Final Project

As mentioned in the syllabus, you will have to complete an individual final project for this course. The project can be on any topic as long as it involves at least one of the six high-level skills that we go over in this course.

This is your chance to specialize and apply the skills we're teaching you to a problem that you think is interesting. What I'm asking is that you document what you do and share it with the class so all of us can benefit. This 'documentation' can be a paper, an advisory, a walkthrough, or commented code. It doesn't matter how long it is, as long as it teaches us something.

The goals for your final project are to:

  • Allow you to explore whichever technical skill you're most interested in
  • Display your mastery of at least one such technical skill
  • Document your experience for others like you to follow and learn from

Project proposals are due by the 4th week of class, leaving 8 weeks to actually research and work on it. I'm well aware that this is a limited amount of time for overworked students and I'm not expecting a master's thesis to come out of this project. Look at some of the example projects below and past student work for an idea of the scale that is appropriate.

Example Final Projects

If you're not sure what you want to do for a final project, you can look through past projects that students have done or maybe an idea below will spark your interest.

----- BEGIN BRAIN DUMP -----

Source code analysis

  • Review the source code of an open-source project and prepare a report that documents the issues you found.
  • Write a lightweight source code scanner for any language (check out Microsoft Phoenix)
  • Write an application that demonstrates a wide array of general and language-specific vulnerabilities (maybe something I can use next semester!)

Reversing

  • Reverse previously unknown malware, part of a closed-source application, or an undocumented network protocol (beware the legality)
  • Write an Immunity Debugger script to do something useful
  • Complete a reversing challenge and document the solution, such as: http://www.t2.fi/challenge/

Exploitation

  • Write your own shellcode for ARM, SPARC, or another architecture with any OS
  • Convert 2 milw0rm.com proofs of concept into fully polished Metasploit modules
  • Document one of Metasploit's new features, identify its limitations, and come up with improvements
  • Demonstrate techniques to gain execution other than jumps to esp (SEH overwrites, heap overflows, format strings, etc.)
  • Write meterpreter scripts for post-exploitation (ideas: http://www.offensivecomputing.net/?q=node/845)
  • Research and demonstrate techniques for bypassing HIPS products

Fuzzing

  • Write a new fuzz module for SPIKE, Sulley, or Peach, fuzz something with it, and research your results
  • Improve an existing fuzzer (or bring it into the year 2009's build tools *cough* SPIKE)

Clientsides

  • Develop a framework to facilitate phishing attacks
  • Analyze the security of the Polytechnic SSL VPN. Reverse its ActiveX control, figure out its functionality and its protocols, fuzz it, and identify vulnerabilities in it.

Still more ideas:

  • Analyze the security of any device you can reasonably say you have permission to analyze. Past targets have included a Network Attached Storage device and a Google Android phone.
  • Improve the functionality of a security tool (ideas: sqlmap)