
A class with such promise...

This semester I was pretty excited about taking 6.858 --- "Computer Systems Security". I thought there was a decent chance that I'd find security interesting.

A week into the class, I was even more excited --- the first lab had consisted of developing three exploits for a toy web server, which had been both fun and educational --- besides practical security lessons, I also got a much better understanding of C, assembly, gdb, the stack, and related relatively low-level things. That week was particularly successful in teaching about those things, since I'm also taking 6.828 (Operating Systems), and the first lab in that class was largely about familiarizing ourselves with the same sort of ideas. Also, I hadn't had much exposure before --- I nominally learned C a long time ago, but except for a bit of Barnowl hacking a couple of years ago, I haven't touched it since (and never touched it much). C --- much less assembly --- and gdb were hence things that were way lower-level than anything I'd worked with in my recent, Python- and PHP-dominated, activities.

Unfortunately, the class went downhill from there. My interest in defending against buffer overflows by restricting the execution path had been basically satisfied by the papers we'd read, and Lab 2 was largely a painful fight to learn an unfamiliar API rather than a fun challenge. Lab 3 was sort of decent, though privilege separating a webapp gets tedious pretty quickly.

Going into Lab 4A, I had high hopes that it would be more fun. It was about implementing four different types of web application attacks, which sounded a lot like the first lab, which I'd liked so much. I'm not totally sure why, but it didn't really turn out to be as fun as I'd hoped. Partially, I think that's because it felt too API-driven --- a lot of time was spent trying to figure out how to make a POST from Javascript, or finding what HTML element or attribute I could stick my Javascript into. I think that the buffer overflow exploitation lab had had a much simpler available API --- a list of syscalls and glibc functions, and not a whole lot else that mattered much...

*shrug* Ah, well. At least 6.828 continues to be pretty awesome.

Categories:

  • Computers
  • School/Educational
  • Journal

More stuffs

s/and gdb we hence things/and gdb were hence things/ s/sort of decent/sort-of decent/ s/privilege separating/privilege-separating/ (well, actually not so sure about that one) s/API-driven -- a lot/API-driven: A lot/ s/available API -- a list/API available: a list/

Categories:

  • Serious


Alex·Dehnert