Fall 2014 Course Schedule

TPL011: Introduction to C Programming
TPL036: Introduction to Ruby and Rails
TPL064: An Introduction to Computer Vision and Automated Object Recognition
TPL103: Introduction to Intel x86-64
TPL109: Introduction to ARM (Advanced/Acorn RISC Machine) Architecture & Software Systems
TPL465: Intermediate Intel x86: Architecture, Assembly, and Applications
TPL477: Introduction to Android Forensics and Security Testing
TPL482: JSON and JSON Schema
TST414: Introduction to Bayesian Data Analysis
TSV062: Privacy Engineering
TSV064: Introduction to Hardware Hacking
TSV065: Introduction to Side-Channel Analysis
TSV066: Linux/Unix Security
TSV100: Introduction to Secure Coding
TSV404: Introduction to Vulnerability Assessment
TSV427: Introduction to Reverse Engineering Software
TSV432: Introduction to Trusted Computing and the Use of Trusted Platform Modules
TSV436: Secure Code Review

Approved for Public Release; Distribution Unlimited. Case Number 14-3731 ©2014 The MITRE Corporation. ALL RIGHTS RESERVED

TPL011: Introduction to C Programming

Course Description: This course is an introduction to the C programming language. C is primarily a systems programming language suitable for a wide variety of domains. It is the implementation language of the Linux kernel, many standard Unix utilities, and is the basis for higher level languages like C++ and Java. This class is for people with prior programming experience in any language who would like to learn C. It will include instruction as a lecture, with labs interleaved to give students experience in concepts being taught.

Course Objectives:
• A basic understanding of the C language and standard library
• Understanding of common C programming techniques, including procedural and object oriented approaches
• Be able to use the standard socket APIs for Linux and Windows
• Be able to do file input and output safely

Format: Presentation, exercises, and labs.
Prerequisites: Previous programming experience.
Target Audience: All MITRE technical staff, and staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days
Schedule: December 8-9, 2014 - 8:30am - 4:30pm - EST
Instructor: Collin Hockey (chockey@mitre.org) is a Senior Digital/Microprocessor Hardware Engineer in Bedford in the Electronic Systems Development Department J82E. Since 2010, Collin has worked multiple projects, including GPS, the Tactical Wireless Channel Emulator, and most recently on embedded software for the Bistatic Radar portfolio.

TPL036: Introduction to Ruby and Rails

Course Description: This course provides a thorough introduction to the Ruby programming language. Students will explore what differentiates Ruby from other modern programming languages. The class will have a strong focus on the tools that Ruby provides to generate logic and build applications with less code than other programming languages. Once a basic understanding of the Ruby programming language is attained, the class will provide an introduction to Ruby on Rails. This is a popular development framework for rapidly creating web applications. Students will leave the class with the tools they need to create simple Ruby and Rails applications and explore the ecosystem further on their own.

Course Objectives:
• Install and set up a Ruby and Rails environment
• Identify the basics of the Ruby programming language.
• Create and configure a Rails application
• Develop a basic understanding of programming with Ruby, with the tools necessary to learn more
• Provide knowledge on the architecture of a Ruby on Rails application, with the ability to create a basic web application using it.

Format: Lecture/Lab
Prerequisites: Experience with an object oriented programming language, such as Java or C#
Target Audience: This course is open to all MITRE technical staff.
Length: 2 Days (14 Hours)
Schedule: 11-Feb-2015 - 12-Feb-2015 (8:30 - 4:30)
Instructor: Andy is an architect and developer on popHealth, a Ruby-based open source platform for calculating clinical quality measures. The design of popHealth allows the software to calculate quality measures for very large groups of patients in an easily scalable fashion. Andy is Technical Lead of the current effort to deploy a popHealth prototype installation at VA. Andy holds a BS in Electrical Engineering from Eastern Nazarene College and an MS in Computer Systems Engineering from Boston University.

TPL064: An Introduction to Computer Vision and Automated Object Recognition

Course Description: How can computers understand and interpret the visual world of humans? This course is an introduction to computer vision and automated object recognition in images and videos. In the simplest terms, computer vision is the exploration of "teaching machines how to see." Although this field dates back more than forty years, the recent explosive growth of images and videos has made the challenges of automated image interpretation more exciting and relevant than ever. This course will be a hands-on exploration of some of the fundamental aspects of computer vision. Topics will include image processing, image segmentation, facial recognition, automated object recognition and detection. With the help of the instructor, participants will learn to employ the latest developments in object recognition to build their own recognition systems.

Course Objectives:
• To understand and address the major approaches of basic issues in computer vision
• To develop hands-on experience with the latest automated image and video processing techniques
• Learning about image processing and segmentation, facial recognition, automated object recognition and detection

Format: Presentation, discussion, combined with a hands-on lab component.
Prerequisites: Some programming experience in C, C++, or Python.
Target Audience: Participants interested in learning about image and video processing with some programming skills background.
Length: 2 Days - 14 Hours
Schedule: December 1-2, 2014 - 8:30am - 4:30pm - EST
Instructor: Mikel Rodriguez (mdrodriguez@mitre.org) is a researcher at MITRE. He was a post-doctoral fellow at the INRIA Willow team at the Département d'Informatique of Ecole Normale Supérieure in Paris, France. Mikel completed his PhD in Computer Science at UCF. His research focuses mainly on video interpretation which includes tracking, visual motion analysis, activity recognition, and crowd behavior analysis. An overview of the computer vision research being done by Mikel Rodriguez and his group can be found at: www.computervision.mitre.org/research/overview/

TPL103: Introduction to Intel x86-64

Course Description: Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture.
50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis. This distribution is partially due to Windows' dominance of the marketplace, but also because the tools on Windows are more mature and easier to use than those on Linux, allowing for a more gradual introduction for the student. This class will serve as a foundation for the follow on Intermediate level class. It will teach the basic concepts and describe the hardware that assembly code deals with. It will also go over many of the most common assembly instructions. Although x86-64 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

The instructor-led lab work will include:
• Stepping through a small program and watching the changes to the stack at each instruction (push, pop, call, ret (return), mov)
• Stepping through a slightly more complicated program (adds lea (load effective address), add, sub)
• Understanding the correspondence between C and assembly control transfer mechanisms (for example, goto in C == jmp in asm)
• Understanding conditional control flow and how loops are translated from C to asm (conditional jumps, jge (jump greater than or equal), jle (jump less than or equal), ja (jump above), cmp (compare), test, etc.)
• Boolean logic (and, or, xor, not)
• Logical and arithmetic bit shift instructions and the cases where each would be used (shl (logical shift left), shr (logical shift right), sal (arithmetic shift left), sar (arithmetic shift right))
• Signed and unsigned multiplication and division
• Special one instruction loops and how C functions like memset or memcpy can be implemented in one instruction plus setup (rep stos (repeat store to string), rep mov (repeat mov))
• Misc instructions like leave and nop (no operation)
• Running examples in the Visual Studio debugger on Windows and the GNU Debugger (GDB) on Linux
• The famous "binary bomb" lab from the Carnegie Mellon University computer architecture class, which requires the student to do basic reverse engineering to progress through the different phases of the bomb giving the correct input to avoid it "blowing up." This will be an independent activity.

Course Objectives:
• Demonstrate to students with programming experience that assembly is not an arcane art, but rather an API which can be learned like any other.
• Allow students to gain exposure to a core set of Intel x86 architecture and assembly so as to be able to read and understand short programs in disassembled form.
• Provide exposure to a hands-on environment for both Windows and Linux.
• Describe the techniques for analyzing binary programs with both disassemblers and debuggers.

Format: Instructor-led seminar with detailed handouts and time for extensive class interaction. This class is a video broadcast. Synchronized audio, video, and presentation materials will be broadcast to remote student desktops. Return audio from remote students will be sent to audio speakers in the room, so that the remote students are integrated with the students in the classroom.
Prerequisites: Must be comfortable with C/C++ code and able to read and understand the source for short programs.
Target Audience: The class will provide a base of understanding for the following staff:
• Developers who want to understand the correspondence between high level code and machine code.
• Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design.
• Staff interested in reverse engineering and malware analysis.
• Staff interested in vulnerability research and mitigation.
• Staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days - 14 Hours
Schedule: January 22-23, 2015 - 8:30am - 4:30pm - EST
Instructor: Sam Cornwell (scornwell@mitre.org) is a Senior Cyber Security Engineer at Fort Meade in Defense Cyber Security Department J83J. Since 2011, Sam has been working on projects such as Checkmate (a kernel and userspace memory integrity verification and timing-based attestation tool), Copernicus (a BIOS extractor and configuration checker), and several other private security sensors designed to combat sophisticated threats. He has also researched and developed attacks against UEFI SecureBoot.

TPL109: Introduction to ARM (Advanced/Acorn RISC Machine) Architecture & Software Systems

Course Description: Mobile devices based on RISC architectures such as ARM are becoming increasingly ubiquitous inside and outside sponsor environments. This class will provide an opportunity to examine the ARM processor architecture on which most mobile phones, and many embedded systems are based. The class will begin with an intro to the ARM architecture, focusing on the instruction sets (ARM and Thumb instruction sets) and features like processor modes, interrupts, and pipelining. The class will cover some systems level topics such as how different types of operating systems like Linux on ARM, and Real-time operating systems are implemented.
This will include a lab with the use of Das U-Boot to boot your own "kernel." Topics will also try to include the basis for userspace-kernel separation on ARM, schedulers, and virtual memory. There will be numerous labs, including an ARM port of the CMU Binary Bomb lab, where you perform basic reverse engineering on a binary. Labs will cover how C code translates to ARM assembly, as well as the changes induced by compiler optimizations. The class development environment will be the Android development environment; however, the code developed will be at the bare-metal level, rather than the application level. This will provide experience with both disassembling and debugging ARM assembly. Labs will also include how to use Das U-Boot bootloader to run a home-made "kernel" or any bare-metal program.

Course Objectives:
• Learn that assembly is not an arcane art, but rather an API which can be learned like any other.
• Gain exposure to a core set of ARM architecture and assembly so as to be able to read and understand short programs in disassembled form.
• Navigate in a hands-on embedded environment for Linux which Android is built on.
• Identify the techniques for analyzing binary programs with both disassemblers and debuggers.

Format: Lecture and Lab
Prerequisites: Ability to read simple C programs.
Students are strongly encouraged to have taken Introduction to Intel x86: Architecture, Assembly, Applications and Alliteration
Target Audience:
• Developers wishing to learn about the deep internals of ARM-based phones
• Security researchers
• Forensic analysts
• Incident responders
• People interested in reverse engineering and malware analysis for phones
Length: 2 Days (14 Hours)
Schedule: February 19-20, 2015 (8:30-4:30)
Instructor: Ganu Kini (gkini@mitre.org) graduated from Carnegie Mellon University in 2011 with a Master of Science in Information Security Technology and Management. While there he had the opportunity to delve further into bare-metal ARM systems, develop a rudimentary kernel on the Gumstix platform using only the standard C library and look at some properties of a real time OS and its implications in safety and security critical applications. With a background in electrical engineering and materials science from Virginia Tech, Ganu has always tinkered with embedded systems since his high school days when he had the chance to participate in his first U.S. FIRST Robotics competition and has since mentored high school students for the same competition.

TPL465: Intermediate Intel x86: Architecture, Assembly, and Applications

Course Description: Building upon the introductory class (TPL103), this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work.

Topics will include, but are not limited to:
• Physical and virtual memory and how a limited amount of physical memory is represented as much more virtual memory through a multi-level paging system. We will also talk about memory segmentation.
• The hardware basis for kernel versus userspace separation and how software transitions between the two. This portion answers the question of why x86 has 4 "rings", with ring 0 being the most privileged, and ring 3 being the least.
• Hardware and software interrupts, and how they are the basis for debugging.
• Input/Output instructions and how these allow the CPU to talk to peripherals.

Example applications will include showing how hardware and memory mechanisms are used for software exploits, anti-debug techniques, rootkit hiding, and direct hardware access for keystroke logging.

We will perform labs on:
• Using WinDbg to perform kernel debugging on a virtual machine (which is equally applicable for debugging a real machine.)
• Using a custom WinDbg plugin to examine the Local (memory segment) Descriptor Table (LDT), and Global (memory segment) Descriptor Table (GDT) in order to understand how Windows sets memory segment ranges and permissions for userspace and kernel space.
• Using WinDbg and the !pte command to understand how Windows organizes its paging structures which map physical memory to virtual memory.
• Investigating where exactly the XD/NX bit is set in order to mark memory as non-executable (which Microsoft calls Data Execution Prevention (DEP)), to prevent some types of exploits from succeeding.
• Using the Read Timestamp Counter (RDTSC) instruction to profile code execution time. Also, using a profile of code execution time to change a program's behavior in the presence of a debugger (e.g., executing different code if the code appears to have been stopped at a breakpoint.).
• Printing information about task state segments, which hold information that is used to find the kernel stack when an interrupt occurs.
• Watching what does and doesn't change when a software interrupt is used to transfer control from userspace to kernel.
• Reading the Interrupt Descriptor Table (IDT) and understanding the security implications of changes to it.
• Understanding how RedPill uses the IDT in order to detect that a system is virtualized.
• Having a process read its own memory when a software breakpoint is set, in order to see how a debugger will change memory to set the breakpoint but hide the change from the user.
• Watching how hardware-based breakpoints manipulate dedicated debug registers.
• Using port input/output to access the backdoor communications channel that VMware uses in order to send copy/paste, mouse movement, and other events in and out of a VM.
• Using port I/O in order to talk directly to the PS/2 keyboard controller in order to sniff keystrokes or flash keyboard LEDs.

Course Objectives:
• Understand that assembly is not an arcane art, but rather an API that can be learned like any other.
• Cover more of the most frequently used hardware mechanisms.
• Learn new assembly instructions.
• Apply new skills to interesting examples.

Format: Presentation, exercises, and labs.
Prerequisites: Must be comfortable with C/C++ code and able to read and understand short C/C++ programs. Must be comfortable with C/C++ pointers. Must have taken the introductory class (TPL103) or demonstrate equivalent knowledge to the instructor.
Target Audience:
• Developers who want to understand the correspondence between high level code and machine code.
• Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design.
• Staff interested in reverse engineering and malware analysis.
• Staff interested in vulnerability research and mitigation.
• Staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days - 14 Hours
Schedule: February 9-10, 2015 8:30am - 4:30pm - EST
Instructor: Xeno Kovah graduated from Carnegie Mellon University in 2007 with a Master of Science in Information Security Technology and Management. While there he researched worms, bots, and malware.
While taking the highly regarded Operating Systems class, in which students build an OS from scratch, he gained a greater appreciation of how the capabilities provided by hardware influence the software abstractions built above them. Xeno also studied computer science and electrical engineering at the University of Minnesota. There he approached assembly both from software down, in CS classes, and from hardware up, in EE classes. Xeno has experience with 4 other assembly languages beyond x86: PowerPC, ARM, SPARC, and M68HC12.

TPL477: Introduction to Android Forensics and Security Testing

Course Description: This course will cover the most common issues facing mobile devices, and general tips for securing mobile applications. Upon completion of the general mobile security overview, the course will delve into a proven practice in Mobile Device Forensics and Mobile Application Penetration Testing for Android devices. Over the two-day course, students will get hands-on time with open-source and commercial forensics tools, set up and explore reverse engineering development environments, and experience the process that G020 mobile security engineers have successfully applied to several projects. Areas covered include identifying application vulnerabilities, code analysis, memory & file system analysis, and insecure storage of sensitive data.

Course Objectives:
• Identify common issues and general tips for securing mobile applications
• Conduct forensics on Android devices
• Conduct a penetration test on an Android application

Format: Presentation, exercises, and labs.
Prerequisites: Development experience with Android and Eclipse, Windows command line and Linux/UNIX terminal.
Target Audience: Software Engineers developing Android applications, InfoSec Engineers conducting security assessments or engineering of Android applications and staff applying to the Mobile System Security Android Learning Path.
Length: 2 Days - 14 Hours
Schedule: December 9-10, 2014 - 8:30am - 4:30pm - EST
Instructor: Jared Ondricek (jondricek@mitre.org). Jared is a Cyber Security Engineer with The MITRE Corporation who has a passion for everything related to mobile security. He has experience with reverse engineering applications and malware on several platforms, doing forensics analysis, and working in both research and incident response environments. Additionally he presented at DFRWS 2013 on "Detecting Maliciousness Using Periodic Mobile Forensics" from the MITRE Innovation Program. If he isn't reading up on the latest Android security threats, then he is either developing methods to automate the analysis process of unknown files, finding best practice ways of sharing analysis results and tools with others, or tinkering with the Android operating system source code. He is pursuing an MS in Computer Science at The George Washington University and he received his BS in Computer Information Technology from Brigham Young University - Idaho.

TPL482: JSON and JSON Schema

Course Description: JSON is a data format that is increasingly being used for data exchanges due to its compactness. JSON Schema is a simple, powerful schema language for validating JSON-formatted data. In this course you will learn the JSON data format and you will learn the JSON Schema language. You will learn how to write JSON documents. You will learn how to create JSON Schemas and validate JSON documents against JSON Schemas.

Format: Lecture/Lab
Prerequisites: None
Target Audience: All MITRE Staff
Length: Two Days
Schedule: 3-Feb-2015 - 4-Feb-2015 (8:00 - 4:00)
Instructor: Roger Costello (costello@mitre.org) is a lead staff in E54C, Agile and Adaptive Software Engineering. He has worked extensively in the Internet technologies area.
Roger has been actively involved with XML and the entire family of XML technologies for several years. Roger has created and taught over a dozen different courses on the XML technologies and is regularly invited to talk at XML conferences. He has traveled to many of the MITRE sites around the world, providing XML training. Roger is regularly invited to teach XML courses to the Boston chapter of the IEEE. As well as XML training, Roger consults for numerous MITRE projects that are using XML technologies. He has a Ph.D. in Computer Science from Ohio State University.

TST414: Introduction to Bayesian Data Analysis

Course Description: Data analysis is the process of making inferences from data. This process is very familiar to MITRE staff, so that most would claim that they know all about it, or at least enough about it to get their work done. Inferential methodology, however, has undergone a major revolution over the past twenty years due primarily to advances in computer hardware and software. The result has been a new, updated Bayesian approach. This course provides an overview of this new methodology with enough detail to enable you to continue pursuing the subject on your own. The focus is on developing mathematical models from data. Contemporary Bayesian methodology is far more powerful and intuitive than traditional alternatives but it is not a black-box algorithm. There are no canned formulas with this approach and no "quick-and-dirty" answers.

Topics covered will include:
• Reasons why inferential methodology is changing
• Essentials of the new paradigm
• Computational procedures, especially Markov Chain Monte Carlo (MCMC)
• Several detailed examples
• Comparison of new and old techniques
• Suggestions for computer programming
• A brief look at available software and other resources

Course Objectives:
• Understand the nature of Bayesian methodology and why it is gradually supplanting traditional approaches to inference
• Have a better appreciation of the range of data analysis problems that are solvable and the effort needed to solve them
• Be aware of the various procedures involved in Bayesian inference and the nature of their output
• Know enough about the relevant mathematics and computer programming to assess the feasibility of doing similar studies on their own
• Know what further resources are available and where to find them

Format: Lecture
Prerequisites: Experience in data analysis is necessary to provide a context for the new material. Although we shall not actually do any mathematics, students should have a background that includes basic statistics and calculus, at least to the extent that the concepts and symbology are familiar. Computer programming experience would be helpful but is not required.
Target Audience: All MITRE Technical Staff
Length: 2 days (14 hours)
Schedule: 2-Dec-2014 - 3-Dec-2014 (8:30 - 4:30)
Instructor: Michael P. McLaughlin, a native of Portland, Maine, holds several academic degrees: B.S. in Chemistry, Seattle University (1966), M.Sc. and Ph.D. in Organic Chemistry, Univ. of Massachusetts (Amherst) (1970, 1977), Ap. Sc. in Computer Heuristics, Modeling and Numerical Methods, George Washington University (1987).
In 1966-68 and 1971-75, he lived in Ghana, West Africa where he taught high school and college-level chemistry, first as a Peace Corps volunteer and, later, as a contract teacher. Before coming to MITRE, in 1980, Dr. McLaughlin was Asst. Professor of Chemistry at Indiana University. He first joined MITRE as an MTS in the Environment Division and is currently working in CAASD, on GPS/WAAS. Outside of MITRE, he is a Macintosh software developer, occasional writer and webmaster of two websites. More details can be found in the Bio section of Dr. McLaughlin's personal webpage: http://www.geocities.com/~mikemclaughlin/Bio.html

TSV062: Privacy Engineering

Course Description: This class is the first half-day session of a full day on Privacy. This morning class will focus on Privacy Engineering, while the afternoon class (TSV063) will focus on privacy for health care systems. If you manage projects where Personally Identifiable Information (PII) is collected and/or used either by MITRE or by sponsors, then you will want to attend the morning session. If you or your sponsors work with health care systems or data, then you will want to apply to attend both the morning (TSV062) and afternoon (TSV063) classes. Mission-critical privacy issues continue to be challenges. One solution is Privacy by Design (PbD), a set of principles which advocates that privacy be the default mode of operation for organizations and systems. MITRE's Privacy Community of Practice (CoP) is leading the way with its recently developed Privacy Engineering Framework, which aims to make PbD a usable and repeatable tool for use both by MITRE and sponsors by taking a systems engineering approach to PbD.
This session will discuss the concept of PbD and the Privacy Engineering Framework and will cover other privacy-related issues and practices in the design and implementation of information technologies, including what to do to ensure that NIST SP 800-53 Rev 4 Appendix J Privacy Controls are addressed within sponsor systems. Attending this session will enable you to ensure that appropriate actions are being followed to embed privacy into technology and processes. Course Objectives: • Understand the concept of privacy and the importance of developing privacy into systems from the beginning • Understand what Privacy by Design (PbD) is and its usefulness for the federal government • Understand how to use the Privacy Engineering Framework at MITRE and with sponsors to take a systems engineering approach to privacy • Understand how privacy can be integrated into the different stages of the systems engineering life cycle Format: Presentation and classroom interaction. Prerequisites: None Target Audience: All MITRE staff and managers, particularly those working with system engineering concepts or programs that handle PII. Length: ½ Day 11 | P a g e Approved for Public Release; Distribution Unlimited. Case Number 14-3731 ©2014 The MITRE Corporation. ALL RIGHTS RESERVED Fall 2014 Course Schedule Schedule: December 4, 2014 - 8:30am - 12:00pm - EST Instructor: Catherine M. Petrozzino (cmp@mitre.org) (J83B), CIPP/US/G/IT is a Senior Information Privacy and Cyber Security Consultant at the MITRE Corporation. She has 25+ years of experience in information technology - the last 20 of which were focused on information security and privacy. Ms. 
Petrozzino is a senior leader for MITRE's privacy community of practice and currently supports healthcare-related privacy and security research and assists with the identification and management of privacy risk for MITRE and for external sponsors - particularly in the area of protected health information and other types of personal medical information. She led/supported the development and design of privacy-enhancing tools that are actively being used by different sponsor organizations to support their privacy programs and systems development. Her past responsibilities included overseeing MITRE's DoD privacy work... Prior to MITRE, Ms. Petrozzino was a member of the information security and privacy teams for John Hancock Financial Services. Her responsibilities included ensuring John Hancock's IT systems were compliant with HIPAA and Gramm-Leach-Bliley (GLB). She holds a B.A. in Mathematical Sciences from Johns Hopkins University, and an M.S. in Computer Science from Northeastern University. She has served as one of the lead faculty for the IAPP's Privacy Training Program.

Stuart S. Shapiro (sshapiro@mitre.org) (J83B) is a Principal Information Privacy and Security Engineer at MITRE and has supported a wide range of privacy and security activities involving, among others, critical infrastructure protection, policy frameworks, risk and control assessment, and incident response. In particular, he has led multiple research and operational efforts in the areas of privacy engineering, privacy risk management, and privacy-enhancing technologies (PETs). He has written and presented on privacy engineering (and the related Privacy by Design), privacy risk modeling, and PETs in numerous forums and participates in multiple privacy-relevant standards efforts.
Among his professional affiliations are the International Association of Privacy Professionals (IAPP), the Advisory Board of the Ponemon Institute's Responsible Information Management Council, and the US Public Policy Council of the Association for Computing Machinery (USACM) where he currently serves as Co-Vice-Chair.

Kris Miller (kmiller@mitre.org) is a Principal Privacy Strategist within the Enterprise Strategy and Transformation (ES&T) division at the MITRE Corporation. Kris's practice focuses on domestic and international policy development, strategic privacy planning, enterprise data governance, legal and regulatory compliance, and the development of federal information technology (IT) systems that incorporate privacy-by-design. Kris has been a trusted advisor to government executives in the Department of Defense (DoD), the Department of Health and Human Services (HHS), the Veterans Administration (VA), and the Department of Homeland Security (DHS). Kris's matters span US federal laws - including the Privacy Act of 1974, the e-Government Act of 2002, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - to state privacy laws and international privacy regimes, particularly in the European Union (EU). In the healthcare space, Kris helped CMS (CCIIO) draft data sharing agreements to facilitate operation of the Affordable Care Act, led the Prescription Drug Management Program project law and Policy Work Group, co-authored the book Information Privacy in the Evolving Healthcare Environment, and he currently leads MITRE's privacy and security work for the Office of the National Coordinator for Health IT (ONC), its Chief Privacy Officer, and related FACA committee working groups focused on privacy, security, and transport. Kris is licensed to practice law in both New York and Connecticut, and he is a Certified Information Privacy Professional with specific qualifications in US Government and EU privacy (CIPP/G and CIPP/E).

TSV064: Introduction to Hardware Hacking

Course Description: Embedded devices are all around us. They’re in our homes, our cars, our workplaces, on our bodies, on our roads and in our airspace. Embedded devices are literally everywhere. Gartner estimates 26 billion devices by 2020. Traditionally, these devices have been isolated but current and future trends are to interconnect these devices to form the Internet of Things. This interconnectedness increases the importance of securing these devices.

Introduction to hardware hacking is a course with the following goals:
1) Introduction to embedded systems
2) Presentation of techniques an attacker may utilize to reveal the inner workings of an embedded system
3) Some discussion of how this knowledge can be leveraged to subvert intended system behavior

The course will include several labs to reinforce concepts.

Course Objectives:
• Embedded system basics
• Basic soldering technique
• Board analysis methodology
• Identification of peripherals, data buses, diagnostic ports and tap points
• Device instrumentation
• Bus monitoring and decoding
• Development access via JTAG

Format: Lecture and labs.
Prerequisites: None
Target Audience: This course is open to all MITRE technical staff.
Length: 2 Days (14 Hours)
Schedule: March 9-10, 2015 (8:30-4:30)

Instructor: Chris Korban (ckorban@mitre.org) is a Sr. Cyber Security Engineer in Department J83J - Defense Cyber Security.

Bob Heinemann (rheinemann@mitre.org) is a Lead Multi-Discipline Systems Engineer in Department J52B - Cyber Operations.

TSV065: Introduction to Side-Channel Analysis

Course Description: During the last 15 years, it has been widely demonstrated that electronic devices leak information about their internal state as they perform computations, presenting a major security threat to embedded systems.
This information leakage can be observed through so-called "side-channels" such as system timing, power consumption, electromagnetic radiation, and many others. The development of side-channel attacks that exploit this information leakage to compromise otherwise secure algorithms continues to be an active field of research. Are your systems vulnerable to such an attack? This course is an introduction to the threat of side-channel attacks, how they work in theory and practice, and how to defend against them.

Topics include: Simple power and electromagnetic analysis (SPA/SEMA) Differential power and electromagnetic analysis (DPA/DEMA) Signal Processing Countermeasures Side-channel analysis tools and data acquisition hardware

During the course students will complete hands-on exercises to gain a better understanding of how side-channel attacks work, the difficulty of conducting various attacks, and the effectiveness of various countermeasures. Students will have an opportunity to collect their own side-channel data on a real embedded target and modify the code running on the target. Students will benefit from having some prior familiarity with the programming languages Python and C, as most of the analysis tools are written in Python and the target code is written in C. This class will serve as a prerequisite for a later class on advanced side-channel analysis.

Course Objectives:
• Provide detailed knowledge on the threat of side-channel attacks and how to understand their potential impact on overall system security.
• Demonstrate how basic side-channel attacks work
• Introduce countermeasures to defend against these basic attacks
• Discuss advanced side-channel attacks and how the side-channel threat is evolving
• Provide insight on the impact of security architectures on end device security requirements

Format: Lecture, demos, and lab exercises.
Prerequisites: None, however, some programming experience with Python and C would be helpful.
Target Audience: This course is open to all MITRE technical staff.
Length: 2 Days (14 Hours)
Schedule: June 8-9, 2015 (8:30-4:30)

Instructor: Adam Woodbury (awoodbury@mitre.org) is a Digital/Micro HW Eng, Principal in Department J82E - Electronic Sys Development. He is actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for researching implementation security issues such as side-channel leakage, fault induction, and trusted hardware. Dan has worked in the area of embedded systems since arriving at MITRE in 2006. He is the principal investigator on the IESC MIP, which is developing tools to help evaluate and protect software against side-channel attacks.

Joseph Chapman (jchapman@mitre.org) is a Digital/Micro HW Eng, Lead in Department J82E - Electronic Sys Development. He is actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for researching implementation security issues such as side-channel leakage, fault induction, and trusted hardware. Joe has worked at MITRE since 2005 and has worked on a variety of projects concerning signal processing and embedded security. He is currently working on developing tools to integrate side-channel attack threat evaluation into the FPGA and ASIC design process to enable automated threat analysis and countermeasure validation.

Daniel Walters (dwalters@mitre.org) is a Digital/Micro HW Eng, Lead in Department J82E - Electronic Sys Development.
He is actively involved in the development of J82E's Secure Electronic Lab, which has advanced capabilities for researching implementation security issues such as side-channel leakage, fault induction, and trusted hardware. Dan has worked in the area of embedded systems since arriving at MITRE in 2006. He is the principal investigator on the IESC MIP, which is developing tools to help evaluate and protect software against side-channel attacks.

TSV066: Linux/Unix Security

Course Description: This course is a hands-on introduction to Linux/Unix security fundamentals that are critical to cyber security. Curriculum will start from basic host security, working up to Security-Enhanced Linux (SELinux) and Mandatory Access Control (MAC) configuration. This course will be designed to fill in knowledge gaps for attendees. Attendees with all levels of technical backgrounds will benefit from this class.

Critical components include audit configuration, data encryption, securely managing system resources, kernel security and managing privileges. Each component will be examined on both Linux based systems (CentOS) and Unix/BSD based systems (FreeBSD) to further enhance the learning process by showing different ways to address similar problems.

The class will incorporate hands-on exercises and labs. Students will gain an understanding of host based security configuration concepts. These concepts will be demonstrated by student labs based on common misconfigurations that students must address by applying concepts learned throughout the class. The class will culminate when students are asked to secure a system that has been preconfigured with bugs that have been stacked to form an insecure user environment.

It is expected that attendees will have knowledge in one or more topics covered in the class.
This class is meant to fill in gaps and allow students to build on their previous knowledge to become more technically skilled cyber security professionals. Solid foundational knowledge will allow students to easily understand more advanced topics. The technical confidence students will gain in this class will allow them to quickly tackle technical hurdles in their day-to-day work. We need more "ninjas" in MITRE tech centers, who are not intimidated by the unknown, and have a broad technical background, enabling them to overcome adversity to solve critical cyber security problems.

Course Objectives:
• Introduce Linux host based security
• Review security options available to a Linux/Unix host
• Review auditing options available to a Linux/Unix host
• Learn fundamentals of Mandatory Access Control (MAC)
• Learn how to implement privilege separation for users and processes
• Understand security implications of default Linux/Unix configurations
• All attendees will apply all knowledge through lab exercises during the course

Format: Lab
Prerequisites: Minimal networking, system administration, and/or cyber security knowledge.
Target Audience:
• Junior tech staff
• Senior tech staff that have found themselves working in a lab
• Engineers changing disciplines to cyber security
• Engineers in other fields supporting cyber work.
Length: 2 Days (14 Hours)
Schedule: February 5-6, 2015 (8:30-4:30)

Instructor: Derek Anderson (danderson@mitre.org) is a Lead Cyber Security Engineer in Department J83C - Army/Navy Security. He supports various customers performing vulnerability assessments and prototype development. Previous to MITRE, he worked in a world-class managed security service SOC as a Security Analyst. Derek holds a BS in Information Technology from Rochester Institute of Technology and is currently enrolled in a Masters program in Information Assurance at Capitol College.

TSV100: Introduction to Secure Coding

Course Description: The purpose of this course is to provide developers at MITRE with focused training related to secure coding. The hope is that each developer will leave the course with a better understanding of how they can improve, from a security perspective, the code that they write. This course provides a look at some of the most prevalent security related coding mistakes made here at MITRE. Each type of issue is explained in depth including how a malicious user may attack the code, and strategies for avoiding the issues are then reviewed. Knowledge of at least one programming language is required, although the specific programming language is not important as the concepts that will be discussed are language independent. The course will cover many of the weaknesses within the context of a web application, but most of the concepts will apply to all application development.

Course Objectives:
• Reinforce the importance of secure coding
• Identify the most common code level weaknesses within MITRE
• Provide an overview of each weakness type including examples within code (weaknesses include cross-site scripting, SQL injection and bypassing authorization checks)
• Demonstrate how malicious users will exploit these weaknesses
• Discuss techniques to avoid each weakness
• Provide an overview of internal and external resources available to developers

Format: This one-day course is set up as an exploration through a hypothetical web application where a malicious user attempts to take advantage of certain flaws within the code. Throughout the course, we will be identifying the flaws, discussing them, understanding the specific attacks, and finally discussing how to improve the code to prevent the attack.
Prerequisites: Participants must have working knowledge and experience writing code and developing applications.
A specific programming language is not required as the concepts that will be discussed are language independent.
Target Audience: This course is open to MITRE technical staff that develop code and wish to increase their understanding of secure coding. Staff attending this course may be asked to participate in hands-on course work and activities.
Length: 1 Day, 7 hours
Schedule: 12-Nov-2014 (Session 0013)
Schedule: 13 April 2015 (Session 0015)

Instructor: Drew Buttner has been at MITRE since 2001 and is one of the leaders of MITRE's software assurance work program in support of both MITRE internal and its Government sponsors. His experience and technical expertise are in the areas of code development, standardization, and static code analysis. The past couple of years he has provided support to both the Department of Defense and NIST in their research of static analysis tools. Currently he is working to establish a secure code review practice for the MITRE Community.

Larry Shields is a principal InfoSec Engineer with G022, working in MITRE InfoSec. Conducting code reviews for MITRE developed applications is one of the many tasks on his plate. Prior to coming to MITRE, Larry spent many years running code reviews, conducting penetration testing, and teaching application security courses for Fidelity Investments. He is a Certified Information Systems Security Professional (CISSP), and has been a contributor to the Open Web Application Security Project (OWASP).

TSV404: Introduction to Vulnerability Assessment

Course Description: The purpose of this course on Vulnerability Assessment is to demonstrate how to identify vulnerabilities in a computer network, determine how a cyber attacker might exploit these vulnerabilities, and examine how the vulnerabilities might be mitigated.
A methodology is presented in the course for conducting vulnerability assessments for MITRE sponsors. The methodology lays out an orderly approach for conducting a vulnerability assessment and demonstrates numerous tools and techniques in an isolated computer laboratory setting to examine such problems through penetration testing. **The course content may be subject to slight changes.**

Course Objectives:
• Learn a general methodology for conducting assessments
• Scan and map network topology
• Identify listening ports/services on hosts
• Fingerprint operating systems remotely
• Learn methodology/best practices for audit of routers, switches, and firewalls
• Learn methodology/best practices for audit of UNIX and Windows security
• Learn methodology/best practices for web application security assessments

Format: This three-day course has lectures and demonstrations to provide the conceptual approach to vulnerability assessments and laboratory time to use various tools and techniques to understand the enumeration and identification phases of a security assessment.
Prerequisites: Participants should have a good to excellent understanding of the UNIX and Windows operating systems. They should have a good understanding of the TCP/IP protocol suite. For example, they should be familiar with TCP, IP, UDP, and ICMP packet header formats and how these protocols are used. Programming experience in Perl and/or C is desired. They should also have a general background in computer and/or network security and understand general approaches to policies and procedures for developing a security plan for an installation or facility or agency.
Target Audience: This course is open to MITRE technical staff who wish to increase their understanding of the vulnerability assessment process and techniques. Staff completing this course may be asked to contribute to sponsor tasks involving vulnerability assessments.
Length: 3 days, 21 hours
Schedule: 2-Dec-2014 - 4-Dec-2014 (8:30 - 4:30)

Instructor: Nathan Adams (nadams@mitre.org) is Principal Information Security Engineer and the primary focal point for the Security Testing Community of Practice within MITRE. He has been leading and providing security testing activities including penetration testing, vulnerability assessments, and security test and evaluations to federal organizations including the DoD, Intelligence Community, and several federal civil agencies since 2001. He holds an M.S. in Computer Science from Colorado Technical University and is a Certified Information Systems Security Professional (CISSP).

TSV427: Introduction to Reverse Engineering Software

Course Description: Throughout the history of invention, curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day, whether to recreate outdated and incompatible software, understand malicious code, or exploit weaknesses in software.

In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it. Topics include, but are not limited to:
• Uses for RE
• The tricks and pitfalls of analyzing compiled code
• Identifying calling conventions
• How to navigate x86 assembly using IDA Pro
• Identifying Control Flows
• Identifying the Win32 API
• Using a debugger to aid RE
• Dynamic Analysis tools and techniques for RE

During the course students will complete many hands-on exercises. This class will serve as a prerequisite for a later class on malware analysis.
Course Objectives:
• Provide detailed knowledge on RE methodology and tools
• Demonstrate how to navigate x86 assembly code while avoiding tangents
• Prepare students for follow-on courses in Malware and Vulnerability Analysis

Format: Lecture/lab
Prerequisites: An introductory course on x86 assembly such as TPL103. TPL465 Intermediate x86 is also recommended. Must be comfortable with the C programming language. An understanding of the Microsoft Portable Executable & Common Object File Format (PE-COFF), such as is conveyed in the TSV424 Life of Binaries class. Experience with Python a plus.
Target Audience: Developers who want to understand the correspondence between high-level code and machine code. Staff who want to better understand the low level hardware mechanisms which support binary program execution and operating system design. Staff interested in reverse engineering and malware analysis. Staff interested in vulnerability research and mitigation.
Length: Two days (14 hours)
Bedford Schedule: 23-Feb-2015 - 24-Feb-2015 (8:30 - 4:30)
For more information: Contact Bo Kaufmann at 781.271.3112.

Instructor: Frank Posluszny has been supporting computer network defense teams focused on targeted (APT/ACT) attacks since 2008. His current role supports security engineering, performs malware analysis, and reverse engineers malware command and control (C2) protocols. He has contributed to open source projects, including the Zero Wine Tryouts malware analysis suite. He has a BS and an MS in Computer Science from Worcester Polytechnic Institute, where he focused on networking and systems security.

TSV432: Introduction to Trusted Computing and the Use of Trusted Platform Modules

Course Description: This course is an introduction to the fundamental technologies behind Trusted Computing.
You will learn what Trusted Platform Modules (TPMs) are and what capabilities they can provide both at an in-depth technical level and in an enterprise context. You will also learn about how other technologies such as the Dynamic Root of Trust for Measurement (DRTM) and virtualization can both take advantage of TPMs and be used to enhance the TPM's capabilities. We will cover major use cases for trusted computing, including machine authentication, data protection, and attestation. This course will also introduce you to the various software resources that exist today to support TPMs, give a high-level overview of related research and development projects, and briefly discuss other trusted computing standards such as Trusted Network Connect which may be relevant to enterprise deployment of TPMs and trusted computing.

Course Objectives:
• Introduce students to both basic and advanced TPM capabilities, as well as other trusted computing standards and technologies
• Show how TPMs and related technologies can be used in enterprise environments and for cutting-edge research
• Give students the necessary tools and information to design and build systems that take advantage of trusted computing

Format: This class is presentations, discussions, and demonstrations.
Prerequisites: Familiarity with the basic principles of cryptography and security will help, as will hearing about hashes, public and private keys, discussion of integrity or authenticity, and so forth.
Target Audience: Engineers and system designers who may need to use TPMs or trusted computing in upcoming projects. People who have heard about TPMs and Trusted Computing but don't really know whether it's useful to them or what it's good for. Enterprise system designers who are concerned about out-of-date software, stolen certificates, or unauthorized machines and are looking for possible solutions. Staff applying to the Deep System Security & Trusted Computing Learning Path.
Length: 2 Days - 14 Hours
Schedule: March 26-27, 2015 - 8:30am - 4:30pm - EST

Instructor: Xeno Kovah graduated from Carnegie Mellon University in 2007 with a Masters of Science in Information Security Technology and Management. While there he researched worms, bots, and malware. While taking the highly regarded Operating Systems class, in which students build an OS from scratch, he gained a greater appreciation of how the capabilities provided by hardware influence the software abstractions built above them. Xeno also studied computer science and electrical engineering at the University of Minnesota. There he approached assembly both from software down, in CS classes, and from hardware up, in EE classes. Xeno has experience with 4 other assembly languages beyond x86: PowerPC, ARM, SPARC, and M68HC12.

TSV436: Secure Code Review

Course Description: This course is designed to help developers bring a secure coding mindset into typical project peer reviews. The course briefly talks about the development lifecycle and the importance of peer reviews in delivering a quality product. How to perform this review is discussed and how to keep secure coding a priority during the review is stressed. A variety of hands-on exercises will address common coding mistakes, what to focus on during a review, and how to manage limited time. Throughout the course, the class will break out into pairs and perform example peer reviews on sample code. Perl will be used for the hands-on exercises; however every attempt will be made to generalize the code such that anyone with an understanding of a coding language will be comfortable.
Course Objectives:
• Describe how peer reviews fit into the software development process
• Start a peer review and gain the necessary background about the code
• Identify techniques for making sense of a large amount of code
• Review common secure coding mistakes
• Create report findings that go back to the developer

Format: Lecture plus team exercises
Prerequisites: TSV100 Introduction to Secure Coding
Target Audience: Developers
Length: One day (7 hours)
Schedule: 29-Jan-2015 (Session 0005)
Schedule: 7-May-2015 (Session 0006)

Instructor: Drew Buttner has been at MITRE since 2001 and is one of the leaders of MITRE's software assurance work program in support of both MITRE internal and its Government sponsors. His experience and technical expertise are in the areas of code development, standardization, and static code analysis. The past couple of years he has provided support to both the Department of Defense and NIST in their research of static analysis tools. Currently he is working to establish a secure code review practice for the MITRE Community.