• How confident can we be about the isolation provided by containers? (lxc for instance)
• One idea would be to insert a kernel module in an LXC container, which tries to override the interrupt vector, to get ring 0 privilege on the host.

SNI makes possible to share a single IP address with several virtualhosts using TLS encryption. But this leaks some information about the website's domain name. Provide a proof of concept of a sniffer which prints website's domain name when connected on a wifi network for instance.

It is really simple to create a keylogger for X11 systems using builtin tools. But if you want to remove the dependency, you have to write your own program to perform the hook on X11.

• Write a generic keylogger (no hardcoded keymap) which sends the keystrokes over network.
• How stealth is it?
• Can you hide the network frames?

Provide a proof of concept of a two factor authentication of ssh. For instance, send an email or an SMS with an additionnal code to provide at login.

Provide a program to infect an executable (elf, pe, omach, your choice) to inject a payload in the entry point.

For instance, xor the packed code with 42 before running :)

Need to be automatised for various operations, including cert revokation. Could be used to implement client authentication over https or VPN. This would make a great free software tool!

Learn about reverse engineering, vulnerability hunting or web exploitation with the MS team.

http://blogs.technet.com/b/srd/archive/2013/07/31/the-bluehat-challenge.aspx

Microcorruption is an embedded security game made to learn the basics of reverse engineering and debugging.

https://microcorruption.com/

Try to understand a real world software vulnerability in a high profile target and develop an actual exploit for it!

• CVE-2012-4792 CButton UAF - IE8 / Win7 : http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/
• MS14-040 AFD driver double free : http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf

Some vulnerabilities and targets are easier to attack than others. Just ask if you need any advice!

If you want to learn about computer exploits, you can do something easier : learn the very basics of exploitation by following this tutorial. https://www.corelan.be/index.php/articles/

Sandboxes can be used to isolate processes. This is the case in good protected softwares such as chrome browser. If an attack manages to pwn a browser process, he then has to escape the sandbox in order to take control of the actual computer.

There are a lot of papers on the topic such as :

https://www.cr0.org/paper/jt-ce-sid_linux.pdf https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-WP.pdf

Learn about the nitty gritty of a specific malware. You can follow tutorials such as:

http://fumalwareanalysis.blogspot.fr/p/malware-analysis-tutorials-reverse.html

You can also simply learn from books such as “Pratical Reverse Engineering” (highly recommended) or “Practical malware analysis”.

Wondering how softwares are protected? You could learn about obfuscation. Some of these techniques include :

• code virtualization
• code flattening
• whitebox cryptography
• instruction substituion, mixed boolean arithmetic
• opaque predicates

http://www.quarkslab.com/dl/SSTIC2014-Article-dsobfuscation-de-drm-par-attaques-auxiliaires-mougey-gabriel.pdf

Learn how to defeat OLLVM obfuscation and practice it!

http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html

Analyze a crackme in order to be able to make a keygen for it. http://beatrix2004.free.fr/YO1/index.html

Read the book “practical reverse engineering” and implement one of the obfuscation schemes explained in it.

http://llvm.org/ https://github.com/obfuscator-llvm/obfuscator/wiki http://0vercl0k.tuxfamily.org/bl0g/?p=260

Take a video game you own and try to make a keygen for it.

Implement your own ring0 rootkit.

Read the book “rootkit arsenal”.

http://crackmes.de/ http://www.binary-auditing.com/

Who said it is wrong to cheat? :) https://www.blackhat.com/eu-14/briefings.html#next-level-cheating-and-leveling-up-mitigations

If you think pwning internet explorer is easy, then go ahead an escape its sandbox.

http://www.contextis.com/documents/79/IE_Sandbox_Escapes_Presentation.pdf

Study some know cases of guest-to-host exploits for VirtualBox or Xen.

• CVE-2014-0983 VirtualBox 3D Acceleration VM Escape : http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php
• The super famous sysret vulnerability : http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php

Jonathan Salwan offers to mentor any student interested by this topic. http://shell-storm.org/blog/Binary-analysis-Concolic-execution-with-Pin-and-z3/

Jonathan Salwan offers to mentor any student interested by this topic. http://shell-storm.org/blog/Stack-and-heap-overflow-detection-at-runtime-via-behavior-analysis-and-PIN

Try to implement a basic debugger and make it circumvent a few anti-debugging tricks.

• http://winappdbg.sourceforge.net/
• http://www.nostarch.com/grayhatpython
• http://pferrie.host22.com/papers/antidebug.pdf