Projects

This page aims to be an up-to-date collection of projects that are currently being worked on in the ISIS Lab.  To see a real-time list of projects, see our GitHub.  To see an archive of finished or abandoned projects, see our archive.

For project ideas, see the issue tracker on our Project-Ideas repository.

Taint.py  Kai Wen Zhong
Taint.py is a taint tracing plugin for Immunity Debugger.  It keeps track of taint at the byte level.  Currently, marking/unmarking registers and memory locations is supported, and taint propagation works for a small set of instructions.  Some work has been done to use the VEX IR instead of directly parsing machine code.

Dynamic Entry  Jeffrey Dileo
Makes use of Java dynamic instrumentation to protect web applications running on Apache Tomcat from cross-site scripting attacks.  The approach currently in use is to instrument Tomcat so that org.apache.catalina.connector.RequestFacade, the implementer of the HttpServletRequest interface (from the Java EE servlet API), is wrapped with sanitizing code that escapes potentially dangerous characters into their HTML entities.  This is done by adding a sanitizer method to the class at runtime and instrumenting the class's methods to use it.
GitHub:  https://github.com/isislab/DynamicEntry

HSDis  Kai Wen Zhong
HSDis is a call graph generator written in JavaScript.  It was written as an aid for Haxathon CTF.  This tool parses the output from the disassembler that was provided, breaks the code down into basic blocks and renders them.  Only the HS instruction set is supported currently, but ARM support is being worked on.

Reverse Engineering Software  Evan Jensen, Kevin Chung, Joshua Alexander, Omar Ahmed, and Julian Cohen
License authentication algorithms are perhaps among the most protected pieces of software available.  The purpose of this project is to shed some light on the internal workings of key authentication algorithms without getting sued.  We accomplish this goal by reverse engineering fake anti-virus malware.  Such malware often urges victims to purchase a license key so that the fake threats can be removed.  By reverse engineering the key authentication algorithm used in malware, we hope to examine the complexity of commercial algorithms without damaging any legitimate enterprise.

Developing Debugger Assistance Tools  Rey Cortes, Paolo Soto, and Jim Klopchic
Program debugging and crash analysis are not trivial tasks.  The lab regularly writes scripts for IDA Pro, WinDbg, Immunity Debugger, and gdb to help with analysis of applications.
Pop Pop Ret Finder:  http://isisblogs.poly.edu/2012/01/04/pop-pop-ret-finder/
Writing into Process Memory in gdb:  http://isisblogs.poly.edu/2011/04/26/gdb-tricks/

Exploitation Mitigation Techniques  Julian Cohen, Luis Garcia, and Rey Cortes
Over the past decade, exploitation mitigations have been making exploitation harder for attackers.  There’s been a seemingly endless battle between exploit developers getting smarter with exploitation, and security engineers getting trickier with mitigations.  The lab follows this battle very closely, conducting research on new and existing exploitation mitigations and how to defeat them.
FORTIFY_SOURCE Semantics:  http://isisblogs.poly.edu/2011/04/11/fortify_source-semantics/
RELRO: RELocation Read-Only:  http://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
Gera’s Insecure Programming Format String #5 (ASLR Bypass):  http://isisblogs.poly.edu/2011/09/09/geras-insecure-programming-format-string-5-aslr-bypass/
Gera’s Insecure Programming warming up stack #1 (ROP NX/ASLR Bypass):  http://isisblogs.poly.edu/2011/10/21/geras-insecure-programming-warming-up-stack-1-rop-nxaslr-bypass/
SEH Record Exploitation:  http://isisblogs.poly.edu/2011/11/23/seh-record-exploitation/
Gera’s Insecure Programming Advance Buffer Overflow #1 (ROP NX/ASLR Bypass):  http://isisblogs.poly.edu/2011/11/27/geras-insecure-programming-advance-buffer-overflow-1-rop-nxaslr-bypass/

Net Sensor  Boris Kochergin
This project aims to be a general-purpose, modular network-analysis suite for use in research, diagnostics, forensics, and statistics-gathering.  It monitors traffic on an Ethernet interface, performs some preprocessing on it--such as figuring out where a packet's payload begins--and passes it along to any number of modules.  A module is an ELF shared object which may maintain state, write data out to disk using the Berkeley DB-backed Writer library, or send e-mail using the SMTP library.  In addition to processing packets from the network, a module can also accept input from any number of other modules.

ARP Counterattack  Boris Kochergin
This program aims to detect and remedy "ARP attacks." It monitors traffic on any number of Ethernet interfaces and examines ARP replies and gratuitous ARP requests. If it notices an ARP reply or gratuitous ARP request that is in conflict with its notion of "correct" Ethernet/IP address pairs, it logs the attack if logging is enabled, and, if the Ethernet interface that the attack was seen on is configured as being in aggressive mode, it sends out a gratuitous ARP request and a gratuitous ARP reply with the "correct" Ethernet/IP address pair in an attempt to reset the ARP tables of hosts on the local network segment. The corrective gratuitous ARP request and corrective gratuitous ARP reply can be sent from an Ethernet interface other than the one that the attack was seen on. All configuration parameters reside in arpCounterattack.conf.
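How the conflict check and the corrective gratuitous request/reply described above might be written, as an added example (this is not ArpCounterattack's own code; the frame fields, interface names, the aggressive-mode set, the per-interface "send corrections from" mapping and the sample traffic are all assumptions constructed for illustration):

```python
from dataclasses import dataclass, field

@dataclass
class ArpFrame:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    iface: str       # interface the frame was seen on (or will be sent from)

    def is_gratuitous_request(self) -> bool:
        # A gratuitous ARP request announces the sender's own IP: target IP == sender IP.
        return self.op == "request" and self.sender_ip == self.target_ip

@dataclass
class ArpMonitor:
    correct: dict                                     # "correct" IP -> MAC pairs (assumed config)
    aggressive: set = field(default_factory=set)      # interfaces allowed to send corrections
    correct_from: dict = field(default_factory=dict)  # seen-on iface -> iface corrections go out of
    log: list = field(default_factory=list)

    def observe(self, f: ArpFrame) -> list:
        """Check one frame; return the corrective frames to send (empty if none)."""
        if f.op != "reply" and not f.is_gratuitous_request():
            return []                                 # ordinary who-has requests are not examined
        expected = self.correct.get(f.sender_ip)
        if expected is None or expected.lower() == f.sender_mac.lower():
            return []                                 # unknown host or matching pair: no conflict
        self.log.append(f"{f.iface}: {f.sender_ip} claimed by {f.sender_mac}, expected {expected}")
        if f.iface not in self.aggressive:
            return []                                 # log-only interface
        out = self.correct_from.get(f.iface, f.iface)
        # Corrective gratuitous request + gratuitous reply carrying the correct pair.
        return [ArpFrame("request", f.sender_ip, expected, f.sender_ip, out),
                ArpFrame("reply", f.sender_ip, expected, f.sender_ip, out)]

# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    ArpFrame("reply", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.50", "eth0"),   # legitimate gateway reply
    ArpFrame("reply", "10.0.0.1", "DE:AD:BE:EF:00:01", "10.0.0.50", "eth0"),   # conflicting reply, eth0 aggressive
    ArpFrame("request", "10.0.0.2", "de:ad:be:ef:00:02", "10.0.0.2", "eth1"),  # conflicting gratuitous request, eth1 passive
    ArpFrame("request", "10.0.0.50", "00:11:22:33:44:50", "10.0.0.1", "eth0"), # ordinary who-has, ignored
]

def run_sample():
    mon = ArpMonitor(correct={"10.0.0.1": "00:11:22:33:44:01", "10.0.0.2": "00:11:22:33:44:02"},
                     aggressive={"eth0"}, correct_from={"eth0": "eth2"})
    sent = [c for frame in SAMPLE_FRAMES for c in mon.observe(frame)]
    return mon.log, sent
```

Running run_sample() logs both conflicts but only emits corrections for the eth0 event, and sends them from eth2 rather than the interface the conflict was seen on.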

Virtual Lab  Vikram Padman, Efstratos Gavas, and Nasir Memon
One of the main impediments to establishing an IA program is the requirement of a laboratory facility that will reinforce concepts taught in class with hands-on experiences. This is due to the fact that an IA lab is difficult to build and maintain, as it needs to be dedicated and isolated and cannot be part of a general-purpose campus laboratory. Many schools cannot afford a separate laboratory just for an IS course. For this project, we are working on the design of a virtual laboratory that will allow multiple institutions to share one physical laboratory. This design was done as part of an NSF capacity building project to establish a centralized laboratory facility at Poly that can be used by other schools in the tri-state area surrounding New York. By virtual laboratory, we mean a laboratory that can be accessed via the Internet through a browser interface. In addition to being remotely accessible, the virtual laboratory is also remotely configurable, thereby allowing each individual member of the consortium to independently provision the required hosts and network components and configure them as needed for the specific hands-on assignment being performed by their students.
Sponsors:  NSF

The ISIS Lab CTF Team is an ongoing project that we take very seriously.  :)