Software Security Study Group Report 

Week 1

In the first week of our Software Security Study Group, we started with some examples from classical cryptography, such as the shift cipher and the Vigenère cipher. We discussed their weaknesses and how they differ from modern cryptography. We also defined "Perfect Secrecy" and proved that, when used correctly, the one-time pad is actually secure.

In the second part of our study group, we focused on Low-Level Security. First we explained the memory layout, how the stack and heap work, and how functions are called and return. Then we talked about how buffer overflows can be used, how protections against buffer overflows can be bypassed, other memory exploits such as heap overflows, and finally format string exploits.

Finally, we solved a question from Angstrom CTF 2018 - Rop to the Top (https://www.pwndiary.com/write-ups/angstrom-ctf-2018-rop-to-the-top-write-up-pwn120/). We analysed the binary using gdb and crafted an input string that causes the program to call a function that is never actually called.

We also wrote a script that exploits the vulnerability of the Vigenère cipher. Using frequency analysis (how frequently each character shows up in ordinary English writing), we deciphered a secret using only the ciphertext.
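
The ciphertext-only attack described above can be sketched as follows. This is an added example, not the study group's own script: it guesses the key length with the index of coincidence, then solves each column as a shift cipher by chi-squared fit to English letter frequencies. The sample text, the key and all function names are constructed for the illustration.

```python
from collections import Counter
from string import ascii_uppercase as AZ

# Approximate percentage frequencies of A..Z in English text.
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
           6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

def vigenere(text, key, decrypt=False):
    """Encrypt or decrypt the letters of `text`; non-letters are dropped."""
    letters = [c for c in text.upper() if c in AZ]
    sign = -1 if decrypt else 1
    return "".join(AZ[(AZ.index(c) + sign * AZ.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(letters))

def index_of_coincidence(s):
    """Probability that two letters drawn from `s` without replacement are equal."""
    n = len(s)
    return sum(v * (v - 1) for v in Counter(s).values()) / (n * (n - 1)) if n > 1 else 0.0

def guess_key_length(ct, max_len=12, threshold=0.055):
    """Smallest length whose columns look like English (IC near 0.066, not 0.038)."""
    scores = {L: sum(index_of_coincidence(ct[i::L]) for i in range(L)) / L
              for L in range(1, max_len + 1)}
    likely = [L for L, ic in scores.items() if ic > threshold]
    return min(likely) if likely else max(scores, key=scores.get)

def best_shift(column):
    """Shift whose decryption of `column` fits English best (lowest chi-squared)."""
    expected = [len(column) * f / 100 for f in ENGLISH]
    def chi2(shift):
        counts = Counter((AZ.index(c) - shift) % 26 for c in column)
        return sum((counts[i] - e) ** 2 / e for i, e in enumerate(expected))
    return min(range(26), key=chi2)

def recover_key(ct):
    """Recover the key from ciphertext alone: key length first, then one shift per column."""
    L = guess_key_length(ct)
    return "".join(AZ[best_shift(ct[i::L])] for i in range(L))

# Constructed sample plaintext and key, used only to exercise the attack.
SAMPLE = ("The Vigenere cipher was considered unbreakable for centuries because it hides the simple letter frequencies that defeat a shift cipher. "
          "Each letter of the key selects a different alphabet, so the same plaintext letter can be encrypted in several ways. The weakness is that the key repeats. "
          "Once the key length is known, every column of the ciphertext is an ordinary shift cipher, and the most common letters of English show through again. "
          "A one time pad avoids this problem because the key is random, as long as the message, and never used twice. Modern ciphers are designed so that the ciphertext reveals nothing useful about the plaintext even when the attacker sees a great deal of it.")
SECRET_KEY = "LEMON"
CIPHERTEXT = vigenere(SAMPLE, SECRET_KEY)

if __name__ == "__main__":
    print(recover_key(CIPHERTEXT), vigenere(CIPHERTEXT, recover_key(CIPHERTEXT), decrypt=True)[:40])
```

The attack needs enough ciphertext per key letter for the column statistics to settle; on very short messages the frequency fit becomes unreliable.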

https://www.coursera.org/learn/software-security/home/week/2
https://www.coursera.org/learn/cryptography/supplement/30Ksq/week-2

See you next week!