Instructor: Wu-chang Feng
Class: T/Th 2:00pm-3:50pm EB 325
Contact and discussion:

• DM @wuchang pdx-cs.slack.com
• Post on channel #cs492
• In-class questions/feedback anonymously sayat.me

Office hours: here at Code Party
Required textbook

• Practical Malware Analysis, Sikorski and Honig, No Starch Press, 2012.  ISBN-13: 978-1-59327-290-6.

Resources

• Slides and labs Google Drive
• Lecture screencasts on MediaSpace
• CS 205 Review screencasts
• Accounts on linuxlab (FAB 88-09, 88-10)
• Lab VM at https://.../492_WinXP_x86.ova
• Course reviews
• Google's write-up

Lab notebook
Throughout the quarter, you will be maintaining a lab notebook that records your progress on lab assignments using any word document application that you are comfortable with such as a Google Doc (recommended), a Microsoft Word document, or a LibreOffice document. The lab notebook that will contain your write-ups of each lab. The write-up should only include answers to any questions and screenshots of the completed work (via gnome-screenshot, gimp, Print Screen, etc.) as listed in the bulleted lists associated for each lab on the lab site. You do not need to include those from the textbook's lab walkthroughs. The notebook will be graded using the following rubric:

• Thoroughness and clarity of the write-ups.
• Inclusion of your OdinId in all screenshots that are requested
• Inclusion of a table of contents linking to individual labs completed

While you are encouraged to work together on labs, each student must submit an individual notebook at the end of the quarter. Any notebooks found with shared screenshots will result in a 0 for both notebooks.

Homework (MetaCTF)
For homework, we will be applying the concepts learned in the labs to Linux binaries. Assignments are to be done individually at the following sites: cs492.oregonctf.org and angr.oregonctf.org. Binaries are unique to each student and no collaboration is allowed. The binaries implement a set of capture-the-flag challenges that require you to reverse engineer a set of binary executables. Each binary asks for a password that will unlock it and print "Good Job". While you will be running binaries on your own machine, answers to each should be submitted at the above site. To download binaries on a Linux x86 machine, do the following:

mkdir metactf; cd metactf; virtualenv -p python3 env
source env/bin/activate
pip install requests bs4
wget http://thefengs.com/wuchang/courses/cs492/meta_dl.py
python meta_dl.py cs492.oregonctf.org username password

If you wish, instead, to run the binaries on a Ubuntu VM of your own, directions for doing so are here. Note that you must ensure that radare2 and the 32-bit libraries are installed on the VM by performing

sudo apt-get install gcc-multilib radare2

• Understand the underlying mechanisms used by malware on compromised systems.
• Understand counter-measures that detect malware.

• Understand techniques malware uses to circumvent and evade detection and analysis
• Develop skills to monitor the behavior of malware safely.
• Develop skills to reverse-engineer malware

Grading

Attendance	5%
Homeworks	30%
Lab notebook	35%
Final project	30%

Academic misconduct

• Includes allowing another student to copy your work unless specifically allowed by the instructor.
• Results in a grade of 0 for the assignment or exam.
• Results in the initiation of disciplinary action at the university level.