| Version | Changes |
|---|---|
| 07-04 | Initial version |
| 20-04 | Fixed lecture time |
| 11-05 | Updated topics schedule |
| 22-05 | Updated topics schedule |
TL;DR
- Course: NWI-IPC025 Hacking in C
- Credits: 3 EC
- Schedule: Fourth Quarter of 2019–2020
- Start: 13 April 2020
- Exam date: 24 June 2020 (for now)
- Main lecturer: Thom Wiggers
<[email protected]> - Supporting lecturers: Denisa Greconici
<[email protected]> - Course URLs (clickable):
- Discord (tutorials)
- Brightspace (handing in assignments)
- Course Website (supplemental resources, slides)
- Lectures (live streams and recordings)
- OSIRIS (“official” but outdated syllabus)
Preliminary Schedule
| When | What | Subject | Deadline |
|---|---|---|---|
| 13-4 | Easter Monday | ||
| 14-4 | Tutorial | C programming, Shell, Make | 21-4 12:30 |
| 20-4 | Lecture | Hello, C, types, pointers I | |
| 21-4 | Tutorial | C programming, Shell, Make | 12-5 12:30 |
| 04-5 | Lecture | Pointers, buffers, memory | |
| 05-5 | Liberation Day | ||
| 11-5 | Lecture | Stack, Heap, printf | |
| 12-5 | Tutorial | Stack, Heap | 19-5 12:30 |
| 18-5 | Lecture | Buffer overflows, prinf continued | |
| 19-5 | Tutorial | Buffer overflows | 26-5 12:30 |
| 25-5 | Lecture | Taking control of the return address | |
| 26-5 | Tutorial | Attacks, cont. | 2-6 12:30 |
| 01-6 | Pentecost Monday | ||
| 02-6 | Tutorial | Attacks, wrap-up | 8-6 12:30 |
| 08-6 | Lecture | Beating W$\oplus$X with ROP | |
| 09-6 | Tutorial | Introduction Exam? | 24-6 12:30 ? |
Course website
Thom hosts the Course Website and will try to fill this space with supplemental resources and links. There already is a Makefile tutorial and a Shell tutorial on that website. We will also put slides with the links to the lectures on those pages.
Call for Contributions
There are a quadrillion resources on the internet that could replace or supplement any part of this course. I would like to invite anyone to contribute to the course website. It is hosted on GitHub and there are Edit links below pages. Contributions will be reviewed by Thom via the GitHub pull request system.
Lectures
Lectures will be done at the scheduled time on Mondays, 15:45. We will follow the ‘regular’ concept of lectures, including the scheduled break. They will be live-streamed on YouTube and we will be able to interact via chat. Although recordings will be made available, it would be appreciated if you are present for the lectures.
The first lecture. As the first lecture is scheduled for Easter Monday, there will be no regular lecture that week. Instead, we will provide some videos and other materials for you to get started with Linux and C programming. This means that the tutorial will continue as scheduled!
Tutorials
Tutorials will happen on Discord instead of in a computer lab. You will need to install a Linux on your computer. We recommend installing Ubuntu 19.10 in a virtual machine. Any flavour of Linux should be sufficient, however.
Please note that Linux Subsystem for Windows is not sufficient. That version of Linux isn’t really Linux because Windows still provides the operating system features through a Linux-like API. As a consequence, the types of attacks that we will be doing might not work reliably or at all.
Homework
Homework will be handed in and graded by the student assistants. In principle, the deadline is a week after the tutorial, after the second tutorial, but due to holidays this is sometimes longer. You will need to hand in all homework to be able to participate in the exam.
Grading
Grades given will be the familiar “Good/Sufficient/Insufficient” system. If you don’t hand in any real work, you might also receive a Fail mark. In this case, you should contact the student assistant as soon as possible and discuss how to amend this.
I couldn’t figure out an assignment
If you can’t figure out how a particular assignment works, please still try to hand in something the SAs can give feedback on. For example, consider writing about the following things:
- What did you try?
- What problems did you run into?
- How much worked of what you tried?
- Why do you think that (did not) work?
Exam
You need to have participated in the homework to take the exam.
The following is not final yet
We will probably be doing some assignments instead of the normally scheduled, written exam, if we have to do it online. You will complete these individually and write a short report on what you did. We have also not decided yet on how much time you will have to complete this.
Learning goals (copy/paste from OSIRIS)
- explain how standard C data types are represented, and write C programs to inspect and manipulate these representations
- explain how the stack and heap are used to allocate data in C programs
- write C programs that makes use of pointers and pointer arithmetic
- explain how the stack is used to administer procedure calls
- explain how buffer overflows work
- explain some of the countermeasures against these vulnerabilities, how these work, and apply some of them
- develop simple exploits for code with buffer overflow weaknesses.