Friday, July 31, 2009

Teaching Reverse Engineering

I'm presenting a paper at the Cyber Experimenation and Test (CSET 2009) workshop, held in conjunction with USENIX Security 2009, on teaching reverse engineering in academia. I'm also presenting a two day tutorial on reverse enegineering for USENIX Security, which is a condensation to bare essentials of the semester-long class on reverse engineering that I teach at the University of New Orleans.

There are a few very important challenges in teaching reverse engineering in an academic setting:

The first is that students will likely show up with poor assembly skills. This is because assembly language courses, if they exist at all as separate courses in a curriculum, are typically full of things that do not help students become better systems people. While High Level Assembler (which drapes assembler in macros that give it a flavor more like a high level language) might be a good idea for development of large scale applications in assembler, it hides details that students *should* be immersed in when learning assembly language. The pain, the attention to myriad minute details, complex interaction with hardware features, et al are essential. For systems research, the devil really is in the details. The punchline is that students will essentially have to be taught deep assembly skills while learning reverse engineering, all in a single semester, which creates important time constraints. More on this below.

Another challenge is not only teaching students about the potential legal ramifications of reverse engineering, but also avoiding these same legal hurdles while teaching the course. In my case, the class is focused exclusively on the analysis of malware, which relieves many of the legal issues, but adds yet another dimension, that of safety for the academic computing environment. My solution is to carefully screen the malware samples that will be analyzed by students in the lab. Since my approach to teaching this course involves detailed walkthroughs of assembler for each malware sample, I have to do exhaustive analysis of the effects of the malware, anyway. As further protection, the laboratory environment consists of an isolate-able gigabit network connecting workstations running Linux and VMWare. Preconfigured Windows XP guests under VMWare are used for most analysis and the guests typically have networking disabled as a safety precaution. The XP VMWare images contain a licensed version of IDA Pro, ollydbg, WinHex, HBGary's Responder, the sysinternals tools, as well as other tools. In the next iteration of the class, we will also use BinDiff and BinNavi.

In the reverse engineering class, I'm not interested in having students learn what reverse engineering is. I want them to be able to *do* reverse engineering. This rules out the traditional academic format of flipping Powerpoint slides and giving exams. The approach I've used for the class, to deal with the fact that students must gain good assembly skills while learning reverse engineering, all in a single semester, is to immerse them immediately in the analysis of real malware samples. The malware that we analyze in the class and in laboratory assignments increases in difficulty as the semester progresses and each sample is chosen to push the students a little harder and to force them to gain more systems knowledge in order to succeed.
An essential component of the class is reliance on a document camera for in-depth walkthroughs of every malware sample, in class. I drive the discussion, but students are expected to participate and what results is a very deep analysis of each sample, which is then distributed to all of the students.

More details on the class and my approach to teaching it can be found in my CSET paper, which is here.

Monday, July 20, 2009


Imagine my surprise (or don't) when I discovered that celery was once a delicacy, and special dishware was created to display your prized vegetable. While I dutifully chop celery for traditional Creole and Cajun recipes, I've never been a huge fan. Enter celeriac. It's not very popular in the US, but the corner store near my apt in Montreal sells celeriac, so I had to give it a try. I've made it several ways, including diced and quickly sauteed in olive oil with fresh sage leaves as well as in a root vegetable mash, with Yukon gold potatoes, olive oil, thyme, sea salt, freshly ground pepper, some chicken stock, and a slosh of whole milk. It's also good raw. Celeriac is yummy, very healthy, and deserves a higher profile on our tables. Here's to one of my new favorite vegetables.

Here's a photo of the celeriac mash:


Friday, June 5, 2009

GNOCIA Approved by the Board of Regents

The Greater New Orleans Center for Information Assurance (GNOCIA), housed in the Department of Computer Science at the University of New Orleans, was just approved by the Louisiana Board of Regents! I will serve as the first director of GNOCIA. The center will focus on digital forensics, malware, and reverse engineering research and will enhance UNO's ability to partner with industry, academia, and government agencies on important projects in these areas. The University of New Orleans has offered a substantial committment to equip the center with state-of-the-art equipment.

Wednesday, May 20, 2009

Every Kitchen Needs...

o Top quality ventilation. My exhaust fan is the size of a small volkswagen.

o A long-handled whisk. OK, several of them.

o Lots of seasoned cast iron.

o A freezer full of homemade stock. Nothing else goes in the freezer except ice cubes and ice cream. Ban the nasty bouillon cubes, man.

o A terrifyingly sharp chef's knife.

o Orange extract.

o Olive oil. Lots of olive oil.

o An open bottle of Gigondas. Or, if you're buying, Chateauneuf du Pape. And a wedge of delice de bourgogne.

There are a few other requirements, but we can mostly make do if these 'ingredients' are available.

Monday, April 27, 2009

Straight, No Chaser

It's possible I'll change my mind, but at least for now, Straight, No Chaser is the ultimate. Current edition: on 5 by Monk by 5, SACD.

Thelonious Monk rewired me long ago.

Tuesday, April 21, 2009

I'm alive

The news:

The University of New Orleans is now designated as a Center of Academic Excellence in Information Assurance Research (CAE-R). We got the news today (April 21).

We have the Scalpel file carving application carving 30 file types at line speed w/ in-place file carving... New release of Scalpel on the way, really. Truly.

I'll be in Montreal at Ecole Polytechnique de Montreal for sabbatical this summer and fall (2009).

The reverse engineering class I've been teaching during Spring 2009 at the University of New Orleans has silenced me. Huge amounts of class prep, but a very nice experience. DOS boot sector virus disassemblies, anyone?

French Quarter Festival was super. The Renard Poche band blew my mind. And Bonerama hardly sucks.

Jazz Fest time. Brass pass in hand.

DFRWS / USENIX Security in Montreal during my sabbatical. I'll be teaching at two day tutorial on (teaching) reverse engineering at USENIX Security.

Wear purple.