hack-night

Week 3 - Source Code Auditing, Part 2

This week we will continue with the final video on Code Auditing and provide you with 2 more applications that are intentionally vulnerable. Your job is to audit the source code and find the vulnerabilities in them. Use the skills you learned last week to work through the process of auditing applications efficiently.

Lecture Materials

  1. Code Auditing 101 [slides]
  2. Code Auditing 102 [slides]

Workshop Materials

What we will be covering

  1. Memory Corruption Examples
  2. https://picoctf.com/binary_demo/binary_demo.html#1

Material we might cover

  1. News Paper: This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. There are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files). Assume the application runs on Linux and is compiled with gcc. (Simple Usage)
  2. Siberia Crimeware Pack: (Password: infected) The Siberia kit contains live exploit code and will likely set off AV; however, none of the exploit code is in a state where it would be harmful to your computer. In addition to all of the vulnerabilities having been patched years ago, the exploits in Siberia need to be interpreted by PHP and read by your browser for them to have any effect. You can safely disable or create exceptions in your AV for this exercise or place the Siberia files inside a VM.

Resources

  1. Source Code Analysis
  2. Application Security
  3. The Art of Software Security Assessment
  4. Integer Overflows
  5. Catching Integer Overflows
  6. The Fortify Taxonomy of Software Security Flaws

Tools

  1. Source Navigator
  2. Scitools Understand
  3. List of tools for static code analysis