project-ideas's Issues

Wikipedia: Write the GOT and PLT entries

Pretty self explanatory. Wikipedia doesn't have these articles and they are pretty important. Writing them will demonstrate you have a clear working knowledge of dynamic linking and runtime behavior and your work will be seen by many people.

Burp Fuzzing Plugin

Burp plugin to use Burp Repeater functionality to fuzz web applications.

The plugin needs to:

  • generate lists of POST/GET data
  • send items from lists of payloads to sites

The documentation for Burp Extender is poor and the approach for writing this plugin is unclear. Work needs to be done in deciphering the documentation, scripting Burp Repeater to submit requests programmatically, and keeping track of requests and their corresponding responses.

http://portswigger.net/burp/extender/

The plugin can be written in Java, Jython, or JRuby. Most likely given the preferences in the lab, Jython will be chosen as the plugin language. In addition, it is probable that the Burp Extender demo extensions will be of more assistance than the Extender documentation if you choose to use Jython or JRuby.

Write a synopsis of a report or conference paper

Improve the state of S/MIME in e-mail clients

E-mail clients like Thunderbird and Mail.app support S/MIME out of the box but various essential components are missing.

For example, e-mails aren't automatically upgraded to encrypted when Thunderbird detects that a public key for the recipient exists in your keystore. Various other conditions lead to many e-mails being sent that you may believe are signed and encrypted but are not. This functionality could be investigated in the open-source Thunderbird repository and changed or added to.
https://www.mozilla.org/en-US/contribute/
https://wiki.mozilla.org/Thunderbird

As another example, attackers may find an unscrupulous CA to sign a CSR and get an S/MIME cert in the name of a friend of yours. Mail.app provides little to no facilities to check whether the S/MIME cert used by a third party is the one you expect. It's not possible to view the certificate used to sign a message from the message display, compare it to previous certificates used by that sender, or check that the keys used were strong enough to resist cracking. Changing this functionality would require developing a plugin, similar to GPGTools' GPGMail, which is open source and might serve as a template.
https://github.com/GPGTools/GPGMail
https://developer.apple.com/library/mac/#documentation/CoreFoundation/Conceptual/CFBundles/Introduction/Introduction.html

Develop malware that could be used for research purposes

Possible design goals

  • Detectable malware
  • Stealthy malware
  • APT-like malware
  • Design undetectable malware

Use cases

  • Reverse obfuscated or otherwise stealthy malware
  • Detect malware by traditional techniques
  • Discover malware by detecting APT indicators
  • Design security mechanisms that prevent this malware from operating

Static analysis tool to search for period/comma typos.

In European countries, ',' and '.' are reversed when used to delimit thousands/the decimal. This could be the source of a few bugs out there. Write a static analysis tool that looks for these bugs.

One possible approach is to search for the pattern /(,|\.)\d{3}/, i.e. a separator followed by exactly three digits. Note that the period has to be escaped: an unescaped '.' in a regex matches any character, so /(,|.)\d{3}/ would fire on every run of three digits.

Some other notes:

  • Look for locations where a function is receiving more arguments than it expects (Perl, Ruby?).
  • Python lists (a = 1,000)
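The following is an added example of such a checker (not code from the original issue). It implements the regex idea above for any source language, with the period escaped so it matches a literal '.', and adds a Python-specific token scan for the "a = 1,000" case, which is legal Python but evaluates to the tuple (1, 0) rather than the number one thousand. The sample input is constructed for the demonstration.

```python
"""
Toy static checker for thousands/decimal separator mix-ups. Added example,
not code from the original issue. It does two things:
  1. a language-agnostic regex scan for number literals that carry a
     separator followed by exactly three digits (the issue's /(,|.)\\d{3}/ idea,
     with the '.' escaped so it matches a literal period, not any character);
  2. a Python-specific token scan: `a = 1,000` is legal Python but builds the
     tuple (1, 0), so NUMBER ',' NUMBER with no space around the comma and a
     three-digit second number is reported as a probable typo.
"""
import io
import re
import tokenize

# 1,000 / 1.000 / 12.345.678 standing alone (not glued to an identifier or a longer number)
SEPARATED_NUMBER = re.compile(r"(?<![\w.])\d{1,3}(?:[,.]\d{3})+(?![\w])")


def find_separated_numbers(src):
    """Language-agnostic scan: (line, literal, separator) for every candidate."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in SEPARATED_NUMBER.finditer(line):
            literal = m.group(0)
            hits.append((lineno, literal, "," if "," in literal else "."))
    return hits


def find_tuple_typos(src):
    """Python-specific scan: `1,000` written without spaces parses as a tuple, not a number."""
    hits = []
    try:
        toks = list(tokenize.generate_tokens(io.StringIO(src).readline))
    except (SyntaxError, tokenize.TokenError):
        return hits                       # not Python source; the regex scan still applies
    for num, comma, rest in zip(toks, toks[1:], toks[2:]):
        if (num.type == tokenize.NUMBER and comma.string == ","
                and rest.type == tokenize.NUMBER
                and num.end == comma.start and comma.end == rest.start   # no whitespace
                and re.fullmatch(r"\d{3}", rest.string)):
            hits.append((num.start[0], num.string + "," + rest.string))
    return hits


def report(src, python=True):
    """Human-readable findings; the tuple scan is only meaningful for Python files."""
    lines = [f"{ln}: {lit!r} uses {sep!r} before three digits: thousands or decimal?"
             for ln, lit, sep in find_separated_numbers(src)]
    if python:
        lines += [f"{ln}: {lit!r} is a tuple, not a number"
                  for ln, lit in find_tuple_typos(src)]
    return lines


# Constructed sample input (not real code)
SAMPLE_PY = """\
budget = 1,000      # intended one thousand; Python builds the tuple (1, 0)
ratio = 3.141       # three decimals look like a thousands group: flagged by the regex only
coords = 10, 20     # a real tuple with spaces, not reported by the token scan
price = 19.99       # ordinary decimal, no report
"""

if __name__ == "__main__":
    for line in report(SAMPLE_PY):
        print(line)
```

The regex scan is deliberately noisy (a genuine three-decimal float such as 3.141 is reported too) because the issue is about finding candidates for review; the token scan is the precise check, and it only exists because Python's grammar turns the typo into a different, valid program.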

How Can We Teach Dense, Technical Material To A Wide Range of Students?

Some students are self-starters, others need their hand held every step of the way. Some students need to hear it, others just need to touch it, and some need to see concepts demonstrated over and over again.

What can we do so Hack Night, and our other publicly available materials are useful for everyone?

Automatic or Manual Networking Mapping

Idea from Thomas Reddington.

Mapping a network from the perspective of an external attacker or an internal attacker. The lab has expertise in many areas of networking, and this expertise can be turned into a stealthy, sensitive information gathering tool that's useful for both offense and defense.

New Student Orientation Materials

What information do new students need to be exposed to in order to be high-functioning members of the ISIS Lab and the information security industry?

Blog Post on Type Confusion and Content Sniffing

Ad Exchange vulnerability assessment

Web application software made for serving advertisements, like OpenX, is among the most exploited on the internet due to the large volume of web traffic it comes in contact with. Criminals frequently exploit these systems to redirect this flow of traffic towards a crimeware pack like the Blackhole Exploit Kit. Much of this software was written years ago in PHP and has not been the subject of close study.

Perform a targeted assessment of these web applications with an eye towards vulnerabilities that can result in a server compromise.

Develop a lightweight debugger for educational purposes

Writing a debugger can be an enlightening process. This project will help you understand how debuggers interface with the operating system to allow program debugging. It will also teach you the techniques debuggers need to use to provide simple and complex debugging features.

This project is related to project #14.

@isislab/jewdbg.

Ozone Platform Security Audit

https://www.owfgoss.org/

https://github.com/ozoneplatform/owf

The Ozone Widget Framework, a government developed application for widget development is available on GitHub under version 2.0 of the Apache license. The Defense Department was under a year-end congressional deadline to release the code as open source; its developers describe it in the ReadMe as "basically a glorified web portal engine, with the unusual characteristic that the content within the portal (i.e. the widgets) is decentralized."

Security researchers could look at how security is implemented in this framework and check whether any vulnerabilities exist.

Wireshark vulnerability research

http://www.wireshark.org/
http://www.wireshark.org/develop.html
http://www.wireshark.org/docs/wsdg_html_chunked/
https://bugs.wireshark.org/bugzilla/
https://bugs.wireshark.org/bugzilla/buglist.cgi?quicksearch=fuzz

Methodology

This methodology assumes you have already completed the Hack Night curriculum.

  • Find a previously patched security vulnerability in the bug tracker.
  • Analyze this vulnerability until you understand it completely. This will help you to start understanding the code base and get you familiar with how this type of bug manifests in the target application.
  • Exploit this vulnerability or continue onto the next step.
  • Choose a method to find new bugs in the target application (Also see Finding Bugs below):
  • Report and/or exploit the bug you found in the target application.

Finding Bugs

Remember to always focus on the easiest way to find bugs first. This might change from project to project, but here's a guide.

  • Start with a dumb fuzzer. It's easy to set up and it might find low-hanging fruit.
  • Search for vulnerable API calls, either through source code analysis or reverse engineering.
  • Do an operational review of the target application, find out what libraries it uses and how the application is designed to be used.
  • Figure out how the target application is architected and start learning more about where input enters the program and how input is structured.
  • Once you start learning about how input is structured, you can use a smarter fuzzer, or build your own fuzzer.
  • Keep learning more about the target application to find interesting parts of the program that might have unsafe functionality or hidden bugs.
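As an added example of the "start with a dumb fuzzer" step (not Wireshark project code), the script below builds a small constructed pcap in memory, flips random bytes inside the packet data while leaving the pcap framing intact so the file still opens, writes a corpus to disk, and runs each case through `tshark -r ... -V`, recording any run that dies with a signal. The frame contents and the `corpus` directory name are illustrative assumptions.

```python
"""
Dumb mutational fuzzer for pcap files, aimed at a file-reading front end
such as `tshark -r`. Added example, not code from the Wireshark project.
The pcap global header and per-record headers are never touched, so every
case is a well-formed capture whose packet bytes are corrupted.
"""
import os
import random
import shutil
import struct
import subprocess

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4/UDP frame (illustrative fields, not a real capture)."""
    eth = bytes.fromhex("ffffffffffff" "000102030405" "0800")
    payload = b"hello dissector"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 5353, 5353, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    frame = eth + ip
    rec = PCAP_REC_HDR.pack(0, 0, len(frame), len(frame)) + frame
    return PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + rec


def iter_records(data):
    """Yield (payload_offset, caplen) for each record; the framing itself is never mutated."""
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(data):
        _, _, incl_len, _ = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        yield off, incl_len
        off += incl_len


def mutate_pcap(data, seed=0, flips=8):
    """Flip `flips` random payload bytes; headers and length fields stay valid."""
    rng = random.Random(seed)
    buf = bytearray(data)
    spans = [(o, n) for o, n in iter_records(data) if n > 0]
    for _ in range(flips):
        off, n = rng.choice(spans)
        i = off + rng.randrange(n)
        buf[i] ^= rng.randrange(1, 256)     # xor with a non-zero value so the byte really changes
    return bytes(buf)


def write_corpus(out_dir, seed=0, count=50, flips=8):
    """Write `count` mutated cases derived from the sample capture; returns their paths."""
    os.makedirs(out_dir, exist_ok=True)
    base = build_sample_pcap()
    paths = []
    for i in range(count):
        path = os.path.join(out_dir, f"case-{seed}-{i:04d}.pcap")
        with open(path, "wb") as f:
            f.write(mutate_pcap(base, seed * 100_000 + i, flips))
        paths.append(path)
    return paths


def run_tshark(path, timeout=10):
    """Run `tshark -r path -V`; returns the exit status (negative means killed by that signal)."""
    proc = subprocess.run(["tshark", "-r", path, "-V"], capture_output=True, timeout=timeout)
    return proc.returncode


if __name__ == "__main__":
    cases = write_corpus("corpus")          # assumed output directory
    if shutil.which("tshark") is None:
        print(f"wrote {len(cases)} cases; install tshark to run them")
    else:
        for case in cases:
            rc = run_tshark(case)
            if rc < 0:
                print(f"CRASH (signal {-rc}): {case}")   # keep the file for triage
```

Keeping the framing intact is the one piece of "smartness" worth having in a dumb fuzzer: a corrupted global header is rejected before any dissector runs, so those cases teach you nothing. Once the methodology above has you understanding how input is structured, the same loop can be fed with protocol-aware mutations instead of byte flips.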

Android's Binder Vulnerability Research

Abstract:
Android's Intents are a way of communication between an app's components. The communication can be within a single app or with other apps in the system. Intents are a two-layer abstraction over the actual Inter-Process Communication (IPC) mechanism being performed at the low level (kernel). The Binder kernel module in Android's architecture is responsible for all IPC. It would be interesting to see how the marshaling and un-marshaling take place; if any vulnerability is present, it could lead to intents being passed to apps other than the intended ones, or worse, to arbitrary code execution.

Short-Term Goals:

Long-Term Goals:

  • Bug hunting in the Binder module, with a potential exploit

Reference:

Attacker Classification Blog Post

Using publicly available information about different groups of attackers and their motives, build a taxonomy of different types of attackers and their motives, capabilities, resources, growth, and more.

Make sure to follow standard principles of economics, like an actor will take the path of least effort/resources/sophistication to achieve their goal. For instance, crimeware groups who are stealing bank account information don't need to use 0-day to install their malware so chances are, they won't.

This project is designed to help show laymen how and why attackers operate the way they do. And also to prevent bullshit and lies from ending up in the New York Times. :)

Bug Bounty Programs

!exploitable Crash Analyzer Research

msec.dll is open source.
http://msecdbg.codeplex.com/

  • Figure out how it works.
  • How accurate is it?
  • How much information does it use to determine exploitability?
  • How many different bug classes does it take into consideration when determining exploitability?
  • Try to improve its accuracy.

Static or dynamic analysis tool to search for cross site scripting vulnerabilities

http://en.wikipedia.org/wiki/Cross-site_scripting
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

This project can yield a tool specific to a web programming language:

  • PHP
  • Java
  • ASP.NET
  • Ruby
  • Python
  • Perl
  • C/C++

This project could also yield a tool that works across platforms.

This could be a simple standalone tool or an add-on to an existing static analysis framework, such as:

This could also be written as a rule for a commercial static analysis engine, such as:
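As an added example of the language-specific variant (not a tool from the original issue), here is a minimal intraprocedural taint checker for reflected XSS in Python/Flask views. It treats reads of `request.args`, `request.form` and similar as taint sources, `escape()` as the sanitizer, and a tainted `return` from an `@app.route` view or a tainted argument to `render_template_string`/`Markup`/`Response` as the sink. The Flask app it scans is constructed for the demonstration.

```python
"""
Minimal intraprocedural taint checker for reflected XSS in Flask views.
Added example, not part of the original issue. It is an over-approximation:
any call other than escape() is assumed to pass taint through.
"""
import ast

SOURCE_PREFIXES = {"request.args", "request.form", "request.values",
                   "request.cookies", "request.headers"}
SANITIZERS = {"escape", "flask.escape", "markupsafe.escape", "html.escape"}
SINK_CALLS = {"render_template_string", "flask.render_template_string",
              "Markup", "flask.Markup", "markupsafe.Markup",
              "Response", "flask.Response", "make_response", "flask.make_response"}


def dotted(node):
    """'request.args.get' for an attribute chain rooted at a Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_source(node):
    """request.args.get(...) / request.form[...] and friends."""
    if isinstance(node, ast.Call):
        d = dotted(node.func) or ""
        return d.endswith(".get") and d[:-4] in SOURCE_PREFIXES
    if isinstance(node, ast.Subscript):
        return dotted(node.value) in SOURCE_PREFIXES
    return False


def is_sink_call(node):
    return isinstance(node, ast.Call) and dotted(node.func) in SINK_CALLS


def is_tainted(node, tainted):
    """Does this expression carry request data that has not passed through escape()?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if is_source(node):
        return True
    if isinstance(node, ast.Call):
        if dotted(node.func) in SANITIZERS:
            return False
        # every other call (str(), .format(), .upper(), ...) is assumed to propagate taint
        return (any(is_tainted(a, tainted) for a in node.args)
                or any(is_tainted(k.value, tainted) for k in node.keywords)
                or (isinstance(node.func, ast.Attribute) and is_tainted(node.func.value, tainted)))
    if isinstance(node, ast.BinOp):                 # "..." + x, "..." % x
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):             # f"...{x}..."
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, (ast.Subscript, ast.Attribute)):
        return is_tainted(node.value, tainted)
    return False


def _scan(stmts, tainted, is_view, findings):
    """Walk statements in source order, tracking which local names hold tainted data."""
    for s in stmts:
        if hasattr(s, "body"):                      # compound statement: descend in order
            for attr in ("body", "orelse", "finalbody"):
                _scan(getattr(s, attr, []), tainted, is_view, findings)
            for h in getattr(s, "handlers", []):
                _scan(h.body, tainted, is_view, findings)
            continue
        if isinstance(s, ast.Assign):
            names = [t.id for t in s.targets if isinstance(t, ast.Name)]
            if is_tainted(s.value, tainted):
                tainted.update(names)
            else:
                tainted.difference_update(names)    # overwritten with clean data
        elif (isinstance(s, ast.Return) and is_view and s.value is not None
                and not is_sink_call(s.value) and is_tainted(s.value, tainted)):
            findings.append((s.lineno, "request data returned in the response without escape()"))
        for node in ast.walk(s):
            if is_sink_call(node) and any(is_tainted(a, tainted) for a in node.args):
                findings.append((node.lineno, f"tainted argument passed to {dotted(node.func)}()"))


def find_xss(src):
    """Return sorted (line, message) findings for every function in the module."""
    findings = []
    for func in ast.walk(ast.parse(src)):
        if isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            is_view = any(isinstance(d, ast.Call) and (dotted(d.func) or "").endswith(".route")
                          for d in func.decorator_list)
            _scan(func.body, set(), is_view, findings)
    return sorted(set(findings))


# Constructed sample application (not real code)
SAMPLE_APP = '''\
from flask import Flask, request, escape, render_template_string
app = Flask(__name__)

@app.route("/hello")
def hello():
    name = request.args.get("name", "")
    return "<h1>Hello " + name + "</h1>"          # line 7: reflected XSS

@app.route("/safe")
def safe():
    name = request.args.get("name", "")
    return f"<h1>Hello {escape(name)}</h1>"       # line 12: escaped, no finding

@app.route("/tmpl")
def tmpl():
    page = "<p>%s</p>" % request.form["msg"]
    return render_template_string(page)          # line 17: request data becomes the template

def helper():
    return request.args["x"]                      # not a view; not reported
'''

if __name__ == "__main__":
    for lineno, msg in find_xss(SAMPLE_APP):
        print(f"line {lineno}: {msg}")
```

The checker is intentionally small: it has no interprocedural analysis, no path sensitivity, and it trusts `escape()` blindly, which is exactly the set of limitations a real tool in this project would need to address next. Extending it to another language on the list above means swapping the parser and the source/sanitizer/sink tables, not the propagation logic.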
