CSCI 591: Malicious Code Analysis
&
CSCI xxx: Software Security
Instructor photo by Dr.Liping
About the Course
This course introduces students to malware analysis issues from end-user perspectives. Throughout the semester students will be introduced to a variety of security issues in malicious software design and development and detection from technical, social, and legal viewpoints. Topics include assembly basics, malware classification, malware retrofitting, malware analysis and malware detection.
Students will study a variety of tools to identify and generate signatures for malware analysis. The course emphasizes “learning by doing,” and requires students to conduct a series of lab exercises. Through these labs, students can enhance their understanding of the principles, and be able to apply those principles to solve real problems.
Upon completion of this course, the student should be able to:
- Master the interaction between assembly codes and registers, and memory and manually analyze the changes in the stack by instruction execution.
- Grasp the rationale for the malware taxonomy and learn to classify malware files manually.
- Grasp binary retrofitting techniques to modify malware binaries.
- Analyze and predict the potential malicious operations in different types of malware.
Prerequisites
Prior to taking this course (CSCI 591), you should have fulfilled the following CSCI prerequisites:
- CSCI 112 — C Programming (Required)
- CSCI 232 — Data Structures and Algorithms (required)
- CSCI 460 — Operating Systems (required)
- CSCI 107 — Python Programming (Required)
- CSCI 466 — Networks (strongly recommended)
If you do not have any of the above prerequisites, you should touch base with me as soon as possible. I’m typically supportive of students that wish to enroll in the course even if they do not satisfy all of the recommended prerequisites, so long as you understand that you may need to talk with me and/or do additional work independently to make sure you are prepared for our coursework.
Logistics (In A Nutshell)
We will use Slack for synchronous and asynchronous communication and discussions, GitHub for collaborating on code and submitting assignments.
Lectures
- In Person
| Tuesday/Thursday (12:15 – 13:30 p.m.)
» Course dates: August 23, 2023 - December 14, 2023
Office Hours / People / Getting Help
- Fangtian’s Office Hours: (T) 9:00-12:00pm, and by appointment (via Webex) » A virtual meeting place for Fangtian’s office hours
- TA Office Hours: » A virtual meeting place for TA office hours
- CS Student Success Center » Get help from TAs and peers
Links
- Textbook » (Required) Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski, Andrew Honig, No Starch Press, 2012
- Textbook » (Required) Windows 64-bit Assembly Language Programming Quick Start: Intel X86-64, SSE, AVX by Robert Dunne,Gaul Communications, 2018.
- Textbook » (Optional) Computer Viruses: From Theory to Applications by Eric Filiol, Springer, 2006. (retrieved it online)
- Code » All of the code from class (on GitHub)
- Slack » For all course-related communications
- D2L (591) » For tracking course grades, etc.
Schedule
This is a tentative schedule that is subject to change with minimal notice
Below is the calendar for this course. It is the responsibility of the students to frequently check this web-page for schedule, readings, and assignment changes. I will attempt to announce any change to the class, but this webpage should be viewed as authoritative. If you have any questions, please contact me.
| Date | Topics & Lectures | Assignments & Reading |
|---|---|---|
| Week 01 | Introduction, Course Overview, and Review | |
| 08/22/2023 (T) |
|
|
| 08/24/2023 (R) | ||
| Week 02 | Assembly Basics |
|
| 08/29/2023 (T) | ||
| 08/31/2023 (R) |
|
|
| Week 03 | Assembly Basics |
|
| 09/05/2023 (T) |
|
|
| 09/07/2023 (R) |
|
|
| Week 04 | Assembly Basics |
|
| 09/12/2023 (T) |
|
|
| 09/14/2023 (R) |
|
|
| Week 05 | Malware Classification |
|
| 09/19/2023 (T) |
|
|
| 09/21/2023 (R) |
|
|
| Week 06 | Malware Classification |
|
| 09/26/2023 (T) |
|
|
| 09/28/2023 (R) |
|
|
| Week 07 | Malware Classification |
|
| 10/03/2023 (T) |
|
|
| 10/05/2023 (R) |
|
|
| Week 08 | Programming Malware | |
| 10/10/2023 (T) |
|
|
| 10/12/2023 (R) |
|
|
| Week 09 | Programming Malware | |
| 10/17/2023 (T) |
|
|
| 10/19/2023 (R) |
|
|
| Week 10 | ||
| 10/24/2023 (T) |
|
|
| 10/26/2023 (R) |
|
|
| Week 11 | Malware Analysis | |
| 10/31/2023 (T) |
|
|
| 11/02/2023 (R) |
|
|
| Week 12 | Malware Analysis |
|
| 11/07/2023 (T) |
|
|
| 11/09/2023 (R) |
|
|
| Week 13 | Malware Analysis | |
| 11/14/2023 (T) |
|
|
| 11/16/2023 (R) |
|
|
| Week 14 | Fall Break | |
| 11/21/2023 (T) |
|
|
| 11/23/2023 (R) |
|
|
| Week 15 | Malware Detection | |
| 11/28/2023 (T) |
|
|
| 11/30/2023 (R) |
|
|
| Week 16 | Malware Detection | |
| 12/05/2023 (T) |
|
|
| 12/07/2023 (R) |
|
|
| Week 17 | “Finals Week” | |
| 12/12/2023 (T) |
|
|
| 12/14/2023 (R) |
|
Grading
These are tentative details that are subject to change with minimal notice
I am always happy to chat, review ideas from this course, try to clarify lab/exam questions, and discuss any questions or concerns you may have about graded work.
I do not pre-grade assignments. I typically do not curve grades.
Any grade disputes must be resolved within one week of the release of the grade.
Grade Breakdown
The grade breakdown is as follows:
- Attend Office Hours: 2.5% » Stop by office hours to follow up on class discussions, ask questions, provide feedback, chat about interests, etc. Grading polily: (1): x >= 5 times, you receive 2.5%; (2) 3 <= x < 5, you receive 1%; (3) x < 3, you receive 0. Noted x is the number of times you stop by my office. Attendance sheet only accessed by the instructor/li>
- Attendance: 2.5% » Participate in the class, ask questions, etc. Grading polily: (1): y >= 5 times, you receive 0; (2) y==4, you receive 1%; (3) y == 3, you receive 2%. (4) y <= 2, you receive 2.5%. Noted y is the number of times you miss the class.
- Assignments and Quizzes: 15% » Low-stakes assessments of comprehension and opportunities for reflection
- Projects: 40% » Projects (i.e., hands-on exercises) are the emphasis in this course. Start early, try stuff, talk with others… Most importantly, do them! It includes three individual projects and one group project.
- Midterm and Final Exam: 40% » typical exams. This will look and feel similar to the exams you take as a student, but must be completed individually. Furthermore, topics from throughout the semester are all “fair game”. As with all questions this semester, these exams will have a mixture of single choice problems, multiple choice problems, as well as short answer problems.
Project Grading Policy
Projects are typically made up of a series of tasks (tasks may have sub-tasks). These tasks typically require you to print certain output and/or complete programming-related tasks. Each task/sub-task will be graded on the following scale:
- High Pass (Finish all required tasks) 100 points
- Pass (Finish 50% of the tasks or above) 85 points
- Low Pass (Finish 25% of the tasks but lower than 50%) 70 points
- Much Low Pass (Runnable and finish partial task but lower than 25%) 50 points
- Incomplete 0 points
A high pass is earned if the solution presents a clear demonstration of the task at hand, as well as clear, correct, and concise description (including observations, explanations, etc.). Solutions lacking clarity in the demonstration and/or the description will be awarded a much low pass, low pass or pass (depending the quality of the solution). A grade of incomplete is earned where no solution is present, or where the solution is incorrect or incoherent.
Assignments
Submitting Work
All assignments are to be submitted via your private GitHub repository. So long as your work is committed and pushed to your private GitHub repository by the deadline, you should be good to go! To ensure that we have access, please double check that Fangtian and the TA(s) are added as “collaborators” in your GitHub repository.
Projects
This section will be updated periodically. Stay tuned for more information coming soon…
-
Project 1: PE Headers
» Due: Tuesday [10/24/2023] @ 11:59 PM (MST) -
Project 2: Tables
» Due: Tuesday [11/07/2023] @ 11:59 PM (MST) -
Project3: Process Context Switch
» Due: Tuesday [11/21/2023] @ 11:59 PM (MST) -
Project4: Kernel Debugging
» Due: Tuesday [12/05/2023] @ 11:59 PM (MST)
For more information please see the Labs page.
Late Penalties
Your evaluation in this course is primarily based on completing the assignments, projects and exams. As such, we take timely submissions seriously. Considering some certain circumstances for students, we have decided to offer some relaxed late penalty policies. Each assignment and project have a set deadline. I encourage students to treat the posted deadlines as “hard” deadlines. However, there are “late coupons”. Each student can extend the deadline for 48 hours 3 times, excluding the group project. So long as you notify me in advance and your assignment is submitted within 48 hours of the posted deadline, your assignment will receive no penalties. I still recommend that you adhere to the deadlines to stay on track with the course as things keep moving. To ensure timely feedback with our large class, no submissions will be accepted/graded 48 hours after the original deadline. Each late submission will lose 50% of your full score.
Communication
We will use Slack for all course communication (except for sensitive stuff like grades!).
Please do not use other means of electronic communication (e.g., D2L, e-mail) unless you absolutely have to.
I typically won’t respond to emails or Slack direct messages (DMs) past 6 p.m. or so. Generally speaking, I will not respond on weekends and certainly not immediately. Please do not expect an instant answer if you send me an email or DM in Slack. (I sometimes go off the grid to focus—something that a great deal of research suggests you do too.) Fortunately, we have a class full of people that are itching to help one another out. I definitely recommend using an appropriate channel on Slack (e.g., #projects) to ask general questions have discussions amongst your peers.
Course Expectations
I greatly value transparency. To this end, I attempt to summarize what I expect from you all as well as what you can expect from me.
Expectations for Students
The expectations for the course are that students will attend classes as often as they are able, do any readings assigned for class, and actively and constructively participate in class discussions. Class participation will be a measure of contributing to the discourse both in class, through discussion and questions, and outside of class through contributing and responding to class forums.
Please make sure to regularly check this website and our course Slack workspace. It is increasingly important for you to communicate with me if our course format is making it difficult for you to do the assigned work. I am eager to make accommodations that serve students well (within reason…) if you can help me identify such opportunities. Please communicate with me early and often if you have concerns or are experiencing hardship with this course — I’m here for you and want to support you however I am able.
Expectations for Instructors & TAs
We understand that these are difficult times, but we will do our best to maintain consistent communication with you, including updating you on any and all course changes or upcoming assignments, and providing timely feedback. I will keep the schedule updated with relevant links, videos, readings, and so forth. Please bear with us as we are constantly trying new and better ways to conduct our course in this new format. We are always open to feedback, so please let us know if there is something you feel we are missing.
Respect for Diversity & Inclusivity
Adapted from MSU’s Center for Faculty Excellence, the University of Iowa, and the University of Northern Colorado
I support an inclusive learning environment where diversity and individual differences are understood, respected, appreciated, and recognized as a source of strength. We expect that students, faculty, administrators and staff at MSU will respect differences and demonstrate diligence in understanding how other peoples’ perspectives, behaviors, and worldviews may be different from their own.
It is my intent that students from all diverse backgrounds and perspectives be well-served by this course, that students’ learning needs be addressed both in and out of class, and that the diversity that students bring to this class be viewed as a resource, strength and benefit. It is my intent to present materials and activities that are respectful of diversity: gender identity, sexual orientation, disability, age, socioeconomic status, ethnicity, race, religion, culture, perspective, and other background characteristics. Your suggestions about how to improve the value of diversity in this course are encouraged and appreciated. Please let me know ways to improve the effectiveness of the course for you personally or for other students or student groups.
Religious Observances
In addition, in scheduling exams and deadlines, I have attempted to avoid conflicts with major religious holidays. If, however, I have inadvertently scheduled an exam or major deadline that creates a conflict with your religious observances, please let me know as soon as possible so that we can make other arrangements.
Accommodations for Disabilities
If you are a student with a disability and wish to use your approved accommodations for this course, I encourage you to reach out to me and the Office of Disability Services (ODS) as soon as possible. Please have your Accommodation Notification or Blue Card available for verification of accommodations. Accommodations are approved through the Office of Disability Services located in SUB 174. For more information, please see: www.montana.edu/disabilityservices.
Academic Honesty
Please review MSU’s Code of Conduct, Policies, Regulations, & Reports. A couple of clarifications and additions:
- Although you may discuss and design with others, the work you hand in (e.g., code, write-ups) must be entirely your own. (Applies to individual assignments only.)
- Anything you submit that did not originate from you must be accompanied by attribution.
- Also, please do not share solutions or detailed information about solutions (e.g., specific code, non-trivial command line sequences) with others.
Protection of Intellectual Property Rights in Course Materials
This syllabus, course lectures and presentations, and any course materials provided throughout this term are protected by U.S. copyright laws. Students enrolled in the course may use them for their own research and educational purposes. However, reproducing, selling or otherwise distributing these materials without written permission of the copyright owner is expressly prohibited, including providing materials to commercial platforms such as Chegg or CourseHero. Doing so may constitute a violation of U.S. copyright law as well as MSU’s Code of Student Conduct.
FAQs
This is a collection of general FAQs related to our course. I will update this section as other questions arise.
Q: How will classes be run?
Our class meetings and office hours will all be conducted in a fully offline format. Unless otherwise stated, our classes will meet on BARNAR 126 on our designated class days/times: Tuesday/Thursday (12:15 – 13:30 p.m.). We will use Slack inside and outside class to facilitate conversations, make announcements, and so forth. Sometimes I may choose to post recordings ahead of time instead of holding offline class sessions, or point to other helpful content if it makes sense to do so. I’ll make it clear when that is happening.
Q: Is attendance required?
Attendance is required unless unforeseen circumstances prevent students from attending classes.
Q: How will office hours be run?
Office hours will follow a similar format as class.
Q: Am I required to buy the textbook? What if I have a different version of the book?
Our textbook is required in the sense that I will often assign readings from the book, and you are expected to understand that material.
Q: What programming languages & tools will we use for programming assignments in this class?
We will use a variety of tools and programming languages this semester. Most of the code we will read and write is either C/C++ or Python. We will spend quite a bit of time at the command line and potentially writing shell scripts (e.g., Bash). We will also likely make use of other tools for exploration or to make our lives easier (e.g., Angr, WinDbg, VMWare/VirtualBox, Git/GitHub, ...). Needing to use a wide range of tools and languages is sort of an occupational hazard in computer science, and more so in the world of a security practitioner. If you find yourself struggling with a language or tool needed in this class, please don’t hesitate to ask for help.
Q: What are exams like in this class?
Multiple answers, multiple choices problems and short answer problems.
Q: Why are we using Slack for class communication instead of D2L or Piazza?
A few reasons: (1) This has worked great in my past courses that have used Slack; (2) This is a much nicer way to facilitate online collaboration and teamwork; and (3) Most students will not use a proper learning management system (LMS) such as Brightspace/D2L, Blackboard, or Canvas after they receive their diplomas. On the other hand, students will almost certainly use a collaboration tool at some point in their careers. Why not introduce one of the most powerful and popular ones used today while you are still in school? :-)
Q: I don’t have all of the required/recommended prerequisites - can I take this class?
I’m typically supportive of students that wish to enroll in the course even if they do not satisfy all of the recommended prerequisites, so long as you understand that you may need to talk with me and/or do additional work independently to make sure you are adequately prepared for assignments.
If you haven’t taken one of the recommended prerequisites, you might consider looking over resources from a recent offering of that class here at MSU or online elsewhere. For example, review the faculty at MSU - if you click into their faculty page (and perhaps their websites) you can see the courses they’ve recently taught; they likely have links to past classes that are available or you can contact them to inquire further. Alternatively, checkout resources from FreeCodeCamp’s List of 500 Free Computer Science Courses from the World’s Top CS Universities or specific online learning platforms such as Coursera, Udemy, edX, or Khan Academy (to name a few).
Feel free to touch base as we get into the semester to discuss any concepts that are unclear.
Q: Help! This stuff is hard… How can I get help in this class?
One of the best ways to get help is to participate in office hours. You are always welcome to come to my office hours and/or TA office hours as often as you like. To get the most out of office hours, you might like reading How To Ask Questions The Smart Way, by Eric Steven Raymond. Please note that I won’t merely provide answers to assignments. I believe in the Socratic method and often answer students’ questions with questions. All of this is to say: come ready to chat :-)
Knowing the proper way to ask for help is a vital skill. Generally, people are more willing and able to help you when you are clear and concise in your communication. I encourage you to practice this skill in our class!
Some specific tips for asking for help:
- Start by posting conceptual questions to public channels in our Slack workspace.
» You are more likely to get a fast response than you are if you send a message to one specific person. - When you need to discuss code, send a DM on Slack to Fangtian and/or the TA(s).
» Be as specific as possible about (1) what you are trying to accomplish, (2) what you’ve already tried, and (3) what you think the problem could be. - Regularly push code to GitHub.
» This enables Fangtian and the TA(s) to review your code and be more equipped to help. - If a Makefile is relevant, have your Makefile put together ASAP.
» This helps you and Fangtian and/or the TA(s) easily build your code in a consistent way. - Make sure your code is commented and formatted consistently.
» Anything you can do to help YOU and Fangtian and/or the TA(s) navigate your code, makes us all more effective in troubleshooting issues! - Start early / ask questions early!
» The hours leading up to the deadline is the wrong time to be getting started…
This website is a living document. Your feedback is always appreciated regarding typos, suggestions for clarifications, etc.