup First reverse engineering task It isn’t hard – but please start early and contact us if you have any trouble with the setup